11 December 2020

Importance of flexibility

2.1 The definition of ‘personal information’ is a key concept that delineates the scope of what is regulated and sought to be protected under the Privacy Act.

2.2 The current definition does not list specific types of information that constitute ‘personal information’. Instead, the definition sets out a test whereby, depending on the circumstances, any type of data can be personal information if it is about an identified individual, or an individual who is reasonably identifiable.

2.3 The definition of personal information is therefore neutral in its application to different sectors, different activities and different technologies. The definition can be applied flexibly in different contexts and to a broad range of information, which ensures it is adaptable as technology and the way data is used evolves.

2.4 The OAIC considers that there are significant benefits in retaining this flexible and broad definition. However, a number of challenges have tested the scope of the current definition and created some uncertainty, particularly around the following issues:

  • When personal information will be ‘about’ an individual
  • The application of the definition to technical information
  • Whether the definition captures inferred information
  • Whether the current threshold is fit for purpose
  • Whether the definition should capture individuated information.

2.5 The OAIC’s recommendations in this section address these uncertainties, as well as whether reforms should be introduced in relation to de-identified information.

2.6 The definition of personal information is a foundational concept in the Privacy Act. These recommendations will help to ensure that the definition is fit for purpose now and into the future.

Information ‘about’ an individual

2. What approaches should be considered to ensure the Act protects an appropriate range of technical information?

2.7 The OAIC considers that clarifying when information is ‘about’ an individual is the most fundamental issue that needs to be addressed in relation to the definition of personal information in the Privacy Act. Addressing issues caused by overly narrow interpretations of this term will assist in resolving other key matters raised in the Issues Paper and promote greater clarity about the circumstances in which information will be in scope.

2.8 As highlighted in the Issues Paper, the Full Federal Court of Australia’s decision in Privacy Commissioner v Telstra Corporation Ltd (the Grubb case) considered the meaning of personal information and has challenged the application of the definition.[16] In finding that the individual needs to ‘be a subject matter’ of the information, this judgment risks being interpreted as narrowing the definition of personal information.

2.9 Following this decision, the OAIC is aware of uncertainty in the regulated community around whether the information is ‘about’ an individual. To a large extent, the need to clarify whether the definition of personal information captures technical information stems from this uncertainty. This is despite the Court noting that it was only deciding a point of law about the meaning of the word ‘about’ and did not decide whether metadata actually met the definition of personal information.

2.10 This uncertainty was highlighted in the Treasury Laws Amendment (Consumer Data Right) Bill 2019, which adopted the word ‘relate’ rather than ‘about’ in the definition of CDR data. As explained in the explanatory memorandum to the Bill, this is because:

[1.106] The concept of ‘relates to’ is a broader concept than information ‘about’ an identifiable or reasonably identifiable person under the Privacy Act 1988. For example, using this term is intended to capture meta-data of the type found not to be about an individual in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFA 4 (19 January 2017).

[1.107] ‘Relates’ can include reference to an identifier such as a name, an identification number, location data of the person or of products that would reasonably be expected to be co-located with either the person or their address, an online identifier (including cookie identifiers and internet protocol addresses) or to one or more factors specific to the physical, physiological, genetic, mental, behavioural (including predictions of behaviours or preferences), economic, cultural or social identity or characteristics of that person.

2.11 The OAIC recommends replacing the word ‘about’ in the definition of personal information with ‘relates to’, which would promote consistency with the Consumer Data Right (CDR) regime and the GDPR. This amendment would also assist in resolving the uncertainty caused by the Grubb judgment and afford an opportunity to re-engage with the regulated community about the scope of the Privacy Act. It would also support the OAIC’s Recommendation 5 about capturing technical information in the definition of personal information.

2.12 The OAIC considers that this would achieve greater clarity and certainty, rather than impose a significant regulatory burden on APP entities.

Recommendation 4 Replace the word ‘about’ with ‘relates to’ in the definition of personal information to achieve greater clarity and certainty for regulated entities.

Other changes to address ‘technical information’

2.13 In addition to the key change to the definition of personal information, recommended above, the OAIC recommends that the explanatory memorandum makes clear that the definition of personal information is intended to capture certain types of technical information.

2.14 Online identifiers and device identifiers are increasingly being used to track individuals, and are rivalling names and addresses as key information used to identify people.[17] At the same time, there is often uncertainty about whether technical information can be personal information under the Privacy Act, particularly since the Grubb case.[18]

2.15 The OAIC considers that including an explanation that the definition of personal information is intended to capture technical information in the explanatory memorandum will support ongoing flexibility, while clarifying that this type of data can be personal information in appropriate circumstances. This would also bring the Privacy Act in line with more modern privacy regulations around the world.

2.16 In making this recommendation, the OAIC has considered several factors:

  • Future-proofing the definition – The technology-neutral nature of the definition is important to allow it to evolve over time, particularly as the types of technical information that may be considered personal information will change with technological developments. An overly prescriptive definition runs the risk of quickly becoming out-of-date. For example, while cookies have commonly been considered an important online identifier, online platforms are already planning to phase this technology out.
  • Capturing appropriate information – Technical data is often used for purposes essential to the running of the internet, such as authentication, session management, security management and network routing. These same types of technical data, however, can also be used for tracking or profiling purposes, meaning that they may be personal information under the current definition. Technical data may even be used for both purposes at the same time or may be repurposed over the life of the identifier. The definition must be flexible enough to capture technical data that is personal information without placing undue obligations on information that does not carry privacy risks.

2.17 Having regard to these issues, the OAIC does not recommend listing specific types of technical data in the definition. Rather, the OAIC recommends that the explanatory memorandum for Recommendation 4 could set out a non-exhaustive list of some of the types of technical information that could be caught within the definition. This could be modelled on the explanatory memorandum for the Treasury Laws Amendment (Consumer Data Right) Bill 2019 set out above.[19]

2.18 The Commissioner-issued guidelines could also clarify the types of technical data that may be caught by the definition of personal information.[20]

2.19 Placing this list in the explanatory memorandum clarifies that the definition could capture technical information without detracting from the key aspect of any assessment for personal information, which is whether the information relates to an identified or reasonably identifiable individual (as discussed in paragraphs 2.7-2.12 above). This recommended approach also avoids the likelihood of the definition quickly becoming out of date if specific types of technical data are listed.

2.20 The explanatory memorandum could provide additional clarification about the scope of these terms, for example that online identifiers may include cookies, IP addresses, MAC addresses or user IDs.

2.21 While this recommendation will assist in clarifying the circumstances in which technical data will be personal information, technological advancements are increasingly challenging the concept of personal information beyond the application of the definition to technical data. New developments in the way that data is handled are making it increasingly difficult to draw a bright line between personal and non-personal information.[21] This is particularly true where a third party is able to draw inferences, track, profile or directly impact individuals without being able to identify them. For example, the OAIC understands that individuated information is increasingly being used to target content to individuals online, including advertisements, job offers or political content.[22]

2.22 Online targeting has the potential for individuals to experience harm, including discrimination through preferential pricing or exclusion.[23] To the extent that online targeting is covered under the Privacy Act, these harms may be addressed by the OAIC’s Recommendation 37 to introduce fairness and reasonableness obligations on APP entities, which can be further particularised in the planned online platforms code. These issues, however, may go beyond the scope of privacy and may also be more appropriately addressed by other regulatory regimes targeted towards the specific harms experienced.

Recommendation 5 Include a non-exhaustive list of technical data that may be captured by the definition of personal information in the explanatory memorandum for these amendments.

Inferred personal information

3. Should the definition of personal information be updated to expressly include inferred personal information?

36. Does the definition of ‘collection’ need updating to reflect that an entity could infer sensitive information?

Clarifying the status of inferred information

2.23 The use of big data and predictive data analytics makes it possible to make more accurate inferences and predictions about individuals, which are being used to create increasingly detailed profiles of individuals.[24] These inferences are often about sensitive information that an individual would not expect and may not have disclosed voluntarily.

2.24 The definition of personal information includes ‘information or an opinion’ about a person, ‘whether the information or opinion is true or not’. By explicitly including opinion as well as information, the OAIC suggests that inferred data about an identified or reasonably identifiable individual will already be captured by the definition. This position is reflected in existing OAIC guidance. The OAIC supports this guidance being elevated into law to clarify that the definition of personal information captures inferred information.[25]

2.25 This amendment would also meet the expectations of the Australian community about the protection of inferred information online.

79% of Australians consider an organisation inferring information about them (for example, sexual orientation, mental health, political views) based on what they do online to be misuse.[26]

2.26 The OAIC recommends that a new subsection (c) is introduced to the existing definition of personal information in s 6 of the Privacy Act:

(c) whether the information or opinion is provided, collected, created, generated or inferred.

2.27 The OAIC’s proposed amendment clarifies the existing definition of personal information, rather than broadening its scope. APP entities are already required to assess whether inferred information meets the definition of personal information; however, the OAIC considers that including an explicit requirement to do so will provide greater clarity and certainty for entities and individuals.

Collection as creation

2.28 The OAIC does not consider that the definition of ‘collects’ needs to be updated to reflect that an entity could infer personal or sensitive information, as the issue will be addressed by the OAIC’s Recommendation 6. Nonetheless, the OAIC sees merit in amending the definition of ‘collects’ in s 6 of the Privacy Act to clarify the types of activities that can constitute collection.

2.29 The OAIC recommends adopting the explanation of ‘collects’ from the OAIC’s APP guidelines as the basis for this reform.[27] The guidelines state that the concept of ‘collects’ applies broadly, and includes gathering, acquiring or obtaining personal information from any source and by any means. This includes collection by ‘creation’, which may occur when information is created with reference to, or generated from, other information that the entity holds.[28]

2.30 Elevating this guidance into the Privacy Act would complement the OAIC’s recommended amendment to the definition of personal information to clarify the status of inferred information under the Act.

Recommendation 6 Introduce a new subsection in the definition of personal information clarifying that the definition applies whether the information or opinion is provided, collected, created, generated or inferred.

Recommendation 7 Clarify that the concept of collecting personal information under the Privacy Act applies broadly, and includes gathering, acquiring, inferring or obtaining personal information from any source and by any means. This includes collection by ‘creation’, which may occur when information is created with reference to, or generated from, other information the entity holds.

De-identified, anonymised and pseudonymised information

4. Should there be additional protections in relation to de-identified, anonymised and pseudonymised information? If so, what should these be?

2.31 The OAIC encourages the use of de-identified information where possible,[29] as an important privacy protective measure. However, technological advancements are continually increasing the risk that information can be re-identified, particularly if the de-identified information is released publicly or the subject of a data breach.

2.32 The Privacy Act is still relevant to de-identified information. In particular, APP entities will have to consider the de-identified information that they hold and their compliance with APPs 6, 8 and 11, as these are the APPs that may apply if the data is to be transferred to another environment or the circumstances in which it is held change.[30]

2.33 However, the OAIC considers that there is merit in placing additional protections on this type of information. These additional protections should be balanced with the need to ensure that APP entities are not discouraged from relying on this privacy protective measure.

2.34 The OAIC recommends that the term ‘de-identified’ is replaced with ‘anonymised’ in the Privacy Act. This would overcome a lack of clarity arising from dual meanings of the term ‘de-identified’, which is commonly used to describe certain technical processes and also used in a legal sense under the Privacy Act:

  • We understand that the term ‘de-identified’, from a technical standpoint, means data that has been subjected to de-identification techniques (such as the removal of direct identifiers like name, address, etc).[31]
  • This is a lower standard than prescribed in the Privacy Act, which means that the information is no longer about an identifiable (or reasonably identifiable) individual.

2.35 Using the term ‘anonymised’ in the Privacy Act and relevant guidance will also bring Australia into closer alignment with other international privacy regimes. International jurisdictions have moved away from the term ‘de-identified’ to promote clarity in legal standards. Under the GDPR this is referred to as ‘anonymised’ data and pseudonymisation.[32]

2.36 We also consider that there is merit in providing additional protections for anonymised information. These would include:

  • APP 1 – Amending APP 1 to insert an express obligation in APP privacy policies which require notification to individuals that their information may be anonymised and used for purposes other than those permitted for the initial collection.
  • APP 11 – Extending the obligations of APP 11 to require APP entities to take reasonable steps to protect anonymised information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
  • APP 11 – Introducing a prohibition on APP entities taking steps to re-identify information that was collected by them in an anonymised state, except in order to conduct testing of the effectiveness of security safeguards that have been put in place to protect the information.

2.37 In practice, an important part of complying with these obligations would include requiring APP entities to conduct ongoing and regular re-identification risk assessment checks to ensure that information remains anonymised, including whether information becomes available that increases the re-identification risk. As part of taking ‘reasonable steps’, entities will need to ensure that any measures applied to anonymise the information are proportionate to the purpose for which the information is anonymised and the sensitivity of the personal information. Good data governance should apply throughout all stages of the anonymisation process and be in place before and after anonymisation has occurred.

2.38 The OAIC also recommends an amendment to the NDB scheme requiring notification where an APP entity identifies that:

  • there is unauthorised access to or unauthorised disclosure of anonymised information, or a loss of anonymised information, that an entity holds, in circumstances where there is a risk of re-identification of that information
  • if this information is re-identified, it is likely to result in serious harm to one or more individuals, and
  • the entity has not been able to prevent the likely risk of serious harm with remedial action.

2.39 Information will be anonymised where the risk of an individual being re-identified in the data is very low in the relevant context in which it is held or released. In practice, this means that information may be considered anonymised while held by an APP entity but would be personal information if released publicly.

2.40 This risk of re-identification will shift where the context in which information is held changes, for example, because of loss or unauthorised access or disclosure. Clarifying that notification is required in these circumstances will allow individuals to take steps to protect themselves from serious harm, while also alerting the OAIC to potential breaches of the APP 11 obligation recommended above.

Recommendation 8 Replace the term ‘de-identified’ with ‘anonymised’ in the Privacy Act.

Recommendation 9 Amend APP 1 to insert an express obligation that an APP privacy policy must notify individuals that their information may be anonymised and used for purposes other than those permitted for the initial collection.

Recommendation 10 Extend the obligations of APP 11 to require APP entities to take reasonable steps to protect anonymised information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

Recommendation 11 Introduce a prohibition on APP entities taking steps to re-identify information that they collected in an anonymised state, except in order to conduct testing of the effectiveness of security safeguards that have been put in place to protect the information.

Recommendation 12 Extend Part IIIC to require notification where:

  • there is unauthorised access to or unauthorised disclosure of anonymised information, or a loss of anonymised information, that an entity holds, in circumstances where there is a risk of re-identification of that information
  • if this information is re-identified, it is likely to result in serious harm to one or more individuals, and
  • the entity has not been able to prevent the likely risk of serious harm with remedial action.

Information about deceased individuals

5. Are any other changes required to the Act to provide greater clarity around what information is ‘personal information’?

2.41 As observed in the Issues Paper, the definition of personal information relates to information about an ‘individual’. This term is defined in the Privacy Act as ‘a natural person’. This means that the definition of personal information does not capture information about deceased individuals unless the information is also about a living person.

2.42 The OAIC recommends that the definition of ‘individual’ is amended to capture deceased individuals. This would have several benefits:

  • It would create consistency with the privacy laws in many State privacy jurisdictions, which cover information about deceased individuals, thereby furthering the object of the Privacy Act to provide the basis of nationally consistent regulation of privacy.
  • It would allow for the creation of a framework to appropriately and respectfully deal with the information of an individual after they have died. For example, we understand that this has been an issue in relation to social media profiles of deceased individuals.

2.43 The OAIC recommends that the Privacy Act cease to apply to information about an individual who has been dead for more than 30 years. This would promote consistency with privacy legislation in New South Wales and Victoria.[33]

2.44 The OAIC suggests that the Privacy Act review ensure that work on this issue is aligned across Government and consider any implications that this recommended amendment may have on other Commonwealth laws. The OAIC notes that other Commonwealth information laws, the Freedom of Information Act 1982 (Cth) (FOI Act) and the Archives Act 1983 (Cth), already protect against unreasonable disclosure of personal information of deceased individuals in response to requests for access to government documents.[34]

2.45 The OAIC notes that the New South Wales Law Reform Commission recommended enacting a statutory scheme to govern access to digital records of deceased individuals.[35] The Council of Attorneys-General has agreed to form a Working Group to consider developing a nationally consistent approach to the regulation of access to these digital records.[36] Enacting a national scheme that regulates access to such records will provide greater certainty about when access should be granted and to whom. The OAIC considers that this work should inform the development of a framework for asserting the privacy of deceased individuals under the Privacy Act.

Recommendation 13 Amend the Privacy Act to ensure that the definition of personal information extends to deceased individuals for a period of 30 years after death.

Footnotes

[16] Privacy Commissioner v Telstra Corporation Ltd [2017] FCAFC 4.

[17] See for example UK Information Commissioner’s Office (2019) Update Report into adtech and real time bidding, ICO, United Kingdom Government, p. 12, which found that most requests for online advertising contained several types of online identifiers including an IP address, cookie ID, location information and device information.

[18] Privacy Commissioner v Telstra Corporation Ltd [2017] FCAFC 4.

[19] This explanatory memorandum substantially captures the types of data listed in the definition of personal data in Article 4 and Recital 30 of the GDPR.

[20] The OAIC recommends that a new provision is included in the Privacy Act that would require entities to have regard to any guidelines issued by the Commissioner when carrying out their functions and activities under the Privacy Act. See Recommendation 16 below.

[21] See also the discussion of the challenges posed by AI technologies to the definition of personal information in Office of the Victorian Information Commissioner (2018), Artificial intelligence and privacy, OVIC, Victorian Government, p. 9.

[22] Individuation refers to the ability to disambiguate or single out a person in a crowd, such that that individual could be tracked, profiled, targeted, contacted or subject to a decision or action which impacts upon them, even if that individual’s identity was not known or knowable (see discussion from page 9 in Johnson A 2020, Individuation: Re-imagining data privacy laws to protect against digital harms, Brussels Privacy Hub Working Paper 6 (24), 1-22).

[23] See discussion from page 41 in Salinger Privacy (2020), The Definition of Personal Information, research paper for the Office of the Australian Information Commissioner, Salinger Privacy.

[24] See discussion of inferred information in Office of the Victorian Information Commissioner (2020), The Internet of Things and Privacy, OVIC, Victorian Government, p. 5. See examples of the use of inferred data to profile individuals in European Data Protection Board (2 September 2020) Guidelines 8/2020 on the targeting of social media users, EDPB, accessed 18 November 2020, pp. 22-24.

[25] See for example OAIC (May 2017) The definition of personal information [online document], OAIC, accessed 18 November 2020 and OAIC (March 2018) Guide to data analytics [online document], OAIC, accessed 18 November 2020.

[26] OAIC (2020) Australian Community Attitudes to Privacy Survey 2020, report prepared by Lonergan Research, p. 36.

[27] OAIC (March 2018) Guide to data analytics [online document], OAIC, accessed 18 November 2020.

[28] OAIC (March 2018) Guide to data analytics [online document], OAIC, accessed 18 November 2020.

[29] According to s 6 of the Privacy Act, personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.

[30] See discussion of the application of privacy obligations to de-identified information in OAIC (March 2018) De-identification and the Privacy Act [online document], OAIC, accessed 18 November 2020.

[31] See for example Department of Premier and Cabinet (2018), De-identification Guideline, report prepared by the Chief Data Officer, Department of Premier and Cabinet, Victoria Government, Chapter 4 (De-identification techniques and technologies).

[32] See GDPR Article 4 and Recital 26.

[33] See the Privacy and Personal Information Protection Act 1998 (NSW), s4(3)(a) and the Victorian Health Records Act 2001 (Vic). We note that the limit is set at 25 years in Tasmania, 5 years in the Northern Territory, and ‘as far as is practical’ in the ACT’s Health Records (Privacy and Access) Act 1997.

[34] Freedom of Information Act 1982 (Cth) s 47F; Archives Act 1983 (Cth) s 33(1)(g).

[35] New South Wales Law Reform Commission (2019), Access to digital records upon death or incapacity (Report No 147), NSWLRC, accessed 19 November 2020.

[36] See the Council of Attorneys-General (27 July 2020) Communique, CAG, accessed 19 November 2020.