1 – Scope and application of the Privacy Act

Technical and inferred information

The Discussion Paper proposes to amend the definition of 'personal information' so that it could capture:

• technical personal information such as IP addresses, location data and other online identifiers commonly collected and used for targeted advertising persons; and
• inferred personal information such as personal information about an individual derived from their activities, like online transaction data.

This would be done by amending the definition so that it relates to an identified individual or an individual who is reasonably identifiable, rather than being about such an individual. An individual would be 'reasonably identifiable' if they are capable of being directly, or indirectly, identified. In addition, a non-exhaustive list of types of information capable of falling within the definition, and a list of objective factors to assist organisations to assess whether an individual is 'reasonably identifiable' would also be included. This would mean that technical information would still be subject to the test of whether it reasonably identifies an individual, but would not be subject to the additional complexity of determining whether the information was about the individual or something else.¹

Although we do not anticipate these changes will significantly alter the definition at law, they would codify existing guidance and the position of the OAIC in respect of information that may be 'personal information'. This is particularly relevant given ambiguity about what constitutes 'personal information' following the Federal Court's decision in Privacy Commissioner v Telstra Corporation Ltd [2017] FCAFC 4 (Grubb). It will also broadly align the Privacy Act's definition of personal information with the European Union's General Data Protection Regulation (GDPR).

Sensitive information

The Discussion Paper noted suggestions to expand the definition to cover types of personal information that could be employed as proxies for sensitive information. This includes financial information such as transaction histories, which could be used to indicate an individual's gender, or location information that could reveal an individual's health conditions or religious beliefs.

Whilst the Discussion Paper has not put forward any proposals to amend the definition of sensitive information, it is still possible changes could be made in the next stages of the review. This is likely to be of particular interest to fintechs and financial institutions that collect, use and share transaction data and other financial information.

Although the Discussion Paper nods in favour of narrowing (or else abolishing) the existing employee records and small business exemptions under the Privacy Act, the Attorney-General has not yet made any formal recommendations in relation to these exemptions. The Attorney-General intends to revisit these exemptions once there is further certainty as to the other proposed changes to the Privacy Act. The paper indicates that it would be difficult to assess the potential impact on currently exempt practices without understanding what the amended Privacy Act will require, including of small businesses.