Snapshot
- Australian entities are at risk if they do not understand the breadth of data covered by their legal obligations under the Privacy Act.
- Recent determinations by the OAIC demonstrate that the reach of privacy laws extends beyond what some organisations might expect.
- Tech vendors, IT teams and legal advisors who rely on an industry notion of ‘personally identifying information’, rather than the statutory definition, can fall foul of the correct legal test.
Most information privacy and data protection laws around the world have as their starting point some notion of identifiability. Legal obligations will typically only apply to data that relates to an ‘identifiable’ person.
For example, Australian privacy laws create privacy principles, which apply only to data which meets the definition of ‘personal information’. Section 6 of the Privacy Act 1988 (Cth) (‘Privacy Act’) defines this as:
‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not’.
The point of this legal definition is that if no individual is identifiable from a set of data, then the privacy principles – the backbone of an organisation’s legal obligations – simply won’t apply. If no individual can be identified from a dataset, then the dataset can be released as open data; matched with, shared with or sold to other organisations; or used for a new purpose such as data analytics, all without breaching privacy law.
Or so the theory goes.
In reality, determining whether or not an individual might be considered in law to be ‘identifiable’ is not straightforward. The scope of what is included within the notion of identifiability may surprise many organisations.