Privacy, metadata and the new landscape

15 Feb 2017

  • Governance
  • Data
  • Privacy and Compliance

Barely underway and the new year is already delivering some interesting things. On 19 January the Federal Court of Australia handed down its long-awaited decision in the Privacy Commissioner’s submission: Grubb vs Telstra. As marketers we must be aware that it’s a case of some significance to privacy.

For those of you who may have missed it, here’s a quick précis:

This case was initiated by Fairfax tech journalist Ben Grubb who asked Telstra in June 2013 for all of the Personal Information (PI), including metadata they had on his customer file for his mobile phone service, including (but not only) cell tower logs, inbound call and text details, duration of data sessions and telephone calls and the URLs of websites visited. He was curious to discover what that metadata might show.

Personal information is defined, according to law firm Minter Ellison as “information or an opinion about an identified individual, or an individual who is reasonably identifiable."

Telstra fulfilled the request however without the requested metadata, citing that it was unidentifiable ‘network data’ and their compliance with the Privacy Act (2003). Metadata, so you know, can be best defined as a set of data that describes and gives information about other data, like geolocation data for example.

At this point Mr Grubb asked the Office of the Australian Information Commissioner (OAIC i.e. the Privacy Commissioner) for a determination. The OAIC investigated and agreed with his position and instructed Telstra in May 2015, to surrender the information. However, Telstra appealed in December 2015 via the Administrative Appeals Tribunal (AAT), arguing that metadata was not personal information as it was unidentifiable and therefore not subject to the Privacy Act (2003) thus rendering the initial decision invalid.

In it’s finding, the AAT, somewhat unexpectedly concluded that mobile network data was “about connections between mobile devices” and the manner in which that service is delivered rather than “about an individual” therefore proving Telstra’s position.

The Privacy Commissioner appealed to the Federal Court where its submission was denied on a point of law.

So what does it mean for marketers in an increasingly data-driven world?

• The AAT judgement has effectively narrowed the definition of PI to when an individual is the subject of the information.
• In effect, the definition of PI remains as it was in 2014: “information or an opinion about an identified individual, or an individual who is reasonably identifiable.” However, this is now more intertwined with an element of identifiability and it remains to be seen whether a small change in language will make any practical difference to the application of the law.
• If you consider your situation is not covered by this definition of PI, then tread warily. The Privacy Act has broad application and lawyers are tending to take a conventional approach.
• If you are covered by definition, then the full effects of the Privacy Act apply.

ADMA has factsheets on the Privacy Act covering Rights, Responsibilities and Spam, that can be downloaded from the Compliance Hub. If you find that you’re not sure, get in touch with the ADMA Compliance team to assist email or call 02 9277 5400. 

Smart use of data is in every marketers’ future. Training your team is vital to ensure that they understand the rights of the consumer in addition to the rights and obligations of the company.   

For more information about ADMA’s Privacy and Compliance course.

STOP PRESS: Take $200 off this course if booked before 1 March. Use Code IQEB17

Need more info?