Here’s looking at you[r data], kid

On May 8, 2017 the Australian Federal Police (AFP) announced its decision to close its investigation into allegations that the Human Services Minister Alan Tudge (who is responsible for Centrelink) unlawfully shared Andie Fox’s private welfare details with Fairfax journalist Paul Malone.

Fox, a welfare recipient and blogger, was published by Fairfax: ‘As a struggling mother, Centrelink terrorised me over ex-partner’s debt’. The article outlined how difficult it is to verify Centrelink debts with the agency. Malone’s original comment piece, ‘Centrelink is an easy target for complaints but there are two sides to every story’, defends the multimillion-dollar agency.

It happens that under Australian law privacy protections turn on whether data is classified as ‘personal information’ or not, which I thought would be an easy catch, except that legal definitions of ‘personal information’, ‘private information’ and ‘protected information’ in Australia are far from settled.

Most government bodies have provisions that both prohibit the release of data they hold, and make it an offence to do so. Social Security law is no different: it’s a criminal offence to release protected information about welfare recipients. In this particular case Fox’s welfare data should be considered ‘protected information’, making it illegal to release it to a third party — but, and here’s the kicker, there are limited circumstances where data can be released.

One such circumstance is when the Secretary issues a ‘Certificate of Release’ to formalise the data release. This power allows the Secretary to provide information to ‘such persons and for such purposes’ as they see fit. [This seems very vague.] The Human Services Minister even issues guidelines that direct the Secretary on when and how they can do this. One of those instances is ‘correcting a comment made in the media’.

The AFP Assistant Commissioner said that the information released by the Human Services Minister’s office and prepared by his Department was approved for release; as such, it was not an ‘unauthorised disclosure’; thus Tudge didn’t act unlawfully. So, while Fox didn’t approve the release of her information, Centrelink did, so that makes the release lawful. Except that Centrelink didn’t approve it. There was no Certificate. A spokesperson said the Department could use personal information:

… for Social Security law or Family Assistance law purposes and it was entitled to release information to correct the record. [Such releases] do not need to be formally authorised by the Secretary.

This contradicts the Human Services Minister’s own guidelines and is very vague language. How many government departments can claim ‘Social Security law or Family Assistance law purposes’? The ATO, Veterans Affairs, Austudy, the ABS, MyGov, MyHealth? My lay-reading is that the myriad loopholes in our Social Security and Privacy laws mean there’ll always be a justification for whatever form a data release takes — you just have to find it. As we’ll see, the notion of an Australian ‘right to privacy’; our privacy protections (or lack thereof); and our current Privacy laws get muddier the more we look at them.

Over the past few years findings from three court cases have had direct effects on the notion of privacy in this country. The first case concerns Fairfax journalist Ben Grubb’s request to Telstra for access to ‘All the metadata information Telstra has stored about my mobile phone service’. The case in a nutshell:

- Telstra gave Mr Grubb some information, but refused to provide all data generated within the mobile network in the course of carrying communications using Mr Grubb’s mobile service.

- Mr Grubb filed a complaint with the Office of the Australian Information Commissioner (OAIC). This investigation held that Telstra’s refusal was a breach of National Privacy Principle (NPP) 6.1.

- Telstra applied to the Administrative Appeals Tribunal (AAT) to set aside this finding, submitting that Mr Grubb’s identity could not be ascertained only by reference to mobile network data.

- The AAT decided that data would only qualify as ‘personal information’ if it satisfied the threshold requirement of being information ‘about’ an individual. Although it may technically be possible to identify Mr Grubb from the network data held by Telstra, it wasn’t ‘about’ him.

- The conclusion was that the mobile network data in question was not ‘about’ an individual in relation to NPP 6.1: Once the call or message was transmitted… the data generated was directed to delivering the call or message… [It] is no longer about Mr Grubb or the fact that he made a call or sent a message… [it] is about the way in which Telstra delivers the call or the message.

My lay-reading is that only part of the data was defined as ‘personal information’ ‘about’ him (and therefore protected as ‘private’) meaning only part of the metadata is protected under ‘fair collection’ provisions. This is more about the specific use of the data (by Telstra), rather than what can be discovered (about Mr Grubb) via the data’s collection and collation (by a second party) or release (to a third party).

The second case involves Crikey journalist Josh Taylor’s Freedom of Information (FoI) request to see George Brandis’ metadata. He wanted access to what he thought should be public information about a Government Minister. The case in a nutshell:

- In 2014, Attorney-General George Brandis announced the Government’s mandatory data retention scheme legislation, but was unable to define ‘metadata’.

- Mr Taylor filed a FoI request for Brandis’ own metadata. According to Taylor: ‘The request had two purposes: 1) find out the Government’s definition of metadata; 2) find out who our Attorney-General speaks with during the course of his day as a Minister and public representative.’

- Mr Taylor received a heavily redacted Telstra phone bill, and an 18-month battle for Brandis’ metadata followed (Josh vs. the Attorney-General’s Office). In between was the OAIC — as mediator. The OAIC’s boss is the Attorney-General’s Office.

- The OAIC closed the review and suggested it be referred to the Administrative Appeals Tribunal (AAT). Such applications cost $800 for the person who originally lodged the FoI request.

My lay-reading is that all Brandis’ data was considered ‘personal’ (and therefore ‘private’) — security issues aside — despite the FoI covering communications carried out by Brandis in his role as a Government Minister and public servant. This is the opposite of the Grubb case, and seems to be about what can be revealed about Brandis (by Mr Taylor) via the data’s collection and collation.

The third case concerns a series of exchanges that occurred on a Facebook (FB) ‘wall’ and in private messages between Ms Jurecek and a colleague while Ms Jurecek was seconded to the Office of the Director, Transport Safety Victoria (TSV). This one’s got a number of moving parts:

- The TSV considered posts and messages sent by Ms Jurecek to a colleague to be abusive. After internal and external investigations TSV issued a formal warning.

- Ms Jurecek complained to the Victorian Privacy Commissioner. The Commissioner referred the matter to VCAT, which found (for the most part) her complaint was unproven.

- Ms Jurecek then went to the Victorian Supreme Court, claiming TSV breached Information Privacy Principles (IPPs) 1.1, 1.2, 1.3, 1.4 and 1.5, as set out in the Victorian Information Privacy Act 2000 (Privacy Act), the predecessor to the Victorian Privacy & Data Protection Act 2014.

- The decision of Supreme Court Justice Bell:

  1. FB information may be ‘personal’ under privacy laws, even if it is accessible online. Such information does not inevitably constitute a ‘generally available publication’. However,
  2. TSV did not breach IPP 1.1: the collection of personal information was necessary for a misconduct investigation, which is a legitimate purpose.
  3. TSV did not breach IPP 1.2: the collection of personal information was not by unauthorised means (nor unreasonably intrusive). It was located through Facebook searches (or provided by the employee who felt targeted by Ms Jurecek’s posts & messages).
  4. TSV did not breach IPP 1.3 & 1.5: these principles set out an obligation to take reasonable steps to ensure individuals are made aware of specified matters, but do not stipulate how. TSV was not required to immediately notify Ms Jurecek of the information collection — this would have jeopardised the investigation.
  5. TSV did not breach IPP 1.4: it was not ‘reasonably practicable’ for TSV to obtain the personal information from Ms Jurecek directly — this would have also jeopardised the investigation.

My lay-reading is that while the social media data was considered ‘private’, so should have been protected under ‘fair collection’ provisions, Justice Bell’s concerns were about broader legal issues, such as the misuse of a carriage service (to menace a colleague), workplace safety or bullying. This decision is more about the initial communication (by Ms Jurecek), rather than reasons for data collection, the methods used, or the inferences that can be garnered from any collated information (by TSV). Ms Jurecek was sacked.

Each of these decisions has only added to the murky waters surrounding Australian Privacy Law. The scattergun definitions of ‘personal’, ‘private’ and ‘protected’ information (state & federal) in no way clarify any ‘right to privacy’ in Australia, and in cases where courts must consider broader legal issues, we see that any perceived ‘right to privacy’ is extinguished. Current state and federal Privacy Acts — let alone inconsistencies between institutions and departments within jurisdictions — are opaque at best; throw in the idea that a Department Secretary can provide information to ‘such persons and for such purposes as they see fit’, and we have no idea who can access our data or where it may end up. We can’t even access all the metadata applicable to ourselves. As I said initially, the notion of a ‘right to privacy’ in Australia; our privacy protections (or lack thereof); and our current Privacy laws get cloudier the more we investigate them.

Craig Garrett

References:

For information about Rebecca Ananian-Welsh’s research (lecturer in public law) search UQ’s website; for information about our privacy laws go to Office of the Australian Information Commissioner; The Australian Privacy Foundation; the Administrative Appeals Tribunal (AAT); for information about the Centrelink debt fiasco go to the Australian Unemployed Workers’ Union; for information on Grubb and Taylor go to Fairfax and CSO, and King and Wood Mallesons; for information on Jurecek/TSV go to Corrs; for more information on Fox/Malone/Tudge go to New Matilda.