Site Changes

On 1 November 2010 the Office of the Privacy Commissioner was integrated into the Office of the Australian Information Commissioner and a new website established at www.oaic.gov.au.

Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.

Types

Topic(s): Technologies | Telecommunications

Own Motion Investigation v Information Technology Company [2010] PrivCmrA 24

document icon pdf (147.22 KB)

Case Citation:

Own Motion Investigation v Information Technology Company [2010] PrivCmrA 24

Subject Heading:

Meaning of 'personal information'

Law:

National Privacy Principle 1.2 in Schedule 3 of the Privacy Act 1988 (Cth) and section 6 in Part II of the Privacy Act.

The following case was decided by the Privacy Commissioner prior to 1 November 2010. On 1 November 2010 all the powers of the Privacy Commissioner under the Privacy Act were conferred on the Australian Information Commissioner.

Facts:

The Commissioner received information that suggested that an information technology company was collecting geographical location data about mobile phone customers who used its location-based services.

Issues:

'Personal information' is defined in section 6(1) of the Privacy Act as:

information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

NPP 1.2 says an organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.

Outcome:

The Commissioner commenced an own motion investigation into the activities of the information technology company under section 40(2) of the Privacy Act.

The investigation revealed that the information technology company was not collecting personal information through the use of its location-based services, as defined in the Privacy Act.

Instead, when the information technology company received a customer request for data about their current location from a mobile device, it collected information about nearby cell towers and Wi-Fi access points, and then sent this information back to the customer's device. The customer's device then used this information to determine the customer's exact location. Neither the exact location of the device nor identifying information about the customer was sent back to the information technology company.

The Commissioner considered that individuals could not be identified from the information collected by the information technology company through its location-based services. As the information did not meet the definition of 'personal information', the information technology company's activities in relation to this matter were not subject to the Privacy Act. Therefore the Commissioner ceased the own motion investigation into the matter.

Office of the Australian Information Commissioner
December 2010