IP addresses and the privacy principles

Overview

The Information Privacy Act 2009 (Qld) ( IP Act ) contains a number of privacy principles which set out the rules for how personal information is to be managed by Queensland government agencies. 1 These include rules about collecting, storing, securing, using and disclosing personal information, sending it out of the country and obliging contractors to deal with it appropriately. 2

Personal information

Personal information is defined in section 12 of the IP Act. It is a very broad definition that encompasses any information about an individual who can be identified directly from the information, or whose identity can be reasonably ascertained by reference to other information. Information does not necessarily have to be true, or written down, to be personal information, and neither does it need to be sensitive or 'important'.

What is an IP address?

An IP address (internet protocol address) is a string of numbers separated by decimal points (for example, 210.8.42.131) which identifies a specific piece of equipment, usually a computer, on the internet. IP addresses are generally assigned by an Internet Service Provider ( ISP ), either temporarily (a dynamic IP address) or permanently (a static IP address).

IP address locators

There are a number of IP address locator websites which will provide the name and geographical location of the entity to whom an IP address is registered. Because most internet users access the internet through an ISP, such as iiNet or iPrimus, or at their place of employment, which may use a third party ISP or act as its own ISP, the locator will reveal information about the ISP and not the individual internet user.

Are IP addresses personal information?

IP addresses are generally visible to any website visited by the internet user and many websites will collect and store that IP address on a permanent or temporary basis. While any website may collect and hold IP addresses, generally only an ISP can link it to the name of an individual account holder. 3 Because of this lack of ability to link an IP address to an identifiable individual, a number of authorities 4 are of the view that an IP address in isolation is not personal information.

The OIC supports the view that an IP address in the absence of any information enabling it to be connected with an identifiable individual, is not personal information within the meaning of section 12 of the IP Act. However, if an IP address is linked to other information which would allow an individual to be reasonably identified then it will become personal information and it is subject to the privacy principles, including the obligations limiting its transfer out of Australia.

Example one: IP address is not personal information

Jane Smith is surfing the internet from her home computer, and she visits the Department website. While she’s there, the website records her IP address and information about her computer, for example that her computer's operating system uses Windows and she browses online using Internet Explorer. The Department has no way to link this information with Jane, so it is not personal information.

Example two: IP address is personal information

Jane's ISP is Awesome Internet. After she's finished on the Department website, she navigates to the Awesome Internet website which also collects her IP address and computer information. As Awesome Internet assigned Jane's IP address and maintains a record that it was assigned to her, at that specific date and time Awesome Internet can link the IP address to Jane. Accordingly, when Awesome Internet collects the information it qualifies as personal information.

  • 1 In this Guideline references to an "agency" include Ministers and bound contracted service providers, unless otherwise specified.
  • 2 See chapter 2, parts 3 and 4 and schedules 3 and 4 of the IP Act.
  • 3 State v. Reid (2008) 194 N.J. 386, 954 A.2d 503.
  • 4 See for example Canadian Federal Privacy Commissioner's findings in PIPEDA Case Summaries #2005-319 and #2009-010, the Irish High Court in EMI Records & ORS v Eircom Ltd [2010] IEHC 108 and the United States Court of Appeal in Klimas v Comcast Cable Communications Inc 465 F.3d 271.

Current as at: June 19, 2022