Metadata: what’s it all about?
Can metadata be personal information protected by Australia’s Privacy Act? A recent case considered this question.
Defining metadata
Before looking at the case, we should define what we mean by “metadata”.
Let’s use an example of a client file that a professional adviser would hold for a client. Inside the file there is printed material and notes, including personal information about the client. On the front of the file there is other information including the name of the client, details of the matter, the matter number, and when the file was opened.
The information on the front of the file is metadata: data that describes or gives information about the contents of the file.
Some types of metadata could be personal information. The cover of the client file, for example, includes the client’s name.
For other types of information, the answer is not so clear. Is the matter number for the file personal information of the client? If you only had the matter number, you would not be able to identify the client. But if you looked up the client records, you could cross reference the matter number to the client’s name.
The Grubb case
In Telstra Corporation Limited and Privacy Commissioner [2017] FCAFC 4, the Federal Court of Australia ruled on a long running dispute about whether mobile network metadata was personal information. The decision hinged on the interpretation of the whether the data was information “about an individual”.
Until the Privacy Act amendments in 2014, personal information was defined as information or an opinion about an individual whose identity is apparent, or can be reasonably ascertained, from the information or opinion.
It all began when journalist Ben Grubb made a request to Telstra in 2013 to access all metadata information stored by Telstra about his mobile phone service. Telstra gave him some information but refused to give access to its mobile network data, which includes metadata. Mr Grubb then filed a privacy complaint. The Privacy Commissioner ruled that the mobile network data was personal information and ordered Telstra to provide access. Telstra appealed to the Administrative Appeals Tribunal (“AAT”) and won, and the Privacy Commissioner then took the matter to the Federal Court, which again found in favour of Telstra.
The AAT decision that was appealed was given by Deputy President Forgie. She told a story about how she had to take her new car back to the dealer for repairs, which required a replacement part. The dealer had a service order and record for the car which included information about that part and the car. However, she said, that information “is not information about me. That is so even if the service records referred to the registration number of my car and even my name.” And the fact that the information could be traced back to her from the service records or service order did not change the nature of the information.
The Federal Court agreed with this line of thinking. It held that for information to be “about an individual”, the individual had to be the “subject matter” of the information. But the court also said that information can have multiple subject matters. That means in every case you have to consider whether the particular item of personal information is information about an individual. This requires “an evaluative conclusion, depending on the facts of any individual case.”
The court decision set out some examples. Mr Grubb was given information about the colour of his mobile phone and the network type it used (3G). In the judges’ view, this was not information about him – either by itself or with other information.
So was the metadata information requested by Mr Grubb information “about” him? The AAT said no, and the Federal Court did not reconsider this finding, because the appeal by the Privacy Commissioner from the AAT decision didn’t challenge the AAT’s finding that the metadata was not “about” Mr Grubb. The appeal by the Privacy Commissioner instead argued that asking whether information was “about” and individual was the wrong test. In effect the Privacy Commissioner was arguing that the words “about an individual” are redundant in the definition of personal information: as long as an individual’s identity is apparent “or could be reasonably ascertained” from the information, it will be personal information. The court rejected that argument.
Changes to the law
In the four years since Mr Grubb first made his request, things have moved on.
Amendments were made to the telecommunications legislation in 2015 which require telecommunications providers to retain certain metadata. This information is now deemed to be personal information “about an individual” if it relates to the individual or to a communication to which the individual is a party.
Although telecommunications metadata is now personal information, other kinds of metadata are not treated the same way and so the Grubb case is still relevant. There is plenty of metadata that is not telecommunications data, and it is growing exponentially. In the financial services area, for example, some kinds of payment transaction data may be metadata.
The definition of “personal information” in the Privacy Act has also been amended.
Personal information is now defined as “information or an opinion about an identified individual, or an individual who is reasonably identifiable”. The amended definition still uses the word “about”, but personal information is now information about an identified individual (or an individual who is reasonably identifiable), not just information about an individual.
Conclusion
Some commentators have been critical of the court’s decision in the Grubb case, because it requires you to look at the facts of each situation and consider whether the item of information is “about” an individual. This leads to uncertainty as to how the law applies. But the court’s finding is quite a sensible way of dealing with legislation that tries to impose general obligations in relation to something which can be very hard to delineate in the real world: namely, personal information.
In practice, most organisations will play it safe and treat their information as if it were personal information - if there’s doubt as to what it’s about.