By -


  • The Privacy Act 1988 (Cth) places a set of legal obligations on businesses and government agencies alike. These obligations are triggered whenever data meets the definition of ‘personal information’.
  • In a landmark case, the Federal Court ruled against the Privacy Commissioner and determined that the definition of ‘personal information’ has two elements: data must pass a subject matter test, and an identifiability test.
  • The case was decided on narrow grounds under an earlier version of the legislation, so its application to other organisations is not immediately apparent.

In 2013, the Australian Government was preparing to introduce its mandatory data retention laws, to require telcos to keep ‘metadata’ on their customers for two years in case the data was needed later for national security or law enforcement purposes.

A Fairfax technology journalist, Ben Grubb, was curious as to what metadata, such as the geolocation data collected from mobile phones, would actually reveal about an individual. He wanted to illustrate the power of geolocation data to reveal insights into not only our movements, but our behaviour, intimate relationships, health concerns or political interests.

Exercising his rights under what was then National Privacy Principle (NPP) 6.1 in the Privacy Act 1988 (Cth), Ben sought access from his mobile phone service provider, Telstra, to his personal information – namely, ‘all the metadata information Telstra has stored about my mobile phone service (04…)’.

You've reached the end of this article preview

There's more to read! Subscribe to LSJ today to access the rest of our updates, articles and multimedia content.

Subscribe to LSJ

Already an LSJ subscriber or Law Society member? Sign in to read the rest of the article.

Sign in to read more