This week we saw a landmark ruling by Australian Privacy Commissioner Timothy Pilgrim.
Fairfax journalist Ben Grubb was granted the right to receive his own personal metadata, two years after initially making the request.
This ruling adds significant weight to the ongoing global debate over what actually constitutes privacy and how much control individuals have over their personal data. This debate has been touted in the media as a “global shift” – so what does this mean for organisations when dealing with personal information?
In Ben Grubb’s case, he argued that spies, councils, the RSPCA and other agencies could access his mobile phone metadata – but he couldn’t. His goal was to be able to map his metadata, like German politician Malte Spitz did after he successfully sued his telco in 2011 to illustrate how invasive the storage of all your metadata could be.
This example comes back to what constitutes personal information: information that can reasonably identify an individual. Answering that question is the most important first step when handling potentially sensitive or personal data. Can you use this information to identify an individual person, even if it takes multiple steps to get there?
Telstra argued that data about the cell towers connecting to an individual’s phone was not personal information about that individual – but this argument was overruled: even with names, addresses, phone numbers and other identifiers removed, a person’s identity could still be determined by cross-matching different datasets.
This case proves that privacy – dealing with individuals’ personal information – can be a minefield.
As former Deputy Privacy Commissioner for NSW Anna Johnston said, this example goes far beyond the telcos. She urges organisations to use caution and assume that even ‘anonymised’ data can in fact be ‘personal information’ – meaning that if it ended up in the wrong hands, that organisation could cop a fine from the Privacy Commissioner.
This ruling shows how topical this year’s Privacy Awareness Week theme is – privacy every day. What could your metadata say about you? What stories could the personal information you hold tell about your customers?