- Do not assume anonymous information is anonymous; question whether it can be linked to identifying information.
- Run a test on your internal systems -- could your organisation respond easily and on a timely basis to a request like the one Telstra faced?
- Update your information governance policies and reporting to cover seemingly anonymous data.
The data retention issue
Following amendments to the Privacy Act 1998 (Cth) in 2014 to strengthen privacy protection and give the Privacy Commissioner power to impose significant penalties for interferences with privacy, the federal government introduced and passed the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth).
That Act required, among other things, telecommunications providers to retain computer and phone metadata for customers for a period of 2 years. At the time, a number of telcos complained and noted that they did not currently retain that information as it was not needed for their businesses. If they did, they argued, they would be in breach of their obligations under the Privacy Act: Catch 22.
However, Attorney-General George Brandis and his colleagues were adamant that such information needed to be retained and made available to law enforcement agencies "as reasonably necessary" and so with the threat of national security the laws were passed.
But, what is metadata?
Metadata can certainly be confusing. During the passage of the data retention law, a number of government ministers tasked with helping "sell" the new laws struggled to even enunciate what metadata meant, and the media had a field day. Meanwhile, in a parallel universe, Telstra and the Privacy Commissioner were arguing in granular detail what constituted metadata and how it related to personal information under the Privacy Act.
A useful way to think about metadata is to describe it as machine-produced data. In his ruling, the Privacy Commissioner effectively included within the scope of metadata certain network data including: Internet Protocol (IP) address information, Uniform Resource Locator (URL) and cell tower location information (beyond the cell tower location information retained for billing purposes).
This ruling also considered that the other metadata that Telstra had willingly handed over was also personal information, including: call data records for outgoing calls (including numbers, location, date and time), SMS and MMS messages on the user's phone, itemised bills, subscriber information (including name, address, date of birth, email address, billing account number, IMSI (International Mobile Subscriber Identity), and Personal Unlock Key, IMEI, colour of the user's device, their handset ID and network type). Content, or substance, included within metadata was expressly stated as lying outside the scope of personal information.
What did the Privacy Commissioner decide about metadata?
The Privacy Commissioner determined that Telstra breached the Privacy Act in initially refusing Mr Grubb access to this metadata.
This decision of the Privacy Commissioner has confirmed that metadata can be "personal information", and must be treated in accordance with the Australian Privacy Principles.
Telstra has stated that it would appeal the decision but as yet there is no publicly available information about an appeal being lodged.
More importantly, the ruling has determined that each element of metadata, no matter how obscure and unintelligible on its own, will become personal information if it can be pieced together so that an individual's identity can be reasonably ascertained. The cost and the effort of doing so are not necessarily an impediment to this.
This ruling has implications for all businesses that hold data, including identified and de-identified data, as when management systems connect, that information may now be subject to the Australian Privacy Principles, and must be treated the same way as other personal information.
Businesses should consider what anonymous customer data they collect and determine if this data is managed in a way that meets the obligations prescribed under the Australian Privacy Principles. This includes the appropriate notification of collection requirements.
What does this mean for businesses other than Telcos?
Companies that hold anonymous data that relates to individuals may need to treat it with the same care as if it were personal information.
Any dataset which can potentially be linked to other data sources leading to an individual's identity being ascertained can be personal information.
Telstra collected elements or components of metadata from up to 13 different management systems across the Telstra network. A number of these were, on their own, unusable pieces of information. However, because each related to an individual and, when pieced together, allowed an individual to be identified (regardless of the fact that it would take several databases and many man hours to achieve), these discrete pieces of data are now clearly considered personal information for the purposes of the Privacy Act in its current form.
This determination shows that despite the cost, obscurity and impractical nature of collating elements of metadata and identifying an individual, if it can be done as a practical matter then the consequent linked information is personal information.
Subject to Telstra's appeal, businesses should be on alert that the broad interpretation of personal information, and the classification of each individual element of metadata as personal information, mean that each element of metadata will need to be afforded the same treatment as other data more traditionally recognised as personal information and be treated in accordance with the Australian Privacy Principles.
Businesses should consider whether they collect any anonymous usage data of their customers and how they manage that data. Can it be linked to an individual? This data will now need to be stored, secured and disclosed in accordance with the Australian Privacy Principles. Further, if an individual is unaware that this information is being collected, they will need to be notified of the collection.
If your business collects any form of network or usage data of customers, such as IP addresses, geo-location tracking data, URL information or other forms of machine-generated data, you will need to review the internal practices of your company to determine how that information is stored, secured and handled, and whether at any point in the usage cycle it can be connected to an individual.
Businesses will need to consider whether this information is adequately dealt with through internal privacy policies and procedures and whether customers have been provided with adequate notification of collection in relation to this data.
Note: This is an extract from Privacy Law Bulletin, August 2015, Volume 12 No 8