Under the new landmark decision by the Australian Privacy Commissioner, metadata can now be considered personal, or privacy, data, which means it is protected. The Commissioner determined that information from which an individual may be reasonably ascertained would be considered personal information. According to the article, “this decision was based on the National Privacy Principles (‘NPP’) under the Privacy Act and not the Australian Privacy Principles (‘APP’) which came into force in 2014.” However, given the APP did not significantly change the definition of personal information, it is predicted that more types of data could be considered personal information, and the decision is expected to carry substantial weight in future cases considered under the new regime.”
The implication of the decision is that all companies must assess which of the metadata they hold falls under the Privacy Act. The issue is magnified as ‘any dataset which holds unit-record level data can potentially be linked to data from other sources, which can then lead to someone’s identity being ascertainable’. Penalties run from $340,000 for individuals to $1.7 million for corporations.
I’m quite sure the US government isn’t quite that sophisticated and is evaluating metadata as personal or privacy information, but it is interesting from a corporate point of view. The $1.7 million fine is not the issue; to some companies it’s just pocket change and to other companies a fortune.
How would an organization protect itself and ensure the metadata it holds can’t be used against it? Since 91% of organizations still use manual metadata tagging, what about errors in tagging and the potential repercussions? It opens up a whole bag of worms.