Key concepts in Information Privacy Principles (IPPs)

Information Privacy & Data Surveillance

Topic 4

Nigel Waters & Graham GreenleafLast updated September 2008

2

Some key concepts These concepts affect all aspects of information privacy laws Concepts used in Cth, NSW, other Aust jurisdictions, NZ and

HK are very similar But always read the statutory fine print as there are many

significant differences ‘Interference with privacy’ and equivalents ‘Personal information’ / ‘personal data’ 'Records' / 'documents’ ‘Publicly available’ data ‘Data user’, and equivalents Consent

3

‘Interference with privacy’ What is the core provision of data protection

legislation? Hong Kong

S4 PD(P)O: “A data user shall not do an act, or engage in a practice, that contravenes a data protection principle unless the act or practice, as the case may be, is required or permitted under this Ordinance.”

The HK provision is very clear Other jurisidictions

Acts have more obscure references to ‘interferences with privacy’ when they only mean ‘breaching an IPP’…

4

‘Interference with privacy’ Cth Privacy Act 1988

s13 and s13A define all ‘interferences with privacy’ (see s13F) - as breaches of IPPs, NPPs, Pt IIIA, credit Codes, TFN rules, etc etc

ss13B-E provide for some exceptions s36 - Commissioner can only investigate

complaints of ‘interferences with privacy’ No s52 remedies if no ‘interference with privacy’

Some sections use different terminology s16 - Agencies shall not ‘breach’ IPPs s16A - Organisations must not ‘breach’ NPPs or codes s98 (Injunctions) refers to ‘contraventions of this Act’

5

‘Interference with privacy’ equivalents

NSW PPIPA 1998 s21 Agencies must not contravene IPPs s21 ‘Contravention’ is ‘conduct to which Pt 5

applies’ (internal review) (s21(2)) can lead to s55 ADT review and enforceable remedies

S45 complaints to the Privacy Commissioner can be for any ‘violation of, or interference with, the privacy of an individual’ (all undefined)

can not lead to any ADT review or enforceable remedies also provides the ‘non-IPP’ jurisdiction of Privacy NSW See NSWLRC CP3 – Issues 54-56

6

‘Personal information/data' See articles in Reading Guide Definitions: read the fine print

Australia Cth Act 'personal information' NSW PPIPA Act s4 ‘personal information’

Ss(1) largely similar to Cth definition Ss(2) includes biological samples etc Ss(3) excludes many categories of information

New Zealand s2 ‘personal information’ Does not mention opinions

Hong Kong - s2 'personal data' and ‘data’

7

‘Personal information/data' (2) Significance - almost all IPPs require it

See Cth IPPs (all 11); NPPs (8/10); NSW DPPS (12/12)

HK - 6/6 DPPs require ‘personal data’ The first question is always ‘is personal

information / data involved here?’ Issues

(1) Identifiability (2) Intention to identify? (3) Information ‘about’ a person (4) ‘Personal’ or ‘private’ affairs only?

8

‘Personal information/data' (3)

Are visual images 'personal information'? NSWLRC CP3 Issue 18 ALRC Report 108 - overall interaction of

definitions of “personal information” and “record” should ensure that privacy law applies to photographs and visual images (6.141)

9

HK - ‘data’ and ‘personal data’ "data" means ‘any representation of information

(including an expression of opinion) in any document, and includes a personal identifier;’ (s2)

"personal data" means ‘any data - (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the

individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is

practicable;’ (s2)

All 3 requirements must be satisfied: (a) ‘relating to’; (b) identification practicable; (c) retrievabilityEach should have some separate function.

10

HK - ‘data’ and ‘personal data’ ‘Relating to’

Must it differ from the Q of identifiability? - seems ‘yes’, it is in a different numbered sub-part in HK - consider Durant Case

Identification practicable Practicable by whom? - the person in

possession of the data? Retrievability

Consider: Pulped paper Consider: Encrypted data where it is practically

impossible for anyone to decrypt

11

‘Personal information’(1) Identifiability

Problem - the doctor and the cleaner Patient files by number only; names only in locked card

index; files left in rubbish bin for cleaners; cleaners place files on rubbish tip

Problem - email and IP addresses Collection of IP addresses correlated with cookie data to

customise website - collection of personal information? Sale to firm specialising in data aggregation - disclosure

or collection of personal information? Use of harvested email addresses for direct marketing

12

Identifiability General issues about personal data:

Data must be considered in combination with other accessible data (‘indirect’)

Not necessarily from a document Context is important: In whose hands must the

data be identifiable? Is it only the person who may breach?

Is personal data time dependent? Perhaps only after some other data collected? Perhaps it stops being so if certain events occur?

13

Identifiability (2) - Australia

ALRC Report 108 R6-1 - change in definition of pi to '...

identified or reasonably identifiable' (no longer 'from the information..'). Consistent with international instruments (improvement)

R6-2 & 6-3 - Leaves difficult interpretation issues to Privacy Commissioner 'guidance' e.g. ...

14

Identifiability (3) - Australia

ALRC Report 108 views: If identification keys held by third party then

not 'reasonably identifiable' (6.58, 6.72) (dangerous)

Ability to contact alone (e.g. telephone no or IP address) NOT pi, unless linked to an individual (6.61) (weak – see CLPC Submission DP72-1)

15

'Constructive' identification

K v Health Service Provider [2008] PrivCmrA 11 Disclosure of treatment example to newspaper by health service

provider was of pi because reasonable likelihood of constructive identification

WL v La Trobe University ([2005] VCAT 2592) Applicant objected to collection of pi about him from his partner in response to

health survey. Respondent had deleted survey response on receipt of complaint so no pi held at time of complaint. Even while response was held, applicant was not 'reasonably ascertainable' even though theoretically possible from extraneous data, because of effort required.

See NSWLRC CP3 Issue 19

16

‘Personal information’ - (2) Intention to identify? Eastweek [2000] HKCA 137

Photo of ‘Japanese mushroom head’ published Majority required an ‘intention to identify’ Wong JA (dissent) stressed identifiability

Criticisms Was it personal data at the time it was published, though not

at the time it was collected? Is ‘intention to identify’ only a factor going toward

‘identification practicable’ Why would it have mattered if this was personal data? - only

DPPs 1(2) and 1(3) might be relevant, but possibly not Compare B&W (2nd, 7.34ff) - critical of Eastweek but do not

reject it

17

Eastweek - criticisms Ribeiro JA (majority)

Why is ‘identifiable’ not sufficient? - plain words of definition - satisfies example of attempt to retrieve by her name a year later

Inhibiting press? - why not just hold it is ‘fair’ in the news context? - consent is not required, notice may be

Support from other Ordinance provisions? - aren’t all 5 examples satisfied by ‘retrievable’?

Wong JA (dissent): Example implies ‘identifiable’ - but he does not answer

whether she was identifiable by Eastweek - if she was not, no personal data

Conclusion: Would have been better to find for Eastweek because (I) fair or (ii) not identifiable

18

(2) Intention to identify? Some issues arising from Eastweek:

Position of CCTV, web cams etc? Can information become personal?

Problem - CCTV with stored tapes Re person on tape which is never looked at Re person on tape retrieved by security guard Re person on tape given to private eye by security guard Re person on old tapes which are unguarded in Shroff’s

office, from where they are stolen In any of these cases should the person have a

remedy under the PD(P)O? Do they?

19

(3) Information ‘about’ a person All definitions refer to information ‘about’

a person, or (in HK or Europe) information ‘relating to’ a person

Issues: (a) Opinions and attitudes of the person (b) Indirect attribution via other entities (c) A person’s name (d) ‘Personal’ or ‘private’ affairs only?

20

(3) Information ‘about’ a person- (a) Opinions and attitudes of the person

(a) Opinions and attitudes of the person Opinions of others about the person clearly are

personal information - but does ‘opinion’ only cover this type of opinion?

E.g. an exam paper or a statement by a person Roth (2002) 9 PLPR 49 says they are ‘about’ the

person but only when linked to the person’s name contra Taggart - they are ‘of’ the person contra Berthold & Wacks 2nd Ed [7.15]

21

(3) Information ‘about’ a person - (b) Indirect attribution via other entities

Is information about a family company about the person(s) behind it?

Contra C v ASB Bank Ltd (1997) 4 HRNZ 306 P was sole Director and near-sole shareholder of Co Bank’s unauthorised disclosure of statements to ex-wife Complaints Review Tribunal held this was not disclosure of

‘personal information’ under the NZ Privacy Act ‘Metaphoric information’(Roth)

Roth (2002) 9 PLPR 49: this ignores that a company is only a legal fiction; in this context, info about a company was also info about the person who ran it.(ALRC Report 108 agrees – at 6.43)

Roth is not suggesting that companies have privacy rights See B&W [7.24] - Seems to advocate a flexible approach but

excluding information about companies and partnerships in most cases

22

(3) Information ‘about’ a person - (c) A person’s name

Canadian Act (PPIPEDA) says names are PI in any context which reveals info about the person

Siddha Yoga Foundation v Strang and DIEA (see Gunning) - considered names of officeholders were not ‘personal info’ for FOI purposes [Is this applicable to privacy cases?]

23

(3) Information ‘about’ a person -(d) ‘Personal’ or only ‘private’ affairs? Durant v Financial Services Authority

[2003] EWCA Civ 1746 (Auld, Mummery & Buxton JJ)

restrictive approach by highest Court to yet consider question

Could D access (s7) files of Barclays and FSA that referred to him and the complaint he made?

No exclusion in UK Act for documents used in litigation

CA starts from purpose of s7: ‘to enable him to check whether … processing … infringes his privacy’; ‘It is not an automatic key to any information … in which he may be named …’

24

(3)(d) ‘Personal’ or only ‘private’ affairs?

Durant v Financial Services Authority (cont) ‘Mere mention’ does not amount to personal data; it

‘depends on where it falls in a continuum of relevance or proximity to the data subject…’; 2 factors:

(I) ‘whether the information is biographical in’… ‘going beyond’ events which have ‘no personal connotations’ or his privacy is not compromised.

(ii) ‘the information should have the putative data subject as its focus rather than some other person’

‘In short it is information that affects his privacy whether in his personal or family life, business or professional capacity.’ - allows ‘business or professional privacy’

Considers exceptions for opinions and intentions would be ‘otiose’ if broader view taken [Would they?]

Note the number of references to ‘personal’ and ‘privacy’

25

(3)(d) Personal’ or only ‘private’ affairs?

Lindsay’s criticisms [2004] PLPR 13 of Durant: Role of definition of ‘personal data’ is to distinguish

anonymous information, not to differentiate between kinds of information based on the extent they affect privacy

Will create great uncertainly Ignores rights-based approach of Data Protection Directive -

access is essential to autonomy and dignity Other interests are protected by exceptions to the IPPs, not

by artificial limits on ‘personal information’

26

(3)(d) Personal’ or only ‘private’ affairs?

Should Durant be followed in Australia? For: ‘about’ is similar to ‘related to’; UK CA Against: Previous criticisms of reasoning apply On Durant facts, NPP 6 (Aust) exception already protects

existing or anticipated litigation, or negotiations, against access requests (Lindsay)

ALRC Report 108 No change to 'about an individual' – always contextual

(6.51) Business information can be 'about and individual' (6.43)

27

(3)(d) Personal’ or only ‘private’ affairs? (2)

Should Durant be followed in HK? ‘related to’ is used in HK In Eastweek Ribiero JA refers to ‘important’ personal data

(once) - is this significant? Do PD(P)O exceptions from access apply? - see s58(1)and

(3) - is this the correct way to deal with the issue? Long title: ‘to protect the privacy of individuals in relation to

personal data’ - does this dictate any particular approach?

28

'Records' / 'documents’ Hong Kong

s2 definition 'data' is only 'any representation of information, in any document'.

'document' includes disks, film etc from which visual images

or other data are 'capable ...of being reproduced’ The HK position is the most common - the Act only

covers information if it has at some point entered some recording system (see exceptions later)

Note: Once information has entered a record, it may still be disclosed verbally or by observation

29

'Records' / 'documents’ (2) - Australia

Australia Significance in Commonwealth Privacy Act Cth IPPs all require information in ‘records’ or a ‘generally

available publication’ NPPs don’t, but s16B has same effect One of the dividing lines between information privacy

and surveillance laws Examples of significance

Interview with no notes taken CCTV with no film Listening device with no recording

30

'Records' / 'documents’ (3) - Australia

ALRC Report 108 R6-6 – definition of record should include: a document as defined in Acts Interpretation

Act 1901 (Cth), and 'information stored in electronic or other

format' (i.e. not just in body or mind) responding to CLPC Submission DP72-3

31

'Records' / 'documents’ (4) Other jurisdictions requiring records / documents

Victoria S3 definition ‘personal information’ - ‘means information … that

is recorded in any form …’ Northern Territory

S4 definition ‘personal information’ means ‘government information from which …’

S4 definition ‘government information’ means ‘a record held …’ Hong Kong

s2 definition 'data' is only 'any representation of information, in any document'.

'document' includes disks, film etc from which visual images or other data are 'capable ...of being reproduced’

32

'Records' / 'documents’ (5) New Zealand - may have no such requirement

Obiter in Comm. Police v Ombudsman [1985] 1 NZLR New South Wales - until 2005 like NZ - background:

S4 defn ‘personal information’ means ‘information or an opinion (….whether or not recorded in a material form) …’ - cannot imply a record from the definition

NSW IPPs all refer to ‘personal information’ simply No equivalent to Cth IPPs requiring ‘in a record’ , or Cth s16B

re NPPs All NSW IPPs therefore apply to all personal information

whether or not it is ever recorded But NSW IPPs all require that agency must ‘collect’ or ‘hold’

personal information …

33

'Records' / 'documents’ (6) FM v Macquarie University [2003] NSWADT 78

Hennessy Dep P (upheld by Appeals Panel, overturned by NSW CA) S18 breach by Macq’s disclosure to UNSW of information in 2

telephone conversations Information was observations of FM and opinions about him The information was never recorded by Macq

Held - Was ‘personal information’ even though FM’s behaviour was observed by others

Held - Info was ‘held’ in the mind of Macq staff s4(4) defines ‘held’ as ‘possession or control’ ‘Possess’ must include ‘in the mind’ for non-material information Did not decide if no ‘control’ because others knew it

Order - Macq staff must not disclose any information in their minds about students, unless s18 exemption applies

34

'Records' / 'documents’ (7) Macquarie University v FM [2003] NSWADTAP 43

See Case Summary Macquarie University v FM Appeal panel held there was nothing in s4(1) requiring

information to be recorded in a material form; nor did the inclusions in s4(2) or exclusions in s4(3) imply this

Implications How can all of the IPPs be sensibly applied to information

which may only be held in a person’s mind? - consider all IPPs

What alternatives are there to this interpretation?

35

'Records' / 'documents’ (8) Vice-Chancellor Macquarie University v FM [2005] NSWCA 192

Spigelman CJ, Tobias JA & Brownie AJA Asks: How could most of ss12-19 apply to information held

only in the mind of an employee? [28]-[29] Asserts: ‘Overwhelmingly probable’ that ‘holds personal

information’ is used in the same sense in all sections [28], [30] Can ‘personal information’ be non-material? - see [33] Can non-material forms of information be ‘held’? - see [34]

Questions When will this decision cause injustice? Was it just here? Could the Appeal Panel’s decision have been workable? interpretation seems at odds with the intention of Parliament in

expressly including 'whether or not recorded in a material form' in the definition of 'personal information (PPIPA s4)

36

Publicly available data Most Acts have some special rules for personal

information normally published - government ‘public registers’ or ‘trade gazettes’

Approaches vary between (I) general exemptions or (ii) exempt from some IPPs or (iii) special rules for ‘public registers’

Hong Kong is unusual no special rules for publicly available data

37

Privacy Act 1988 (Cth) See notes by Greenleaf, 2005 (handout) Defn ‘record’ (s6) exempts ‘generally available

publication’ IPPs do not apply except IPPs 1-3 (collection) s16C produces same result for NPPs Defn ‘generally available publication’ (s6) ‘means

a magazine, book, newspaper or other publication (however published) that is or will be generally available to members of the public."

Publicly available data (2)

38

Generally available publication

ALRC Report 108 R6-7 - Publication is 'generally available'

whether or not a fee is charged R11-1 Privacy Commissioner guidance on

g.a.p in electronic format – no change to exclusion from definition of p.i. for 'generally available publication'

R11-2 Government should ensure public register restrictions are clear

39

Publicly available data (3)

NSW PPIPA Defn ‘personal information’ (s4) excludes

information ‘contained in a publicly available publication’

Defn ‘publicly available publication’ (s3) only says regs can exclude publications from it - so all is exempted unless excluded

Part 6 adds limited rules for Public Registers

40

Publicly available publication (1) EG v Commissioner of Police [2003] NSWADT 150

Letter from Police Comm to Solicitor’s Admission Board said EG ‘is a Police Officer currently under suspension’.

ADT held this was not ‘personal information’ because it was ‘included in a publicly available publication’ - an article in the Daily Telegraph (letter did not refer to the article)

Submission by Privacy Commissioner that an official letter was a completely different context was rejected - plain words of section did not allow a narrower reading

Implication is that once information enters a PAP, any other form of that information cannot be ‘personal information’

Is this a good decision?

41

Publicly available publication (2)

PC v University of New South Wales [2007] NSWADT 286 Tribunal said that “publications” are “legible records which are made

available for others to read” (at 15) Tribunal dismissed respondent's preliminary application that a law

report is a 'publicly available publication' and therefore exempt – not sufficiently accessible

WL v Randwick City Council NSWADTAP 58 Tribunal inclined to view that p.a.p. Means “...material in a published

form consistent with general, unfettered availability such as a brochure, pamphlet or report” (at 27)

NW v NSW Fire Brigades [2005] NSWADT 73 Repackaging information taken from a publicly available publication

may lose the benefit of the exemption

42

‘Data user’ and equivalents

Hong Kong Definition of ‘data user’ (s2(3)) See exclusion of agents but not in relation

to collection (s2(12)) Call centres still responsible for DPP 1

See B&W [7.55]ff

43

Consent Hong Kong - ‘Prescribed consent’ (s2(3)):

(a) ‘means the express consent of the person given voluntarily’ - therefore requires a positive act - prescribed consent cannot therefore be a consent implied from an option to opt-out.

(b) Can be ‘withdrawn by notice in writing served on the person to whom the consent has been given’

If only ‘consent’ is required, not ‘prescribed consent’ it will have its normal meaning and may be implied

Australian provisions See notes concerning consent by Bygrave & Greenleaf,

2005 (handout) In the federal Act, ‘consent’ includes both express and

implied consent

44

Consent (2)

ALRC Report 108 avoids major issues – R19-1 recommends

leaving them to Privacy Commissioner guidance. Fails to deal adequately with:

How 'free' e.g. revocable? Implied consent (inc. failure to opt-out?) Consent vs acknowledgement 'Bundled' consent

See CLPC Submissions DP72-5 to 72-10