Fact Sheet - Reasonably Ascertainable Identity
Read the document below or download it here Fact Sheet - Reasonably Ascertainable Identity, updated April 2020
NSW privacy law[1] regulates the handling of personal information by public sector agencies and some private health service providers. The PPIP Act governs how agencies collect, store, use and disclose personal information according to the Information Protection Principles (IPPs).[2] ‘Personal information’ is defined in the PPIP Act as any information or opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.[3]
This fact sheet provides guidance about the meaning of reasonably ascertainable identity in the definition of personal information under NSW privacy law. The fact sheet refers to the different ways and means that identity can be reasonably ascertained, such as in video footage, digital images and metadata. Agencies can refer to this fact sheet to assist in their compliance with the IPPs.
Agencies may also refer to IPC fact sheet de-identification of data for further guidance.
The meaning of ‘reasonably ascertainable identity’
What does ‘reasonably ascertainable’ mean under the PPIP Act?
The definition of personal information in the PPIP Act states that the information is about an individual ‘whose identity is apparent or can reasonably be ascertained from the information or opinion.’
Something is ‘apparent’ if it is ‘capable of being clearly perceived or understood; plain or clear.’
The NSW Civil and Administrative Tribunal (the NCAT) has observed that ‘[b]y including the option that a person's identity can reasonably be ascertained from the information, the legislature was intending to allow a person to find out or determine the identity of the person from the information and, where reasonably identifiable from other information, from that other information’. [4]
Australian privacy jurisdictions have referred to the dictionary meaning of ‘ascertainable’ when identifying this test. The verb, ‘ascertain’ means ‘to find out by trial, examination or experiment, so as to know as certain; determine’.[5]
In one case, the NCAT found that even if the complainant’s image was captured by CCTV cameras, it does not necessary follow that their identity would be apparent or could reasonably be ascertained from that captured image. The success of the complainant’s application for review is dependent on establishing that the complainant’s personal information was in fact captured by the CCTV cameras.[6]
The NCAT has stated that it will not have jurisdiction to review an agency’s conduct where that conduct relates to an alleged contravention of an IPP, merely because both parties agree that the person’s image would probably have been captured by a CCTV camera.[7]
The NCAT has found that an agency’s work health and safety incident report and associated documents concerning a bullying and harassment complaint contained information that would, if disclosed, lead to the identity of an individual being relatively easily ascertainable.[8]
The meaning of personal information given by the definition in the PPIP Act must be applied in the context in which a particular item of information has been collected, held, used or disclosed.[9]
Even if a single piece of information is not ‘about an individual’, it might be about the individual when combined with other information, and the determination of whether the identity can reasonably be ascertained will require an evaluative conclusion based on the facts of each case.[10]
Who reasonably ascertains or identifies the person?
The PPIP Act does not state who is supposed to be able to ascertain the individual’s identity.
Identification of an individual occurs where a person can be reasonably identified by any individual, entity or machine, other than themselves. This could be the agency or organisation holding the data, or any third party.
The NCAT’s Appeal Panel has stated that information might be personal information even though extrinsic knowledge is necessary to identify an individual, where the recipient of the information can link the information to an individual.[11]
The Tribunal has found that even if images of persons in video footage were not identifiable to the agency, this does not mean that individuals were not generally identifiable, particularly if the persons could reasonably be expected to be identified by their facial features.[12]
In one case, NCAT found that identification of information in digital form could be performed by a machine, where the information redacted from a document that had been published on the agency’s website was masked from the human eye. However, the personal information was able to be ‘read’ by the Google search engine, leading to a link to a copy of the record about the individual.[13] The NCAT’s Appeal Panel found that information which is redacted and not immediately ascertainable by the human eye, may become read by the human eye by using a PDF editing tool.
Is a name required to identify a person?
An identity can be ‘reasonably be ascertained’ even if the person’s name is not included within the record.
Most NCAT cases which have reviewed the concept of ‘reasonably identifiable identity’ have involved information which does not include any name, but which includes enough other details to identify the subject person.
The NCAT has stated that ‘documents which themselves do not contain any obvious features identifying an individual may take on the quality by virtue of the context to which they belong’.[14]
In one case, a document about a staff member referred to a person only by his first name. As there was only one person out of the 400 possible staff with that first name, the individual was identifiable.[15]
In another case, a complainant’s handwriting on an agency’s internal complaint form was personal information because it could communicate knowledge including about the likely identity of the author.[16]
The NCAT has also found that it was possible to identify the individual referred to (but not named) in a workers’ compensation case study provided in a media report, from the details provided about the claims.[17]
Can a person be identified by other sources of information?
The person’s identity does not have to be reasonably ascertainable solely from the information record. The NCAT has applied a test of whether ‘more than moderate steps’ is necessary to match data from different sources, in order to ascertain an individual’s identity.[18]
Therefore, the surrounding context, and other information sources, can enable a person’s identity to be ascertained from the information or opinion, in taking no more than moderate steps to combine these sources to identify the individual.[19]
When disclosing information to the public, agencies need to have regard to other publicly available information on a website controlled by the agency from which a person’s identity can be reasonably ascertained.[20]
The NCAT has stated that if information in the public arena could only be obtained after complicated and tedious searches, that would be a factor in determining whether the individual's identity can reasonably be ascertained from the information or opinion.[21]
For example, the NCAT has considered that it would not be incumbent on agencies to compile a list of key words relevant to each piece of information it holds and then conduct an internet search in respect of each of those key words.[22]
Some examples of identification in combination with other sources of information, that result in information being personal information, include:
(a) Information about an address and restoration works to the property, including photographs of the property, in combination with information on a website controlled by the agency[23]
(b) A photograph of a residential apartment, when taken together with information from a local council’s files, was sufficient to enable the apartment’s owner to be identified[24]
(c) The publication of an address enabled the identification of the couple holding the lease for the property at that address, by way of ’reasonable means’, namely ’simple internet searches’[25]
(d) CCTV footage of an incident in a shopping centre was found to meet the test for personal information because it could be combined with ‘publicly available information about the identities of (the individuals filmed on CCTV) for example, through social media’[26]
(e) The statement ‘(a named individual) left general practice in order to care for a child who required intensive attention because he had diabetes’ was found to be sufficient to ascertain the identity of the child[27]
(f) Information about a person ‘tapping on’ and ‘tapping off’ a travel card at various locations was held to be ‘personal information’ because the person's identity could be ascertained by combining this with other information.[28] In contrast, the identity of an individual exemption holder for parking meters was not ascertainable where their registration information was collected in isolation from other data, and not recorded in a way to link it to any other identifying information.[29]
Identifying a person in digital images and video footage
In an increasingly digitised world, it is important to consider the capture and identification of individuals via digital means.
A photograph of a person's home or building works that a person is carrying out, where the agency holding the photograph knows the identity of the individual and deals with the photograph, has been found to be personal information. [30]
In a case concerning CCTV footage taken outside a public hospital, the NCAT considered not just the face, head or neck of the images of persons in the footage, but any identifying marks, such as a tattoo, in identifying the individuals. The NCAT stated that it referred to tattoos because such marks may be sufficient to enable identification of an individual even where their face is not visible.[31]
In contrast, the NCAT in the same case did not consider that any element of the gait or body shape of any person in any of the footage to be sufficiently distinctive as to enable identification where the face, head and neck are concealed by pixelation.[32]
However, the NCAT has found that video images of a person’s actions during an incident of physical assault in a shopping centre, together with information sourced from extensive media reports of the incident, would enable a person to reasonably ascertain the identity of the individuals.[33]
The NCAT also stated that the information record held by the agency may still be found to be personal information despite the events which it recorded having occurred in public, or even if there are media reports about the event.[34]
The quality of the images captured and whether the images are taken from a distance are relevant to determining if a person’s identity can be ‘reasonably ascertained’.[35]
Who can complain about information which reveals an individual’s identity?
The NCAT has confirmed that complaints brought under the PPIP Act for a breach of an IPP must concern the personal information of the individual who bought the complaint. In other words, in applying the definition of ‘personal information’, the complainant can complain about whether it is their identity that is apparent or can reasonably be ascertained from the information or opinion. [36]
In one case, the applicant did not have standing to bring proceedings concerning whether the identities of persons were reasonably ascertainable from media reports of workers compensation claims, because there was no evidence that an individual to whom the information related had consented to or supported the application for review.[37]
For more information
Contact the Information and Privacy Commission NSW (IPC):
Freecall: 1800 472 679
Email: ipcinfo@ipc.nsw.gov.au
Website: www.ipc.nsw.gov.au
The IPC can give general advice on rights and compliance under the PPIP Act, but cannot give legal advice. You should seek your own legal advice about these issues.
[1] Privacy and Personal Information Protection Act 1998 (PPIP Act); Health Records and Information Protection Act 2002 (HRIP Act).
[2] Agencies are also required to comply with the Health Privacy Principles (HPPs) under the HRIP Act.
[3] PPIP Act, section 4; HRIP Act, section 5.
[4] Office of Finance and Services v APV and APW [2014] NSWCATAP 88 at [56].
[5] See, Ben Grubb and Telstra Corporation Limited [2015] AICmr 35 (1 May 2015), at [68]. Although this determination was set aside on appeal, the meaning of ‘ascertainable’ was not at issue in the appeal; see, Telstra Corporation Limited and Privacy Commissioner [2015] AATA 991 (18 December 2015); Office of Finance and Services v APV and APW [2014] NSWCATAP 88 at [54]-[70].
[6] SF v Shoalhaven City Council [2011] NSWADT 6 at [25].
[7] SF v Shoalhaven City Council [2011] NSWADT 6 at [24]-[25].
[8] Winn v The Hills Shire Council [2020] NSWCATAD 14 at [63].
[9] WL v Randwick City Council (No 2) [2010] NSWADT 84 at [25].
[10] CRP v Department of Family and Community Services [2017] NSWCATAD 164 at [76] citing Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 at [63].
[11] AFW v Workcover Authority of New South Wales [2013] NSWADT 133 at [47], referring to WL v Randwick City Council [2007] NSWADTAP 58.
[12] Meldru v Wollondilly Shire Council [2017] NSWCATAD 292 at [42].
[13] AIN v Medical Council of New South Wales [2016] NSWCATAD 5 at [32].
[14] WL v Randwick City Council [2007] NSWADTAP 58 at [15].
[15] AQK v Commissioner of Police, NSW Police Force [2014] NSWCATAD 55 at [29].
[16] Marden v Pharmacy Council of New South Wales [2017] NSWCATAD 34 at [85].
[17] AFW v WorkCover Authority of New South Wales [2013] NSWADT 133 at [49] – [50].
[18] AIN v Medical Council of New South Wales [2016] NSWCATAD 5 at [39] – [44].
[19] WL v Randwick City Council [2007] NSWCATAD 12 at [22].
[20] Office of Finance and Services v APV and APW [2014] NSWCATAP 88 at [72].
[21] Office of Finance and Services v APV and APW [2014] NSWCATAP 88 at [67], citing Forgie DP in Re Lobo and Department of Immigration and Citizenship (2011) 124 ALD 238 at [300] and [301].
[22] Office of Finance and Services v APV and APW [2014] NSWCATAP 88 at [72].
[23] Office of Finance and Services v APV and APW [2014] NSWCATAP 88.
[24] WL v Randwick City Council [2007] NSWADTAP 58.
[25] APV and APW and Department of Finance and Services [2014] NSWCATAD 10 at [15].
[26] Field v Commissioner of Police, New South Wales Police Force [2015] NSWCATAD 153 at [33].
[27] AIN v Medical Council of New South Wales [2016] NSWCATAD 5.
[29] Waters v Transport for NSW [2018] NSWCATAD 40 at [67].
[30] WL v Randwick City Council (No 2) [2010] NSWADT 84 at [33] and [36].
[31] Seven Network Limited v South Eastern Sydney Local Health District [2017] NSWCATAD 210 at [56].
[32] Seven Network Limited v South Eastern Sydney Local Health District [2017] NSWCATAD 210 at [56].
[33] Field v Commissioner of Police, NSW Police Force [2015] NSWCATAD 153 at [75].
[34] See, Commissioner of Police, NSW Police Force v Field [2016] NSWCATAP 59 at [63].
[35] Seven Network (Operations) Ltd v Public Transport Authority [2017] WAICmr 12 (26 May 2017) at [54]-[57].
[36] DSN v NSW Department of Justice [2019] NSWCATAD 174 at [58].
[37] AFW v WorkCover Authority of New South Wales [2013] NSWADT 133 at [53]-[58].
