Use, disclosure, and related principles (data quality etc)

Use, disclosure, and related principles (data quality etc)

Privacy & Surveillance

Graham Greenleaf & Nigel Waters

Last updated October 2008

Use, Disclosure and Quality 2

Sources

ALRC Report 108, Chapter 25 Greenleaf, Waters & Bygrave (Dec 2007) Strengthening

uniform privacy principles: an analysis of the ALRC's proposed Principles Submission to the ALRC Review of Australian Privacy Laws Discussion Paper 72, particularly ‘8. Use and Disclosure (UPP 5)’ , ‘9. Direct Marketing (UPP 6)’ & ‘10. Data Quality (UPP 7)’

Also Greenleaf, Waters & Bygrave (Jan 2007) Implementing privacy principles: After 20 years, its time to enforce the Privacy Act, Submission to the ALRC Review of Privacy Laws Issues Paper (2006)

NSWLRC Consultation Paper 3, 2008, pp 117-124


Overview Finality - Use & disclosure limitation principles

Importance of ‘finality’ Meanings of use and disclosure Effect of purpose on subsequent recipients

General exceptions to finality principles Related purpose; consent; authorised by law

Other exceptions (numerous)


Overview (2)

Related matters Public registers - Application of IPPs Data export limitation principles Data matching controls

Related principles Data integrity/quality principles 'Objection to processing' principles


‘Finality’ - Use & disclosure limitation principles ‘Finality’ - the EU term for limiting subsequent use and

disclosure to the original purpose of collection The single most important concept in information privacy Applies irrespective of how data collected, or who from

Generally - Data can only be used / disclosed in 5 ways: (I) For the purpose for which it was collected (ii) For a related purpose (iii) With consent of the data subject (iv) As authorised by law (v) Other subject-specific exceptions

Some common public interest exceptions (eg safety of others; law enforcement)

Many very specific exemptions (often jurisdiction-specific)


Meanings of ‘use’ and ‘disclose’ IPPs limit both disclosure and use - but wordings differ

Cth PA: IPPs and NPPs refer separately to ‘use’ and disclose;; definition of ‘use’ says it does not include ‘mere disclosure’, but does include inclusion in a publication

HK DPP 3 refers only to ‘use’ but s2 definition of ‘use’ says use ‘includes disclosure or transfer of the data’

Disclosure Can be verbal or by allowing inspection - All Australian and HK IPPs refer to

disclosure of ‘personal information’data, not disclosure of records Can ambiguity be ‘disclosure’? - see BG v DOCS ([2008] NSWADT71) -

Case Summary [2008] AUPrivCS 2: Tribunal held that a letter disclosing that a criminal record check might be a reason for rejection of carer status did not disclose the fact that BG had a criminal record (was so).

HK defn ‘disclosing’ specifically ‘includes disclosing information inferred from the data’ (s2) - implied elsewhere


Meanings of ‘use’ and ‘disclose’ (2) Is there ‘disclosure’ if the information is already known?

see debate between Greenleaf and Gunning Example: if answer is ‘no’, any organisations could confirm the truth of

any information put to it by another organisation without disclosure (and ‘no comment’ is not a disclosure either).

Reasons for ‘yes’ answer Different sources have different authority (But careful - NSW ADT case

regarded news report as ‘publicly available publication’) Unfair to require P to prove what another party did not know Courts may reduces damages if discloser shows information already

known by recipient (less harm to P) HK use of ‘transfer’ as well as ‘disclose’ - may confirm that it does

include information already known


Meanings of ‘use’ and ‘disclose’ (3) Use - Can mere inspection be ‘use’ by data user?

‘No’ answer for previous UK Act - R v Brown [1996] 1 AC 543; police officer viewed record in police database of interest to debt collector with whom he associated; HL held ‘using’ required that the information be subsequently deployed

Reasons for a ‘yes’ answer (better view) Abuse by ‘insiders’ is a major cause of privacy invasions; and it

is very difficult to prove subsequent use (as in Brown) Will encourage employers to adopt ‘need to know’ restrictions

on access - so breaches will also breach internal policies HK and Aust long titles of Acts indicates purpose of privacy

protection (contra UK Act at that time) - supports inspection being covered - see discussion in RG


Meanings of ‘use’ and ‘disclose’ (4) Onus of proof problems

Obligation on complainant to prove use or disclosure; civil standard of balance of probabilities

QE v Macquarie University [2008] NSWADT 144 - Example of Tribunal unwilling to conclude that disclosure by Macq employee occurred despite strong circumstantial evidence; but also unwilling to find Macq in breach of security principle for lack of logging of mere accesses to files which did not involve amendments

Unauthorised access can be ‘computer crime’ Also relevant: ‘computer crime’ offences can cover mere

unauthorised access - in some jurisdictions, can cover access by authorised personnel for unauthorised purposes


Finality - Effect on subsequent (3rd

party) recipients ‘Finality’ usually refers to subsequent uses/ disclosures by the

collector Issues: (I) Are 3rd P recipients tied to the same purpose as the

proper purposes of the discloser (the original collector)? (ii) Does this depend on whether the 3rd P is aware of the original purpose of collection?

It is rare for IPPs to explicitly address this Cth public sector IPP 11(3) - Recipient from agency can only use

the information for purpose for which it is disclosed to them Re NPPs, Note to s13B(1) (re related corporations) implies ‘yes’

answer


Finality - Effect on subsequent (3rd party) recipients (2)

Other sets of IPPs (eg HK) do not address this Best answer is that collection must be by ‘fair’ means - fairness is

an objective test in relation to data subject This covers both legitimate disclosures (wider purposes of

collection unfair), and illegitimate disclosures (any collection unfair); Where 3rd P is unaware of original reasons for collection, a strong

approach still protects the data subject; weak approach allows recipients new purposes (may be approach of HK PCO)

Necessary answer to support the policy of the legislation Once unlawfulness of discloser is known, collector’s use may also

be a breach of confidence - additional ground for objection to either unlawful collection or unfair collection


Finality - Effect on subsequent (3rd party) recipients (2)

Examples Use of personal data obtained from a public register -

[2003] HKPrivCmr 8 - purpose of bulk disclosure of public register data by agency precluded commercial use of data; attempt by purchaser to use with search engine breached DPP 3.

What implications for Tenants’ Union v TICA No 4 ?


Allowed uses: Principal purpose of collection

IPPs require a purpose of collection NPP 1.3 refers to ‘purposes’: PC’s Guidelines still say there is

only one primary purpose Notice of purpose under IPPs is evidence of purpose

Notice broader than function/ activity - invalid notice, use still limited by (objective) function/activity

Notice narrower than all functions allow - users can limit by notice those of their purposes for which they collect - cannot use for any wider (though legitimate) function/ activity

Is Tenants Uniion v TICA #4 (2004) consistent with this? Data subjects may expressly limit the purpose of collection

Purpose need not be as wide as all allowable purposes HK [2003] HKPrivCmr 8 : ‘Use of personal data obtained from

public registry’ (Materials #5)


Lack of notice - effect on purposes If no notice is given, purpose is inferred

Purposes may be implied by relationship between parties Reasonable expectations of data subject are relevant when

data is collected from data subject (B&W 127) Where collected from 3rd parties, their reasonable

expectations are relevant Where data is collected by observation/from documents, no

expectations, so function/activity becomes crucial (B&W 127)

Common complaint: Disclosure was within purpose of collection, but notice was not given as required

HK PCO Eg Disclosure of skating competitors OK as a purpose of collection, but no DPP 1(3) notice given - breach of DPP1 (collection) , not DPP3 (disclosure)


Allowed uses (I): Secondary purpose exceptions Uses allowed for secondary purposes related to primary

purpose - but tests differ (in wording): HK DPP 3, Cth and NSW public sector IPPs - must be ‘directly

related’ NPP 2 for private sector and Vic/NT public sectors

(I) must only be ‘related’ (or ‘directly related’ if it is sensitive information - difference must be meaningful); AND

(II) ‘the individual would reasonably expect’ the secondary use ‘Reasonable expectations’ test

NPP test is of the expectations of the individual concerned Cth PC suggests test is expectations of a reasonable person with

no particular knowledge of the industry concerned Reasonable expectations of data subjects/3rd parties may also

affect the meaning of ‘directly related’ (B&W support)


Secondary purposes: ‘Reasonable expectations’ (2)

[2003] HKPrivCmr 5 : ‘Posting of complaint letter on notice board’ - ‘it was unlikely that he would have given consent’

HKPCO complaint 4/05: ISP used complainant’s credit card details from a terminated account to recoup charges on a different account - breach of DPP 3, ‘not within a consumer’s reasonable expectations’

HK AAB appeal 66/2003: C complained to property mgt co. R about neighbour; R disclosed her details to neighbour (who later used them in a civil action against her). PCO held disclosure was for a directly related purpose, to help resolve a dispute; also was for s58(1) purpose of remedying ‘seriously improper conduct’ (both upheld by AAB)


Secondary purposes: ‘Reasonable expectations’ (3)

HK AAB appeal 13/2004: disclosure of account information to

debt collector is for a directly related purpose HK PCO appeal 26/2004: employer disclosed to Dr that medical

examination was for purpose of confirming employee’s fitness to

attend disciplinary hearing; PCO held (and AAB upheld) that this was for a directly related purpose; and could also be justified under s58

Excessive disclosures must still be avoided: Prosecution witness' personal data [2004]

HKPrivCmr 5 - disclosure of whole statement to defendant was unjustified


Secondary purposes: ‘Reasonable expectations’ (3) Tenants’ Union v TICA No 4 [2004] PrivCmrACD 4

TICA collected from its members, not from tenants TU complained TICA breached NPP 2.1(a) in disclosing

info to members from Enquiries database because tenants would not ‘reasonably expect’ information about unsuccessful applications to be disclosed to real estate agents.

Dismissed by PC - ‘reasonable expectations’ is only relevant to secondary purposes, and use for default listings was TICA’s primary purpose of collection from its members.

PC had already found that tenancy application information was ‘necessary’ for TICA’s provision of a ‘risk management service’ - PC used an objective assessment of TICA’s primary purposes


Secondary purposes: ‘Reasonable expectations’ (4) Tenants’ Union v TICA No 4 - Questions:

(1) How do you determine what is a primary purpose? don’t you look at what TICA made consumers reasonably

aware of under NPP1.5? PC found that TICA breached NPP 1.5 - didn’t they imply

they only collected defaults? shouldn’t they be bound by that as their purpose? - it

would be nonsense to say you can have a primary purpose different from what you say it is, but secondary uses must be within ‘reasonable expectations’

(2) Can TICA use the information if its members are in breach of NPP 2 in supplying it?

PC questions [95] whether TICA members’ disclosures to TICA are for a secondary purpose and satisfy NPP 2

But he fails to consider the implications of this …


Secondary purposes: Mistaken disclosures can still be for correct purposes

[2003] HKPrivCmrAAB 1 - Bank mistakenly disclosed complainant’s access request to his employer - mistake of fact that employer held the information sought - PC held, and AAB upheld, that this was for the original purpose of collection or at least directly related to it

Seem that disclosure for an intended correct purpose is OK if it is based on a mistake of fact (not a mistake as to allowed purpose)

S41 directions expand NSW ‘directly related’ test S17 limit on secondary use is expanded by Privacy Comm’s s41

Direction allowing uses where an agency is ‘reasonably satisfied’ that use is in pursuance of an agency’s lawful functions.

Eg AK v Gosford City Council ([2007] NSWADT 289) - Case Summary [2007] AUPrivCS 16: Council sent advertising material for a chance to win prizes if rates were paid on time. Although not ‘directly related’ to Council functions according to Local Govt. Act, remitted back to Council for internal review on this exemption!


Allowed uses (II) Consent A lot of variation in requirements for disclosure:

HK DPP3 requires ‘prescribed consent’ (s2(3) defn) Australia usually ‘express consent or implied consent’ (Cth PA s6,

also Vic) (see GG & LB 2005, 1.8) - Contra NSW requires ‘express consent’ for disclosures (s26(2)), but

only consent for new uses (s17(a)). C.f. NZ requires ‘authorisation’

NZ Courts (L v J, L v L) have held this includes implied authorisations (see Roth article)

Consent must also be informed (meaning of ‘consent’) Data subject’s consent to change of use is needed even if data

was not collected from the data subject (B&W support). See ‘effect on subsequent recipients’


Consent exception (2) Re NSW s26(2) ‘express consent’ for disclosures

Macquarie v FM [2003] NSWADTAP 43 See also Greenleaf casenotes on original decision and appeal NSW s18 requires express consent (s26(2)) UNSW had express consent to obtain FM’s academic transcript

from other Unis Held: This ≠ express consent to Macquarie to disclose it to

UNSW; ‘must be the subject of administrative action by the agency disclosing …’

So not even enough if the UNSW form had expressly mentioned Macquarie - very strict


Consent (3) HK DPP3 requires ‘prescribed consent’ (s2(3) defn)

Inclusion of ‘voluntariness’ implies strictness beyond normal meaning of consent (PCO suggests)

Might imply there cannot be any adverse consequences for failure to consent, if consent is to be ‘prescribed consent’

Does not necessarily require writing Does not allow ‘opt out’ - In HK PCO complaint estate agent

attempted to require clients to opt out from being members of a club - ineffective

S2(3)(b) allows prescribed consent to be revoked, but only in writing


Consent exception (4) - Can consent be implied from failure to opt out? HK - ‘No’ - see ‘prescribed consent’ in DPP 3 Australia - sometimes ‘yes’

Supported by Explanatory Memo to 2001 amendments re NPP2.1(b)

Aust PC’s NPP (draft?) Guidelines - ‘Yes’, but considers it depends on specific circumstances - Sets out 8 factors supporting finding of consent: (I) clearly stated / understandable ; (ii) likely to be read; (iii) likely to understand implications; (iv) free and not bundled; (v) no cost / little effort; (vi) consequences harmless; (vii) subsequent restoration possible; (viii) multiple means of opt-out

Example (PC): Rarely applicable to opt-outs from marketing info because (I) not likely read; (ii) belief of adverse effects of replying

Canadian PC has recognised opt-out can be consent: see case #207


Consent (5)

When can consent be otherwise implied? Family members: can’t just be assumed HK ‘express consent given voluntarily’ (s2(3)) -

How different from implied consent allowed in Australia?

A broad interpretation of ‘directly related’ can have the same effect

PCO eg in RG - purpose of collection of client data by a social worker implicitly includes compliance with any legal obligation to the Courts - disclosure allowed


Consent (cont) ‘Bundled’ consent

Unresolved, but reference to notice of ‘purposes’ in NPP 1.3(c) gives some support

Argument against is that it bundled consents may not be consents given freely (except for principal purpose) because refusal to consent will disadvantage

ALRC 108 (2008) proposes only that PCO issues guidance See Greenleaf, Waters & Bygrave ‘3.2. Meaning of Consent’ in

submission to ALRC, 2007, particularly Submission DP72-10 that separate consent should be required for each proposed purpose of use


Prior awareness exception Prior awareness exception

Cth IPP 11(a) ‘individual …is reasonably likely to have been aware, or made aware under IPP2’ of disclosure practices

NSW s18(1)(b) – similar - nothing similar in NPPs or HK Example - Macquarie v FM [2003] NSWADTAP 43

No need to be directly related, with consent, or authorised by law; but argue that it must still be within purposes of agency

Does this allow post-collection notice/awareness of changes to disclosure practices? - inimical to finality

No evidence whether so abused since introduced in 1988 ALRC Report 108 (2008) – ALRC proposed UPP 5 does not

include any such exception


Allowed uses (III): ‘Authorised by law’ Cth Privacy Act (IPPs and NPPs) - uses/disclosures ‘authorised

by or under law’ PA did not retrospective invalidate any legislation permitting or

requiring disclosures Includes common law duties/rights to disclose see GG&LB 2.1.3 - EU A29 Committee incorrect - still requires a

positive authorisation or requirement to disclose NSW more restrictive (s25):

non-compliance may be ‘lawfully authorised or permitted’ or ‘necessarily implied or reasonably contemplated’ ‘under an Act or any other law’

HK does not have a general exception ‘where authorised under law’ - see specific exceptions (later)


‘Authorised by law’ exception (2) ACT Dept JACS [2004] PrivCmrACD 5

C, JACS employee, was whistleblower to ACT Omb.; JACS staff disclosed personal info about C’s internal grievances to Omb.

JACS claimed it did so to show Omb that complaint may be ‘frivolous or vexatious’

PC held no defence (I) that C would be ‘reas aware’ of such disclosures; or (ii) that it was ‘authorised by law’ - some disclosure was authorised, but only if it was relevant to the Omb. Investigation - this was not.

However, $0 compensation; apology ordered - who would be a whistleblower?


'Authorised by law' exception (3)

ALRC Report 108, Chapter 16 Considered case for limiting exception to 'specifically

authorised’, but decided against (Greenleaf, Waters & Bygrave submission recommended this)

Same wording 'required or authorised by or under law' recommended for several principles

Recommends defining 'law', including to cover common law duties of confidentiality, and exceptions to them (R16-1)

May make no difference to existing law here Recommends OPC guidance (R16-2)


Reminder: Limited role of exceptions

The limited role of exceptions They are usually not a requirement to disclose/use They are usually not authority to disclose/use if some other

law forbids this (eg BOC) They merely mean there is no breach of an IPP

This also applies to ‘authorised by law’ exceptions - ‘Authorised’ ≠ ‘required’ (trite but important) - not required to disclose just because an IPP exception exists - still their discretion to exercise

HK Pt VIII (Exemptions) s52 specifies that an exemption ‘neither confers any right nor imposes any requirement’


Other exceptions Will only consider some important ones:

Direct marketing exceptions Protection of safety of self and others Law enforcement purposes Disclosure between related corporations (NPPs) See also 'Exemptions' slides

Sources Cth PC Info Sheet 11 - Exemptions from NPPs GG&LB 2005


Direct marketing exception Many jurisdictions (including EU) have a Direct

Marketing (DM) exception allowing opt-out Hong Kong direct marketing ‘opt out’ exception (s34)

Notice of right to opt out must be given first time personal data is used for direct marketing.

Data user must comply with subject’s wish to opt out Need notice be given every time new data is held, or only if

it is actively used for direct marketing? See 4 examples in RG S34 applies even if the direct marketing is with consent

(PCO egs); this differs from Australia Promotion of government programs, and investment

newsletters, are both direct marketing (HK PCO egs)


Direct marketing exception (2) HKPCO complaint AR 7/05: publisher

outsourced direct mailings to a lettershop, who failed to recognise different versions of name of complainant who had previously opted out; held publisher was in breach of s34, required to find a better lettershop, and to for its staff to do quality checks on de-duplication processes used


Direct marketing exception (3) Australian NPP 2.1(c)

Only applies to use, not disclosure, for DM Better view - 2.1(c) is an alternative to (a) or (b)

Marketing use need not be within reasonable expectations Wishful thinking view - all direct marketing must comply with

2.1(c) (Many submissions to PC’s review support a change) NPP 2.1(c) can only be relied on to allow DM if

Impractical to obtain consent [under (b)] before this use PC (NPP GLs) says it is ‘normally not impractical’ with online

communications Individual has not previously opted out from marketing from this

organisation [will it cover central opt -out lists?] Each marketing communication must give an option to opt-out

from further communications (No equiv to HK annual notice)


Direct marketing exception (4)

ALRC Report 108 recommends stronger right to opt-out of Direct Marketing (DM) – UPP 6, but:

Organisations only – not extended to agencies Right to opt out etc would apply to all uses of PI for DM Direct marketing left undefined To existing customers, (i) DM must be within existing

expectations and (ii) offer a ‘simple and functional’ means of opting out.

To non-customers, DM allowed provided (I) consent obtained unless not practicable; (ii) explicit notice that opt-out possible; and (ii) disclosure of source of PI provided on request.


Direct marketing exception (cont) Alternatives to NPP 2.1(c) for direct marketers:

Rely on DM as express purpose of collection (implied consent) Rely on 2.1(a) ‘related purpose’ / reasonable expectations Obtain express consent to marketing, come within 2.1(b)

PC (NPP GLs) says express consent will be needed In all 3 cases, no need to give 2.1(c) opt-out notice BUT Where individuals do opt-out anyway, this would negate both

consent and reasonable expectations Current development

Government considering ‘Do Not Call’ register US one has US$15K fines if they do after opt-out (bounty better) How would this handle the 200M calls p/a outsourced O/S? Note also the requirements of the Spam Act 2003


2 Protection of safety/health All Australian Acts have variants of 'necessary to

prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person’

HK s59 exempts ‘personal data relating to the physical or mental health of the data subject’ where access (DPP 6) or restricting use (DPP 3) ‘would be likely to cause serious harm to the physical or mental health’ of the data subject or another person

FM v Macquarie University [2003] NSWADT 78 Macq staff were concerned that FM might injure someone at

UNSW No exemption because not ‘serious’ or ‘imminent’


3 Law enforcement exceptions Cth PA exempt purposes of disclosure

IPPs 10.1(e)/11.1(e) ‘reasonably necessary for the enforcement of the criminal law’ etc

NPPs 2.1(f)&(h) NSW Act has much broader set of exemptions, often blanket for

agencies All law enforcement exemptions (except NSW) require a ‘note’

to be kept of all disclosures The only example of logging of disclosures required by IPPs (NPP

2.2; Cth IPP 10.2) Is logging essential for adequate security? - see FH v NSW

Corrective Services ([2003] NSWADT 72) - Summary [2003] NSWPrivCmr 1

If there is no logging, rights of access (and notification of corrections are significantly crippled


Exceptions - law enforcement etc HK PDPO s58(2) - use/disclosure for 'prevention or

detection of crime', 'serious improper conduct' etc does not breach DPP 3

See earlier examples from 2004/05 AR D must show that adherence to DPP 3 would

prejudice one of these interests, and he had reasonable grounds for believing this

Lily Tse Case [1998] HKCFI 811 - Personal injuries action concerning Albert House collapse

1994 - Held DPP 3 did not apply so as impede third party discovery (of witness statements held by Police) in a civil action

A tort was 'serious improper conduct’ for s58(2). This has broad implications for PC(P)O.


4 Related corporations exception No HK direct equivalent Aust Cth s13B allows information to be disclosed by

corporation A to related corporation B primary purpose of collection of corporation A will normally

determine what secondary use corporation B can make (restricted by 'reasonable expectations' test) [see note to s13B(1)]

BUT not in relation to the direct marketing exception in NPP 2.1(c) (test does not apply)

B can send direct marketing to A's customers (with opt-out) irrespective of A’s purpose of collection


Other rules and Principles related to use and disclosure Related principles (covered in following

slides) Data integrity/quality principles - see following 'Objection to processing' principles Proposed ‘automated decision-making’ principle

Separate slides / Reading Guides Data export limitation /cross-border principles Public registers - Application of IPPs

Limited separate NSW principles Data matching controls


Data integrity/quality principles Quality principles - these variously require:

HK DPP 2(1) - ‘all practicable steps’ to ensure data are ‘accurate’ having regard to principal and directly related uses

Cth IPP 8 - reasonable steps to ensure ‘accurate, up-to-date and complete’ (AUC) before use (not disclosure, not at collection)

NPP 3 - reas steps to ensure AUC when collects, uses or discloses

Cth IPP 9 - may only use for relevant purposes NSW s11 (IPP 4) reas steps to ensure AUC when collecting

‘from an individual’ NSW s16 (IPP 9) reas steps before use to ensure relevant

and AUC


Data integrity/quality principles: Hong Kong

DPP 2(a) requires that 'All practicable steps … to ensure … personal data are accurate having regard to the purpose‘ (of use).

'use' includes disclosure, so DPP2 obliges data users to ensure data accurate for the purpose for which it is being disclosed to a 3rd party

DPP2(c) also imposes obligation to inform 3rd party of inaccuracy and provide corrected data

"Inaccurate" …. means … incorrect, misleading, incomplete or obsolete' (s2) - same as elsewhere

HKPCO avoids adjudicating on correction of data - see discussion under Access & Correction


Data integrity/quality principles: Hong Kong DPP2(b) requires that inaccurate data

(i) not be used or (ii) be erased. Discussed in next topic

s66 compensation claims possible subject to defences - DPP 2 is one of most likely sources


Data integrity/quality principles Significance of quality principles:

Correction of errors may not be enough - prior failure to take reas steps may be breach

Legitimate uses/disclosures may still lack quality control

Legitimate collection may still lack quality control Examples

L v Commonwealth Agency [2003] PrivCmrA 10 - failure to take any steps to check a mailing address was a breach


Data integrity/quality principles Tenants’ Union v TICA #2 [2004] PrivCmrACD 2 - PC found

breach of NPP 3 in relation to the ‘enquiries’ (ie not defaults) database

vital nature of housing impacts on what is reasonable TICA’s random checking to ensure accuracy

PCO carried out its own (since TICA did not keep records) and found many inaccuracies

Important elements in a system of quality control include (I) system of random checking; (ii) advising those who have received inaccurate records - TICA failed

TICA’s collection practices - for tenancy databases (given prejudicial effect) 3 pieces of identifying information is minimum necessary - TICA failed tho always had two.

Failure to advise tenants of listing impacts quality obligations Deleting notes that listings are disputed after 30 days 6 forms of breach identified in Determination


Data integrity/quality principles Tenants’ Union v TICA #3 [2004] PrivCmrACD 3 - PC found

breaches of NPP 3 in relation to its defaults database because it was retained for an excessive time and therefore ‘out of date’.

Criteria applied (para 53) set out steps required for reasonableness if potentially prejudicial information is to be held for a long period (over 3 years in this case)

ALRC proposals Greenleaf, Waters & Bygrave (Dec 2007) ‘10. Data Quality

(UPP 7)’


'Objection to processing' principles EU privacy Directive contains examples:

Art 14(a) right to object to data processing generally, Art 14(b) right to object to direct marketing Art 15(1) right to object to decisions based on fully

automated assessments of one's personal character Only Aust and HK examples is the right to opt-out of direct

marketing (Aust - NPP2.1(c))

ALRC Report 108 strengthens right to opt out of direct marketing – UPP 6

– see slide above

‘Automated decision-making’ proposed Principle ALRC 108 (2008) Rejects case for an

automated decision making rule In Greenleaf, Waters & Bygrave 2007 ‘15.6.

Automated decision-making principles’ we agree with the ALRC that a separate principle is unnecessary, but submit that it should be made an express requirement as part of UPP 7, with an appropriate ‘reasonable steps’ limitation.

Use, disclosure, and related principles (data quality etc)

Documents

Transcript of Use, disclosure, and related principles (data quality etc)