The Australian Law Reform Commission (ALRC) has recommended in its Final Report on privacy law reform that the Privacy Act 1988 (Cth) be amended to include a new definition of 'personal information'.
Current definition of 'personal information'
'Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion'.
Proposed new definition 'personal information'
'Information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual'.
The words in brackets have been deleted since the definition of 'record' expressly includes 'information stored in electronic or other formats'.
Further, the new definition will mean that the Privacy Act will apply to information about an individual who is 'identified or reasonably identifiable', an amendment which will bring the Act more into line with other jurisdictions and international instruments including the APEC Privacy Framework, the OECD Guidelines, the Council of Europe Convention and the EU Directive.
The ALRC supports this wording because it captures information which, when combined with other information, would identify an individual. This includes other information the organisation has in its possession or other information the organisation has the capacity to access or is likely to access without unreasonable cost or difficulty. Under the current definition, if an individual's identity cannot reasonably be ascertained 'from the information or opinion' then the information will not be personal information. Therefore the new wider definition of 'personal information' will be relevant to all organisations and agencies because information that is held by them may now be subject to the Privacy Act.
Information that simply allows an individual to be contacted, such as a telephone number, a street address or an IP address, in isolation, would not fall within the recommended definition of 'personal information'. To assist organisations, the ALRC recommends that the Privacy Commissioner develop and publish guidance on the meaning of 'identified or reasonably identifiable'
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
