In a landmark decision on 1 May 2015, the Privacy Commissioner made clearer what is meant by “personal information” and “metadata”, with potentially far-reaching consequences for all organisations that are caught by the Privacy Act.
The decision confirms that businesses must take a conservative and cautious approach to how their systems handle data if they are to comply with the Privacy Act. The argument that information is difficult to protect (or, in this case, difficult to produce to someone on request) is not a good enough reason to avoid taking steps to ensure that the way the organisation deals with that data complies with the Act. In practical terms, organisations should review the types of information they hold about individuals and ask whether components held separately, each of which may not be “personal information” on its own, could be combined to create data that is “personal information” and therefore subject to the Privacy Act.
Under the Privacy Act, personal information is defined to include any information about an identified individual, or an individual who is reasonably identifiable. Most people, for example, cannot identify an individual from a licence plate alone. Some government agencies, however, hold information that links a licence plate to an identified individual, so for those agencies a licence plate is personal information. Whether an individual is reasonably identifiable will depend on the circumstances, including what other information the holder has and how readily it can be combined.
There is currently no legal definition of metadata, but it is generally understood to be data generated by online activity or other electronic communication that describes the communication rather than its content. Metadata about a phone call, for example, records the caller’s number, the time and length of the call and the physical location of the recipient, but not what was said on the call.
The landmark decision[i] concluded a two-year battle between Grubb and Telstra Corporation Limited (Telstra), with the Commissioner agreeing that the information Grubb was seeking was personal information, and that Telstra was therefore required under the Privacy Act to give Grubb access to it.[ii]
Grubb[iii], a Fairfax Media journalist, had for two years been seeking information described as “metadata”: information Telstra held in relation to his mobile phone service, including cell tower logs, inbound call and text details, the duration of data sessions and telephone calls, and the Uniform Resource Locators (URLs) of websites he had visited. Telstra refused to provide the information and told Grubb that a subpoena would be required before it would release it. Grubb complained to the Privacy Commissioner that Telstra had breached the Privacy Act by failing to give him access to his own personal information[iv].
The crux of Telstra’s argument was that the “metadata” that was requested by Grubb was not personal information. They argued that the information that he requested was not personal information about Grubb as it was not data that was linked in such a way that his identity was apparent or could be reasonably ascertained.
But the Commissioner disagreed.
Telstra’s evidence was that matching the metadata with other data to identify a particular individual would take a minimum of four days of full-time work to retrieve one week’s worth of data, or a minimum of 12 days of full-time work for four or more weeks’ worth. But this was a process Telstra already had in place and used in practice, both for network assurance and in responding to metadata requests from law enforcement agencies and other regulatory bodies. The Commissioner accepted that extracting the information might be lengthy and require specialists, but, having regard to Telstra’s resources and operational capacity, found it reasonable in the circumstances. Accordingly, Telstra was found to be in breach of the Privacy Act for failing to give Grubb access to his personal information, and the Commissioner required Telstra to provide it within 30 business days and free of charge.
The decision has far-reaching consequences for any organisation that deals with personal information, with information that might reasonably identify an individual, or even with “big data”. Any information that can be linked with other information the entity holds to identify a person could now be treated as personal information. Simply de-identifying the information may not be enough to take it outside the Privacy Act: if the organisation also holds the data needed to re-link it to an individual, the de-identified information may still be protected under the Act.
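The linkage point above is easy to test in practice. The following is an added example, not part of the original article or of the decision, showing the kind of review an organisation can run over its own tables: a “de-identified” metadata table carries no names, but a shared device identifier joins it to a subscriber table held elsewhere in the business, at which point the metadata describes an identified individual. The tables, field names and identifier values are constructed for illustration.

```python
"""Added example: does a pseudonymised metadata table become personal
information once joined to other tables the organisation holds?
All sample data below is constructed and not taken from the decision."""

# Fields that identify a person on their own (assumed list, not from the Act).
DIRECT_IDENTIFIER_FIELDS = {"name", "address", "email", "phone_number"}

# Constructed pseudonymised call/data metadata: no names, only a device id.
METADATA = [
    {"device_id": "D-1001", "cell_id": "C-77", "event": "call_out", "duration_s": 312, "ts": "2015-04-01T08:15:00"},
    {"device_id": "D-1001", "cell_id": "C-77", "event": "sms_in", "duration_s": 0, "ts": "2015-04-01T08:20:00"},
    {"device_id": "D-2002", "cell_id": "C-12", "event": "data", "duration_s": 1800, "ts": "2015-04-01T09:00:00"},
    {"device_id": "D-3003", "cell_id": "C-77", "event": "call_in", "duration_s": 45, "ts": "2015-04-01T09:05:00"},
]

# Constructed identified subscriber table held by another part of the business.
SUBSCRIBERS = [
    {"device_id": "D-1001", "name": "A. Person", "address": "1 Example St"},
    {"device_id": "D-2002", "name": "B. Person", "address": "2 Example St"},
]


def direct_identifiers(rows):
    """Fields present in a table that identify a person without any linkage."""
    present = {field for row in rows for field in row}
    return sorted(present & DIRECT_IDENTIFIER_FIELDS)


def shared_keys(rows_a, rows_b):
    """Field names common to both tables: the candidate join keys for linkage."""
    fields_a = {field for row in rows_a for field in row}
    fields_b = {field for row in rows_b for field in row}
    return sorted(fields_a & fields_b)


def link(metadata, identified, key):
    """Join metadata rows to identified rows on `key`.

    Returns (linked, unlinked). Linked rows now carry the person's details,
    so each of them is information about an identified individual."""
    index = {row[key]: row for row in identified}
    linked, unlinked = [], []
    for row in metadata:
        match = index.get(row.get(key))
        if match is None:
            unlinked.append(row)
        else:
            extra = {k: v for k, v in match.items() if k != key}
            linked.append({**row, **extra})
    return linked, unlinked


def audit(metadata, identified):
    """Report whether the metadata identifies anyone on its own, and which
    subjects become identifiable once it is linked to the identified table."""
    keys = shared_keys(metadata, identified)
    identified_subjects, unidentified_subjects = set(), set()
    for key in keys:
        linked, unlinked = link(metadata, identified, key)
        identified_subjects.update(row[key] for row in linked)
        unidentified_subjects.update(row[key] for row in unlinked)
    unidentified_subjects -= identified_subjects
    return {
        "identifying_on_its_own": bool(direct_identifiers(metadata)),
        "join_keys": keys,
        "identified_subjects": sorted(identified_subjects),
        "unidentified_subjects": sorted(unidentified_subjects),
    }


if __name__ == "__main__":
    print(audit(METADATA, SUBSCRIBERS))
    linked, _ = link(METADATA, SUBSCRIBERS, "device_id")
    for row in linked:
        print(row["name"], row["event"], row["cell_id"], row["ts"])
```

On its own the metadata table has no direct identifiers, yet the audit reports that three of its four rows describe named subscribers once joined on `device_id`. That join is the “reasonable steps” question the Commissioner asked: whether the holder can perform it, not whether an outsider could.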
If this is confusing, you are not alone. This is a complex area and, as businesses are now starting to realise, one that is fraught with danger for organisations that do not take the time to consider what the legislation means for their business processes and documents. If you are unsure, contact us on [email protected] or (02) 8006 0830 for assistance.
[i] Ben Grubb and Telstra Corporation Limited (Telstra) [2015] AICmr 35 (1 May 2015)
[ii] The decision is highly relevant in light of the mandatory metadata retention laws passed by the Senate in March this year, which require phone and internet providers to store metadata for two years. Telstra has already indicated that it will appeal, on the basis that the Privacy Commissioner’s decision requires it to go beyond what the new data retention regime and its obligations to assist law enforcement agencies demand. Watch this space for further developments in this case.
[iii] Grubb says that he wanted access to this information since the government by legislation could gain access to this information without a warrant. He reasoned that he should also be able to access his own metadata.
[iv] As set out in National Privacy Principle (NPP) 6.1 under the Privacy Act. Grubb’s request was made before the changes to the Privacy Act commenced on 12 March 2014, so the NPPs applied to these events. Following the reform, it is now the Australian Privacy Principles (APPs) that apply; the current equivalent of NPP 6 is APP 12.
Disclaimer: The material contained on this website is provided for general information purposes only and does not constitute legal advice. You should not depend upon any information appearing on this website without seeking legal advice. We do not guarantee that the contents of this website will be accurate, complete or up-to-date.