-
On this page
11 December 2020
Importance of flexibility
2.1 The definition of ‘personal information’ is a key concept that delineates the scope of what is regulated and sought to be protected under the Privacy Act.
2.2The current definition does not list specific types of information that constitute ‘personal information’. Instead, the definition sets out a test whereby, depending on the circumstances, any type of data can be personal information if it is about an identified individual, or an individual who is reasonably identifiable.
2.3The definition of personal information is therefore neutral in its application to different sectors, different activities and different technologies. The definition can be applied flexibly in different contexts and to a broad range of information, which ensures it is adaptable as technology and the way data is used evolves.
2.4The OAIC considers that there are significant benefits in retaining this flexible and broad definition. However, a number of challenges have tested the scope of the current definition and created some uncertainty, particularly around the following issues:
- When personal information will be ‘about’ an individual
- The application of the definition to technical information
- Whether the definition captures inferred information
- Whether the current threshold is fit for purpose
- Whether the definition should capture individuated information.
2.5The OAIC’s recommendations in this section address these uncertainties, as well as whether reforms should be introduced in relation to de-identified information.
2.6The definition of personal information is a foundational concept in the Privacy Act. These recommendations will help to ensure that the definition is fit for purpose now and into the future.
Information ‘about’ an individual
2. What approaches should be considered to ensure the Act protects an appropriate range of technical information?
2.7The OAIC considers that clarifying when information is ‘about’ an individual is the most fundamental issue that needs to be addressed in relation to the definition of personal information in the Privacy Act. Addressing issues caused by overly narrow interpretations of this term will assist in resolving other key matters raised in the Issues Paper and promote greater clarity about the circumstances in which information will be in scope.
2.8As highlighted in the Issues Paper, the Full Federal Court of Australia’s decision in Privacy Commissioner v Telstra Corporation Ltd (the Grubb case) considered the meaning of personal information and has challenged the application of the definition.[16] In finding that the individual needs to ‘be a subject matter’ of the information, this judgment risks being interpreted as narrowing the definition of personal information.
2.9Following this decision, the OAIC is aware of uncertainty in the regulated community around whether the information is ‘about’ an individual. To a large extent, the need to clarify whether the definition of personal information captures technical information stems from this uncertainty. This is despite the Court noting that it was only deciding a point of law about the meaning of the word ‘about’ and did not decide whether metadata actually met the definition of personal information.
2.10 This uncertainty was highlighted in the Treasury Laws Amendment (Consumer Data Right) Bill 2019, which adopted the word ‘relate’ rather than ‘about’ in the definition of CDR data. As explained in the explanatory memorandum to the Bill, this is because:
[1.106] The concept of ‘relates to’ is a broader concept than information ‘about’ an identifiable or reasonably identifiable person under the Privacy Act 1988. For example, using this term is intended to capture meta-data of the type found not to be about an individual in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFA 4 (19 January 2017).
[1.107] ‘Relates’ can include reference to an identifier such as a name, an identification number, location data of the person or of products that would reasonably be expected to be co-located with either the person or their address, an online identifier (including cookie identifiers and internet protocol addresses) or to one or more factors specific to the physical, physiological, genetic, mental, behavioural (including predictions of behaviours or preferences), economic, cultural or social identity or characteristics of that person.
2.11 The OAIC recommends replacing the word ‘about’ in the definition of personal information with ‘relates to’, which would promote consistency with the Consumer Data Right (CDR) regime and the GDPR. This amendment would also assist in resolving the uncertainty caused by the Grubb judgment and afford an opportunity to re-engage with the regulated community about the scope of the Privacy Act. It would also support the OAIC’s Recommendation 5 about capturing technical information in the definition of personal information.
2.12 The OAIC considers that this would achieve greater clarity and certainty, rather than impose a significant regulatory burden on APP entities.
Recommendation 4 Replace the word ‘about’ with ‘relates to’ in the definition of personal information to achieve greater clarity and certainty for regulated entities.
Other changes to address ‘technical information’
2.13 In addition to the key change to the definition of personal information, recommended above, the OAIC recommends that the explanatory memorandum makes clear that the definition of personal information is intended to capture certain types of technical information.
2.14 Online identifiers and device identifiers are increasingly being used to track individuals. This is rivalling names and addresses as key information used to identify people.[17] At the same time, there is often uncertainty about whether technical information can be personal information under the Privacy Act, particularly since the Grubb case.[18]
2.15 The OAIC considers that including an explanation that the definition of personal information is intended to capture technical information in the explanatory memorandum will support ongoing flexibility, while clarifying that this type of data can be personal information in appropriate circumstances. This would also bring the Privacy Act in line with more modern privacy regulations around the world.
2.16 In making this recommendation, the OAIC has considered several factors:
- Future-proofing the definition – The technology-neutral nature of the definition is important to allow it to evolve over time, particularly as the types of technical information that may be considered personal information will change with technological developments. An overly prescriptive definition runs the risk of quickly becoming out-of-date. For example, while cookies have commonly been considered an important online identifier, online platforms are already planning to phase this technology out.
- Capturing appropriate information – Technical data is often used for essential purposes to the running of the internet such as authentication, session management, security management and network routing. These same types of technical data, however, can also be used for tracking or profiling purposes, meaning that it may be personal information under the current definition. Technical data may even be used for both purposes at the same time or may be repurposed over the life of the identifier. The definition must be flexible enough to capture technical data that is personal information without placing undue obligations on information that does not carry privacy risks.
2.17 Having regard to these issues, the OAIC does not recommend listing specific types of technical data in the definition. Rather, the OAIC recommends that the explanatory memorandum for Recommendation 4 could set out a non-exhaustive list of some of the types of technical information that could be caught within the definition. This could be modelled on the explanatory memorandum for the Treasury Laws Amendment (Consumer Data Right) Bill 2019 set out above.[19]
2.18 The Commissioner-issued guidelines could also clarify the types of technical data that may be caught by the definition of personal information.[20]
2.19 Placing this list in the explanatory memorandum clarifies that the definition could capture technical information without detracting from the key aspect of any assessment for personal information, which is whether the information relates to an identified or reasonably identifiable individual (as discussed in paragraphs 2.7-2.12 above). This recommended approach also avoids the likelihood of the definition quickly becoming out of date if specific types of technical data are listed.
2.20 The explanatory memorandum could provide additional clarification about the scope of these terms, for example that online identifiers may include cookies, IP addresses, MAC addresses or user IDs.
2.21 While this recommendation will assist in clarifying the circumstances in which technical data will be personal information, technological advancements are increasingly challenging the concept of personal information beyond the application of the definition to technical data. New developments in the way that data is handled are making it increasingly difficult to draw a bright line between personal and non-personal information.[21] This is particularly true where a third party is able to draw inferences, track, profile or directly impact individuals without being able to identify them. For example, the OAIC understands that individuated information is increasingly being used to target content to individuals online, including advertisements, job offers or political content.[22]
2.22 Online targeting has the potential for individuals to experience harm, including discrimination through preferential pricing or exclusion.[23] To the extent that online targeting is covered under the Privacy Act, these harms may be addressed by the OAIC’s Recommendation 37 to introduce fairness and reasonableness obligations on APP entities, which can be further particularised in the planned online platforms code. These issues, however, may go beyond the scope of privacy and may also be more appropriately addressed by other regulatory regimes targeted towards the specific harms experienced.
Recommendation 5 Include a non-exhaustive list of technical data that may be captured by the definition of personal information in the explanatory memorandum for these amendments.
Inferred personal information
3. Should the definition of personal information be updated to expressly include inferred personal information?
36. Does the definition of ‘collection’ need updating to reflect that an entity could infer sensitive information?
Clarifying the status of inferred information
2.23 The use of big data and predictive data analytics make it possible to make more accurate inferences and predictions about individuals, which are being used to create increasingly detailed profiles of individuals.[24] These inferences are often about sensitive information that an individual would not expect and may not have disclosed voluntarily.
2.24 The definition of personal information includes ‘information or an opinion’ about a person, ‘whether the information or opinion is true or not’. By explicitly including opinion as well as information, the OAIC suggests that inferred data about an identified or reasonably identifiable individual will already be captured by the definition. This position is reflected in existing OAIC guidance. The OAIC supports this guidance being elevated into law to clarify that the definition of personal information captures inferred information.[25]
2.25 This amendment would also meet the expectations of the Australian community about the protection of inferred information online.
79% of Australians consider an organisation inferring information about them (for example, sexual orientation, mental health, political views) based on what they do online to be misuse.[26]
2.26The OAIC recommends that a new subsection (c) is introduced to the existing definition of personal information in s 6 of the Privacy Act:
(c) whether the information or opinion is provided, collected, created, generated or inferred.
2.27 The OAIC’s proposed amendment clarifies the existing definition of personal information, rather than broadening its scope. APP entities are already required to assess whether inferred information meets the definition of personal information, however the OAIC considers that including an explicit requirement to do so will provide greater clarity and certainty for entities and individuals.
Collection as creation
2.28 The OAIC does not consider that the definition of ‘collects’ needs to be updated to reflect that an entity could infer personal or sensitive information, as the issue will be addressed by the OAIC’s Recommendation 6. Nonetheless, the OAIC sees merit in amending the definition of ‘collects’ in s 6 of the Privacy Act to clarify the types of activities that can constitute collection.
2.29 The OAIC recommends adopting the explanation of ‘collects’ from the OAIC’s APP guidelines as the basis for this reform.[27] The guidelines state that the concept of ‘collects’ applies broadly, and includes gathering, acquiring or obtaining personal information from any source and by any means. This includes collection by ‘creation’, which may occur when information is created with reference to, or generated from, other information that the entity holds.[28]
2.30 Elevating this guidance into the Privacy Act would complement the OAIC’s recommended amendment to the definition of personal information to clarify the status of inferred information under the Act.
Recommendation 6 Introduce a new subsection in the definition of personal information clarifying that the definition applies whether the information or opinion is provided, collected, created, generated or inferred.
Recommendation 7 Clarify that the concept of collecting personal information under the Privacy Act applies broadly, and includes gathering, acquiring, inferring or obtaining personal information from any source and by any means. This includes collection by ‘creation’, which may occur when information is created with reference to, or generated from, other information the entity holds.
De-identified, anonymised and pseudonymised information
4. Should there be additional protections in relation to de-identified, anonymised and pseudonymised information? If so, what should these be?
2.31 The OAIC encourages the use of de-identified information where possible,[29] as an important privacy protective measure. However, technological advancements are continually increasing the risk that information can be re-identified, particularly if the de-identified information is released publicly or the subject of a data breach.
2.32The Privacy Act is still relevant to de-identified information. In particular, APP entities will have to consider the de-identified information that they hold and their compliance with APPs 6, 8 and 11, as these are the APPs that may apply if the data is to be transferred to another environment or the circumstances in which it is held changes.[30]
2.33 However, the OAIC considers that there is merit in placing additional protections on this type of information. These additional protections should be balanced with the need to ensure that APP entities are not discouraged from relying on this privacy protective measure.
2.34 The OAIC recommends that the term ‘de-identified’ is replaced with ‘anonymised’ in the Privacy Act. This would overcome a lack of clarity arising from dual meanings of the term ‘de-identified’, which is commonly used to describe certain technical processes and also used in a legal sense under the Privacy Act:
- We understand that the term ‘de-identified’, from a technical standpoint, means data that has been subjected to de-identification techniques (such as the removal of direct identifiers like name, address, etc).[31]
- This is a lower standard than prescribed in the Privacy Act, which means that the information is no longer about an identifiable (or reasonably identifiable) individual.
2.35 Using the term ‘anonymised’ in the Privacy Act and relevant guidance will also bring Australia into closer alignment with other international privacy regimes. International jurisdictions have moved away from the term ‘de-identified’ to promote clarity in legal standards. Under the GDPR this is referred to as ‘anonymised’ data and pseudonymisation.[32]
2.36 We also consider that there is merit in providing additional protections for anonymised information. These would include:
- APP 1 – Amending APP 1 to insert an express obligation in APP privacy policies which require notification to individuals that their information may be anonymised and used for purposes other than those permitted for the initial collection.
- APP 11 – Extending the obligations of APP 11 to require APP entities to take reasonable steps to protect anonymised information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
- APP 11 – Introducing a prohibition on APP entities taking steps to re-identify information that was collected by them in an anonymised state, except in order to conduct testing of the effectiveness of security safeguards that have been put in place to protect the information.
2.37 In practice, an important part of complying with these obligations would include requiring APP entities to conduct ongoing and regular re-identification risk assessment checks to ensure that information remains anonymised, including whether information becomes available that increases the re-identification risk. As part of taking ‘reasonable steps’, entities will need to ensure that any measures applied to anonymise the information are proportionate to the purpose for which the information is anonymised and the sensitivity of the personal information. Good data governance should apply throughout all stages of the anonymisation process and be in place before and after anonymisation has occurred.
2.38The OAIC also recommends an amendment to the NDB scheme requiring notification where an APP entity identifies that:
- there is unauthorised access to or unauthorised disclosure of anonymised information, or a loss of anonymised information, that an entity holds, in circumstances where there is a risk of re-identification of that information
- if this information is re-identified, it is likely to result in serious harm to one or more individuals, and
- the entity has not been able to prevent the likely risk of serious harm with remedial action.
2.39 Information will be anonymised where the risk of an individual being re-identified in the data is very low in the relevant context in which it is held or released. In practice, this means that information may be considered anonymised while held by an APP entity but would be personal information if released publicly.
2.40This risk of re-identification will shift where the context in which information is held changes, for example, because of loss or unauthorised access or disclosure. Clarifying that notification is required in these circumstances will allow individuals to take steps to protect themselves from serious harm, while also alerting the OAIC to potential breaches of the APP 11 obligation recommended above.
Recommendation 8 Replace the term ‘de-identified’ with ‘anonymised’ in the Privacy Act.
Recommendation 9 Amend APP 1 to insert an express obligation that an APP privacy policy must notify individuals that their information may be anonymised and used for purposes other than those permitted for the initial collection.
Recommendation 10 Extend the obligations of APP 11 to require APP entities to take reasonable steps to protect anonymised information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
Recommendation 11 Introduce a prohibition on APP entities taking steps to re-identify information that they collected in an anonymised state, except in order to conduct testing of the effectiveness of security safeguards that have been put in place to protect the information.
Recommendation 12 Extend Part IIIC to require notification where:
- there is unauthorised access to or unauthorised disclosure of anonymised information, or a loss of anonymised information, that an entity holds, in circumstances where there is a risk of re-identification of that information
- if this information is re-identified, it is likely to result in serious harm to one or more individuals, and
- the entity has not been able to prevent the likely risk of serious harm with remedial action.
Information about deceased individuals
5. Are any other changes required to the Act to provide greater clarity around what information is ‘personal information’?
2.41 As observed in the Issues Paper, the definition of personal information relates to information about an ‘individual’. This term is defined in the Privacy Act as ‘a natural person’. This means that the definition of personal information does not capture information about deceased individuals unless the information is also about a living person.
2.42The OAIC recommends that the definition of ‘individual’ is amended to capture deceased individuals. This would have several benefits:
- It would create consistency with the privacy laws in many State privacy jurisdictions, which cover information about deceased individuals, thereby furthering the object of the Privacy Act to provide the basis of nationally consistent regulation of privacy.
- It would allow for the creation of a framework to appropriately and respectfully deal with the information of an individual after they have died. For example, we understand that this has been an issue in relation to social media profiles of deceased individuals.
2.43 The OAIC recommends that the Privacy Act cease to apply to information about an individual who has been dead for more than 30 years. This would promote consistency with privacy legislation in New South Wales and Victoria.[33]
2.44 The OAIC suggests that the Privacy Act review ensure that work on this issue is aligned across Government and consider any implications that this recommended amendment may have on other Commonwealth laws. The OAIC notes that other Commonwealth information laws, the Freedom of Information Act 1982 (Cth) (FOI Act) and the Archives Act 1983 (Cth), already protect against unreasonable disclosure of personal information of deceased individuals in response to requests for access to government documents.[34]
2.45The OAIC notes that the New South Wales Law Reform Commission recommended enacting a statutory scheme to govern access to digital records of deceased individuals.[35] The Council of Attorney-Generals has agreed to form a Working Group to consider developing a nationally consistent approach to the regulation of access to these digital records.[36] Enacting a national scheme that regulates access to such records will provide greater certainty about when access should be granted and to whom. The OAIC considers that this work should inform the development of a framework for asserting the privacy of deceased individuals under the Privacy Act.
Recommendation 13 Amend the Privacy Act to ensure that the definition of personal information extends to deceased individuals for a period of 30 years after death.
Footnotes
[16] Privacy Commissioner v Telstra Corporation Ltd [2017] FCAFC 4.
[17] See for example UK Information Commissioner’s Office (2019) Update Report into adtech and real time bidding, ICO, United Kingdom Government, p. 12, which found that most requests for online advertising contained several types of online identifiers including an IP address, cookie ID, location information and device information.
[18] Privacy Commissioner v Telstra Corporation Ltd [2017] FCAFC 4.
[19] This explanatory memorandum substantially captures the types of data listed in the definition of personal data in Article 4 and Recital 30 of the GDPR.
[20] The OAIC recommends that a new provision is included in the Privacy Act that would require entities to have regard to any guidelines issued by the Commissioner when carrying out their functions and activities under the Privacy Act. See Recommendation 16 below.
[21] See also the discussion of the challenges posed by AI technologies to the definition of personal information in Office of the Victorian Information Commissioner (2018), Artificial intelligence and privacy, OVIC, Victorian Government, p. 9.
[22] Individuation refers to the ability to disambiguate or single out a person in a crowd, such that that individual could be tracked, profiled, targeted, contacted or subject to a decision or action which impacts upon them, even if that individual’s identity was not known or knowable (see discussion from page 9 in Johnson A 2020, Individuation: Re-imagining data privacy laws to protect against digital harms, Brussels Privacy Hub Working Paper 6 (24), 1-22).
[23] See discussion from page 41 in Salinger Privacy (2020), The Definition of Personal Information, research paper for the Office of the Australian Information Commissioner, Salinger Privacy.
[24] See discussion of inferred information in Office of the Victorian Information Commissioner (2020), The Internet of Things and Privacy, OVIC, Victorian Government, p. 5. See examples of the use of inferred data to profile individuals in European Data Protection Board (2 September 2020) Guidelines 8/2020 on the targeting of social media users, EDPB, accessed 18 November 2020, pp. 22-24.
[25] See for example OAIC (May 2017) The definition of personal information [online document], OAIC, accessed 18 November 2020 and OAIC (March 2018) Guide to data analytics [online document], OAIC, accessed 18 November 2020.
[26] OAIC (2020) Australian Community Attitudes to Privacy Survey 2020, report prepared by Lonergan Research, p. 36.
[27] OAIC (March 2018) Guide to data analytics [online document], OAIC, accessed 18 November 2020.
[28] OAIC (March 2018) Guide to data analytics [online document], OAIC, accessed 18 November 2020.
[29] According to s 6 of the Privacy Act, personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.
[30] See discussion of the application of privacy obligations to de-identified information in OAIC (March 2018) De-identification and the Privacy Act [online document], OAIC, accessed 18 November 2020.
[31] See for example Department of Premier and Cabinet (2018), De-identification Guideline, report prepared by the Chief Data Officer, Department of Premier and Cabinet, Victoria Government, Chapter 4 (De-identification techniques and technologies).
[32] See GDPR Article 4 and Recital 26.
[33] See the Privacy and Personal Information Protection Act 1998 (NSW), s4(3)(a) and the Victorian Health Records Act 2001 (Vic). We note that the limit is set at 25 years in Tasmania, 5 years in the Northern Territory, and ‘as far as is practical’ in the ACT’s Health Records (Privacy and Access) Act 1997.
[34] Freedom of Information Act 1982 (Cth) s 47F; Archives Act 1983 (Cth) s 33(1)(g).
[35] New South Wales Law Reform Commission (2019), Access to digital records upon death or incapacity (Report No 147), NSWLRC, accessed 19 November 2020.
[36] See the Council of Attorneys-General (27 July 2020) Communique, CAG, accessed 19 November 2020.