Is it 'personal information' or not?
One of the key concepts in Australia's privacy laws is whether or not information is 'personal information'.
The definition is broad and does not really provide any practical indication of how the concept applies.
The Australian Privacy Act defines 'personal information' as:
'Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
a. whether the information or opinion is true or not; and
b. whether the information or opinion is recorded in a material form or not.'
There is a vast range of information that can be considered 'personal information'. This could be health information, credit information, a tax file number, addresses, phone numbers etc. The list is almost endless in what can be captured.
However, for the information to be 'personal information', it must be:
1. about an identified individual; or
2. about an individual who is reasonably identifiable.
That means, to come under the auspices of the Privacy Act in Australia then a person must be identifiable from the information. For example, if just a phone number is made available that is not linked to a particular individual then it may not be personal information in that context. However, if the phone number and person's name was available then it may be considered 'personal information'.
It is a potential minefield given the different types of information available and whether or not it identifies or reasonably identifies a person.
It is additionally complex when you then have to consider when information about an individual will mean that they are able to be 'identified'.
You would think that being identified was a relatively straight forward concept, however that's not always the case. Think about it this way, having a body covered in tattoos might make you reasonably identifiable in an average group of people but may not if you were among a group of bikies.
With rapid developments in technology, methods of identifying individuals from information will continue to expand making this a shifting area of law. Consider this case study provided by the Office of the Australian Information Commissioner (the OAIC):
'In 2006, AOL, a search engine provider, released apparently anonymous web search records for 658,000 users. However, some journalists working for the New York Times were able to link the search terms to identify users and contacted them. For example, 'Subscriber 4417749' was able to be identified as a 62-year old woman, through her searches for local real estate agents and gardeners, her use of dating sites, health queries she had entered about her 'numb fingers' and questions about her dog's behaviour.'
To assist, the OAIC have provided the following questions that may be of assistance.
- Is the information 'about' an individual - that is, is there a connection between the information and the person? This is a question of fact, and depends on the context and circumstances.
*Some information is clearly about an individual - for example, name, date of birth, occupation details, medical records.
*Otherwise - does the information reveal a fact or opinion about the person, in a way that is not too tenuous or remote?
- Is the relevant individual identified, or reasonably identifiable? Entities should consider all relevant contextual factors, including:
*the nature and amount of information
*who will have access to the information
*other information that is available.
- Remember - when in doubt, err on the side of caution and treat the information as personal information.