The other IPPs - Access, correction, openness, security and destruction

Privacy and Surveillance. Graham Greenleaf, January 2006. Transcript of a PowerPoint presentation (49 slides).

Page 1: The other IPPs - Access, correction, openness, security and destruction

Privacy and Surveillance
Graham Greenleaf
January 2006

Page 2: The other IPPs

- Access rights
- Correction rights
- Remedies and access & correction rights
- ‘Openness’ - information generally available
- Security
- Destruction

Page 3: Access rights under Privacy Acts: Australian access rights

- Generally: access under the IPPs is limited by FOIA exemptions. Exemptions do not forbid access, they just deny a right to it.
- Cth IPP 6 access right: subject to Cth FOIA 1982 Pt IV exemptions.
- NSW s14 access right: subject to NSW FOIA 1989 Sch 1 exemptions (s20(5)).
- Private sector NPP 6 access right: exemptions in NPP 6.1(a)-(k) & 6.2, similar but not identical to the FOIA exemptions.
- Victoria NPP 6 access right: exemptions as above, then overridden by Vic FOIA (s12)!

Page 4: Hong Kong DPP6 - Access and correction

- The detailed Pt V regime prevails if inconsistent with DPP 6 (s4). HK does not have a FOIA.
- HK exceptions to access (Pt VIII):
  - Many exceptions apply (see Berthold summary).
  - Exemptions relate to data, not to specific data users.
  - The broad s58(1) exemption requires that access either (i) prejudices the interests listed, or (ii) directly or indirectly discloses the source [broader than s20]. Why should (ii) always be a bar to access?

Page 5: Practical aspects of access: Access fees

- Provided they are not abused, fees are a significant restraint on frivolous and burdensome requests.
- Cth IPPs: governed by FOIA.
- NSW s14: ‘without excessive delay or expense’.
- Private sector NPP 6.4: ‘must not be excessive’ and ‘must not apply to lodging a request’.
- HK: may charge, but not excessively (s28); if two forms of access are possible, the lower fee must be charged; can charge merely for enquiring whether a file is held (s18); cannot charge for correction of a file.

Page 6: Practical aspects of access: Tenants Union v TICA #1 [2004] PrivCmrACD 1

- $11 by mail for enquiry/copy: both held to breach NPP 6; cannot charge for an enquiry. PC recommended an $8.80 charge for copies (marginal cost of provision), a credit card facility (TICA had only accepted cash or bank cheques before), and provision within 10 days [PC refuses to direct, but does indicate what will satisfy].
- $5.45/minute by phone ($327/hour) not a breach of NPP 6; mail enquiries were ‘reasonable steps’ to provide access [but $327/hr would not be reasonable steps to ensure NPP 3 data quality].
- TICA’s failure to provide access via property managers not a breach.

Page 7: Practical aspects of access: Who decides access request complaints?

- Australia: the Cth Privacy Commissioner refused to investigate public sector access/correction complaints, forcing complainants to go to the AAT. Legitimate? See s41(1)(f), ‘a more appropriate remedy’. But FOIA does not allow for compensation etc.
- Cth PC must investigate private sector complaints: no FOI option.
- NSW PC? Agency internal review, or the Privacy Commissioner can investigate.
- HK: PC can use s39(2)(d) to divert access complaints, but there is no FOI to divert them to. HKPCO must decide access complaints in both sectors.

Page 8: HK access examples: PCO complaint examples

- [1998] HKPrivCmr 11: $230 per slide for 250 clinical slides was excessive; on recalculation reduced to $7.20. Actual cost + 20% administration fee was OK.
- Employer could not refuse an employee a copy of the investigation report on which his summary dismissal was based: the only grounds for refusal are s20 or Pt VIII.

Appeals to AAB against PCO:
- [1999] HKPrivCmrAAB 1: Hospital had attempted but failed to locate minutes to which C wanted access: no breach, even though the minutes did exist (7/00).
- [2001] HKPrivCmr 5: AAB held the University was not required to provide the complainant with a ‘consolidated document list’ so she could choose what documents to access.

Page 9: HK access examples: AAB Case 24/2001 [2001] HKPrivCmr 5

- C complained that the University had not provided all documents it held about her.
- PC issued an enforcement notice requiring the University to (i) do a ‘thorough search’ and (ii) provide C with a ‘consolidated documents list’.
- AAB held both requirements invalid under s18(1): (i) a ‘thorough search’ is a higher burden than ‘due diligence’; (ii) it is for the requester to identify the documents to which access is requested.
- Suggest: s18 does not require the requester to identify documents; the requester may instead request ‘all documents held’.
- In the earlier AAB Case 1/01, AAB held s18(1)(a) only requires the data user to confirm that data is held, not to list it.

Page 10: Intermediary access: The problem

- Data exempted from access is usually the most prejudicial and important data about a person.
- Refusal of access prevents the person putting a counter-case, and stopping abuse of other rights (eg disclosure).
- Correction is often tied to the right of access (see later), which compounds the problem of lack of direct access.
- Access exemptions are more absolute than they need to be, because it is impossible to define the line.
- Access to part of the information via a third party trusted by both sides could reduce this - but is this possible?

Page 11: Intermediary access (2): Australian law

- NPP 6.3 is a defective attempt: an organisation must only ‘consider’ ‘mutually agreed intermediaries’.
- No other explicit provisions. Do Privacy Commissioners have powers to act as intermediaries?
  - The complainant will first have to credibly allege a breach of an IPP.
  - What can the Commissioner then disclose? Can the Commissioner then use own-motion powers?

Page 12: Intermediary access (3): Hong Kong law

- No general provision for intermediary access. Pointless to make the PCO a ‘relevant person’ in s2.
- The Privacy Commissioner can access exempt records if there are reasonable grounds to suspect a breach of the PDPO / DPPs (s38).
  - Possible complaint: suspected inaccurate records, as a lack of data quality (DPP2).
  - Some reasonable grounds are needed.

Page 13: Access exemptions: 3rd party privacy: When does 3rd party privacy exempt disclosure? Hong Kong

- s20(1)(b) requires data users to refuse access requests for data which contain [any] personal data about a third party unless (i) the third party data can be edited out (ss(2)(b)), or (ii) the third party has consented to disclosure (ss(1)(b)).
- But there is no ‘reverse FOI’ obligation on the data user to ask the third party.
- Mere identification of the source of the data is no bar to access unless the source is explicitly named (ss(2)(a)).
- Extremely restrictive compared with the Australian exemptions, which require ‘unreasonable disclosure’ re third parties, not just any identification.
- A PD(P)O provision needing reform? Most cases from other jurisdictions are irrelevant.

Page 14: Access exemptions: 3rd party privacy: Australian provisions

- Cth IPPs: FOIA s41, ‘unreasonable disclosure of personal information about any person’ (same definition as in the Privacy Act since 1991).
  - Waters: the conflicting FOI objective of openness leads to a narrow reading of the privacy exceptions.
- Private sector NPP 6.1(c): ‘an unreasonable impact upon the privacy of other individuals’.
  - No FOI objective of openness to balance -> could result in more protection of third party privacy than under FOIA.
  - ‘Privacy’ is narrower than ‘personal information’ -> but is it the same so long as ‘unreasonable’ relates to privacy?

Page 15: Access exemptions: 3rd party privacy (2)

- NSW IPPs: NSW FOIA Sch 1 cl 6, ‘the unreasonable disclosure of information concerning the personal affairs of any person (whether living or deceased)’.
- ‘Personal affairs’ is narrower than ‘personal information’.
  - Perrin’s Case (1993) NSW CA: the names of police carrying out their duties were not ‘personal affairs’. Followed in Robinson [2002] NSWADT 222 and Woods [2002] NSWADT 253.
  - The effect is also to limit correction rights under the NSW FOIA.
- See Timmins, ‘Decisions on the ‘personal affairs’ exemption in NSW FOI’ (2003) 10(3) PLPR 43.

Page 16: Access exemptions: 3rd party privacy (3): Victoria

- Even worse: the 1999 amendment to the FOIA gave an absolute exemption to all ‘personal information’: privacy destroys FOI.
- Solutions? Waters [2002] PLPR 24:
  - Considers ‘personal information’ a worse starting point than ‘personal affairs’ [I disagree].
  - Recommends (i) that all individual access be dealt with separately under privacy legislation; (ii) a statutory statement that the identities/actions of public servants are not exempted from access, following WA FOIA 1992 Sch 1 cl 3(3) & Reg 9.

Page 17: Access exemptions: 3rd party privacy: Is the motive of the applicant relevant to what is ‘unreasonable’?

- See the Timmins article. NSW cases are inconsistent:
  - Saleam v Dept Community Services [2002] NSWADT 41: O’Connor J rejects any relevance.
  - Contra Saleam v NSW Police Service [2002] NSWADT 40: Robinson JM found the ‘mosaic effect’ of disclosures justified refusal of access.
- Cth AAT cases inconsistent.
- Vic VCAT cases consider motive and purpose.

Page 18: Access exemptions: 3rd party privacy: ‘Reverse FOI’ provisions

- Cth FOIA s27; NSW FOIA s31: if an agency is going to grant access to documents containing third party personal information, it must give the third party an opportunity to object on grounds of unreasonableness.
- No equivalent in the NPPs: third parties have no opportunity to object.
- No HK equivalent: another aspect of HK’s very restrictive access regime.

Page 19: Forced access by 3rd parties

- Can third parties force use of access rights? Eg employers, insurers etc require the data subject to obtain a copy of their own record.
- Would this constitute unfair collection by the party forcing access? The better view is ‘yes’ (see B&W 1st ed pp 170-1). This argument will apply in both HK and Australia.
  - Only a breach once the third party is provided with the data?
- Do the IPPs need amendment to prevent this? Not certain until the ‘unfair collection’ approach is tested.

Page 20: Correction rights: Issues

- Do correction rights depend on access rights?
- What does correction require?
- Remedies for access & correction breaches

Sources: see Waters and Greenleaf, ‘IPPs examined: the correction principle’ (2005) 11 PLPR 137 (Materials #5).

Page 21: Meaning of correction

- For HK DPP6, "correction" ‘means rectification, erasure or completion’ (s2).

Page 22: Correction rights: Do they depend on access?

- Cth FOIA s48: correction only of documents ‘to which access has been lawfully provided to the person’, so no correction of exempt documents.
- Cth IPP 7.1: the obligation to correct refers only to ‘a record’, but IPP 7.2 says this ‘is subject to any applicable limitation in a law… that provides a right to require the correction or amendment of documents’. Does this mean FOIA s48 limits it? Probably ‘yes’.
- Private sector NPP 6.5: correction only requires that the organisation ‘holds personal information’, BUT only if ‘the individual is able to establish that the information is not accurate, complete and up-to-date’: the onus of proving error is on the individual [but see NPP 3 Data Quality].

Page 23: Correction rights: Do they depend on access? (2)

- NSW s15 correction right only requires that the agency ‘holds personal information’.
- But s20(5) imposes the FOIA ‘conditions or limitations (however expressed)’, and NSW FOIA s39 only allows correction by ‘a person to whom access to an agency’s document has been given’, so exempt documents cannot be corrected in NSW either.
- Is refusal of correction of exempt documents unfair? What does refusal of access imply?

Page 24: Correction rights: Do they depend on access? (3): Hong Kong

- DPP 6 does not: 6(e) is independent of 6(b).
- BUT s22 makes correction depend on official access: 'where... (a) a copy of personal data has been supplied by a data user in compliance with a data access request; and (b) the ... data subject considers that the data are inaccurate, then that individual or relevant person, as the case may be, may ... request... correction to the data'.
- Can’t argue that DPP6 gives a broader right:
  - the s58(1) exemption is from DPP6 as a whole;
  - the DPPs are generally subject to the rest of the PDPO (s4).

Page 25: Correction rights: Do they depend on access? (4): Hong Kong: Can the DS obtain correction without access?

- If the DS has ‘unofficial’ knowledge of the data content:
  - DS can complain to the PCO of a DPP2(1) breach (inaccurate data). The PCO can then access the records, (i) find a DPP2 breach if inaccurate, (ii) require non-use or erasure, and (iii) require notice to third party recipients (but cannot disclose to the DS).
  - Also, the DS can sue under s66 for damages for a DPP2 breach: if the data are prima facie inaccurate, the DU must then establish defences. Can the DS obtain discovery despite s58(1)?
- If the DS has no knowledge of the data content: how to frame a complaint to the PCO? How to establish a prima facie DPP2 breach for s66?

Page 26: Correction rights: Intermediaries and correction

- Cth PA 1988 s35 gives (defective) intermediary addition rights via the Privacy Commissioner:
  - depends on exhausting AAT appeals first!
  - PC can only recommend correction of an exempt record, but can require an addition to it;
  - does not cover access or correction, merely the equivalent of FOIA s51 / IPP 7.3 annotations.
- Alternative approaches: what if the individual complains to the PC under IPP 8 (data quality) about prior or subsequent use of the incorrect record? Or seeks a s98 injunction?

Page 27: Correction rights: Notification to 3rd party recipients of corrections

- NSW s15 requires this, at the request of the applicant, where ‘reasonably practicable’. Only applies where the individual is aware that a correction has been made.
- Draft Australian Casinos Code requires this.
- Neither the Cth IPPs nor the NPPs explicitly require this.
  - Would refusal to do so on request be a failure to mitigate damage?
  - Would failure to do so where the individual is not aware be a failure to mitigate damage?
  - Would failure to do so = lack of reasonable steps to maintain data quality (NPP 3)?

Page 28: Correction rights: Notification to 3rd party recipients: Hong Kong

- DPP 2(1)(c) requires notification by the data user to third parties to whom data has been disclosed, where it is ‘practicable’ for the data user to know that the data are ‘materially inaccurate’ for the purpose for which they are to be used by the third party.
- Information necessary to ‘rectify’ the inaccuracies must also be provided.
- Breach of this provision could lead to s66 liability.
- ‘Inaccurate’ is not defined, but "correction" ‘means rectification, erasure or completion’ (s2), and ‘inaccurate’ may have a similarly broad meaning.

Page 29: Limits on the correction right

- PCOs (and tribunals) are generally unwilling to adjudicate issues of ‘inaccuracy’ of records where another adjudicative body is more appropriate, or the ‘inaccuracy’ is largely a question of opinion.
- They then use their powers to refuse investigation.
- Should they only do so if there is some reasonable alternative access to another adjudicator?
- Are rights of annotation of disputed records a sufficient alternative? Eg HK s25(2)-(3).

Page 30: Limits on the correction right: examples

- [2001] HKPrivCmrAAB 4: the complainant alleged that a press report about him largely consisted of lies; the PCO ‘considered it to be a question on the manner of reporting and, as such, was not meant to be regulated by the PDPO’; the ‘AAB ruled that fabrication or lies told about a person did not amount to his "personal data"’.
  - Demonstrates the lengths the PCO and AAB will go to in order to avoid applying the PDPO to the media.
  - Could not possibly be held similarly if a credit bureau was involved.
- [2000] HKPrivCmrAAB 2: AAB held that comments or opinions in a letter of dismissal were inherently contentious, and the proper forum to resolve the dispute was legal proceedings in the Labour Tribunal rather than a data correction request.

Page 31: Remedies for access & correction breaches: Hong Kong

- s66 can apply where damage to a person results from:
  - a refusal to correct a record (DPP6);
  - failure to notify inaccuracies to a third party (DPP2);
  - failure to comply with ‘data quality’ (DPP2).
- Note the s66(3) defences in relation to incorrect data received from a third party.

Page 32: Remedies for access & correction breaches: Australia

- FOIAs do not provide for compensation.
- Refusal to allow access or make corrections is a breach; if injury has resulted, compensation may follow.
- The Cth IPP 7 accuracy obligation on agencies is independent of correction requests or use [not so for the NPPs or NSW].
- The Federal Privacy Commissioner can refuse to investigate (s41(1)) or defer (s41(3)), but should not do so if damages could be relevant.
- Data quality principles may be needed to supplement correction claims, but they require use (Cth IPPs 7, 8, NPP 3).

Page 33: ‘Openness’ principle: Information generally available

- The ‘openness’ / ‘FOI’ principle is valuable to the media, community organisations etc, but is little used by anyone.
- Cth IPP 5.1 requires reasonable steps to allow anyone to ascertain (subject to FOI etc exemptions: IPP 5.2) whether an agency possesses/controls ‘any records that contain personal information’ and ‘the nature of that information’.
  - Requires answers, not documents.
  - Does not refer to records about the applicant.
- Cth IPP 5.3 requires a record to be kept (and made available to the public: IPP 5.4) detailing the nature and purpose of classes of records; classes of data subjects, recipients and conditions of access.
  - Annual copy to the Commissioner for the Personal Information Digest: no one ever reads it.

Page 34: ‘Openness’ principle: Private sector NPP 5 and NSW PPIPA s13 & s40

- NPP 5.1 requires a document containing ‘clearly expressed policies on its management of personal info’, available on request [relevant to collection].
- NPP 5.2 requires reasonable steps to answer requests on matters equivalent to Cth IPP 5.3; but only ‘generally’, not in relation to the individual applicant.
- NSW PPIPA s13 requires agencies to take reasonable steps to allow a person to ascertain matters equivalent to Cth IPP 5.1. But s13(b) refers to info ‘relating to that person’: this would provide the ‘list of documents’ refused in HK; differs from the NPPs and Cth IPPs.
- NSW s40: discretion for the Privacy Commissioner to require returns from selected agencies (s40(3)) [contra Cth: not all], and to compile and publish a Digest based on that information (s40(1),(2)). Not done as yet.

Page 35: ‘Openness’ principle: Hong Kong

- DPP 5: right of any person to ascertain a data user's policies and practices, the kind of personal data held by a data user, and the main purposes for which data are used.
- PDPO Pt IV, Data User Returns: the PCO can require specified classes of users to submit returns (s14); the PCO must then provide a public access database (s15) and other access to the returns.
- Pt IV has not yet been used; similar to NSW s40.

Page 36: ‘Openness’ principle: Hong Kong examples

- HongKong Post pinhole camera report: also a breach of DPP 5 in not having a PICS to inform employees of correction practices.
- Public body breached DPP 5 by not having a written data protection policy (AAB 5/01).

Page 37: Security principle: Provisions and sources

- Provisions: Cth IPP 4; private sector NPP 4.1; NSW s12(b)-(d); HK DPP 4.
- Sources:
  - Waters & Greenleaf, ‘IPPs examined: The security principle’ (2004) 11(4) PLPR 96 (Materials). Includes many examples of complaints.
  - Aust. Cth PC Info Sheet 6 Security (2001): sets out a long list of Australian and international standards that may apply.

Page 38: Security principle: Scope

- All require security from misuse and loss and from unauthorised access, modification or disclosure, so internal and external threats, and mere negligence, are covered.
- All only require ‘reasonable steps’ or ‘practicable steps’.

Page 39: Security principle: Hong Kong DPP 4

- DPP 4 requires ‘all practicable steps … to ensure …’ that personal data are ‘protected against unauthorized or accidental access, processing, erasure or other use’.
- Includes (as if personal data) data to which access is not practicable.
- Lists 5 factors to which data users must have ‘particular regard’; reflects standard criteria: (a) kind of data and possible harm (‘harm test’); (b) physical location (and security appropriate to it); (c) technical security measures; (d) personnel integrity etc measures; (e) communications security measures.

Page 40: Security principle: Possible examples of breaches

- If hackers access data, the data user may be liable for inadequate security. Supplements computer crime laws: sue the company, not the hacker.
- Mailouts of sensitive data in error.
- Accidental destruction of data valuable to a person.
- Security which destroys other privacy interests will not be ‘practicable’.
- Lax practices with cleaners etc. Personal files are regularly found at kindergartens and tips.
- Unencrypted data on mobiles: 63,000 mobile phones, 6,000 pocket PCs and 5,000 PCs left in London cabs in 6 months (UK taxi survey 2005, 21(2) CLSR 95-97).

Page 41: Security principle: Australian examples

See these and more examples in the Waters & Greenleaf article.
- Agency client provided a password to be used to identify him; the agency failed to ask for it (L v Commonwealth Agency [2003] PrivCmrA 10).
- ATO web site disclosing ABN details.
- FH v NSW Dept Corrective Services [2003] NSWADT 72; summary [2003] NSWPrivCmr 1: equivocal on whether there is a breach of the security principle where it would cost millions for the Dept to change its system to log accesses (see Waters & Greenleaf article).
- E v Financial Institution [2003] PrivCmrA 3: audit trail failed to record access to a customer account; settled.
- B v Victorian Government organisation [2003] VicPrivCom 2: $25,000 compensation settlement when the agency disclosed the complainant’s new address to the complainant’s ex-spouse ‘across the counter’ despite a known risk.

Page 42: Security principle: Hong Kong examples

Complaints to the PCO held to breach DPP4 (security):
- Faxing details of a donation to an estate office (AR 5/05).
- Insurer sending insurance policies for 3 people to the address of one of them.
- Unsealed letters of demand sent to neighbours’ addresses.
- Law firm’s messenger allowed a duplicate cover sheet of divorce process to be read by others at a workplace while waiting to serve process: [1998] HKPrivCmr 8.
- Law firm left a trial bundle in the gap between a litigant’s metal gate and door: [2003] HKPrivCmr 8.

Not a breach of DPP4:
- Newspaper publication of the complainant’s address, endangering him: DPP3 (disclosure) was the only DPP relevant (AAB appeal 4/00).

See other examples in the McLeish and Greenleaf chapter.

Page 43: Security principle: more Hong Kong examples, including ID cards

- Security managers in apartment blocks required to destroy data on visitors after a reasonable period: [1998] HKPrivCmr 4.
- Mobile phone company made the first 6 digits of the ID card number the default password for call data, billing etc information; a debt collector accessed the data and harassed the complainant and friends. Held a breach of DPP 4: [2003] HKPrivCmr 3.
- Disclosure of ex-employee ID numbers in faxes to customers.
- Bank and department store jointly responsible for a printing error disclosing ID numbers in a mailout.

Page 44: Retention / deletion principles: Sources and provisions

- Sources: Waters & Greenleaf, ‘IPPs examined: The retention principle’ (2004) 11(4) PLPR 96; Aust. Cth PC Info Sheet 6 Security (2001).
- Provisions:
  - HK DPP 2(2) and s26.
  - Cth IPPs: none.
  - Private sector NPP 4.2: ‘reasonable steps to destroy or permanently de-identify … if it is no longer needed for any purpose’ allowed under NPP 2. The test of ‘permanent de-identification’ is whether it is no longer ‘personal information’.
  - NSW s12(a): similar to NPP 4.2.

Page 45: Retention / deletion principles: Australian examples

For Australian and other examples, see the Waters & Greenleaf article, including:
- Tenants Union v TICA (No 3) [2004] PrivCmrACD 3: failure to delete or remove old tenancy information was a breach of NPP 4.2. PC ‘recommended’ that TICA:
  - delete ‘history’ information in the Tenancy History Database after four years;
  - delete ‘application’ information in the Enquiries Database after three years; and
  - delete information moved to the ‘dead tenant database’ (ie the database which stores deleted listings) not less than once a month, in case of errors.

Page 46: Retention / deletion principles (NZ)

- The NZ Privacy Commissioner supports retention of information on dismissed employees for 5 years.

Page 47: Retention / deletion principles (HK): DPP 2(2)

- DPP 2(2): ‘Personal data shall not be kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data are or are to be used'.
- Keeping for the purpose of some exception is not allowed.
- Only says ‘personal data’ shall not be kept: what if the data are made inaccessible? What if de-identified? Is DPP 2(2) satisfied?

Page 48: Retention / deletion principles (HK): s26

- HK DPP 2(2) is supplemented by s26 (titled ‘Erasure of personal data no longer required’), which says ‘A data user shall erase personal data …’. Doubtful whether data can merely be made inaccessible or de-identified in the face of this explicit provision.
- s26 has 2 exceptions:
  - '(a) any such erasure is prohibited under any law’: archives laws etc will override DPP 2(2);
  - ‘(b) it is in the public interest (including historical interest) for the data not to be erased.’ The question of public interest is a question of law, not of good faith belief.
- s26(3) protects any joint controller against suits by the other controller because of erasure of data.

Page 49: Retention / deletion principles (HK): Examples of appeals to AAB against PCO

- [1999] HKPrivCmrAAB 3: telecoms company retained customer details for 180 days after suspension of service, in case of reconnection: no breach.
- Pursuant to DPP 2(2), the Consumer Credit Code requires data deletion 5 years after ‘final settlement’. Raised issues of how this applied to bankruptcies, but not necessary to decide (7/01).