Attorney-General asked to update 'personal information' definition in Privacy Act

Many tech giants, finance sector participants and regulators, human rights campaigners, and startups agree the current definition is outdated.

The Attorney-General's Department is currently in the midst of reviewing Australia's Privacy Act 1988. Since October, it has been calling for all interested parties to provide their two cents.

A recurring theme in many of the submissions has been to align the Act with international laws, such as Europe's General Data Protection Regulation (GDPR). Facebook, for example, has suggested that making such a change would prevent the creation of a "splinternet".

Adopting many elements of the GDPR would also provide a more up-to-date definition of "personal information", according to many submitters. The Cyber Security Cooperative Research Centre (CSCRC), which is based out of Edith Cowan University in Western Australia, called in its submission for the definition of personal information to be amended to align with the GDPR, as did Facebook.

AusPayNet submitted [PDF] that the definition of what constitutes personal data as seen in other data protection regulation should be used to reduce uncertainty and ensure the rights and freedoms of Australians are protected.

It said using the term "related to" rather than "about" an identifiable individual would also help.

Microsoft similarly believes [PDF] personal information should be defined in the Privacy Act to include information that relates to an identified or identifiable individual. Likewise, DIGI [PDF], the not-for-profit association representing the digital industry in Australia, believes the definition of personal information in the Act should be updated to clarify that it captures technical data such as IP addresses, device identifiers, location data, and any other online identifiers that may be used to identify an individual.

The Act currently limits the definition of "personal information" to that of an identified individual or an individual who is reasonably identifiable.

The GDPR defines personal data as: "Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

Human Rights Watch, meanwhile, has encouraged consideration of the rights guaranteed to individuals under the GDPR, saying in its submission [PDF] that many of them should form a fundamental part of a truly modernised Privacy Act.

Recognising a copy and paste of the EU law would not be the ultimate solution, Human Rights Watch added that the GDPR's "rights of the data subject" section ensures there are clear and actionable rights for individuals. It believes the review of the Privacy Act should seek to provide the same, or similar.

In contrast, the Australian Financial Markets Association (AFMA) said it does not see an overarching need to amend the definition of personal information to expressly include technical information.

"The current definition of personal information does not imply the potential for exclusion of technical information as constituting personal information. We note the current definition is broad in scope, sufficiently so to include technical information to the extent that the information reasonably identifies an individual when combined with other data fields," the AFMA said in its submission [PDF].

"We submit that it would not be appropriate to extend the definition of personal information to include personal information of the deceased given the well-recognised legal principles already applied in the Privacy Act."

Fintech Australia, the body representing Australia's fintech industry, has the interests of its data-hungry members at the forefront, arguing in its submission [PDF] for separate frameworks governing how data is handled.

It has suggested a "simple framework" built to align with the relevant industry, rather than the one-size-fits-all approach currently adopted under the principles-based privacy regime.

"The overarching goal of the framework system should be to enable the development of a vibrant and innovative data economy in a way that maximises the certainty, transparency, trust and security of individuals to whom the data relates," it wrote.

With calls for another GDPR mechanism, the right to erasure, coming from many submitters, Fintech Australia said it disagrees with such a concept.

"It is difficult in a practical sense to delete information from all systems; erasing data is not permitted in a lot of cases (such as for anti-money laundering purposes, know your client, and other requirements at law) and so the request may be futile and potentially gives individuals a misleading sense about what they can do with their information," it said.

"It destroys a valuable resource for our digital economy as it may compromise an aggregated data set used for statistical or analytical purposes."