Two years ago a journalist for the Sydney Morning Herald requested that Telstra provide copies of his personal information held by Telstra, including any metadata that Telstra held. The original purpose of the request was to demonstrate the scope of information that could be provided to law enforcement bodies under the proposed data retention laws.
While the data retention laws have now passed, the controversial decision of the Privacy Commissioner sheds light on the potential scope of personal information in the digital age. While there has been a good deal of commentary about the decision's impact on the telecommunications industry, the decision could have a much wider impact on all organisations that use big data. In particular, organisations may have to reconsider how they store and access that big data.
When will an individual's identity be apparent or reasonably ascertained?
To fit within the definition of personal information, the individual's identity must be "apparent" or "reasonably ascertained" from the information. While it's clear that information within the same system can be linked with other information in that system to identify an individual, what about information that is held across a number of different systems?
Organisations will often store information that is clearly not identifiable information (for example data relating to the traffic network such as IP addresses and URLs) in a system that is separate to the system in which customer (ie personal) information is stored. When will it be reasonable for cross-matching against different network management and records management systems to produce the type of information that could be considered personal information?
It's generally accepted that what is reasonable will depend upon all the circumstances in each case, and in particular:
- the complexity of the cross-referencing needed to link the information;
- the degree of certainty that connections could be made with that information to identify the individual; and
- the available resources and operational capacities of the organisation.
In this instance, Telstra stated that it captures metadata across up to 13 network management systems, and that access to at least three of those systems would be required to link the relevant information such that an individual's identity would be apparent. Telstra confirmed that it currently undertakes such searches to resolve complaints about connectivity service and performance, and to satisfy requests from law enforcement authorities under the relevant legislation. Telstra also confirmed that by doing so, there was a "good degree of certainty" in identifying an individual.
The Privacy Commissioner also observed that Telstra is a large organisation with many resources at its disposal, including a pool of over 120 staff with expertise in this type of data retrieval. In addition, this pool of staff currently engages in this type of data retrieval, and so would not need to be pulled off other duties to attend to the search.
The Privacy Commissioner found that, while the process of metadata retrieval may be lengthy and/or complex, Telstra did not demonstrate that the process of cross-referencing different systems to provide the relevant information is beyond what is reasonable relative to its resources and existing operational capacities.
What does the decision mean?
Organisations that deal with a large amount of data should be looking at how they store data, how easy it would be to cross-reference that data, and whether or not they have the capability and capacity to do so.
Generally, the more sophisticated an organisation, the more likely it is that such cross-referencing could be made, bringing a large amount of what may have previously been considered to be unidentifiable information into the category of personal information. This has ramifications not only for providing access to a wider range of information, but also obligations in relation to the collection, use and security of that information.
This decision again highlights the uneasy relationship between the protection of personal information and the use of big data to help provide a wider, more accessible and more connected range of services to individuals, and to help organisations realise greater commercial profits.
Earlier this year Xerox commissioned Forrester Consulting to conduct research in relation to how organisations in Europe are using big data and data analytics. The report found that 37 percent of respondents said data security and privacy is the biggest hurdle they have to overcome when implementing big data strategies. This hurdle may become greater once the new General Data Protection Regulation becomes EU law, as the current draft gives data owners more control over the use of their data than is provided for by the current EU Data Protection Directive.
The EU approach is most starkly contrasted with that of the US, where data privacy is not highly regulated. While Australia seems to be sitting between the two regimes, the changes to the Privacy Act and this decision of the Privacy Commissioner seem to indicate that the Australian regulatory regime is swinging ever closer to the EU approach.
But wait… there's more
As noted above, this is a controversial decision. The Communications Alliance has slammed the decision, stating that it is a stark example of regulatory overreach, and Telstra has advised that it will appeal the Privacy Commissioner's decision. It is likely that the appeal will be made to the Administrative Appeals Tribunal, which will provide an independent merits review of the decision, and has the power to set aside, vary, or affirm the determination made by the Privacy Commissioner.