
Spectrum of Identifiability


Spectrum of Personal Information

The Spectrum of Personal Information is a visual representation of the identifiability spectrum. It re-iterates the two limbs that are required to meet the current Australian definition of personal information – that it must relate to the individual, and the individual must be identified or reasonably identifiable.

The Attorney General’s Privacy Review Report noted that many submitters spoke of the difficulty in determining the point at which an individual becomes ‘identifiable’, or conversely ‘de-identified’, and that there were a range of different approaches to these common concepts. Stakeholders also disagreed on what standard should be used to satisfy ‘reasonably identifiable’. These areas of confusion and lack of consistency in application were also evident from the ACCC’s DPI Inquiry.

The terms ‘identified’, ‘reasonably identifiable’ and ‘de-identified’ currently in the Australian Privacy Act conceive of identification on a spectrum. The spectrum begins at information unrelated to an individual, then moves through various degrees of unidentified information before reaching reasonable identifiability in the middle.

On the other side of the spectrum are the degrees of de-identification until an individual can no longer be distinguished and the information can no longer be linked with other information.

It was suggested that the qualifier ‘reasonably’ be dropped from the definition on the basis that it may weaken its scope, or because it lacks international equivalents.

Overseas case law indicates courts have implied reasonableness into the assessment of identifiability under international privacy laws.

Recital 26 of the GDPR indicates that in determining whether an individual is identifiable, ‘account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly’. Stakeholders highlighted that given the nature of the assessment requiring consideration of the availability of other information, if the reasonableness qualifier were removed, Australian courts may nonetheless imply reasonableness when gauging identifiability.

The diagram below, originally published in the Privacy Act Review Report 2022, is a visual representation of the identifiability spectrum. It re-iterates the two limbs that are required to meet the definition of personal information – that it must relate to the individual, and the individual must be identified or reasonably identifiable.

A

Unrelated
(no risk)

Not related to an individual

Information that does not relate to an individual, or which is only peripherally concerned with an individual.

Example:

A street map of Suburb B

B

Not identified
(negligible risk)

Information which relates to an individual

Information that is related to an individual, but where the individual is not distinguished from all others.

Example:

A man in his fifties lives in Suburb B

C

Identifiable with independent effort
(low risk)

Information which relates to an individual

Information that could hypothetically distinguish an individual from all others if a motivated individual with the right means were able to exert considerable effort to access linkable information in the right context.

Example:

A Mr Smith lives in Suburb B

D

Possibility / risks identifying
(high risk)

Information which relates to an individual

Information that could reasonably distinguish an individual from all others when linked together with other information, but which is not currently linked.

Example:

A Mr Smith, born in 1967, lives in Suburb B

E

Reasonably identifiable
(personal information)

Information which relates to an individual

Information in a context where it is linked with other information and this information together reasonably distinguishes an individual from all others.

Example:

  • Records held together detailing that:
    • A Mr Smith, born in 1967, lives in Suburb B.
    • A Mr Smith lives in house no. 1 on a street called “Long Street”.
    • There is a long street in Suburb B.

F

Identified
(personal information)

Information that distinguishes an individual from all others.

Example:

Rental records for house no. 1 on Long Street, Suburb B, noting that Mr John Smith (DOB 1 January 1967) is a resident at that address

G

Very limited de-identification
(high risk)

Information that is stored or manipulated in such a way as to no longer reasonably distinguish an individual from all others, but this treatment is easily reversible.

Example:

  • Separate records showing that:
    • Redacted rental records for house no. 1 on Long Street, Suburb B, noting that ‘identifier #123’ is resident at that address.
    • ‘identifier #123’ is identified as Mr John Smith (DOB 1 January 1967).

H

Limited de-identification
(low risk)

Information that is stored or manipulated in such a way as to no longer reasonably distinguish an individual from all others, but this treatment is reversible with difficulty or only by introducing new linkable information.

Example:

Redacted rental records for house no. 1 on Long Street, Suburb B, noting that ‘identifier #123’ is resident at that address

All separate records containing information about ‘identifier #123’ have been deleted

I

Anonymised
(no risk)

Information that is aggregated or anonymised to a degree from which it would be practically impossible to reasonably distinguish or re-identify an individual from all others.

Example:

Statistics of residents of Suburb B noting that 20% of residents are in their fifties.

  • Information located along E and F is currently classified as personal information in the Privacy Act.
  • Information along D and G has a high risk of being personal information, and at the higher end may fall into the definition depending on how it is handled. The OAIC generally recommends erring on the side of caution if there is uncertainty about whether the information is captured, such that D and G should also be treated as personal information.
  • Information located along G, H and I is currently ‘de-identified’ information in the Privacy Act.
  • Information located along B and C is information which relates to an individual, but where the individual is not identified and reasonably identifiable.
  • Information along A and I would currently fall outside the Act because it would not meet either limb of the definition of personal information.

Examples in the above diagram are examples of how an individual can become more or less identifiable as the context in which information is held changes.

These examples are not intended as guidance on what will always be or never be personal information.
