This LAWFIT™ Privacy Guide is published as part of a series of legal and regulatory guides on data and privacy. Below we examine the central definition of ‘Personal Information’ under Australian privacy law.
“Personal Information” (‘PI’) is defined under the Privacy Act 1988 (Cth) (‘Act’) as:
(a) information or an opinion about an identified individual, or an individual who is reasonably identifiable:
whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
Thus, for information to be PI under the Act, it must be about either an ‘identified individual’, or an individual who is ‘reasonably identifiable’. We break this down below.
An ‘identified individual’: An individual is generally considered to be ‘identified’ when, within a group of persons, he or she is ‘distinguished’ from all other members of a group. Even the if individuals’ name is not used, a detailed description or a photograph may allow the information to be linked back to the specific person that it relates to and therefore constitute PI.
For example, which of these individuals are ‘distinguished’ from other members of the group?
Perhaps the man in the cap? But in any case probably only to his best friends or family, and even then probably not without more information. That further information might be, for example, the fact that the person loves live music and always wears a black cap, or the fact that it was known they were at this particular concert.
An individual who is ‘reasonably identifiable’: In addition, an individual can be ‘identifiable’ for the purposes of the Act where the information is able to be linked with other information that ultimately identifies the individual. This require a contextual consideration of the particular circumstances, including:
• The nature and amount of information;
• Who will hold and have access to the information; and
• The practicability of using that information to identify an individual.
With respect to the last point, even though it may be technically possible to identify an individual, if identifying the individual is so impractical that there is almost no likelihood of it occurring, then the information would not generally be regarded as ‘PI’. Taking the image of the man in the black cap above, this person could potentially be identified if one had access to the list of people who bought tickets for the event. However, on balance, an outsider obtaining access to this list is likely to be so impractical that there is almost no likelihood of it occurring. Therefore to an outsider who does not know the person, the man in the black cap is not ‘reasonably identifiable’.
Fortunately for those seeking to bring certainty to this area, the subjectiveness of the above is tempered under the Act, as a number of categories of information are explicitly recognised (under section 6 of the Act) as PI:
• ‘Sensitive information’ (includes information or opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, sexual orientation or criminal record, provided the information or opinion otherwise meets the definition of PI).
• ‘Health information’ (which is also ‘sensitive information’).
• ‘Credit information’.
• ‘Employee record’ information (subject to exemptions).
• ‘Tax file number information’.
Further, the following examples have been explicitly recognised by the OAIC as PI:
• Information relating to a person’s private or family life – e.g. name, signature, home address, email address, telephone number, date of birth, medical records, bank account details.
• Information about working habits and practices – e.g. employment details such as work address and contact details, salary, job title and work practices.
• Commentary or opinion about a person – e.g. a referee’s comments about a job applicant’s career, performance, attitudes and aptitude is ‘information about that person. (The referee’s comments may also be PI about the referee themselves as they provide information about the referee’s views on a particular subject.)
• An opinion about an individual’s attributes based on other information about them – e.g. an opinion formed about an individual’s gender and ethnicity, based on information such as their name or their appearance. (This will be PI about the individual even if it is not correct.
• Information or an opinion inferred from their activities – e.g. a person’s tastes and preferences based on online credit card purchases, or from their web browsing history.
• Certain business information – e.g. information about a loan taken out by a sole trader individual to purchase equipment, or about utility usage.
Although not explicitly recognised as PI under the Act, information may fall under the definition of PI under other legislation. For example, certain telecommunications data (sometimes referred to as ‘metadata’) is taken to be PI for the purposes of the Act.
However, information does not have to be explicitly recognised as PI to constitute PI under the Act.
The definition of PI from the Act expressly states that information is PI ‘whether the information or opinion is recorded in a material form or not’.
PI can be in any format – it is not limited to information that is contained in written records. For example, this can include information that is:
• Shared verbally;
• Captured digitally in stills;
• Recorded in video and/or audio form; or
• Recorded in biometrics and DNA.
PI is not necessary exclusive to an individual. On the contrary, the PI of one individual can also be the PI of one or more other individuals. An example of this is the situation identified above, where a person gives a work reference for someone. The professional reference contains PI about the subject of the reference, though may also be the PI of the person giving the reference. Information which reveals PI about more than one person is known as ‘joint PI’.
PI is anything that is not capable of reasonably identifying an individual, either on its’ own or together with other information. For example:
• A photo of a crowd that does not show enough details to determine the gender or identifying features of an individual.
• Information that is not about an individual, such as an aerial photograph of people on a beach where no unique individual’s identity is discernible.
• Generally speaking, information about a business.
• Information about a deceased person.
• ‘De-dentified’ information – under the Act, this means the removal or alteration of the identifying attributes of information so that there is a very low risk of re-identification.
(a) PI is information or an opinion ‘about’ an identified or ‘reasonably identifiable’ individual.
(b) Certain categories of PI are set out in the Act, and are beyond debate.
(c) In determining whether information is PI, consider whether the information reveals a fact or opinion about the person in a way that is not too tenuous or remote?
(d) PI can be in any format, and does not have to be written.
(e) PI must be about a natural person and will not generally include business information or de-identified information.
(f) When in doubt, err on the side of caution and treat the information as PI.
This article should not be considered legal advice. If you would like to learn more about the collection of personal information under the Privacy Act, please contact us below.