Is customer metadata caught by the Privacy Act?

The recent determination of the Privacy Commissioner in Ben Grubb v Telstra Corporation Limited [2015] AICmr 35 has clarified the extent to which metadata collected by telecommunications providers will constitute ‘personal information’ for the purposes of Principle 6.1 of the National Privacy Principles (NPP 6.1). NPP 6.1 was the precursor to, and is the equivalent of, the current Principle 12 of the Australian Privacy Principles.

In short, the scope for metadata to be caught by the Privacy Act is broader than many may have considered, which will have cost consequences in planning for Privacy Act compliance.

In 2013, Mr Grubb (the Complainant and a technology journalist for the Sydney Morning Herald) requested that Telstra provide him with ‘all the metadata information Telstra has stored’ in respect of his mobile phone service, which ‘would likely include which cell tower I’m connected to at any given time, the mobile phone number of a text I have received and the time it was received, who is calling and who I’ve called…’

The Complainant’s request was made pursuant to NPP 6.1, which obliges an organisation to give an individual all ‘personal information’ that it holds about that individual, subject to some exceptions. An organisation is not compelled to provide information where:

  1. Providing access would have an unreasonable impact upon the privacy of other individuals;
  2. Providing access would be unlawful;
  3. Denying access is required or authorised by or under law.

By the time that the matter came before the Privacy Commissioner for determination, Telstra had responded by providing a great deal of information including details of:

  1. His outbound calls (including the numbers he called, the time and duration and cell towers involved in such calls);
  2. His network type;
  3. ‘Subscriber information’ relating to his account.

However, Telstra refused to provide:

  1. Network data;
  2. Incoming call records.

The question before the Privacy Commissioner was whether the metadata in relation to network data and incoming call records which was held by Telstra constituted personal information, and if so, whether it had been improperly withheld by Telstra in breach of NPP 6.1.

Network Data

Telstra argued that the metadata concerning network data was not personal information as defined under the Privacy Act 1988 (Cth) for the reason that the Complainant’s identity was not apparent, nor could it reasonably be ascertained, from that data. Telstra submitted that the data sat in complex network management systems, and that to identify an individual or collect the data would be burdensome in terms of complexity, time and cost.

However, the Commissioner found that by cross-referencing data, an individual could be identified and thus the network data constituted personal information. Telstra could identify individuals from this data – and they routinely did so in response to law enforcement agency requests. Further, the Commissioner considered that the time and cost of retrieving the data must be viewed in light of the resources of the organisation. Telstra had 120 staff trained and employed for the purpose of such data collection. In the circumstances, the Commissioner considered the process of data collection to be reasonable relative to Telstra’s resources.

Incoming Call Records

Telstra submitted that incoming call records were not the personal information of the Complainant, but rather constituted the personal information of the third parties who had made the calls. It was Telstra’s position that disclosing that information would have an unreasonable impact on the privacy of the incoming callers, and would potentially constitute a breach of the Telecommunications Act 1997 (Cth), which regulates the use and disclosure of telecommunications data.

The Complainant’s position was that in cases where the calling number display had not been blocked or the option of a silent line had not been exercised, there was no unreasonable impact on the privacy of those making the incoming calls as he would have been able to see their number on his phone at the time of the call.

The Commissioner found favour with Telstra’s submissions on this issue because third party information of a personal nature would be included in the information provided to the Complainant. This would have included callers with silent numbers or those who called the wrong number, who would not have intended that their information become available to the Complainant. The Commissioner recognised that it would be impossible for Telstra to edit the incoming calls to provide only the numbers of those individuals who intentionally contacted the Complainant and did not have a silent line.

Conclusions

The Commissioner’s finding in this case helps businesses recognise that the scope of what may properly be considered to be ‘personal information’ is potentially very broad. This is particularly so for a large, well-resourced organisation such as Telstra, which has the ability and resources to match data sets.