By -


  • Australian entities are at risk if they do not understand the breadth of data which is covered by their legal obligations under the Privacy Act
  • Recent determinations by the OAIC demonstrate that the reach of privacy laws extends beyond what some organisations might expect.
  • Tech vendors, IT teams and legal advisors who rely on an industry notion of what is personally identifying information can fall foul of the correct legal test.

Most information privacy and data protection laws around the world have as their starting point some notion of identifiability. Legal obligations will typically only apply to data that relates to an ‘identifiable’ person.

For example, Australian privacy laws create privacy principles, which apply only to data which meets the definition of ‘personal information’. Section 6 of the Privacy Act 1988 (Cth) (‘Privacy Act’) defines this as:

‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not’.

The point of this legal definition is that if no individual is identifiable from a set of data, then the privacy principles – the backbone of an organisation’s legal obligations – simply won’t apply. If no individual can be identified from a dataset, then the dataset can be safely released as open data; matched or shared with or sold to other organisations; or used for a new purpose such as data analytics, without breaching privacy law.

Or so the theory goes.

In reality, determining whether or not an individual might be considered in law to be ‘identifiable’ is not straightforward. The scope of what is included within the notion of identifiability may surprise many organisations.


You've reached the end of this article preview

There's more to read! Subscribe to LSJ today to access the rest of our updates, articles and multimedia content.

Subscribe to LSJ

Already an LSJ subscriber or Law Society member? Sign in to read the rest of the article.

Sign in to read more