
Security and related IPPs (Retention and Disposal)




  1. Security and related IPPs (Retention and Disposal)
  Privacy and Surveillance
  Nigel Waters & Graham Greenleaf
  Last updated October 2008

  2. Security and related IPPs
  • Security
  • Retention
  • Destruction/Disposal
  LAWS 3037 Data Surveillance & Information Privacy Law

  3. Security principles
  • Sources
    • Waters, Greenleaf and Roth (2007) ‘Interpreting the Security Principle, v.6’, UNSW; includes many examples of complaints (Materials) (cited herein as Waters, Greenleaf and Roth, 2007)
    • Australian Privacy Commissioner, Information Sheet 6: Security (2001); sets out a long list of Australian and international standards that may apply
    • ALRC Report 108, Chapters 28, 51 & 58

  4. Security principles
  • Provisions
    • Cth IPP 4
    • Private sector NPP 4.1
    • NSW s12(b)-(d)
    • HK DPP 4
    • ALRC proposed UPP 8

  5. Security principles
  • Scope
    • All require security against misuse and loss, and against unauthorised access, modification or disclosure
    • so internal and external threats, and mere negligence, are all covered
    • All require only ‘reasonable steps’ or ‘practicable steps’

  6. Security – reasonable steps?
  • “When considering reasonableness in the security context, factors which may be relevant include:
    • the workability of the safeguards
    • the cost of the safeguards
    • the risks involved
    • the sensitivity of the information and
    • the other safeguards in place.”
  • Source: OECD Information Security Guidelines 1992, cited by the NZ Privacy Commissioner in [2003] NZPrivCmr 22 (Case Note 28351)

  7. Security – different aspects
  • physical security
  • computer and network security
  • communications security
  • personnel security
  • Source: OFPC Guidelines to the National Privacy Principles, September 2001, Guidelines to NPP 4

  8. Security principle – example
  • Hong Kong has an unusually detailed security principle
  • DPP 4 requires ‘All practicable steps … to ensure … protected against unauthorized or accidental access, processing, erasure or other use’
  • Includes (as if personal data) data to which access is not practicable
  • Lists 5 factors to which data users must have ‘particular regard’; these reflect the standard criteria:
    • (a) kind of data and possible harm (‘harm test’)
    • (b) physical location, and security appropriate to it
    • (c) technical security measures
    • (d) personnel integrity etc. measures
    • (e) communications security measures

  9. Security breach examples
  • Possible examples of breaches
    • If hackers access data, the data user may be liable for inadequate security; this supplements computer crime laws: sue the company, not the hacker
    • Mailouts in error of sensitive data
    • Accidental destruction of data valuable to a person
    • Security which destroys other privacy interests will not be ‘practicable’
    • Lax practices with cleaners etc.
    • Personal files are regularly found at kindergartens and tips
    • Unencrypted data on mobiles: 63,000 mobile phones, 6,000 pocket PCs and 5,000 PCs left in London cabs in 6 months (UK taxi survey 2005, 21(2) CLSR 95-97)

  10. Security – factors (1)
  • Internet information – requires cooperation to remedy
    • E v Statutory Entity [2003] VPrivCmr 5
    • Complainant AD & Others v The Department [2006] VPrivCmr 5
  • Not an absolute
    • Cannot guarantee 100% security
  • Other interests – may require a higher standard
  • Proportionality

  11. Security – factors (2)
  • Role of standards
    • Mixed benefit – may or may not be adequate
    • OECD Information Security Guidelines: 1992, revised 2002
  • Risk assessment

  12. Security – factors (3)
  • Security requirements in other legislation
    • In Australia, ASIC and APRA
    • APRA Superannuation Guidance Note 140.1, paragraph 19
  • Action by other regulators
    • e.g. UK FSA v Nationwide Building Society 2006 – fine of about £1 million for inadequate security leading to the loss of a laptop containing customer data

  13. Security – factors (4)
  • Inadvertent collection for security reasons
    • Common access facilities: W v Public Library [2005] VPrivCmr 5
  • Special protection for sensitive information
    • NZ & Canadian cases in Waters, Greenleaf & Roth, page 15
  • 'Need to know'
  • Access control – minimum standards
  • Logs and audit trails
    • E v Financial Institution [2003] PrivComrA 3 – audit trail failed to record access to customer account; settled
    • FH v NSW Dept Corrective Services [2003] NSWADT 72; summary [2003] NSWPrivCmr 1 – equivocal on whether there is a breach of the security principle where it would cost millions for the Dept to change its system to log accesses
  • But remember employee privacy – balance
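Slide 13 turns on two controls the complaints keep returning to: access limited to a need to know, and an audit trail that actually records who read a customer account (the gap in E v Financial Institution). The Python below is an added illustration, not material from the lecture or from any of the cases it cites; the roles, field names, purpose strings and the sample record are assumptions. Every read attempt, permitted or denied, is written to a hash-chained log before any data is returned, so a later 'who looked at this account?' question has an answer and a deleted or altered entry breaks the chain.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import json

# Assumed roles and the record fields each may read (least privilege).
# Any field not listed for a role is off limits to it.
ROLE_FIELDS: dict[str, set[str]] = {
    "teller": {"name", "balance"},
    "collections": {"name", "balance", "address"},
}


@dataclass
class AuditTrail:
    """Append-only access log. Each entry carries the hash of the entry
    before it, so removing or editing an entry is detectable."""
    entries: list[dict] = field(default_factory=list)
    head: str = "0" * 64  # hash of the previous entry; genesis value

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor: str, role: str, account: str,
               fields: set[str], allowed: bool, purpose: str) -> dict:
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "account": account,
            "fields": sorted(fields), "allowed": allowed,
            "purpose": purpose, "prev": self.head,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self.head = entry["hash"]
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or dropped."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def accesses_to(self, account: str) -> list[dict]:
        return [e for e in self.entries if e["account"] == account]


class CustomerStore:
    def __init__(self, records: dict[str, dict], trail: AuditTrail):
        self._records = records
        self.trail = trail

    def read(self, actor: str, role: str, account: str,
             fields: set[str], purpose: str) -> dict:
        """Log the attempt first, then enforce need to know: a stated
        purpose, a known account, and only the fields the role may see."""
        allowed = (bool(purpose.strip())
                   and account in self._records
                   and fields <= ROLE_FIELDS.get(role, set()))
        self.trail.record(actor, role, account, fields, allowed, purpose)
        if not allowed:
            raise PermissionError(
                f"{actor} ({role}) may not read {sorted(fields)} of {account}")
        rec = self._records[account]
        return {f: rec[f] for f in fields}


# Constructed sample record; not a real customer.
SAMPLE_RECORDS = {
    "ACC-1001": {"name": "E. Example", "balance": 120.5, "address": "1 Sample St"},
}


def demo() -> AuditTrail:
    """A permitted read followed by a denied one; both end up in the trail."""
    trail = AuditTrail()
    store = CustomerStore(SAMPLE_RECORDS, trail)
    store.read("alice", "teller", "ACC-1001", {"name", "balance"}, "balance enquiry at counter")
    try:
        store.read("alice", "teller", "ACC-1001", {"address"}, "curiosity")
    except PermissionError:
        pass
    return trail


if __name__ == "__main__":
    t = demo()
    for e in t.accesses_to("ACC-1001"):
        print(e["ts"], e["actor"], e["role"], e["fields"], "allowed" if e["allowed"] else "DENIED")
    print("trail intact:", t.verify())
```

The design point is the ordering: the log entry is written before the permission decision is acted on, so the trail records denied attempts as well as successful reads. The FH case on the slide shows the cost argument against retro-fitting logging; building it in at this layer costs one write per read.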

  14. Security – factors (5)
  • Human (personnel) security
    • Confidentiality deeds
    • Training
    • B v Victorian Government Organisation [2003] VPrivCmr 2 – $25,000 compensation settlement when the agency disclosed the complainant’s new address to her ex-spouse ‘across the counter’ despite a known risk
    • Canadian & NZ cases in Waters, Greenleaf & Roth pp 19-21
  • Enforcement
    • disciplinary action
    • dismissal
    • prosecution

  15. Security – factors (6)
  • Relationship with disclosure
    • Does unauthorised disclosure necessarily mean a breach of security?
    • Can authorised actions involve a security breach?
    • HK, Australian & NZ cases
  • Liability?
    • Vicarious liability of the employer?

  16. Security – factors (7)
  • 'Standing' for security complaints
    • Only the affected individual, or also a third party?
    • When is someone 'affected'? Only when there is an actual breach, or also a prospective one?

  17. Security – factors (8)
  • Communications security
    • Australian, NZ, Canadian and HK cases in Waters, Greenleaf & Roth pp 25-27
  • Data security
    • encryption?
    • fax
    • postal/courier

  18. Security – factors (9)
  • Security obligations when contracting
    • Emphasised in international instruments
    • Express requirements in some Australian privacy laws: PA s.8(1) and s.95B; IPA s.9(1)(j) and s.17 (an agency can expressly transfer the obligations by contract); PPIPA s.4(4)(b)

  19. Security – factors (10)
  • Programming errors and multiple breaches
    • Australian Privacy Commissioner own-motion investigations in the mid 1990s: ATO, DSS, DVA, DET, private sector
    • Potential for representative complaints
  • Access control must be managed
    • L v Commonwealth Agency [2003] PrivComrA 10 – agency client provided a password to be used to identify him; the agency failed to ask for it
    • Other cases in Waters, Greenleaf & Roth p 31

  20. Security principle: Australian reform proposals
  • ALRC Report 108 (2008) Chapter 28
    • UPP 8.1(a) – replicates NPP 4.1, but applies to both organisations and agencies
    • OPC guidance on 'reasonable steps' (Recommendation 28-3)
    • No need for any specific additional obligations in relation to third parties
  • For commentary, see
    • Greenleaf, Waters & Bygrave, CLPC Submission to ALRC on DP 72, ‘11.2 Data security proposals’, Dec 2007
    • Waters & Greenleaf commentary on proposed UPPs at Symposium, 2 Oct 2008

  21. Security principle – HK
  • Hong Kong examples – complaints to the PCO held to breach DPP 4 (security):
    • Faxing details of a donation to an estate office (AR 5/05)
    • Insurer sending insurance policies for 3 people to the address of one of them
    • Unsealed letters of demand sent to neighbours' addresses
    • Law firm’s messenger allowed a duplicate cover sheet of divorce process to be read by others at a workplace while waiting to serve process: [1998] HKPrivCmr 8
    • Law firm left a trial bundle in the gap between a litigant’s metal gate and door: [2003] HKPrivCmr 8
  • Contrast: newspaper publication of the complainant's address, endangering him, was not a breach of DPP 4; DPP 3 (disclosure) was the only DPP relevant (AAB appeal 4/00)
  • See other examples in the McLeish & Greenleaf chapter in Berthold & Wacks

  22. Security principle – HK
  • Security managers in apartment blocks required to destroy data on visitors after a reasonable period: [1998] HKPrivCmr 4
  • Hong Kong examples concerning ID cards
    • Mobile phone company made the first 6 characters of the ID card number the default password for call data, billing etc. information; a debt collector accessed the data and harassed the complainant and friends; held a breach of DPP 4: [2003] HKPrivCmr 3
    • Disclosure of ex-employee ID numbers in faxes to customers
    • Bank and department store jointly responsible for a printing error disclosing ID numbers in a mailout
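The [2003] HKPrivCmr 3 complaint on the slide above is a recurring pattern rather than a one-off: a default credential derived from an identifier that third parties (here a debt collector) routinely hold is not a secret at all. The Python below is an added example, not code from the lecture or from the company concerned; the phone number, the HKID-style string and the class names are constructed for illustration. It puts the weak scheme beside a hardened one: a random per-account activation code, stored only as a salted PBKDF2 hash, single use and time limited, so that knowing the customer's ID number buys the attacker nothing.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable


class WeakAccountService:
    """The scheme held to breach DPP 4: the default password for call and
    billing data is the first 6 characters of the customer's ID card number.
    Anyone who has seen the ID number (a debt collector, an employer, a
    landlord) therefore holds the password."""

    def __init__(self) -> None:
        self._passwords: dict[str, str] = {}

    def provision(self, phone: str, id_number: str) -> None:
        self._passwords[phone] = id_number[:6]  # the flaw: derived, not secret

    def login(self, phone: str, password: str) -> bool:
        return hmac.compare_digest(self._passwords.get(phone, ""), password)


def _kdf(secret: str, salt: bytes) -> bytes:
    """Slow salted hash so a copied credential table is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class HardenedAccountService:
    """Random per-account activation code, stored only as a salted hash,
    valid once and for a limited time. Nothing in the customer's documents
    lets a third party in."""

    def __init__(self, ttl_seconds: int = 24 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self._creds: dict[str, dict] = {}
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested

    def provision(self, phone: str) -> str:
        code = secrets.token_urlsafe(9)  # 72 random bits, derived from nothing
        salt = os.urandom(16)
        self._creds[phone] = {"salt": salt, "hash": _kdf(code, salt),
                              "expires": self.clock() + self.ttl, "used": False}
        return code  # deliver out of band, e.g. by post to the account address

    def login(self, phone: str, code: str) -> bool:
        cred = self._creds.get(phone)
        if cred is None or cred["used"] or self.clock() > cred["expires"]:
            return False
        ok = hmac.compare_digest(_kdf(code, cred["salt"]), cred["hash"])
        if ok:
            cred["used"] = True  # one shot: the customer must now set a password
        return ok


# Constructed values: the phone number and the HKID-style string are made up.
PHONE = "9123 4567"
ID_NUMBER = "A123456(7)"


def attacker_with_id_number(service, phone: str, id_number: str) -> bool:
    """What the debt collector did: try the password derived from the ID."""
    return service.login(phone, id_number[:6])


if __name__ == "__main__":
    weak = WeakAccountService()
    weak.provision(PHONE, ID_NUMBER)
    print("weak scheme, attacker knows ID number:", attacker_with_id_number(weak, PHONE, ID_NUMBER))

    hard = HardenedAccountService()
    code = hard.provision(PHONE)
    print("hardened, attacker knows ID number:", attacker_with_id_number(hard, PHONE, ID_NUMBER))
    print("hardened, customer with mailed code:", hard.login(PHONE, code))
    print("hardened, code replayed:", hard.login(PHONE, code))
```

The hardened service still has to get the code to the right person, which is why the comment says to send it out of band; a code printed on the same bill a debt collector already has would reintroduce the problem by another route.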

  23. Data breach notification
  • History
    • Response to identity crime
    • 44 US states + Ontario have legislated requirements
    • Now under consideration around the world: Canada, UK, Australia
    • Guidelines, pending legislation

  24. Data breach notification guidelines
  • Canadian model law (CIPPIC, 2007)
  • Victorian Privacy Commissioner: Guide: Responding to Privacy Breaches, May 2008
  • Australian Privacy Commissioner: Guide to handling personal information security breaches, August 2008

  25. Data breach notification proposals – Australia
  • ALRC Report 108 Chapter 51
  • Recommendation 51-1: a new part of the Act (not a principle)
  • Requirement to notify the Commissioner and affected individuals if:
    • actual or suspected breach = acquisition of specified information by an unauthorised person, AND
    • the agency, organisation or Commissioner believes there is a real risk of serious harm (specified factors)
  • 'Specified information' = particular combinations of personal and sensitive(?) information

  26. Data breach notification proposals – ALRC proposal (continued)
  • Harm factors:
    • Whether encrypted adequately
    • Whether acquired in good faith by an employee or agent acting for a permitted purpose
  • Privacy Commissioner can waive the requirement to notify individuals
  • Civil penalty for failure to notify the Commissioner
  • For commentary, see
    • Greenleaf, Waters & Bygrave, CLPC Submission to ALRC on DP 72, ‘15.1 Possible new UPP – Security breach notification’, Dec 2007
    • Waters & Greenleaf commentary on proposed UPPs at Symposium, 2 Oct 2008

  27. Retention / disposal principles
  • Sources
    • Waters and Greenleaf (2006) ‘Interpreting Retention and Disposal Principles, v.1’
    • Australian Privacy Commissioner, Information Sheet 6: Security (2001)
    • ALRC Report 108, Chapters 28 & 58

  28. Retention / disposal principles (2)
  • Provisions
    • HK DPP 2(2) and s26
    • Cth IPPs – none
    • Private sector NPP 4.2: ‘reasonable steps to destroy or permanently de-identify … if it is no longer needed for any purpose’ allowed under NPP 2. The test of ‘permanent de-identification’ is whether the data is no longer ‘personal information’
    • NSW s12(a) – similar to NPP 4.2

  29. Retention / disposal principles (3)
  • Private sector – mandatory retention
    • Tax records – typically 5 years
    • AML/CTF – 7 years – Guidance Note 08/04
    • Telco/ISP records?
    • EU Data Retention Directive 2006/24
  • Public sector complicated by public records/archives requirements
    • Uncertain interaction with privacy law
    • GR v Department of Housing [2003] NSWADT 268

  30. Retention / disposal principles (4)
  • Need for a policy?
    • Tenants' Unions v TICA [2004] PrivCmrACD 3 – failure to delete or remove old tenancy information was a breach of NPP 4.2; the Privacy Commissioner ‘recommended’ that TICA:
      • delete ‘history’ information in the Tenancy History Database after four years;
      • delete 'application' information in the Enquiries Database after three years; and
      • delete information moved to the ‘dead tenant database’ (i.e. a database which stores deleted listings, for use in case of errors) not less than once a month
    • FH v Commissioner, NSW Dept of Corrective Services [2003] NSWADT 72 – a missed opportunity to require a policy
    • Canadian cases, contrary to FH, support the TICA determination
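Slides 28 to 30 between them describe what a disposal policy has to contain: a maximum age per purpose, a choice between destruction and permanent de-identification (NPP 4.2), and recognition that other law may require retention (slide 29's tax and AML/CTF periods) or forbid erasure. The Python below is an added illustration, not the TICA scheme or any regulator's code; the store names beyond the three the Commissioner recommended, the 'complaint_stats' de-identify rule, the legal-hold mechanism and the sample records are all assumptions. Run as at a fixed date it returns the surviving records and a list of the actions taken, including a flag for any store the policy does not cover at all.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable


@dataclass(frozen=True)
class Rule:
    max_age_days: int
    action: str  # "delete" or "deidentify"


# Assumed disposal schedule. The first three rows use the periods the
# Privacy Commissioner recommended to TICA (a year taken as 365 days);
# 'complaint_stats' is an added assumption showing the de-identify
# alternative that NPP 4.2 permits.
SCHEDULE: dict[str, Rule] = {
    "tenancy_history": Rule(4 * 365, "delete"),
    "enquiries":       Rule(3 * 365, "delete"),
    "dead_tenant":     Rule(31, "delete"),       # purge run at least monthly
    "complaint_stats": Rule(365, "deidentify"),
}

# Fields that identify the person directly. The internal id is included:
# a record that can still be joined back to a name is still personal information.
DIRECT_IDENTIFIERS = {"id", "name", "dob", "address", "id_number"}


def deidentify(record: dict) -> dict:
    """Strip direct identifiers. Whether the remainder is genuinely no
    longer 'personal information' depends on what it can be linked to, so
    treat this as the floor, not as proof of permanent de-identification."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def apply_schedule(stores: dict[str, list[dict]], today: date,
                   legal_holds: Iterable[str] = ()) -> tuple[dict[str, list[dict]], list[tuple]]:
    """Apply SCHEDULE to every store as at `today`.

    Returns the surviving records and a list of (store, id, action) tuples.
    Records on legal hold are kept regardless of age: retention required by
    other law (tax, AML/CTF, archives) is a minimum the disposal policy must
    not cut into. Stores with no rule are flagged rather than silently kept.
    """
    holds = set(legal_holds)
    new_stores: dict[str, list[dict]] = {}
    actions: list[tuple] = []
    for store, records in stores.items():
        rule = SCHEDULE.get(store)
        kept: list[dict] = []
        for rec in records:
            rid = rec.get("id")
            if rule is None:
                kept.append(rec)
                actions.append((store, rid, "no-rule"))
                continue
            if rid in holds:
                kept.append(rec)
                actions.append((store, rid, "held"))
                continue
            if (today - rec["created"]).days <= rule.max_age_days:
                kept.append(rec)
                continue
            if rule.action == "deidentify":
                kept.append(deidentify(rec))
            actions.append((store, rid, rule.action))
        new_stores[store] = kept
    return new_stores, actions


# Constructed sample data, dated as at the lecture (October 2008); no real tenants.
TODAY = date(2008, 10, 1)
SAMPLE_STORES: dict[str, list[dict]] = {
    "tenancy_history": [
        {"id": "H1", "name": "A. Tenant", "created": date(2004, 6, 1), "listing": "arrears"},
        {"id": "H2", "name": "B. Tenant", "created": date(2006, 6, 1), "listing": "damage"},
    ],
    "enquiries": [
        {"id": "Q1", "name": "C. Applicant", "created": date(2005, 3, 1), "agent": "X Realty"},
    ],
    "dead_tenant": [
        {"id": "D1", "name": "A. Tenant", "created": date(2008, 8, 1), "listing": "arrears"},
        {"id": "D2", "name": "E. Tenant", "created": date(2008, 9, 20), "listing": "damage"},
    ],
    "complaint_stats": [
        {"id": "S1", "name": "F. Tenant", "created": date(2007, 1, 1), "outcome": "upheld"},
    ],
    "scanned_forms": [  # no rule in SCHEDULE: the kind of gap the TICA determination was about
        {"id": "F1", "name": "G. Tenant", "created": date(2001, 1, 1)},
    ],
}


if __name__ == "__main__":
    survivors, actions = apply_schedule(SAMPLE_STORES, TODAY, legal_holds={"H1"})
    for store, rid, action in actions:
        print(f"{store:16} {str(rid):4} {action}")
    for store, recs in survivors.items():
        print(store, "->", len(recs), "record(s) remain")
```

Two design choices are worth noting. The schedule is data, so the policy a regulator asks for is the table itself, reviewable without reading code; and the pass is idempotent, so running it nightly rather than monthly is harmless while guaranteeing the 'not less than once a month' purge of the dead-tenant store.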

  31. Retention / disposal principles (5)
  • Deletion under the correction principle
    • May override a general policy
  • Technology issues
    • Difficulty once publicly available, e.g. on the Internet
    • E v Statutory Entity [2003] VPrivCmr 5
    • Complainant AD & Others v The Department [2006] VPrivCmr 5

  32. Retention / disposal principles: Australian reform proposals
  • ALRC Report 108 Chapter 28
    • UPP 8.1(b) – destroy or render non-identifiable
    • See definition of personal information
    • Applies to agencies
    • But express priority for Archives Act retention requirements (UPP 8.2)
    • OPC guidance (Recommendation 28-5)
  • For commentary, see
    • Greenleaf, Waters & Bygrave, CLPC Submission to ALRC on DP 72, ‘11.3 Non-retention (destruction or non-identifiability)’, Dec 2007
    • Waters & Greenleaf commentary on proposed UPPs at Symposium, 2 Oct 2008

  33. Retention / disposal principles (6)
  • Other jurisdictions
    • NZ – Commissioner opinion supported retention of information on dismissed employees for 5 years
    • Canada – Commissioner noted a 2 year retention policy for employment records
    • UK – 2005 Information Tribunal case on criminal records retention

  34. Retention / disposal principles (HK)
  • Hong Kong DPP 2(2) and s26
  • DPP 2(2): ‘Personal data shall not be kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data are or are to be used’
  • Keeping for the purpose of some exception is not allowed
  • Only says ‘personal data’ shall not be kept – what if the data is made inaccessible? what if it is de-identified? Is DPP 2(2) satisfied?

  35. Retention / disposal principles (HK)
  • HK DPP 2(2) is supplemented by s26 (titled ‘Erasure of personal data no longer required’)
    • Says ‘A data user shall erase personal data …’
    • Doubtful whether making data inaccessible or de-identifying it suffices in the face of this explicit provision
  • s26 has 2 exceptions:
    • ‘(a) any such erasure is prohibited under any law’ – archives laws etc. will override DPP 2(2)
    • ‘(b) it is in the public interest (including historical interest) for the data not to be erased’ – the question of public interest is a question of law, not of good faith belief
  • s26(3) protects any joint controller against suits by the other controller because of erasure of data

  36. Retention / disposal principles (HK)
  • Hong Kong DPP 2(2) and s26 – examples of appeals to the AAB against the PCO:
    • [1999] HKPrivCmrAAB 3: telecommunications company retained customer details for 180 days after suspension of service, in case of reconnection – no breach
    • Pursuant to DPP 2(2), the Consumer Credit Code requires data deletion 5 years after ‘final settlement’; raised issues of how this applied to bankruptcies, but not necessary to decide (7/01)
