- The Privacy Act 1988 (Cth) places a set of legal obligations on businesses and government agencies alike. These obligations are triggered whenever data meets the definition of ‘personal information’.
- In a landmark case, the Federal Court ruled against the Privacy Commissioner and determined that the definition of ‘personal information’ has two elements: data must pass both a subject matter test and an identifiability test.
- The case was decided on narrow grounds under an earlier version of the legislation, so its application to other organisations is not immediately apparent.
In 2013, the Australian Government was preparing to introduce its mandatory data retention laws, which would require telcos to keep ‘metadata’ on their customers for two years in case the data was needed later for national security or law enforcement purposes.
A Fairfax technology journalist, Ben Grubb, was curious as to what metadata, such as the geolocation data collected from mobile phones, would actually reveal about an individual. He wanted to illustrate the power of geolocation data to reveal insights into not only our movements, but our behaviour, intimate relationships, health concerns or political interests.
Exercising his rights under what was then National Privacy Principle (NPP) 6.1 in the Privacy Act 1988 (Cth), Ben sought access from his mobile phone service provider, Telstra, to his personal information – namely, ‘all the metadata information Telstra has stored about my mobile phone service (04…)’.