The Key Privacy Concepts guidelines explain important words and phrases used in the Information Privacy Act 2009 (Qld) (IP Act). They are intended to assist in the interpretation and application of the privacy principles in the IP Act.
Personal information is defined in section 12 of the IP Act as information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in material form or not, about an individual whose identity is apparent or can be reasonably ascertained.
Living natural persons
'Individual' is not defined in the IP Act, but it is defined in the Acts Interpretation Act 1954 (Qld) as a natural person. This means that only living people can have personal information.
Despite this, the IP Act allows for the amendment of a deceased person’s personal information by a person permitted to do so under the IP Act, for example their next of kin.
Information about a deceased person is no longer personal information in relation to the deceased person but it may be the personal information of living individuals. For example, coronial records often contain personal information about the deceased individual's family and friends and health records may contain biological information about family, such as inheritable genetic conditions.
Whether true or not
The IP Act does not require that the information be verified as correct in order to fall within the definition of personal information.
Recorded in a material form or not
Personal information does not have to be recorded in a material form. Communication of personal information verbally or by signals (for example, sign language) will attract the privacy principles, and communication in a non-recorded form that is not compliant with the privacy principles will be a breach of the IP Act.
‘Recorded personal information’ is not limited to words on paper. The words may be stored messages (for example, emails, SMS and voice mail messages), displays on computer monitors, or information on signs. It may not involve words at all, but images, video, CCTV, sounds, or be able to be discovered from an object, such as DNA in a blood sample.
Whether information is ‘about’ an individual
Whether information is about an individual or not will generally depend on the context in which the information appears. It requires a sufficient connection between the information and the individual.
Some information will obviously be about an individual: medical records, financial records, bank details or salary. For other information, the connection between the individual and the information will not be so obvious.
Even if the information appears to concern something other than an individual—a car, for example, or a piece of land—it can still be about the individual. For example, information that the rates for a particular property have not been paid for a year is about the land, but it also reveals a fact about the owner, that they have not been paying the rates.
Refer to Mahoney v Ipswich City Council and the ‘What is Personal Information checklist’ for more information.
Whether identity is apparent or can reasonably be ascertained
Whether an individual’s identity is apparent or can be reasonably ascertained will depend on the circumstances and the nature of the information.
When the identity of an individual can be determined solely from the information, then their identity is apparent. The information is personal information about the individual.
This would include circumstances where the individual’s name was included in the information, or their photograph. Even if a photograph contains more than one individual it can be their personal information, so long as one or more individuals are identifiable or, where the photograph accompanies other information, the particular individual can be identified, for example, by reference to their position in the group or their attire.
Personal information would also include circumstances where the information was of such a singular nature that, even without a name, it could be about no one else.
Where the description is such that it could only be about one person (‘the person who wears a crown and ruled the British Empire in 2008’ is obviously Queen Elizabeth II), or the person described had a key involvement in such a well-known and unique event in the place the information is being used or disclosed that the identity of the person would be known (‘the man who headed the inquiry into misconduct in the Queensland Police Service in 1987’ is obviously the Honourable Gerald Edward (Tony) Fitzgerald AC, QC).
When considering the definition of personal information, it is necessary to determine either if an individual's identity is apparent or can reasonably be ascertained. While the term ‘apparent’ requires that the individual can be identified from the information itself, ‘reasonably ascertainable’ allows for the information to be compared or cross-referenced with other information to identify the individual in question.
When determining if identity is reasonably ascertainable, the only relevant question is whether identity could be ascertained, not whether someone actually intends to do so. How far the comparison or cross-referencing can go and still be considered reasonable will depend on the circumstances.
Relevant factors include:
- The availability of the secondary material: is it readily available to all or can it only be obtained by a limited class of persons? For example, a licence plate number may be linked to an identifiable individual, but only through the records held by Queensland Transport.
- The number of steps required to be taken to determine the individual’s identity: will it involve referencing a single source of secondary information, or will it involve a chain of linkages? The more steps involved the less likely that the ascertainability will be considered reasonable.
- The level of certainty of the identification: will the linkage between the information and the secondary source allow a single individual to be identified, or will it narrow it only to one of a class of individuals?
An individual’s post code may be identified by anyone as being in a specific geographical location, but not linked to a specific address.
- The ability of the person receiving or collecting the information to use it to identify an individual. For example, a hair may be personal information if provided to a forensic scientist with a genetic database, but not if provided to a hairdresser.
- The publicity or uniqueness of the information. For example, if an individual is involved in a unique accident in a specific industry, the details of their injury could be personal information.
A man is injured by falling into a rock crusher at a mine and loses an arm. Statistics appearing in a mining journal that identify the specifics of the accident along with his age and experience in the mining industry could be the injured man’s personal information, due to the unique nature of the injury and likely publicity which surrounded it.
Anonymised, de-identified and coded information
Personal information is anonymised where it is impossible for the person collecting, using or receiving it to identify the individual it is about. When this occurs, it ceases to be personal information and will be outside the ambit of the IP Act.
The identity of an individual may be removed from personal information in a number of ways.
- Information may be aggregated and combined in a form with no personal identifiers. For example, information may be broken down into statistics which are broad enough to ensure the people they are about are not reasonably identifiable.
- Information may be stripped of identifiers and coded, so that only someone holding the key code can link the information to a specific individual. For example, where non-identifying portions of the information are extracted and linked to a numerical sequence and another document or database holds a record linking the number to the individual.
Note that easily broken codes such as mathematical formulae based on the letters in an individual’s name should not be used to generate a numerical sequence, due to the possibility of the code or formula being ‘reverse-engineered’ to reveal the name.
Information may initially be collected anonymously, with no identifying information included. In this case it will never have constituted personal information under the IP Act.
Current as at: July 19, 2013