““Who are you?”
”No one of consequence.”
”I must know.”
”Get used to disappointment.””
— William Goldman, Privacy Commissioner v Telstra Corporation Limited FCAFC 4 (or “The Princess Bride”)
The Privacy Act 1988 (Cth) (Privacy Act) governs the way in which business entities and federal government agencies must handle personal information, largely through the 13 Australian Privacy Principles (APPs) set out in the Privacy Act.
The Privacy Act defines ‘personal information’ to mean:
“…information or an opinion about an identified individual, or an individual who is reasonably identifiable:
a) Whether the information or opinion is true or not; and
b) Whether the information or opinion is recorded in a material form or not”
By now, most advisers and most licensees understand the legal definition, but the practical definition is less certain.
The practical definition of personal information becomes particularly relevant when we assess an inadvertent disclosure of information, when we respond to a request for personal information from an individual, or when we are considering the possible detriment caused by a data breach.
Telstra and Personal Information
The definition of personal information is given extensive consideration in the cases of:
- Telstra Corporation Limited and Privacy Commissioner AATA 991, and
- Privacy Commissioner v Telstra Corporation Limited FCAFC 4 (collectively, Telstra).
You shouldn’t need a lawyer to tell you that words matter.
In these cases, the practical application of the Privacy Act (and all the attendant obligations) hinged on part of the legislative definition of ‘personal information’ and, in particular, on the words “about an identified individual”.
In Telstra, it was ultimately held that the first step when determining whether information is personal information is to ask: is the information about a particular person?
This may seem obvious, but think it through: personal information (or those nuggets of data that you consider to be personal information) is not subject to the protection of the Privacy Act unless it is about an identified individual.
Without getting too pedantic, the relevant meaning of the word ‘about’ is “concerning or relating to someone or something, on the subject of them or it”.
The words ‘about an individual’ require that the individual be the subject matter of the information or opinion. Put simply, if the datum is not about a specific individual, then it is not personal information.
Given that you may share your name with someone else (and in all probability you do), does your name identify a specific individual or a group of individuals? If you share a name with one or more of the 7.9 billion people on the planet, then your name, on its own, is unlikely to be personal information protected by the Privacy Act.
In reality, determining whether each item of information is about an individual requires an evaluative conclusion that depends upon the facts of each case. Importantly, even if a single piece of information is not ‘about the individual’ on its own, it may be about the individual when combined with other information.
Aggregation of information, and specificity, is what makes information personal and therefore protected from misuse and disclosure.
To be clear, if the information is not ‘about’ a particular person, then it cannot be personal information under the Privacy Act.
The second test we must apply to determine whether information is personal information requires us to ask: is the individual the information is about identified or reasonably identifiable?
Answering this question is also an evaluative process, and the outcome will differ based upon the facts of each case.
Telstra clarifies that, when answering this question, external material may be considered. For example, publishing a person’s name will not necessarily equate to identifying that person, particularly if the name is a common one. However, if an organisation publishes a statement such as:
“[Name] attends an Anglican grammar school in the Campbelltown area”
then this may constitute a disclosure of ‘personal information’, because by cross-matching the name with social media or the registries of Anglican grammar schools in the Campbelltown area the named person may be reasonably identified.
As stated in Telstra, determining whether information is personal information does not require that an organisation scours the public domain to ascertain whether there is information which can be connected to form personal information. Instead, it requires a practical consideration of what might be matters of general knowledge.
Telstra provides us with further examples. If, for example, the information is along the lines of:
“singer and songwriter who died prematurely”
then it is unlikely that it could be said that the identity of the individual can be reasonably ascertained from that information.
If the information is:
“female singer and songwriter who died prematurely”
then again, it is unlikely that it could be said that the identity of the individual can be reasonably ascertained from that information. But if the information is:
“English female singer and songwriter who was known for her eclectic mix of musical genres of soul, rhythm and blues and jazz but who died prematurely in July 2011”
then, according to the Telstra cases, this likely constitutes personal information because the aggregated data reasonably identifies, or is likely to identify, a specific individual.
“It’s not personal Sonny, it’s strictly business.”
— Michael Corleone, The Godfather (1972)
Applying the above to financial services: if, for example, a licensee inadvertently emails the name and investment strategy of a client to an unintended recipient, then it is unlikely that this information alone will constitute personal information, because a client cannot reasonably be identified by reference to a name and an investment strategy.
If the licensee in our example inadvertently emails the name, mobile phone number, email address and investment strategy of a client to an unintended recipient, then this information will likely constitute personal information. The inadvertent email is about the licensee’s client and, when the information is considered in totality, the mobile phone number or email address could be cross-matched on social media or otherwise to reasonably identify the client.
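The cross-matching described in the Campbelltown example and in the inadvertent-email example above can be made concrete. The following is an added illustration, not part of the original article or the Telstra judgments: it takes a constructed reference set (standing in for the social media profiles and school registries that Telstra treats as matters of general knowledge; the names and numbers are invented) and counts how many people each combination of disclosed attributes could refer to. A name alone matches several people; the name together with the school matches exactly one; a mobile number singles someone out on its own.

```python
"""Linkage check: how many records in a reference set a disclosed record can be
matched to, attribute combination by attribute combination.

Added example (not from the article). REGISTRY is a constructed stand-in for
publicly available material; every name, suburb and number is invented.
"""
from itertools import combinations

REGISTRY = [
    {"name": "Alex Nguyen", "suburb": "Campbelltown", "school": "Anglican grammar", "mobile": "0400 000 001"},
    {"name": "Alex Nguyen", "suburb": "Parramatta",   "school": "public high",      "mobile": "0400 000 002"},
    {"name": "Alex Nguyen", "suburb": "Campbelltown", "school": "public high",      "mobile": "0400 000 003"},
    {"name": "Sam Patel",   "suburb": "Campbelltown", "school": "Anglican grammar", "mobile": "0400 000 004"},
    {"name": "Sam Patel",   "suburb": "Liverpool",    "school": "Anglican grammar", "mobile": "0400 000 005"},
]


def candidates(registry, disclosed):
    """Records consistent with every disclosed attribute (exact, case-insensitive match).
    Attributes the registry does not hold (e.g. an investment strategy) never narrow
    the match, mirroring the point that a strategy on its own identifies nobody."""
    return [
        rec for rec in registry
        if all(str(rec.get(key, "")).lower() == str(val).lower() for key, val in disclosed.items())
    ]


def match_count(registry, disclosed):
    """Number of people the disclosed attributes could refer to."""
    return len(candidates(registry, disclosed))


def singles_out(registry, disclosed):
    """True when the disclosed attributes, taken together, match exactly one record."""
    return match_count(registry, disclosed) == 1


def identifying_subsets(registry, disclosed):
    """Smallest attribute combinations that single out one record.

    Useful after an inadvertent disclosure: it tells you which fields actually did
    the identifying, rather than treating every field in the record as equal.
    Supersets of a combination that already identifies are skipped.
    """
    keys = sorted(disclosed)
    found = []
    for size in range(1, len(keys) + 1):
        for combo in combinations(keys, size):
            if any(set(prior) <= set(combo) for prior in found):
                continue
            if singles_out(registry, {k: disclosed[k] for k in combo}):
                found.append(combo)
    return found


if __name__ == "__main__":
    name_only = {"name": "Alex Nguyen"}
    name_school = {"name": "Alex Nguyen", "school": "Anglican grammar"}
    breach = {"name": "Alex Nguyen", "suburb": "Campbelltown", "school": "Anglican grammar"}
    email_leak = {"name": "Sam Patel", "mobile": "0400 000 004", "strategy": "balanced growth"}
    print("name only:", match_count(REGISTRY, name_only), "candidates")
    print("name + school:", match_count(REGISTRY, name_school), "candidate")
    print("minimal identifying fields in breach:", identifying_subsets(REGISTRY, breach))
    print("minimal identifying fields in email:", identifying_subsets(REGISTRY, email_leak))
```

The reference set is the whole question. Telstra does not require you to scour the public domain, so the registry you test against should contain only what is reasonably treated as general knowledge; the same disclosed fields will single someone out against a rich dataset and nobody against a sparse one, and exact matching is a floor, since a real cross-match would also tolerate spelling variants and partial numbers.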
Think of your Discovery process.
- If your file note/fact find only records a client’s name, is it personal information?
- If your file note/fact find only records a client’s name and their goals and objectives, is it personal information?
- If your file note/fact find records a first name and a suburb and their goals and objectives, is it personal information?
- Is a first name and a date of birth, by itself, personal information?
- Is a business phone number, by itself, personal information?
In all likelihood, the answer to each of these questions is no, because the information does not identify a specific individual.
The devil, as compliance experts often tell you, is in the detail. The amount and nature of the information you collect, and the ease with which it can be combined with other information to identify an individual, are relevant considerations, but the Courts (and the law) focus on reasonableness.
It is the aggregation of information, its specificity and its illuminative and evidentiary value that determine whether it is personal information. Unless the information can identify a specific individual then, at least according to the Telstra cases, the information is not personal information protected by the Privacy Act.
This may be quite different to what you’ve assumed.
To deal with this nuanced and highly contextualised definition, as financial services providers we must make practical assessments of the information we hold and disclose to determine whether or not it does in fact constitute personal information.
This is particularly relevant when you’re considering privacy or data breaches.
It is common for some licensees (and some advisers) to treat any information they hold as personal information protected by the Act, but that is not the case. Instead of defaulting to the assumption that a breach has occurred, responsible entities need to consider the nature of the information disclosed or released. If it does not, by itself, identify a specific individual, then it is not personal information and is therefore not protected. If it does not identify a specific individual by itself but does so in the aggregate, then it is personal information.
We may choose to err on the side of caution, and the OAIC suggests we do, but we may also choose when we take on the liabilities and obligations imposed on us by the Privacy Act. You might never misuse or release personal information, but you may also choose not to collect it in the first place.