In December 2019, the Attorney-General announced that the Australian Government would conduct a review (the Review) of the Privacy Act 1988 (Cth) (the Privacy Act). The Review aimed to investigate the effectiveness of Australia’s current data protection regime to ensure it “empower[s] consumers, protect[s] their data and best serve[s] the Australian economy”. Since then, the Attorney-General has published an Issues Paper in October 2020 (the Issues Paper) and a Discussion Paper in October 2021 (the Discussion Paper), and has conducted several rounds of public consultation. This series from Gilbert + Tobin’s Technology + IP team will guide you through the key issues that have been raised by the Review.
The Privacy Act and the Australian Privacy Principles (APPs) regulate the collection, use and disclosure of personal information. As such, the definition of “personal information” is extremely important, as it defines the scope of the Privacy Act. The Issues Paper and the Discussion Paper both identified this definition as a key element of the Review.
Under section 6(1) of the Privacy Act, “personal information” is defined as:
“information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.”
Background: Existing Regime
There are two elements of this definition that make it complicated to apply. Firstly, the 2017 decision in Privacy Commissioner v Telstra Corporation Ltd [2017] FCAFC 4 (Grubb) has created uncertainty about how to interpret whether information is “about” the individual. (Note: this case considered the definition of “personal information” before it was amended in 2014. However, as the revised definition still includes the “about” language, the case is still considered relevant to the amended Privacy Act.) The Grubb decision established that, when analysing whether information meets the definition of “personal information”, a Court must “give content” to the words “about an individual”; however, the Federal Court provided only limited guidance on how to perform this analysis. In Grubb, it was held in obiter that an individual must be the “subject matter” of the information for it to be “about an individual” and within the scope of the Privacy Act. This was found to involve an “evaluative conclusion” depending on the facts of the case, to be assessed alone or in conjunction with other available information.
Secondly, the analysis of whether an individual is “identified” or “reasonably identifiable” from the information is difficult to apply. The OAIC APP Guidelines state that “an individual is identified when, within a group of persons, he or she is distinguished from all other members of a group… this will be achieved by establishing a link between information and a particular person”. In order to establish whether an individual is “reasonably identifiable”, APP entities need to consider not only whether the information, by itself, establishes a link to a specific individual, but also whether the information could be linked with other information that could identify the individual. As a result, the classification of “personal information” is not static and could change over time as an entity collects more information or other information becomes publicly available. In the same vein, information may be “personal information” in the hands of one entity but not in the hands of another, depending on what information is available to the entity that would allow it to link the information to a specific individual.
From an international perspective, the equivalent concept of “personal data” under the GDPR is slightly broader. “Personal data” is defined as “any information relating to an identified or identifiable person” (emphasis added) (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data and Repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1, Article 4 (‘GDPR’)). Unlike the definition of personal information contained in the Privacy Act, the GDPR makes it clear that a wide range of identifiers can be personal data for the purposes of the GDPR, including a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Discussion Paper
The Discussion Paper considered a number of amendments to the definition of personal information under section 6(1) of the Privacy Act. Most suggested amendments made in the Discussion Paper related to curing any uncertainty that the current broad definition of personal information creates and enshrining elements of the OAIC APP Guidelines into law.
First, to address the uncertainty stemming from Grubb, the Discussion Paper explored changing the word “about” in the definition of personal information to “relates to” (i.e. “information or an opinion that relates to an identified individual…”). This change would allow the definition to capture a broader range of information. In particular, the change aims to extend the concept of personal information to include technical information that is “about” a service (rather than “about” an individual) but still “relates to” an individual (for example, metadata or an IP address). The change would also bring the definition in line with other Commonwealth legislation that uses “relating to” when regulating information on privacy (for example, the Competition and Consumer Act 2010 (Cth) and the Telecommunications (Interception and Access) Act 1979 (Cth)) and bring the Privacy Act definition in line with the language used in the GDPR definition of “personal data”.
Second, the Discussion Paper explored adding a non-exhaustive list of the types of information capable of being covered by the definition of personal information to the Privacy Act. The examples would enshrine into legislation some of the examples given in the OAIC APP Guidelines – for example, identification numbers. The list of examples would make it clear that, where an individual is distinguished from others or has a profile associated with a pseudonym or identifier, this can be classified as personal information, even where the individual is not named.
Third, the Discussion Paper considered including a definition of “reasonably identifiable” that would define the circumstances in which an individual could be identified, directly or indirectly. Again, the Discussion Paper acknowledged that it intends to update the Privacy Act to reflect the OAIC APP Guidelines process for analysing whether an individual is “reasonably identifiable”. By adding the phrase “directly or indirectly”, the definition clarifies that APP entities need to consider other available information when assessing whether information is personal information. This includes information that is publicly available, or where there is a risk that the information could be made public.
Finally, the Discussion Paper suggested amending the definition of “collection” to expressly cover information obtained from any source and by any means, including inferred or generated information. The new definition would cover circumstances where an APP entity infers, derives, generates or otherwise creates personal information, whether or not this is done by or on behalf of an individual. This approach was recommended by the OAIC. The Australian Information Security Association (AISA), however, recommended a different approach, whereby, instead of amending the definition of “collection”, the concepts of “collection”, “use” and “disclosure” would be replaced with “data processing”. This change would remedy issues around notice and consent requirements for inferred personal information.
The OAIC’s response to the Discussion Paper acknowledges that, while there are significant benefits in keeping a flexible and broad definition of personal information, there have been a number of challenges in regard to the scope of the current definition, which have created uncertainty about how the definition is to be applied in particular circumstances. Interestingly, the OAIC agrees there is a need to clarify when information is “about” an individual, to avoid overly restrictive interpretations of this term.
Contrary to the position of the OAIC, several key technology and telecommunications industry stakeholders, including Microsoft and Telstra, disagreed with the proposal to replace “about” with “relates to” in the definition of personal information, and with the proposal to include a non-exhaustive list of technical information that is capable of being personal information. As an alternative, both Microsoft and Telstra recommended implementing supporting guidance documentation regarding technical, inferred and generated information and leaving the definitions unchanged.
Regarding the Discussion Paper proposal to define “reasonably identifiable”, the OAIC expressed concern that this proposal may detract from the principles-based nature of the Privacy Act and its flexibility, and instead recommended that APP entities should be required to have regard to the OAIC APP Guidelines (and their process for analysing whether an individual is reasonably identifiable) when carrying out their functions or activities.
Deciding on the definition of “personal information”
It is clear that the Attorney-General has a number of competing interests to weigh up when deciding how to reform the definition of “personal information” contained in the Privacy Act. On one hand, the definition needs to be broad enough to capture all information that the public legitimately views as being personal and private to them and which, if improperly used, could harm individuals. On the other hand, it needs to be narrow enough that APP entities are not burdened by having to comply with the APPs in circumstances where the relevant information is “low risk” in nature. The definition represents a unique challenge for the Review process, and we don’t believe that mirroring the approach taken under the GDPR is the best approach. What is clear is that the participants in the Review process agree that the current definition, as interpreted in Australian case law to date, needs to be reformed to provide greater certainty for individuals as well as businesses.
Authors: Andrew Hii, Claire Harris and Lucy Savona