A journalist takes on Telstra

After almost two years of persistence, in a decision handed down on the 4th of May 2015, Telstra was ordered to provide Fairfax journalist Ben Grubb with access to certain metadata Telstra held relating to him. The Privacy Commissioner had determined that Telstra breached the Privacy Act in initially refusing Mr Grubb access to this metadata.

This decision of the Privacy Commissioner has confirmed that metadata can be 'Personal Information', and must be treated in accordance with the Australian Privacy Principles.

More importantly, the ruling has determined that each element of metadata, no matter how obscure and unintelligible on its own, will become Personal Information if it can be pieced together so that an individual's identity can be reasonably ascertained. The cost and the effort of doing so are not necessarily an impediment to this.

This ruling has implications for all businesses that hold data, whether identified or de-identified: when management systems connect, that information may now be subject to the Australian Privacy Principles, and must be treated the same way as other Personal Information.

Businesses should consider what anonymous customer data they collect and determine whether this data is managed in a way that meets the obligations prescribed under the Australian Privacy Principles, including the appropriate notification of collection requirements.

Background

On 8 August 2013, Fairfax journalist Ben Grubb requested access to the personal metadata that Telstra held about him. He wanted to see what agencies could get about him. This metadata included which cell tower his phone used at any given time, the phone numbers of both incoming and outgoing calls, IP addresses, URL information and all SMS data. At the time, Telstra was willing to provide only details of calls and data usage (essentially what appears on your phone bill), and stated that any further data was beyond the realms of what privacy laws would allow it to disclose. Mr Grubb lodged a complaint with the Privacy Commissioner stating that Telstra had breached the Privacy Act in not allowing him access to information it held about him.

The Privacy Commissioner's decision

The Commissioner determined that Telstra had breached National Privacy Principle 6.1 (its equivalent is now APP 12), in that it had interfered with Mr Grubb's privacy by failing to provide him with access to his Personal Information (being the metadata).

The determination by the Commissioner came down to whether metadata is considered Personal Information.

Telstra has already stated it will contest the decision.

What is metadata?

A useful way to think about metadata is to describe it as machine-produced data. In his ruling, the Commissioner effectively included within the scope of metadata certain network data, including: Internet Protocol (IP) address information; Uniform Resource Locator (URL) information; and cell tower location information (beyond the cell tower location information retained for billing purposes).

This determination also considered that the other metadata that Telstra had willingly handed over was also Personal Information, including: call data records for outgoing calls (including numbers, location, date and time), SMS and MMS messages on the user's phone, itemised bills, and subscriber information (including name, address, date of birth, email address, billing account number, IMSI (International Mobile Subscriber Identity), Personal Unlock Key, IMEI, colour of the user's device, their handset ID, and network type).

Content, or substance, included within metadata was expressly stated as lying outside the scope of metadata information.

How is metadata 'Personal Information'?

Under the previous definition of Personal Information, there were two key elements:

  1. The information must be about the individual; and
  2. The information must be information from which the individual's identity is apparent or can be reasonably ascertained.

The Commissioner easily found that the metadata in question was information about Mr Grubb.

Despite Telstra arguing that an individual's phone activity on the Telstra network was not Personal Information, in that a customer's identity cannot be ascertained from that metadata, the Commissioner found that Mr Grubb's identity could reasonably be ascertained because individual components of the metadata could be cross-matched between databases, systems and networks to link common identifiers and reasonably identify the individual.

Telstra argued that the time and cost involved in piecing together the various elements of metadata to form one combined set of information was impractical and would have no likelihood of ever occurring. This was disregarded by the Commissioner, who stated that Telstra has the resources and operational capacities to achieve this, leading to the determination that Mr Grubb's identity was reasonably ascertainable.

Impacts on business

If you hold even anonymous data that relates to individuals, you may need to treat it with the same care as Personal Information.

This determination shows that the Privacy Commissioner is taking a broad approach in the interpretation of the term 'Personal Information'. In fact, the new definition of Personal Information is even broader than the previous, so the scope of the Commissioner's definition may widen even more.

Simply de-identifying a record in a database (by removing names and other identifiers) may no longer be a sufficient way of protecting privacy. Any dataset that can potentially be linked to other data sources, leading to an individual's identity being ascertained, can be Personal Information.

Telstra collected elements or components of metadata from up to 13 different management systems across the Telstra network. Each on its own is an unusable piece of information. However, because each related to an individual and, when pieced together, an individual was able to be ascertained (regardless of the fact that it would take several databases and many man hours to achieve), these discrete pieces of data are considered Personal Information for the purposes of the Privacy Act.

This determination shows that despite the cost, obscurity and impractical nature of collating elements of metadata and identifying an individual, the Privacy Commissioner has made it clear that it is possible. That is, it is reasonably able to be achieved, and an individual's identity is able to be reasonably ascertained.

What should you do?

Subject to Telstra's appeal, businesses should be on alert that the broad interpretation of Personal Information, and the classification of each individual element of metadata as Personal Information, mean that each element of metadata will need to be afforded the same treatment as other data more traditionally recognised as Personal Information and be treated in accordance with the Australian Privacy Principles.

Businesses should consider whether they collect any anonymous usage data of their customers and how they manage that data. This data will now need to be stored, secured and disclosed in accordance with the Australian Privacy Principles. Further, if an individual is unaware that this information is being collected, they will need to be notified of the collection.

If your business collects any form of network or usage data of customers, such as IP addresses, geo-location tracking data, URL information or other forms of machine-generated data, you will need to review the internal practices of your company to determine how that information is stored, secured and handled, and whether at any point in the usage cycle it can be connected to an individual.

Businesses will need to consider whether this information is adequately dealt with in privacy policies and whether customers have been provided with adequate notification of collection in relation to this data.

As the global debate over what constitutes privacy and how much control individuals have over their Personal Information heats up, the cautionary step every business should take moving forward is to assume that even the most "anonymous" piece of data meets the definition of Personal Information and must be treated in accordance with the Australian Privacy Principles.
