Research
Casenote - Putting the Reasonable in Reasonably Ascertainable: WL v La Trobe University (February 2006)
|
Background
This case note examines the implications for information handling after the decision of the Victorian Civil and Administrative Tribunal in WL v La Trobe University (General) [2005] VCAT 2592.[1] The case examines what personal information can be collected and stored in order to come within the definition of personal information under the Information Privacy Act 2000 (Vic).[2] Personal information is defined in section 3 of the Act:
‘personal information’ means information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, but does not include information of a kind to which the Health Records Act 2001 applies.
The important elements of the above definition relevant to this case are:
- The information is about the complainant; and
- From the information the complainant’s identity:
- Is apparent; or
- Can be reasonably ascertained.
The Victorian Privacy Commissioner does not have jurisdiction to hear cases that do not involve the handling of personal information. The respondent was arguing that the information collected was not personal information as defined by the Act and consequently the Tribunal (who was hearing the case as a result of a referral from the Privacy Commissioner) did not have jurisdiction to hear the complaint.
Facts
The complainant’s partner participated in a survey as part of a study titled Australian Longitudinal Study of Health and Relationships. The survey was completed by telephone and was conducted by Hunter Valley Research Foundation (HVRF) on behalf La Trobe University. The following day the applicant complained to the university because a number of highly personal questions had been asked about the applicant, and the applicant’s telephone number was used to conduct the survey and stored as a contact. As a result of the complaint the university ordered that the data collected be deleted from the HVRF database.
A compliant was subsequently lodged alleging that a number of Information Privacy Principles had been breached. The complainant believed that informed consent had not been sought and that as she was the home-owner and the telephone number was in her name, she could be identified.
The respondent’s lawyer submitted that the information collected by HVRF was not personal information within the meaning of the Act, therefore there was no valid complaint.
The applicant’s lawyer submitted that the words used to define ‘personal information’ in section 3 should be interpreted broadly and given their plain and ordinary meaning. It was also submitted that the tribunal held personal information of the applicant both on disk and within databases controlled by HVRF. Lastly, it was claimed that by combining the data collected in the survey with details of the applicant on electronic whitepages software held by HVRF the complainant’s identity could be ‘reasonably ascertained’ with certainty.
The Tribunal noted that the complainant’s success depended on what extraneous material could be used to ascertain the identity of the complainant.
Decision
Deputy President Coghlan found that the complainant’s identity was not apparent from the information. In order for the information to be apparent ‘one would need to be able to look at the information collected and know or perceive plainly and clearly that it was information about the applicant’. This would include situations where a photograph was included, a person’s name was mentioned, or where because of the singular nature of the information it could be no one else but a particular person.
In determining what was reasonably ascertainable the Tribunal noted that regard could be had to extraneous material[3] and the determination is not restricted solely to the information collected.
While use of extraneous material is permissible, resort to these sources is limited by the concept of reasonableness - the identity of the individual must be reasonably ascertainable. What is reasonable will also depend on the circumstances of each case.
In the present case it was found that the process of identifying the complainant’s identity involved inquiries and cross-matching from five different databases and then cross-matching with an external database, namely the electronic whitepages. This process would still not identify the complainant with certainty and was said by Deputy President Coghlan to go well beyond what was reasonable.
The Deputy President ordered that the complaint be dismissed.
Potential Impact of the Decision
While this case refers to Victoria’s privacy legislation it still presents lessons for other Australian jurisdictions. Both federal and New South Wales privacy legislation includes an identical definition to personal information contained in the Victorian Act (minus the qualification excluding information to which the Health Records Act 2001 applies).
Furthermore, the case interprets the ‘personal information’ definition in a common-sense manner that gives effect to the plain and ordinary meaning of the words in the definition. This makes it an appropriate model to be applied in other jurisdictions.
In order to determine whether the information is in fact ‘personal information’, including whether de-identified data can be re-identified, regard can be had to extraneous resources. However, use of these resources is restricted to what is reasonable determined by reference to the individual circumstances of the case. Overly onerous or complicated processes required to re-identify data are not likely to fulfil the ‘reasonable’ requirement. Whether or not an individual can be identified with certainty will also affect any determination of whether the identity of an individual can be reasonably ascertained from the information collected or stored.
It is also worth noting is that while there is no Commonwealth judicial decision on the definition of personal information, the definition was considered by the Privacy Commissioner in a May 2005 investigation. The investigation considered whether a Health Communication Network (HCN) software package that used de-identified patient records of some GPs and sold the information to commercial organisations without doctors’ knowledge or permission dealt with personal information.
Despite holding that ‘by law, health information is accorded a high level of privacy protection,’ the Commissioner found that the patient information transferred from doctors to CAMM Pacific via HCN’s Medical Director software, was de-identified and therefore did not fall within the definition of personal information outlined in the federal Privacy Act. Even in the event of an accidental transfer of de-identified patient data of a non-consenting doctor the Commissioner found that HCN could not identify that doctor and did not use the de-identified patient information. The Commissioner determined the identity of the patients could not be reasonably ascertained from the information that was communicated.[4]
Prashanti Ravindra
Galexia
[1] <http://www.austlii.edu.au/au/cases/vic/VCAT/2005/2592.html>
[2] <http://www.dms.dpc.vic.gov.au>
[3] This view was supported by a past Victorian case, namely Bailey v Hinch [1989] VR 78 which considered a similar provision in the Judicial Proceedings Report Act 1958.
[4] The Office of the Privacy Commissioner, Media Release: Privacy Commissioner concludes investigation into CAMM Pacific and Health Communications Network Limited, 11 May 2005 <http://www.privacy.gov.au/news/media/05_02.html>. See also The Office of the Privacy Commissioner, Media Statement: Commissioner clarifies media inaccuracies that doctors are selling patient information to drug companies, 26 May 2005 < http://www.privacy.gov.au/news/05_05.html>.