Key privacy concepts – personal and sensitive information
Overview
Under the Information Privacy Act 2009 (Qld) (IP Act), agencies must comply with the Queensland Privacy Principles (QPPs).
The Key Privacy Concepts guidelines are intended to assist agencies by explaining important words and phrases used in the QPPs, the IP Act, and the Right to Information Act 2009 (Qld) (RTI Act).
Personal information
The concept of personal information is central to the IP Act, which provides for the fair collection and handling of personal information in the public sector environment. Personal information held by agencies is protected by the Queensland Privacy Principles and there are limits placed on when it can be disclosed to an entity outside Australia.
Under the RTI Act individuals can apply to access documents containing their personal information and apply to have their personal information amended with no fee. Personal information is a factor to be considered when deciding whether to release information and agencies are not permitted to publish the applicant's personal information on their disclosure logs.
What is personal information?
Section 12 of the IP Act defines personal information for both the IP Act and the RTI Act, and states:
Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion—
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
Common examples include an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details, employment details, and commentary or opinions made by or about the individual. Generally, the presence of an individual’s name in a document is sufficient to make it personal information.
Sensitive information
Personal information includes sensitive information, which is a specific category of personal information defined in schedule 5 of the IP Act. Sensitive information is information or an opinion about an individual’s:
- racial or ethnic origin
- political opinions
- membership of a political association
- religious beliefs or affiliations
- philosophical beliefs
- membership of a professional or trade association
- membership of a trade union
- sexual orientation or practices
- criminal record
- health information
- genetic information that is not otherwise health information
- biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
- biometric templates.
QPP 3 and QPP 6 contain specific rules for the collection, use and disclosure of sensitive information.
Does not include information about the deceased
Individual is not defined in the IP Act, but it is defined in the Acts Interpretation Act 1954 (Qld) as a natural person. This means that only living individuals can have personal information.
Information about a deceased person is no longer personal information for the deceased, but it may be the personal information of other, still living individuals. For example, coronial records often contain personal information about the deceased individual's family and friends, and health records may contain biological information about family, such as inheritable genetic conditions.
Limited exceptions – the RTI Act
The RTI Act uses the IP Act's definition of personal information; however, it also provides specific exceptions for information about deceased people in the amendment provisions and the public interest factors, which allow agencies to treat it as if the individual was still alive.
There are no equivalent exceptions in the IP Act. The QPPs and other privacy obligations in the IP Act, e.g., the overseas disclosure rules, only apply to information about living individuals.
Whether true or not
The definition of personal information specifically provides that the information or opinion is not required to be true in order to be personal information.
Whether recorded in a material form
The definition of personal information also provides that information does not have to be recorded in a material form to be personal information. Personal information communicated verbally or by signals (for example, sign language) still attracts the QPPs, even if it is never written down or recorded. However, some QPPs only apply if the information is held [1] or collected [2] by the agency.
For personal information that is recorded in a material form: material form is not limited to text in a document or electronic message. Personal information can be images, videos, sounds, or discoverable from a physical object, such as DNA in a blood sample.
Whether information is about an individual
For information to be personal information it must be about an individual who is or can be identified. Information is about an individual where there is a sufficient connection between the information and the individual.
Some information will obviously be about an individual, e.g., name, date of birth, medical records, financial records, bank details or salary.
Where information is not obviously about an individual, it is critical to consider the context surrounding the information, because information that appears to be about something other than an individual, e.g., a car, boat, or piece of land, can also be about an individual.
For example, in Privacy Commissioner v Telstra Corporation Limited [3], the Court, in determining that metadata held by a company was not about an individual, stated:
“The words ‘about an individual’ direct attention to the need for the individual to be a subject matter of the information or opinion. This requirement might not be difficult to satisfy. Information and opinions can have multiple subject matters. Further, on the assumption that the information refers to the totality of the information requested, then even if a single piece of information is not ‘about an individual’ it might be about the individual when combined with other information. However, in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual.”
Note that the decision does not mean that metadata, or data that can be linked with other data, can never be ‘about’ an individual.
The key question is: taking into account all the circumstances in which the information appears, is there a sufficient connection between the fact or opinion and the individual to reveal something about the individual?
The Commissioner considered whether information was about an individual in both Mahoney and Tomkins and Rockhampton Regional Council [4] (Tomkins).
In Mahoney, the Commissioner considered whether information directly and indirectly related to the applicant's land was personal information. The applicant submitted that the fact of her ownership provided a sufficient link between herself and the information to make it her personal information.
The Commissioner did not accept that information of significance to land owned by the applicant was necessarily the applicant's personal information. The Commissioner held that the information did not reveal a fact or opinion about the applicant and, without more, there was insufficient connection between the information and the applicant to make it information about the applicant. The information was about the applicant's land rather than the applicant and was not the applicant's personal information.
In Tomkins, the Commissioner considered whether photographs of dogs and interview recordings with a person attacked by specific dogs were about the individual dog owner. The recordings were about the victim’s account of the attack and her consideration of the dog photos. There was no information on the photographs that related to the dog owner, only handwritten numbers.
The Commissioner decided neither the recordings nor the photographs were about the dog owner because neither revealed a fact or opinion about the dog owner nor was there a sufficient link or connection between the information in the recording or photographs and the dog owner.
Whether the individual can be reasonably identified
For information to be personal information it must be about an individual who is or can be identified. Whether an individual is identified or can be identified will depend on the circumstances and nature of the information.
The individual is identified
An individual will be identified from information where they can be identified from the information itself, without referring to any other information. For example:
- where the information includes the person's name
- where the information includes the person's photograph, where they can be clearly seen in the photograph; or
- where the information is so unique that it cannot be about anyone else, for example, if the information says it is about 'the woman who was Queen of England in 2008'.
The individual is reasonably identifiable
While the term ‘apparent’ requires that the individual can be identified from the information itself, reasonably identifiable allows for the information to be compared or cross-referenced with other information to identify the individual in question.
When determining whether an individual is reasonably identifiable, the only relevant question is whether their identity could be ascertained, not whether someone actually intends to do so.
How far the comparison or cross-referencing can go and still be considered reasonable will depend on the circumstances. Where it is technically possible to identify an individual but doing so is so impractical there is almost no chance of it occurring, or the steps required to do so are excessively time-consuming or costly, the individual's identity would not generally be regarded as reasonably identifiable.
Relevant factors include:
- The availability of the secondary material: is it readily available to all or can it only be obtained by a limited class of persons? Most entities and individuals would encounter difficulty in using a licence plate number to identify the registered owner of a car, as they would not have access to the car registration database. By contrast, an agency or individual with access to that database may be able to identify the owner. Accordingly, the licence plate number may be ‘personal information’ held by that agency or individual but may not be personal information if held by another entity.
- The number of steps required to be taken to determine the individual’s identity: will it involve referencing a single source of secondary information, or will it involve a chain of linkages? The more steps involved, the less likely it is that the individual will be considered reasonably identifiable.
- The level of certainty of the identification: will the linkage between the information and the secondary source allow a single individual to be identified, or will it narrow it only to one of a class of individuals?
- The ability of the person receiving or collecting the information to use it to identify an individual: For example, information that an unnamed person with a certain medical condition lives in a specific postcode may not enable the individual to be identified, and consequently not be personal information. However, if it is held or received by an agency or individual with specific knowledge that could link an identifiable individual to the medical condition and postcode, it will be personal information.
- The uniqueness of the information: For example, a common surname shared by many people may not be enough on its own to reasonably identify a particular individual. However, if the surname is unique, or the common surname is combined with other information, such as address or other contact information, the identity of the individual may be reasonably identifiable, making the information personal information.
- For information publicly released, e.g., published on an agency website, whether a reasonable member of the public who accesses that information could identify the individual.
Anonymised, de-identified and coded information
Personal information is anonymised where it is impossible for the person collecting, using, or receiving it to identify the individual it is about. When this occurs, it ceases to be personal information and will be outside the ambit of the IP Act.
The identity of an individual may be removed from personal information in a number of ways.
- Information may be aggregated and combined in a form with no personal identifiers. For example, information may be broken down into statistics which are broad enough to ensure the people they are about are not reasonably identifiable.
- Information may be stripped of identifiers and coded, so that only someone holding the key code can link the information to a specific individual. For example, where non-identifying portions of the information are extracted and linked to a numerical sequence and another document or database holds a record linking the number to the individual. Easily broken codes such as mathematical formulae based on the letters in an individual’s name should not be used to generate a numerical sequence, due to the possibility of the code or formula being ‘reverse-engineered’ to reveal the name.
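The coded-information point above, as an added Python example (not part of the original guideline): it contrasts a code computed from the letters of a name with a random code whose link to the individual exists only in a separately held key table. The records, the letter formula and all function names are constructed for illustration.

```python
import secrets

# Constructed sample records (not real people).
RECORDS = [
    {"name": "Alex Nguyen", "postcode": "4000", "condition": "asthma"},
    {"name": "Priya Shah", "postcode": "4217", "condition": "diabetes"},
    {"name": "Tom Baker", "postcode": "4000", "condition": "asthma"},
]

def name_formula_code(name):
    """Weak scheme (hypothetical): a formula over the letters of the name, A=1 ... Z=26."""
    letters = [c for c in name.upper() if c.isalpha()]
    return sum((i + 1) * (ord(c) - 64) for i, c in enumerate(letters))

def code_with_formula(records):
    """De-identified rows whose code is derived from the name itself."""
    return [{"code": name_formula_code(r["name"]), "postcode": r["postcode"],
             "condition": r["condition"]} for r in records]

def code_with_random_key(records):
    """De-identified rows plus a separate key table linking code -> name."""
    rows, key_table = [], {}
    for r in records:
        code = secrets.token_hex(8)   # random: carries no information about the name
        while code in key_table:      # regenerate on the (unlikely) collision
            code = secrets.token_hex(8)
        key_table[code] = r["name"]   # store and access-control this table separately
        rows.append({"code": code, "postcode": r["postcode"],
                     "condition": r["condition"]})
    return rows, key_table

def relinkable_without_key(rows, known_names, scheme):
    """Audit check: rows that can be tied back to a name using only the coding
    scheme and a list of names, i.e. without access to the key table."""
    derived = {scheme(n): n for n in known_names}
    return {row["code"]: derived[row["code"]] for row in rows if row["code"] in derived}

if __name__ == "__main__":
    names = [r["name"] for r in RECORDS]
    weak_rows = code_with_formula(RECORDS)
    strong_rows, key_table = code_with_random_key(RECORDS)
    print("formula codes re-linked:", relinkable_without_key(weak_rows, names, name_formula_code))
    print("random codes re-linked: ", relinkable_without_key(strong_rows, names, name_formula_code))
```

Even with random codes, the remaining fields (here postcode and condition) still need to be assessed against the reasonably identifiable factors listed earlier.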
Refer to Privacy and de-identified data for more information.
- 1 Defined in s.13, IP Act.
- 2 Defined in schedule 5, IP Act.
- 3 [2017] FCAFC – noting the question on appeal was limited to the statutory construction of the words ‘about an individual’ as they applied in the Privacy Act 1988 before 12 March 2014.
- 4 [2016] QICmr 2 (22 January 2016) (Tomkins), applying Mahoney
Current as at: July 1, 2025