Metadata, privacy and the right to personal information

Ben Grubb and Telstra Corporation Limited [2015] AICmr 35 (1 May 2015)

WHAT YOU NEED TO KNOW

• On 1 May 2015, the Privacy Commissioner made a determination that Telstra Corporation Limited (Telstra) had breached the Privacy Act 1988 (Cth) (Act) by failing to provide the complainant with access to some of his personal information, described as "metadata", held by Telstra. 
• The determination is of particular interest on the question of what amounts to "personal" information.
• The Privacy Commissioner found that while the information did not, of itself, identify the complainant it was still personal information. Personal information includes information about an individual whose identity can reasonably be ascertained from the information. The Commissioner determined that Telstra was able to identify the complainant from the metadata by combining it with other information, and that having regard to Telstra's resources already devoted to related activities, the data matching exercise required to identify that the metadata related to the complainant was reasonable in the circumstances. Telstra estimated that the data retrieval and analysis process would take a minimum four days full time engagement for one week's data retrieval or a minimum 12 days full time engagement for four (or more) week's data retrieval.
• Telstra has indicated it will appeal the determination.

Background

On 15 June 2013, Mr Ben Grubb, journalist for Fairfax (complainant) sent Telstra a request for "all the metadata information Telstra has stored" about him in relation to his mobile phone service, including cell tower logs, inbound call and text details, duration of data sessions and telephone calls, and the Uniform Resource Locators (URLs) of websites visited.

On 16 July 2013, Telstra notified the complainant that he could access outbound mobile call details and the duration of data sessions via the online billing system. Otherwise, Telstra declined to provide the additional information citing privacy laws and advised that the complainant would need a subpoena for the remainder of the information to be disclosed.

On 8 August 2013, the complainant lodged a complaint with the Office of the Australian Information Commissioner (the OAIC) under section 36 of the Act, seeking a declaration that Telstra meet its access obligations under the Act.

As the request relates to events that occurred prior to the Act's reform on 12 March 2014, the National Privacy Principles (NPPs) applied. The parties did not dispute that Telstra was an organisation within the meaning given by the Act and bound by the NPPs. Despite this determination being made under the pre-reform Act, it provides guidance as to any decisions to be made with reference to the Australian Privacy Principles.

Does metadata constitute personal information?

The term "metadata" is somewhat ambiguous, with the Federal Government failing to clearly define the term in its recently passed mandatory data retention legislation. In the request, the complainant used the term "metadata" interchangeably with "communications data" and "telecommunications data".

Under the pre-reform privacy regime, personal information is defined under section 6 as "information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion" [emphasis added]. Section 16 of the pre-reform Act states that an organisation must not do any act that breaches a NPP. Relevantly, NPP 6.1 provides that if an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual – subject to a number of exceptions.

Network data

Telstra identified three sub-types of network data which the complainant had not been provided access to:

• Internet Protocol (IP) address information;
• URL information; and
• Cell tower location information beyond the cell tower location information that Telstra retains for billing purposes (as this had already been provided).

Telstra maintained that the metadata generated from the complainant's phone activity on Telstra's mobile network (ie network data) was not personal information about the complainant. It contended that its data is not linked in a way where the customer's identity is apparent nor can it be reasonably ascertained. The Commissioner accepted Telstra's evidence that network data may, by cross-matching it with other data held on Telstra's various networks and records management systems, link that data to a particular individual. Telstra estimated that the data retrieval and analysis process would take a minimum four days full time engagement for one week's data retrieval or a minimum 12 days full time engagement for four (or more) week's data retrieval. The Commissioner therefore held that network data in the context of consumer transactions captured on Telstra's network management systems was information "about an individual".

The Commissioner then considered whether the customer's identity was apparent or could reasonably be ascertained from the information. The Commissioner found that while the customer's identity was not apparent from the data, it was able to be reasonably ascertained. That is, the process of cross-matching data across different network management and records management systems "is not only possible, but is in fact, a process that Telstra already puts into practice, not only for network assurance purposes but also in responding to large numbers of requests for metadata by law enforcement agencies and other regulatory bodies".

The third prong is whether the process of ascertaining an individual's identity from the metadata is reasonable in the circumstances. While the Commissioner accepted that the process of extracting some of the metadata may be lengthy and require interrogation of databases by specially qualified personnel, when considered in the light of Telstra's resources and operational capacities (and the fact that it already supports this process for information requests from law enforcement bodies), suggested that this was reasonable in the circumstances. Accordingly, the Commissioner determined that the metadata held by Telstra in respect of "network data" constituted the complainant's personal information under the Act and should be disclosed to the complainant.

Incoming call records

Telstra identified that incoming call records contain inbound call numbers, location-based information, details of the communication such as time and date and the billing information and subscriber data of incoming callers. The complainant confirmed that his request was limited to the numbers of incoming callers. Telstra's current position is that, even if inbound call numbers fall within the scope of the complainant's personal information, an exception at NPP 6.1(c) permits Telstra to refuse access to the information.

The Commissioner noted that an inbound call number, in the context of the complainant's mobile phone activity, comprises shared personal information about the complainant and the incoming caller. The Commissioner also held that while the identity of the complainant would not readily be apparent from the phone number alone, it would be reasonably ascertainable.

Exceptions to the Rule

NPP 6.1(a)-(k) provide exceptions to the obligation that an organisation has under the Act to provide an individual with access to their personal information. 

Relevant to "incoming call records", NPP 6.1(c) provides that an organisation may refuse an individual access to their personal information where the provision of that information would have an "unreasonable impact on the privacy of other individuals". Referring to the authority of Smallbone v New South Wales Bar Association [2011] FCA 1145 [47] the Commissioner noted that whether a disclosure would have unreasonable impact "is a matter of practical judgment having regard of all the circumstances of the case".

The Commissioner noted the different circumstances of incoming calls. For example, if callers take active steps to make their phone numbers silent or blocked, then the Commissioner held that any subsequent disclosure of that information would be an unreasonable impact on the privacy of those callers. Where a caller may have dialled the complainant's number unintentionally (wrong number), the Commissioner stated that granting subsequent access to the phone numbers of the unintentionally callers would prejudice the privacy of those callers. The Commissioner noted that the view regarding the situation when a caller intentionally dials the complainant is less certain, however it might reasonably be expected that these callers would consent. However, the Commissioner did not draw a firm conclusion on the latter circumstance. The Commissioner also took into consideration Telstra's Privacy Statement and its assurances of confidentiality. 

Telstra indicated that it is possible for specialised staff to interrogate the data for no more than 30 days to identify callers with silent numbers or blocked IDs, however, it is not possible to identify records of persons that unintentionally contacted the complainant. As it is not possible to edit the records so that only intentional calls are provided, the Commissioner found that Telstra could rely on NPP6.1(c) to refuse the complainant access. 

There are no exceptions that apply to "network data".

Outcome

The Commissioner determined that Telstra was in breach of NPP 6.1 by failing to provide the complainant with access to his personal information in breach of NPP 6.1 of the Act.

The Commissioner held that Telstra must, within 30 business days, provide the complainant with access to his personal information concerning "network data" including IP address information, URL information and cell tower location information beyond the data already provided. The Commissioner stated that the information should be provided free of charge.

The Commissioner held that Telstra was not required to give access to the phone numbers of incoming callers, and was not in breach of the Act in its refusal to provide this information.

The complainant did not seek an apology or compensation.

Looking forward

Telstra has already indicated that it will be seeking a review of the determination noting that "this determination would require us to go well beyond the lawful assistance we provide to law enforcement agencies today" and "well beyond what we have to retain under the Government's data retention regime" (see: Clarifying our obligations, Telstra Website, http://exchange.telstra.com.au/2015/05/01/clarifying-our-obligations).

The outcome of this appeal will provide certainty for telecommunications providers (as well as other entities which fall under this threshold) in relation to their obligations of disclosure in relation to a customer's personal information.