The Information Privacy Act 2009 (Qld) ( IP Act ) contains a number of privacy principles which set out the rules for how personal information is to be managed by Queensland government agencies. 1 These include rules about collecting, storing, securing, using and disclosing personal information, sending it out of the country and obliging contractors to deal with it appropriately. 2
Personal information is defined in section 12 of the IP Act. It is a very broad definition that encompasses any information about an individual who can be identified directly from the information, or whose identity can be reasonably ascertained by reference to other information. Information does not necessarily have to be true, or written down, to be personal information, and neither does it need to be sensitive or 'important'.
An IP address (internet protocol address) is a string of numbers separated by decimal points (for example, 18.104.22.168) which identifies a specific piece of equipment, usually a computer, on the internet. IP addresses are generally assigned by an Internet Service Provider ( ISP ), either temporarily (a dynamic IP address) or permanently (a static IP address).
There are a number of IP address locator websites which will provide the name and geographical location of the entity to whom an IP address is registered. Because most internet users access the internet through an ISP, such as iiNet or iPrimus, or at their place of employment, which may use a third party ISP or act as its own ISP, the locator will reveal information about the ISP and not the individual internet user.
IP addresses are generally visible to any website visited by the internet user and many websites will collect and store that IP address on a permanent or temporary basis. While any website may collect and hold IP addresses, generally only an ISP can link it to the name of an individual account holder. 3 Because of this lack of ability to link an IP address to an identifiable individual, a number of authorities 4 are of the view that an IP address in isolation is not personal information.
The OIC supports the view that an IP address in the absence of any information enabling it to be connected with an identifiable individual, is not personal information within the meaning of section 12 of the IP Act. However, if an IP address is linked to other information which would allow an individual to be reasonably identified then it will become personal information and it is subject to the privacy principles, including the obligations limiting its transfer out of Australia.
Jane Smith is surfing the internet from her home computer, and she visits the Department website. While she’s there, the website records her IP address and information about her computer, for example that her computer's operating system uses Windows and she browses online using Internet Explorer. The Department has no way to link this information with Jane, so it is not personal information.
Jane's ISP is Awesome Internet. After she's finished on the Department website, she navigates to the Awesome Internet website which also collects her IP address and computer information. As Awesome Internet assigned Jane's IP address and maintains a record that it was assigned to her, at that specific date and time Awesome Internet can link the IP address to Jane. Accordingly, when Awesome Internet collects the information it qualifies as personal information.
Google Analytics is a free service provided by Google for the purpose of gathering statistical information about visitors to a website. This information generally includes IP addresses, geographical location of the IP address, pages visited, how the visitor arrived at the webpage and computer information, such as the operating system and browser being used. Google Analytics is implemented through a cookie which is placed on the visitor's computer coupled with code in the webpage which collects visitor data and relays it to Google's servers for processing.
A number of Queensland Government agencies, including the OIC, use Google Analytics as an efficient and cost effective method of ensuring their websites are responsive to community needs and are being utilised by the public. It allows them to identify information such as from where their traffic originates and which pages are the most popular. For example, Google Analytics could provide information on which resources on the OIC website are the most downloaded.
The agreement with Google Analytics requires those using it to place a prominent privacy statement on their website. Agencies must ensure that they comply with this requirement. 6
As long as information collected and provided to Google through the use of Google Analytics is limited only to non-personal information the use of Google Analytics will not breach an agency's obligation to comply with the privacy principles. However, if the agency is able to link the IP address of a visitor to their website to a specific individual, then the collection of information through Google Analytics will be a collection of personal information, which will trigger compliance with the privacy principles.
Current as at: January 11, 2012