440 likes | 668 Views
Information Privacy & Data Surveillance Nigel Waters & Graham Greenleaf Last updated September 2008. Collection & Related Principles. Issues in collection Principles. What types of 'collection' are regulated? Required notice when collecting What types of collection require notice?
E N D
Information Privacy & Data Surveillance Nigel Waters & Graham Greenleaf Last updated September 2008 Collection & Related Principles
Issues in collection Principles What types of 'collection' are regulated? Required notice when collecting What types of collection require notice? Requirement to collect from data subject Permitted purposes of collection Purpose justification principles Anonymity principles Fair collection requirements Special rules for 'sensitive' subjects Other laws relevant to collection
Meaning of ‘collection’ Not defined - examples: Aust NPP 1.1 An organisation must not collect personal information unless …’ HK DPP1 merely says ‘Personal data shall not be collected unless …’ ‘Collection’ remains largely undefined in privacy law
Possible types of ‘collection’ Must consider whether at least the following types of ‘obtaining’ data are ‘collection’: Information solicited from a person (data subject or 3rd party); Unsolicited information (data subject or 3rd party); Information obtained from observations ('surveillance') of the data subject; Information extracted from documentary or other sources (observation other than of data subject). What will this determine? Whether purpose and extent of obtaining data is limited by law Whether fair collection rules apply Whether notice must be given - but this may apply to only some forms of obtaining data, even if they are collection
Solicited information Whether solicited from data subject or 3rd party, this is the clearest case of ‘collection’ Most IPPs include both as ‘collection’ Notice obligations may depend whether data is solicited, and whether collected from data subject: Cth IPP 2 notice required only if solicited from data subject (all others only require data ‘collected’) HK DPP1(3) - only applies if data is collected (does not say ‘solicited’) from the data subject (ie no notice required if collected from 3rd party)
Solicited information – direct collection Some laws do not require collection from data subject in preference to other sources (eg HK) Others require collection from the data subject (as distinct from another source) in some situations, but they differ considerably NPP 1.4 requires collection only from individual ‘if it is reasonable and practicable to do so’ When would this be so? (Must you rely on honesty?) Is it OK to then ‘double check’ with a 3rd P? NSW IPP 1 (s10) requires collection ‘directly from the individual’ unless (a) The individual ‘has authorised’ collection from 3rd P; or (b) Provided by parent/guardian if under 16
Solicited information – direct collection (2) NSW IPP 1 (s10) (cont) DO v UNSW[2002] NSWADT 211 Form allowing collection ‘from any tertiary institutions previously attended by me’ did ‘authorise’ NSW s18 - individual may give ‘express consent’ that s10 does not apply; does not seem to limit scope of ‘authorised’ in s10 If s10 applies, is it OK to then ‘double check’ with a 3rd P after collecting from individual? Better view is such collection must be ‘authorised’
Solicited information – direct collection (3) Cth IPPs - no express obligation to collect from individual (see general data quality obligations) ALRC Report 108 R21-1 – preference for direct collection from individual to carry over from NPP to new UPPs applying also to government agencies – agency concerns to be addressed in Privacy Commissioner guidance (R21-2) NSWLRC CP3 – preference for direct collection unless 'unreasonable or impracticable' (Proposal 8)
Unsolicited information Some Acts explicitly exclude unsolicited information from the meaning of ‘collection’: NSW s4(5): ‘not collected … if the receipt is unsolicited’ NZ s2: ``Collect'' does not include receipt of unsolicited info Others leave this as a matter of interpretation Cth Act does not specify - depends on meaning of ‘collect’ HK likewise NSW - effect of exclusion of unsolicited information: NSW IPPs 1-4 do not apply (collection and quality) But IPPs 5-12 do apply (the agency still ‘holds’ personal information)
Unsolicited information received from data subject Hong Kong suggest it is collected but only if and when the data user makes it ‘personal data’ by recording / retrievability (B&W Ch 8 is silent on the Q) Is Notice required? - nothing in DPP 1(3) to preclude this, but would only occur if and when data retained; PCO may take different view Aust federal contrast Gunning (not included) and Greenleaf - suggest s16B resolves this by (in effect) only creating obligation once decision is made to retain data in a record - collection obligations only then arise
What does ‘solicited’ mean? Two contrary views from NZ: [2002] NZPrivCmr 5 - NZPC recognises ‘passive’ collection - where applicant submitted extra information with a form, this was not ‘unsolicited’ (see Paul Roth (2002) 9(7) PLPR 121) Harder v Proceedings Commissioner (NZ) – NZ Court of Appeal held recording of unsolicited comments by data subject was not ‘collection’ - act of turning on recorder did not stop it being ‘receipt of unsolicited information'
Unsolicited information (cont) Unsolicited info from 3rd parties Hong Kong suggest same as when received from data subject (ie only collected if and when the recipient includes it in its records) No notice required even if retained: DPP 1(3) only applies to collection from data subject Same argument applies re Aust NPPs and Cth IPPs How important is this question? Usually, if excluded from collection, other IPPs would still apply because it is still ‘personal information’ If included, main effect may be to create obligations to give notice (But only when the unsolicited information is retained) Also means information can only be retained if for proper purpose, and collection is ‘fair’
Unsolicited information (cont) Little v Melbourne CC [2006] VCAT 2190 WJ v Commissioner for Fair Trading [2007] NSWADT 11 ALRC Report 108 R21-3 – must either destroy unsolicited info or it becomes subject to Principles – gives effect to CLPC Submission DP72-16
Notice when collecting from 3rd Parties This is a different question from whether it is ‘collection’ Summary (see full discussion later): Is notice required where info collected from a 3rd Pty? HK - No (DPP 1(3) says ‘from … the data subject’) NPP 1.5 - Yes (lesser notice than NPP 1.3) - also applies to unsolicited info Cth IPP 2 - No (only 'from the individual') ALRC Report 108 recommends Yes under UPP3
Notice when collecting from 3rd Parties (2) Is notice required where info collected from a 3rd Pty? (continued): NSW IPP 3 (s10) - arguably Yes (‘collects … from an individual’ requires notice to ‘the individual to whom the information relates’) - but not to unsolicited info (s4(5)) but to the contrary: HW v Director of Public Prosecutions (No 2) [2004] NSWADT 73 Principles vary in this respect
Observation of data subject Is observation ‘collection’? Acts do not specify - Q of ordinary meaning of ‘collect*’ No significant contrary views Eastweek did not rely on their being no collection Surveillance limitation laws do not already cover this Limitation of Notice provisions to collection from data subject does not support either view: the distinction may be from collection from 3rd parties, not observation Remedial nature of privacy laws supports a ‘yes’ answer So requirements of minimum collection, fair collection, etc will still apply to observations ALRC Report 108 concludes not necessary to expressly include collection by observation (21.81) but NSWLRC CP3 disagrees (implicitly - Proposal 11)
Observation of data subject Is notice required (if observation is collection)? HK DPP 1(3) requires collection ‘from’ data subject; 1(3)(a)(I) also refers to ‘supply’ of the data by the data subject. HK is clearest case where no notice is required Cth IPP notice requirements only apply if data is ‘solicited’ NPP 1(3) notice requires collection ‘from the individual’?; Cth IPP 3 requires info ‘solicited … from the individual’; NSW IPP 3 (s10) similar - in these cases it is not so clear Is observation collecting ‘from’ a person? Better view is ‘no’ - excludes notice requirement Result is sensible: observation is collection, but does not require notice (unless surveillance laws provide otherwise - as some do)
Information extracted Much personal information is extracted from documentary or other sources It is ‘collection’ - most NPPs, IPPs apply ALRC Report 108 concludes not necessary to expressly include collection by extraction (21.81) Is notice required of collection by extraction? HK - no, it is not ‘from’ data subject, not ‘supply’ NPP 1.5 applies to collection ‘from someone else’ Cth IPP 2 only applies to collection from the individual NSW IPP 3 (s10) requires collection ‘from an individual’ In all 3, extracted info will not require notice
Information extracted Result is sensible: extraction is collection, but does not require notice unless some other law requires it Contra: Cth PComm Info Sheet 18: Taking reasonable steps…: suggests archivists collecting documents need to consider notice
Medium of collection Collection may be in any medium Sound recording (Harder (NZ)) Photograph (Eastweek (HK)) Videos (HKPCO domestic helper case) But data must be recorded (see Key Concepts)
Other modes of collection Can you have collection by the following (no authority as yet?): Bodily samples Thermal imaging etc Remote tracking devices 'internal' generation from transactions ALRC Report 108 concludes not necessary to expressly include collection by these methods (21.81)
Required notice on collection: form and content NPP 1.3 & 1.5; Cth IPP 2; NSW s10; HK DPP 1(3) Why so significant?: cost involved to the data collector data subject is put on notice of risk Notice of purposes affects use/disclosure ALRC Report 108 R23-1recommends separate notification Principle (UPP 3)
Notice – circumstances and content Situations where notice required varies See earlier re notice requirements for 3rd P collection, unsolicited info etc Form of notice required - All require ‘reasonable’ or ‘practicable’ steps to ensure person is aware - written notice is not necessarily required Eg reasonable notice on web pages, or signs Verbal notice on collection of verbal information
Required notice (2) Time of notice varies considerably Aust - all require notice before collection where practicable, otherwise allow notice after collection HK - Notice must be ‘on or before’ disclosure, but notice of access rights must be before first use Exceptions to notice requirement HK DPP 1(3) proviso exempts where notice would prejudice purpose, and Pt VIII exempts access HK S35 exempts repeated collections (in a year)
Required notice (3) Aust Cth PCO Info Sheet 18: Taking reasonable steps… Useful ‘general guide’ - where consequences to individual are greater, or information is more sensitive, then organisations are expected to expend more effort Includes useful examples but some are contentious (eg Pt B a - Archivist eg - suggests they need to consider giving notice when archiving documents referring to 3rd Ps other than the donor) Tenants’ Union v TICA Determination 4/2004- TICA form misleading as to info TICA collected (note: is example of notice given re collection from a 3rd P, its members) TICA had 4 other sources of info about privacy, but P Comm held that if one form purports to be notice, ‘it would generally need to alert individuals to the fact the other information was available’. Held: Failure to take reasonable steps to comply with NPP 1.5
Required notice (4) Hong Kong examples of notice complaints Search results Inadequate display of notice [1999] HKPrivCmrAAB 2 Exercise Find a print/online notice and test it Send your comments to the class list for discussion
Required notice (5) Content of notice - fairly uniform Purpose of collection / proposed use If obligatory, and consequences (can be implicit) Usual recipients of disclosures of data Must be within purpose; cannot sidestep Access and correction rights and procedures HK DPP(1) requires explicit notice of (3)(b) items (PICS - Personal Information Collection Statement) but only implicit notice of (3)(a) items Examples A v Insurer [2002] PrivCmrA 1 - found insurer’s travel insurance claim form was deficient in not identifying ‘other consultants’ info disclosed to N v Private Insurer [2004] PrivCmrA 1- “any other person necessary for claims determination purposes” too wide - but in fact no notice was required because this was a related secondary purpose which was reasonably expected!
Permitted purpose & extent of collection Standard purpose limits: lawful, relevant and minimal - we examine Example - HK DPP1(1) Personal data shall not be collected unless- (a) the data are collected for a lawful purpose directly related to a function or activity of the data user who is to use the data; (b) subject to paragraph (c), the collection of the data is necessary for or directly related to that purpose; and (c) the data are adequate but not excessive in relation to that purpose.
Purpose (1) Lawful purpose Required by Cth IPP 1; NSW s8; HK DPP 1 Not expressly required by NPP 1 - implied? A minimal objective negative standard Statutory and common law lawful purpose Eg collection for illegal gambling; blackmail; fraud; spamming Significance: Lack of a lawful purpose means collection is itself a breach of IPPs that require it May result in damages claim not otherwise available
Purpose (2) - Positive limits? Positive ‘purpose justification’ limits are rare Canada s5(3) ‘only for purposes that a reasonable person would consider are appropriate in the circumstances’ EU Directive A7 `necessary for the purposes of the legitimate interests pursued by the controller or by the third party … to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject ...' No such limits in NPPs, or Cth/NSW IPPs, or HK Q: Can organisations define their own purposes with no limits except lawfulness?
Purpose of collection (3) ALRC Report 108 R21-5 fails to include tests of 'proportionality' or 'objective reasonableness', as suggested by CLPC (Submission DP72-17), OPC and VPC ALRC doesn't address question of whether there can be multiple purposes of collection – highly relevant to application of use and disclosure principle (CLPC Submission DP72-19) Breadth of purpose – see AK v Gosford City Council [2007] NSWADT 289 – very narrow - incentive mailing for early payment of rates not a 'directly related' purpose
Purpose (4) - Deemed purpose(s) Info can only be collected for a ‘function or activity’ of the organisation - Cth IPP 1.1, NSW s8, HK DPP 1 - ‘a … purpose directly related to a function or activity’ NPP 1.1 - ‘necessary for one of more of its functions or activities Is this an objective test, or completely subjective (within limits of lawfulness)? Objective - look at the actual/probable activities of the organisation - any purpose must be ‘necessary’ for those activities - no other purposes allowed Purposes of agencies are limited by ultra vires; Articles limit purposes of companies (somewhat)
Deemed purpose(s) Determining this purpose of collection Determining such a purpose will usually be the first task in analysing any data protection problem Stated purpose - wherever notice of purpose of collection required (and given) Objective test limits legitimate scope of notices Inferred purpose - required if observed, extracted, or required notice not given Objective test based on actual activities
Minimal collection Minimal collection - statutes vary NPPs - ‘necessary for …’ Cth IPP1(b) ‘necessary for or directly related to ..’ NSW s8 - ‘reasonably necessary for …’ HK DPP 1 (c) ‘adequate but not excessivein relation to …’ What is ‘necessary’ depends on deemed purpose Tenants’ Union v TICA Determination 4/2004- PComm: ‘necessary’ ‘requires consideration of whether or not it is clearly appropriate and relevant to the functions or activities of the organisation’ - can they be done without it? - how sensitive is the information? - Found the Enquiries Database was necessary, without considering the overall privacy detriment that its operation might cause.
Minimal collection (2) Examples Data not needed now, only potentially in future Whole documents collected when extracts would do, or merely a notation that document sighted N v Private Insurer [2004] PrivCmrA 1 - Insurers form authorising any health provider to disclose any health information to the insurer (whether related to claim or not) was excessive Union complaints of company’s introduction of finger-scanning of employees as unnecessary and ‘overkill’ dismissed by NZ PC: [2003] NZPrivCmr 5 HK PC enquiry 2005 ‘discourages’ fingerprint recognition device to record attendance at work - good discussion Search FOI & Privacy Project for ‘collect* near necessary’ for other examples
Minimal collection (3) - Anonymity Anonymity principle - only in the NPPs? 'NPP 8 Anonymity : 'Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.' Anonymity and minimum collection Is an anonymity principle implied by the minimal collection requirement? Or is it narrower? Can ‘not excessive’ personal data require ‘no personal data at all’? Under what circumstances? Or is there normally a right to ‘know your customer’? E.g. Does HK DPP 1 mean that Octopus is required to continue to offer the option of an anonymous card? What is to stop it ‘reinventing’ itself with a new business model involving marketing to all Octopus users?
Anonymity (2) ALRC Report 108, R20-1: New UPP 1 to apply to private and public sectors Expressly includes 'pseudonymity' (accepting CLPC Submissions DP72-13 & 14, including removal of 'not misleading' from DP72 proposal) P v Health Service Provider [2008] PrivCmrA 16 –NPP8 not considered in context of patient's request for deletion of record before consultation
Minimal collection - Anonymity (3) Is it a breach of NPP 8 to build systems which make anonymity impracticable? Does NPP8 require anonymity to be ‘designed in’? Wykanak v Dept Local Govt [2002] NSWADT 208 (summary) - ADT could not review a complaint of an anticipated breach of a NSW IPP FH v NSW Dept Corrective Services [2003] NSWADT 72 - No breach of security where it would cost millions for Dept to log accesses Compare Cth IPPs or NPPs - s98 Injunctions available where ‘a person … is proposing to engage in any conduct that … would constitute a contravention of this Act’
Fair collection requirements Statutory requirements - similar NPP 1 requires lawful, and fair means, prohibits unreasonably intrusive means Applies to 3rd party collections Cth IPP 1.2 requires lawful and fair means prohibits unreasonably intrusive collection where info. solicited (including from 3rd parties), but not where observed or extracted NSW prohibits unlawful (s8) and unreasonably intrusive means (s11); but not unfair means HK DPP 1(2) requires lawful and fair means
Fair collection (2) Lawful means Irrespective of lawful purpose, means of collection may breach statute (eg surveillance law) or common law (eg breach of confidence) Interaction with surveillance laws significant here If disclosure by data provider is unlawful, can the collection by the recipient be fair (or lawful)? Discussed under Use & Disclosure topic
Fair collection (3) Fair means Deception and undue pressure most important Examples in Cth PC draft Guidelines (Dixon p2,063) ‘Not intrusive’ may be encompassed by ‘fair means’ Does this mean ‘objectively fair to the data subject’ or ‘subjectively fair by the collector’? UK case takes first view, which seems correct Fairness of covert data collection Hong Kong PCO examples held unfair HKPCO ‘Hongkong Post pinhole camera’ s48(2) Report Harder (NZ) - restrictive approach- only ‘to prevent people from being induced by unfair means into supplying information which they would otherwise not have supplied’ L v Tertiary Institution[2004] VPrivCmr 6 - L not informed of email monitoring at work - settled by agreement to review policy
Fair means - examples ‘Blind’ employment advertisements - of considerable concern to HKPCO Finding #10, 2001 CanLII 21538 (P.C.C.)Trucking company collected personal information intended for Canada Customs; held threatening employees with loss of their jobs was not a fair means of collection. Finding #106, 2002 CanLII 42350 (P.C.C.)- Airline requiring Canadian pilots to complete US form that did not meet collection standards in order to obtain US training, at risk of loss of jobs, was unfair collection Employee objects to employer's hidden tape recording in theft investigation - (Case Note 16479) [2001] NZPrivCmr 6- held unfair collection as employee was unaware of seriousness of interview
Special rules for 'sensitive' information Sensitive information Principles Some IPPs have special Principles for defined information (medical, political etc) Eg NPP 10, NSW s19(1) (only re disclosure); Cth IPPs and HK do not Spent convictions laws All Aust jurisdictions have old conviction laws (except Victoria) HK Rehabilitation of Offenders Ordinance may prevent some collection
Sensitive information (2) ALRC Report 108 recommends consent requirement in collection principle UPP2 for sensitive information, but generous exceptions (R22-2 & 22-3) CLPC Submission DP72-20 to 22 – argued for narrower exceptions NSWLRC CP3 – Issue 30