Ray Marshall

Business must comply with Privacy Act in use of metadata

6 May 2015

Confidentiality and Privacy IT


A decision of the Office of the Australian Information Commissioner on 1 May 2015 has potential ramifications for the obligations of software developers and service providers under the Privacy Act 1988 (Cth) (the Act), particularly in the internet and mobile space, in relation to metadata that is collected, deliberately or incidentally, as part of providing a service.

In Ben Grubb and Telstra Corporation Limited [2015] AICmr 35, Mr Grubb requested, under the Act, access to all of the metadata relating to him that Telstra held in its possession or control. The metadata considered by Commissioner Pilgrim included network-based identifiers, connection geolocation information, and incoming and outgoing call information and data records. Telstra acknowledged that this metadata was regularly made available to law enforcement agencies.

Commissioner Pilgrim acknowledged that Telstra had recently changed its policies to make metadata available to customers. However, the Commissioner still had to consider whether providing that access was an obligation under the Act, which required a determination of whether the metadata constituted personal information as defined in the Act.

The Act defines personal information as “information or an opinion about an identified individual, or an individual who is reasonably identifiable, (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not”.

Telstra submitted, in summary, that the metadata was not personal information for the purposes of the Act because it would take considerable effort to identify a person from it. Commissioner Pilgrim accepted that considerable effort would be required. However, the Commissioner went on to find that the effort involved does not by itself mean that a person cannot be reasonably identified, and cited occasions on which Telstra had in fact undertaken that effort (such as the disclosure of metadata to law enforcement) as evidence that a person could be identified from the metadata. Consequently, the metadata constituted personal information for the purposes of the Act.

This decision may affect anyone who collects any sort of metadata that could be used to track a user, whether deliberately or as a natural consequence of providing an internet, mobile or telephony-enabled service.

Depending on the circumstances of collection and on the other information that is collected, or is otherwise publicly available, about a person, all of the following could be considered personal information even where the information is otherwise anonymised:

  • geolocation and spatial data;
  • temporary or permanent network or transaction identifiers (e.g. mobile IMEI (device) and IMSI (subscriber) numbers, IP addresses, or session identifiers);
  • data access logs and communication records (time of access, source and destination, duration of communication); and
  • device and software information (device model, browser/application).


If a person collects such information, by whatever means or for whatever reason, it may be necessary to take steps to ensure that the information is stored and disclosed only in accordance with the Act. This may change the way businesses operate their online and mobile services.

Even “anonymised” information may constitute personal information where it can be used to identify a person. For example, geolocation records that are not recorded against a named person can still identify someone once aggregated, because a person’s pattern of movements (home, workplace, regular routes) is often unique.

 

Telstra has said that it will appeal the decision. However, as the Commissioner is the first port of call for privacy complaints and has the power to seek substantial civil penalties for breaches of the Act, businesses would do well to consider any decision of the Commissioner carefully.

The decision is available here.