Privacy Law and Policy Reporter
New Zealand’s Privacy Act 1993 defines ‘personal information’ as ‘information about an identifiable individual’. Although on the face of it the concept seems straightforward, it raises two interesting issues. One is whether information that is generated or produced by an individual, but does not directly deal with himself or herself, constitutes information ‘about’ that individual. In other words, does information ‘of’ the data subject constitute information ‘about’ the ,data subject? The other is whether information that is not about a natural person can amount to information about a particular individual. In particular, can information about a company, which by definition has its own independent corporate personality, constitute information about an individual? The suggested answer to both these questions is an affirmative one, which is in keeping with a purposive interpretation of the legislation.
The issue of whether or not non-autobiographical or non-self-referring information generated by an individual is ‘about’ that individual was first raised in the New Zealand freedom of information context by Michael Taggart. He commented as follows on the Chief Ombudsman’s view that examination scripts were personal information about the students who produced them.
While the grade given is certainly information about the candidate (as would be the examiner’s comments, ,if any were made and not otherwise exempt) and hence accessible as personal information without charge to the student, I have my doubts that the ,script itself can properly be said to be information ‘held about’ the student-requestor. It is the product of the candidate’s intellect and endeavour but is not information about that person unless one takes the extreme view that one’s actions always tell others something about one’s self. The synonyms for ‘about’ — concerning, touching, with respect to, in connection with, as regards to, in reference or regard to — support the view that the information must be about the person and not of the person.
The same approach has been taken in relation to a similar legislative setting by Mark Berthold and Raymond Wacks in their commentary to the Hong Kong Personal Data (Privacy) Ordinance 1995. They remarked that:
... opinion data [do not] ‘relate’ to an individual because they record or reflect his opinions. A research paper or book does not constitute personal data about the author unless it has autobiographical content. Similarly, A’s evaluation of B does not sufficiently relate to A to constitute personal data about him. ,It does, however, relate to B.
This position seems counter-intuitive. One can easily imagine situations where it would not hold true. An examination script could be said to comprise personal information about the examinee in that it is information about how the individual was able to deal with the examination, what the individual’s particular strengths and weaknesses were in relation to it, as well as the individual’s views and state of knowledge at the time of the examination. Similarly, A’s research paper or opinion about B also arguably contains ‘autobiographical’ content, ,in as much as they disclose what A’s state of knowledge or opinion about something or someone was at the ,time they were produced.
To resolve this issue, it is useful ,to draw a distinction between ‘information’ and ‘data’. The term ‘information’ is defined in neither ,the Act nor the official information legislation from which the concept of ‘personal information’ in the Act was taken, though it has received some elucidation in case law. In particular, McMullin J in the New Zealand ,Court of Appeal held that the word ‘information’ simply denotes ‘that which informs, instructs, tells or makes aware’. This definition is a sound ,one, capturing the essence of how ‘information’ is conventionally conceived, though it is really the preposition ‘about’ in the definition of ‘personal information’ that infuses the word ‘information’ with a precise nuance in its statutory context.
There is a vast academic literature ,on the concept of ‘information’ and information theory. In this literature, ,a distinction is often drawn between ‘information’ and ‘data’. While in some contexts ‘information’ and ‘data’ are used interchangeably, ‘information’ may be contrasted to mere ‘data’ in that information is always ‘about’ something or someone, while data are the raw material or building blocks that comprise information. Information can therefore be conceived of as data that have been ‘processed’ in some way, and the essence of information is that it conveys meaning or, as one author has termed it, ‘aboutness’. Information can be viewed as data placed in context and made meaningful or useful in some way.
This relationship between ‘information’ and ‘data’ is used in a regulatory context, for example, in ,the OECD Recommendation of the Council concerning Guidelines for the Security of Information Systems. ,This instrument distinguishes between ‘data’, defined as ‘a representation of facts, concepts or instructions in a formalised manner suitable for communication, interpretation or processing by human beings or by automatic means’, and ‘information’, which it defines as ‘the meaning assigned to data by means of conventions applied to that data’.
This distinction is a useful one for analysing what ‘personal information’ is for the purposes of the Act. Taking as a starting point the idea that ‘personal information’ is something that conveys meaning ‘about’ someone, a distinction could be drawn between mere ‘data’, which alone have no meaning ‘about’ anyone or anyone in particular, and ‘information about’ someone.
Meaning can be imposed on data through a variety of means, such as analysis, the combination of data, placing data in context, or some other use or operation. For example, the word ‘blue’ or the number ‘4798600’ are meaningless data in themselves, but when taken in conjunction with the data ‘Mr X’s eye colour’ or ‘Mr X’s phone number’, they become information ‘about’ someone. Even the absence of data could conceivably constitute information ‘about’ someone. If a government agency holds a file labeled ‘Mr X’, but the file is empty, this is arguably information ‘about’ Mr X as well. A file has been opened; someone had some reason to open such a file (even if it might be the result of a mistake), but on a particular date the file lacked content. The point here is that whether or not information is ‘about’ someone can depend on the context. This means that whether or ,not a specific item of data is ‘about’ someone cannot always be predicted ,in advance. As indicated by the Act definition, data become ‘personal information’ only when they constitute ‘information about an identifiable individual’.
Applying the distinction drawn above to non-autobiographical or non-self-referring information generated by an individual, one could argue that such matters concern ‘data’, as opposed to ‘information’, which must be ‘processed’ to yield ‘information’ about the individual whose work or opinions these are. In other words, it is the context in which information appears or is used that is all important for conferring upon them the status of ‘information’. Thus, one might say that the examination answer or research paper or opinion ,is not by itself ‘information’ about ,the individual concerned, but it is ‘information’ if it is used in a process that tells us something about the individual. Thus, an examination answer on its own is not ‘personal information’; in conjunction with the mark given to it, or some other assessment of its author, however, it becomes ‘personal information’ about the individual concerned. Even the mere linking of the examination with the author’s name arguably converts the data into information about the author. Thus, an essay on zebras tells us nothing about the author; but an essay on zebras by Ms Z tells us that Ms Z wrote an essay on zebras: this is information ‘about’ ,Ms Z. Likewise, an individual’s opinion of another is, on its own, not information about the author. In the context of the author’s personal file or use of the opinion as an example of the author’s judgment, however, it becomes ‘information about’ the author. Even ,the mere fact that the author had the opinion, however, is information about the author.
Therefore, on the basis of this distinction between ‘data’ and ‘information’, one could not say beforehand whether or not such information was ‘personal information’ about the author without having regard to the context in which it appears or is sought. This is in accord with a purposive approach to the Act, which is supposed to deal with information that in particular may have some importance or relevance for the person to whom the information relates. If, for example, an individual’s opinions about others have been collected and placed in a file for the purposes of carrying out a performance assessment, then that is certainly ‘personal information’ about the opinion holder (as well as the person about whom the opinion is held). The individual concerned might then wish to gain access to it, to ensure compliance with the information privacy principles in the Act, or to monitor and possibly enforce other ,legal rights, such as in relation to employment. For example, the individual may wish to verify that his personal file contains a fair and representative sample of his opinions; that they actually are his opinions; that they are being held for the purpose for which they were collected, and so on.
The difference between ‘data’ and ‘information’, therefore, is a useful one for distinguishing what is ‘information about’ an individual, and what is not. However, this conceptual tool has its limits in relation to the Act because it would seem that in virtually all cases ‘data’ may be directly ‘processed’ by a recipient into ‘personal information’ for the purposes of the Act without any intermediate step.
Moreover, even if the individual concerned is only identifiable by a small number of people, or indeed only one other person, that is sufficient to constitute information ‘about’ an individual for the purposes of the ,Act. Thus, the Complaints Review Tribunal has held that an individual is ‘identifiable’ in terms of the definition of ‘personal information’ ,so long as the data has ‘the capacity ,to identify [the individual] to some members of the public’, that is sufficient for making it ‘personal information’ for the purposes of the Act. The fact that people who receive certain data can process it directly into ‘personal information’ on the basis of their prior knowledge illustrates how ‘data’ can be converted directly into ‘information about an identifiable individual’. The processing that is necessary to give meaning to data, thereby converting it into information, can therefore only be carried out by some recipients. However, as far as the Act is concerned, it is sufficient if only one recipient is able to convert the data concerned into ‘information about’ an individual.
This means that potentially any opinion or work of an identifiable individual can, through the act of hearing or viewing it, be converted to ‘information about’ that individual, because the reader or viewer is able ,to mentally ‘process’ such data into information. While the answer to an examination on its own, for example, may not be ‘information about’ the examinee, anyone who reads the answer (including the examinee) will be able to glean some information ‘about’ its author. Thus, in terms ,of the Act, one’s opinions or works will normally amount to ‘personal information’ about that person, because humans are able to draw meaning from such data.
Information can be ‘about’ an individual where, on the face of it, ,it seems to be about someone or something else, but it carries with it some meaning ‘about’ a particular individual. This sort of information might be termed ‘metaphoric’ information, in that it signifies something other than that which appears on the surface. For example, to say ‘There is an old dog who lives down the street and goes into everyone’s rubbish after dark’ might literally refer to a dog, and therefore not be ‘personal information’. However, it could also metaphorically refer to an identifiable individual in a particular neighbourhood with unusual nocturnal habits, and therefore in that context constitute ‘personal information’.
The concept of ‘metaphoric’ information can be applied to explain why identification numbers and identifiers, other than proper names, associated with particular individuals are ‘personal information’ about those individuals. This is because the description denotes other ways in which the individual might be identified.
Information about companies is ,not, generally speaking, personal information because it is not information about a natural person. ,But the concept of ‘metaphoric’ information might be applied to such information if it is about the individual who owns or runs a particular company. While the doctrine of corporate personality dictates that ,the company has a separate ‘legal personality’, this is, after all, a legal fiction to enable the individual or individuals behind the company to enjoy limited liability. Fictions should not necessarily substitute for reality for all purposes. In cases where a sole trader really ‘is’ the company, information ‘about’ the company easily can and should be taken to constitute information ‘about’ an identifiable individual. Indeed, in one older case investigated by the Ombudsman, it ,was hypothetically suggested that ‘information about the business of ,a sole trader would be information about the trader’.
Whether information about a one-person company could also constitute personal information for the purposes of the Act is an issue that was dealt with by the Complaints Review Tribunal in C v ASB Bank Ltd. ,The approach adopted in this case, however, was that information about a corporate person would not constitute ‘personal information’. The threshold issue was whether the defendant bank’s unauthorised disclosure of the bank statements of the plaintiff’s company to the plaintiff’s former ,wife concerned a disclosure of the plaintiff’s ‘personal information’ in terms of the Act. The plaintiff was the sole director and owner of all but one of the shares of the company. The Tribunal held that the bank statements were not personal information about the plaintiff.
The plaintiff argued that his use of the company bank account for personal as well as business transactions was relevant in determining whether the information was personal. While the Tribunal accepted that the plaintiff operated his company bank account as if it was a personal bank account, and that the company bank statements disclosed to his former wife recorded transactions for domestic or personal purposes, the Tribunal did not accept that ‘the way in which a company was operated affected its status as a legal entity separate from the individuals owning or operating it’.
The plaintiff also argued that the purpose for which his former wife obtained the information was relevant in determining whether the information in issue was personal information. His former wife wanted information about the plaintiff rather than the company. The Tribunal, however, stated that ,‘the assessment of what is personal information is a factual exercise’. ,It went on to hold:
The reasons for requesting information should not be confused with the substance of that which is requested. Accordingly we do not accept that the purpose for which the statements were requested can affect the status of the information thereby disclosed by transforming what would otherwise ,be regarded as information about a company to information about an identifiable individual.
The plaintiff also argued that the information from the company bank statements, when combined with other information which the former wife held about the plaintiff, became personal information about the plaintiff which was subsequently used to the plaintiff’s detriment. The Tribunal held:
In our view the bank statements which were disclosed contain information ,about the financial transactions of the company. As such they stand alone. We do not accept that the conclusions that may be drawn about an identifiable individual by the combination of different categories of information can affect the status of the information from which those conclusions are drawn, for the purposes of the the Act. To do so would render the issue of what is personal information a completely subjective exercise and the definition ,in the Act, meaningless.
The Tribunal concluded that the company bank statements did not constitute personal information about the plaintiff in terms of the Act. This conclusion ignored the fact that corporate personality is simply a legal fiction and that information about ,the company in this context was also information about the individual who ran it. Moreover, the Tribunal’s approach in this case to ‘identifiability’ was inconsistent with its approach in other cases, where the basis for the identifiability of an individual is not limited to the information itself, but can be by way of combination with other information known about the particular individual.
This article has sought to show that the concept of ‘personal information’ ,as information ‘about’ an identifiable individual is not as straightforward as first meets the eye. However, if one takes a purposive approach, the ambit of the definition should be interpreted as widely as possible, for it is the role ,of both privacy and freedom of information law to enable data subjects to gain access to information held about them by others and check for accuracy and appropriate use by the agency concerned.
Paul Roth, Associate Professor, ,Faculty of Law, University of Otago.
 Section 2. Section 6 of the Australian Privacy Act 1988 (Cth) similarly defines the expression as ‘information or an opinion ... about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion’.
 The definition of ‘personal information’ in New Zealand freedom of information legislation (the Official Information Act 1982, hereafter OIA, and the Local Government Official Information and Meetings Act 1987, hereafter LGOIMA) is for present purposes identical to that in the Privacy Act: ‘any official information held ,about an identifiable person.’
 ‘Freedom of Information and the University’  OtaLawRw 7; (1988) 6 Otago Law Review 638 at 657. The relevant Ombudsman’s case note was Case ,No 216 (1985) 6 CCNO 82, 86 (G R Laking). In relation to examinations, the Ombudsman has treated candidates’ answers, the marks, the markers’ identity, and markers’ comments as personal information about the candidate concerned. See also Case ,Nos 929, 934, 969 (1989) 9 CCNO 143 (J Robertson).
 Section 2 of the Hong Kong Personal Data (Privacy) Ordinance in part defines ‘personal data’ as any data ‘relating directly or indirectly to a living individual’. The term ‘data’ in the ,Hong Kong Ordinance corresponds to ‘information’ in the New Zealand Act, and the expression ‘relating ... to’ corresponds to the word ‘about’ in ,the New Zealand legislation.
 Berthold M and Wacks R Data Privacy Law in Hong Kong: Professional Guide FT Law & Tax ,Asia Pacific Hong Kong 1997 p 158.
 See Gudsell v Pet Pac Foods Ltd (unreported, Decision No 3/2001, ,26 March 2001) where the Complaints Review Tribunal (somewhat surprisingly) questioned whether ,A’s opinion about B was personal information about B at all. The Tribunal was of the view that the information ‘tells us more about’ A.
 The closest thing approaching a definition in the official information legislation is that ‘official information’ is something that is ‘held’ by a Department, Minister, or organisation(s 2 of the OIA and the LGOIMA).
 Commissioner of Police v Ombudsman  1 NZLR 385 at 402.
 See, for example, Dretske F I Knowledge and the Flow of Information 1981; Hamming R W Coding and Information Theory (2nd ed) Prentice-Hall London 1986; Scarrot G G ‘The Nature of Information’ (1989) 32 Computer Journal 262; Shannon C E and ,Weaver W The Mathematical ,Theory of Communication University ,of Illinois Press Urbana 1949; ,Stamper G R K ‘Information: Mystical Fluid or a Subject for Scientific Enquiry’ (1985) 28 Computer Journal 195.
 See, for example, Losee R M ‘A Discipline Independent Definition of Information’ (1997) 48 Journal of the American Society for Information Science 254 at 258: ‘Information is always informative about something, being a component of the output or result of the process. This “aboutness” or representation is the result of a process or function producing the representation of the input, which might, in turn, be the output of another function and represent its input, and so forth.’
 26 November 1992.
 Such means may generally be labelled ‘processing’, particularly in technical contexts. The definition of ‘processing’ in the European Union Personal Data Directive, art 2(b), sets out the wide scope of what can be included under the concept ‘any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure ,by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction’.
 Note that the definition of ‘document’ in the Privacy Act 1993, ,s 2(c), includes ‘[a]ny label, marking, or other writing that identifies or describes any thing of which it forms part, or to which it is attached by any means’.
 Renamed the Human Rights Review Tribunal by the Human Rights Amendment Act 2001.
 Proceedings Commissioner v Commissioner of Police  NZAR 277 at 285.
 This raises the interesting but largely academic question of whether ,an individual’s name is ‘personal information’ about the individual concerned, since the notion ‘identifiable individual’ is that to which any ‘personal information’ must relate, suggesting that an individual’s identity is conceptually distinct from information about that individual. The Canadian Privacy Act 1985 appears to acknowledge that there is an issue, as ,it defines ‘personal information’ as ‘information about an identifiable individual’, and for the avoidance of doubt this includes ‘the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual’ (s 3(i)).
 Case No 210 (1985) 6 CCNO 115 T 118 (G R Laking).
  NZCRT 21; (1997) 4 HRNZ 306.
 Abov note 18 at 310.
 Above note 18 at 310.
 Above note 18 at 311.
 In data protection legislation generally, the individual to which information relates need not be identifiable from the information itself alone; it is sufficient that identification can be made on the basis of an extrinsic link leading to the individual’s identification. Such a link might be supplied by the holder’s or recipient’s knowledge from other sources, or by other means, such as context, identification numbers, and the like. Thus, for example, in Proceedings Commissioner v Commissioner of Police  NZAR 277 the Complaints Review Tribunal held that so long as information ‘had the capacity to identify [the individual] to some members of the public’, it was personal information for the purposes of the Privacy Act. This approach is consistent with such international standards as those set out in the OECD Guidelines (art 1(b)) and the European Union Personal Data Directive (art 2(a)), which define ‘personal data’ as information concerning ‘an identified or identifiable’ individual. The use of the term ‘identifiable’ can be contrasted to the term ‘identified’: the former can involve the use of linked data, whereas the latter entails identification through the information itself.