490 likes | 623 Views
The other IPPs - Access, correction, openness, security and destruction. Privacy and Surveillance Graham Greenleaf January 2006. The other IPPs. Access rights Correction rights Remedies and access & correction rights ‘Openness’ - Information generally available Security Destruction.
E N D
The other IPPs - Access, correction, openness, security and destruction Privacy and Surveillance Graham Greenleaf January 2006
The other IPPs • Access rights • Correction rights • Remedies and access & correction rights • ‘Openness’ - Information generally available • Security • Destruction
Access rights under Privacy Acts • Australian access rights • Generally: access under IPPs limited by FOIA exemptions • Exemptions do not forbid access, just deny a right • Cth IPP 6 access right • Subject to Cth FOIA 1982 Pt IV exemptions • NSW s14 access right • Subject to NSW FOIA 1989Sch 1 exemptions (s20(5)) • Private sector NPP 6 access right • Exemptions in NPP 6.1(a)-(k) & 6.2 • Similar but not identical to FOIA exemptions • Victoria NPP 6 access right • Exemptions as above, then overridden by Vic FOIA (s12)!
Hong Kong DPP6 - Access • Hong Kong DPP6 - Access and correction • Pt V detailed regime prevails if inconsistent with DPP 6 (s4) • HK does not have a FOIA • HK Exceptions to access (Pt VIII) • Many exceptions apply (see Berthold summary) • Exemptions relate to data, not specific data users • S58(1) broad exemption requires that access either • (i) prejudices interests listed or • (ii) in/directly disclose source [broader than s20] • Why should (ii) always be a bar to access?
Practical aspects of access • Access fees • Provided they are not abused, a significant restraint on frivolous and burdensome requests • Cth IPPs - governed by FOIA • NSW s14 - ‘without excessive delay or expense’ • Private sector NPP 6.4 ‘must not be excessive’ and ‘must not apply to lodging a request’ • HK - May charge but may not be excessive (s28); • If two forms of access possible, lower fee must be charged; can charge merely for enquiring if file held (s18) • Cannot charge for correction of file
Practical aspects of access • Tenants Union v TICA #1 [2004] PrivCmrACD 1 • $11 by mail for enquiry/copy; held both breach NPP 6; cannot charge for enquiry; recommended $8:80 charge (marginal cost of provision) for copies, credit card facility (only accepted cash or bank chqs before), and within 10 days [refuses to direct, but does indicate what will satisfy] • $5.45/minute by phone ($327/hour) not a breach of NPP6; • mail enquiries were ‘reasonable steps’ to provide access • [but $327/hr would not be reasonable steps to ensure NPP 3 data quality] • TICA failure to provide access via property managers not a breach
Practical aspects of access • Who decides access request complaints? • Australia - Cth P Comm refused to investigate public sector access / correction complaints, forcing complainants to go to the AAT - Legitimate? • see s41(1)(f) ‘a more appropriate remedy’ • But FOIA does not allow for compensation etc • Cth PC must investigate private sector complaints - no FOI option • NSW PC? - agency internal review or PComm can investigate • HK - PC can use s39(2)(d) to divert access complaints, but no FOI to divert them to • HKPCO must decide access complaints in both sectors
HK Access Examples • PCO complaint examples • [1998] HKPrivCmr 11: $230 per slide for 250 clinical slides was excessive, and on recalculation reduced to $7.20 - actual cost + 20% administration fee was OK • Employer could not refuse employee a copy of investigation report on which his summary dismissal was based - only grounds are s20 or Pt VIII • Appeals to AAB against PCO • [1999] HKPrivCmrAAB 1:Hospital had attempted but failed to locate minutes to which C wanted access - no breach, even though minutes did exist (7/00) • [2001] HKPrivCmr 5: AAB held University was not required to provide complainant with a ‘consolidated document list’ so she could choose what documents to access.
HK Access Examples • AAB Case 24/2001 [2001] HKPrivCmr 5: • C complained that University had not provided all documents it held about her • PC issued enforcement notice requiring Uni to (I) do a ‘thorough search’ and (ii) provide to C a ‘consolidated documents list’ • AAB held both requirements invalid under s18(1): (I) ‘thorough search is a higher burden than ‘due diligence’; (ii) data user must identify documents to which access is requested. • Suggest: s18 does not require requestor to identify documents, may instead request ‘all documents held’ • In previous AAB Case 1/01, AAB held s18(1)(a) only requires data user to confirm data is held, not to list it
Intermediary access • The problem • Data exempted from access is usually the most prejudicial and important data about a person • Refusal of access prevents putting a counter-case, and stopping abuse of other rights (eg disclosure) • Correction is often tied to right of access (see later) - compounds the problem of lack of direct access • Access exemptions are more absolute than they need to be, because it is impossible to define the line • Access to part of the information via a 3rd party trusted by both sides can reduce this - but is this possible?
Intermediary access (2) • Australian law • NPP 6.3 defective attempt - org. must only ‘consider’ ‘mutually agreed intermediaries’ • No other explicit provisions • Do P Comms have powers to so act? • Complainant will first have to credibly allege a breach of an IPP • What can Commissioner then disclose? • Can Commissioner then use own motion powers?
Intermediary access (3) • Hong Kong law • No general provision for intermediary access • Pointless to make PCO a ‘relevant person’ in s2 • Privacy Commissioner can access exempt records, if has reasonable grounds to suspect breach of PDPO / DPP (s38) • Possible complaint: suspected inaccurate records as lack of data quality (DPP2) • Some reasonable grounds needed
Access exemptions:3rd party privacy • When does 3rd P privacy exempt disclosure? • Hong Kong • S20(1)(b) requires data users to refuse accesses which contain [any] personal data about a 3rd party unless: • (I) the 3rd P data can be edited out (ss(2)(b); or • (ii) the 3rd P has consented to disclosure (ss(1)(b) • But no ‘reverse FOI’ obligation on data user to ask 3rd P • Mere identification of source of data is no bar to access unless the source is explicitly named (ss(2)(a)) • Extremely restrictive compared with Australian exemptions which require ‘unreasonable disclosure’ re 3rd Ps, not just any identification • A PD(P)O provision needing reform? • Most cases from other jurisdictions are irrelevant
Access exemptions: 3rd party privacy • Australian provisions • Cth IPPs - FOIA s41 - ‘unreasonable disclosure of personal information about any person’ (same definition as in PA since 1991) • Waters - problem of conflicting FOI objectives of openness leads to narrow reading of privacy exceptions • Private sector NPP 6.1(c) - ‘an unreasonable impact upon the privacy of other individuals’ • No FOI objectives of openness to balance -> could result in more protection of 3rd P privacy than in FOIA • ‘Privacy’ is narrower than ‘personal information’ -> but is it the same so long as ‘unreasonable’ relates to privacy?
Access exemptions:3rd party privacy (2) • NSW IPPs - NSW FOIA Sch 1 cl 6 • ‘the unreasonable disclosure of information concerning the personal affairs of any person (whether living or deceased)’ • ‘Personal affairs’ is narrower than ‘personal information’ • Perrin’s Case (1993) NSW CA - names of Police carrying out their duties was not ‘personal affairs’ • Followed in Robinson [2002] NSWADT 222 and Woods [2002] NSWADT 253 • Effect is also to limit correction rights under NSW FOIA • See Timmins ‘Decisions on the ‘personal affairs’ exemption in NSW FOI’ (2003) 10(3) PLPR 43
Access exemptions:3rd party privacy (3) • Victoria • even worse, 1999 amendt to FOIA gave absolute exemption to all ‘personal information’: privacy destroys FOI • Solutions? - Waters [2002] PLPR 24 • Considers ‘personal information’ a worse starting point than ‘personal affairs’ [I disagree] • Recommends (i) all individual access be dealt with separately under privacy legn; • (ii) statutory statement that identities/actions of public servants is not exempted from access, following WA FOIA 1992 Sch 1 Cl 3(3) & Reg 9
Access exemptions:3rd party privacy • Is motive of applicant relevant to what is ‘unreasonable’? - see Timmins article • NSW cases inconsistent • Saleam v Dept Community Services [2002] NSWADT 41 - O’Connor J rejects any relevance • Contra Saleam v NSW Police Service [2002] NSWADT 40 - Robinson JM found ‘mosaic effect’ of disclosures justified refusal of access • Cth AAT cases inconsistent • Vic VCAT cases consider motive and purpose
Access exemptions:3rd party privacy (3) • ‘Reverse FOI’ provisions • Cth FOIA s27; NSW FOIA s31 - If agency is going to grant access to documents containing 3rd P personal information, must give 3rd P opportunity to object on grounds of unreasonableness • No equivalent in NPPs - 3rd Ps have no opportunity to object • No HK equivalent - another aspect of HK’s very restrictive access regime
Forced access by 3rd parties • Can 3rd parties force use of access rights? • eg employers, insurers etc require data subject to obtain a copy of own record • Would this constitute unfair collection by the party forcing access? • Better view is ‘yes’ (see B&W 1st Ed pgs 170-1) • This argument will apply in HK and Australia • Only a breach once the 3rd P is provided with the data? • Do IPPs need amendment to prevent this? • not certain until ‘unfair collection’ approach is tested
Correction rights • Issues • Do correction rights depend on access rights? • What does correction require? • Remedies for access & correction breaches • Sources • See Waters and Greenleaf ‘IPPs examined: the correction principle’ (2005) 11 PLPR 137 (Materials #5)
Meaning of correction • For HK DPP6 "correction" ‘means rectification, erasure or completion’ (s2)
Correction rights: Do they depend on access? • Do correction rights depend on access rights? • Cth FOIA s48 correction only to docs ‘to which access has been lawfully provided to the person’ - no correction of exempt docs • Cth IPP 7.1 obligation to correct only refers to ‘a record’ • but 7.2 says this ‘is subject to any applicable limitation in a law… that provides a right to require the correction or amendment of documents’ • does this mean FOIA s48 limits? - probably ‘yes’ • Private sector NPP 6.5 correction only requires that organisation ‘holds personal information’ • BUT only if ‘the individual is able to establish that the information is not accurate, complete and up-to-date’ - onus of proof of error is on the individual [but see NPP 3 Data Quality]
Correction rights: Do they depend on access? (2) • NSW s15 correction right • only requires that agency ‘holds personal information’ • But s20(5) imposes FOIA ‘conditions or limitations (however expressed)’ • NSW FOIA s39 only allows correction to ‘A person to whom access to an agency’s document has been given’ • so exempt docs cannot be corrected in NSW either • Is refusal of correction to exempt documents unfair? • What does refusal of access imply?
Correction rights: Do they depend on access? (3) • Hong Kong: Does correction require access? • DPP 6 does not: 6(e) independent of 6(b) • BUT s22 makes correction depend on official access • 'where... (a) a copy of personal data has been supplied by a data user in compliance with a data access request; and (b) the ... data subject considers that the data are inaccurate, then that individual or relevant person, as the case may be, may ... request... correction to the data' • Can’t argue DPP6 gives a broader right • S58(1) exemption is from DPP6 as a whole • DPPs generally subject to the rest of the PDPO (s4) -
Correction rights: Do they depend on access? (4) • Hong Kong: Can DS obtain correction without access? • If DS has ‘unofficial’ knowledge of data content • DS can complain to PCO of DPP2(1) breach - inaccurate • PCO can then access records, (I) find DPP2 breach if inaccurate, (ii) require non-use or erasure, and (iii) require notice to 3rd party recipients (but cannot disclose to DS) • Also, DS can sue under s66 for damages for DPP2 breach - if prima facie inaccurate, then DU must establish defences. Can DS obtain discovery despite s58(1)? • If DS has no knowledge of data content • How to frame a complaint to the PCO? • How to establish prima facie DPP2 breach for s66?
Correction rights: Intermediaries and correction • Intermediaries and correction • Cth PA 1988 s35 gives (defective) intermediary addition rights via PComm • Depends on exhausting AAT appeals first! • P.Comm can only recommend correction of exempt record, but can require addition to it • does not cover access or correction, merely equivalent of FOIA s51 / IPP 7.3 annotations • Alternative approaches • What if individual complains to P. Comm under IPP 8 (data quality) about prior or subsequent use of incorrect record? Or seeks a s98 injunction?
Correction rights:Notification to 3rd party recipients • Notification to 3rd party recipients of corrections • NSW s15 requires this, at request of applicant, where ‘reasonably practicable’ • Only applies where individual is aware that correction is made • Draft Australian Casinos Code requires this • Neither Cth IPPs nor NPPs explicitly require this • Would refusal to do so on request be a failure to mitigate damage? • Would failure to do so where individual is not aware be a failure to mitigate damage? • Would failure to do so = lack of reasonable steps to maintain data quality (NPP 3)?
Correction rights:Notification to 3rd party recipients • Hong Kong DPP 2(1)(c) requires notification by data user to 3rd Ps to whom data has been disclosed • Where it is ‘practicable’ for data user to know that the data are ‘materially inaccurate’ for the purpose for which they are to be used by the 3rd P • Information necessary to ‘rectify’ inaccuracies also to be provided • Breach of this provision could lead to s66 liability • ‘Inaccurate’ is not defined, but "correction" ‘means rectification, erasure or completion’ (s2) and ‘inaccurate may have a similarly broad meaning
Limits on the correction right • PCOs (and tribunals) are generally unwilling to adjudicate issues of ‘inaccuracy’ of records where • Another adjudicative body is more appropriate; or • The ‘inaccuracy’ is largely a question of opinion • They then use powers to refuse investigation • Should they only do so if there is some reasonable alternative access to another adjudicator? • Are rights of annotation of disputed records a sufficient alternative? Eg HK s25(2)-(3)
Limits on the correction right • [2001] HKPrivCmrAAB 4: Complainant alleged that press report about him largely consisted of lies; PCO ’considered it to be a question on the manner of reporting and, as such, was not meant to be regulated by the PDPO’; ‘AAB ruled that fabrication or lies told about a person did not amount to his "personal data"‘ • Demonstrates the lengths PCO and AAB will go to in order to avoid applying the PDPO to the media • Could not possibly be held similarly if a credit bureaux was involved • [2000] HKPrivCmrAAB 2: AAB held comments or opinions in a letter of dismissal were inherently contentious , and the proper forum to resolve the dispute was by bringing of legal proceedings in the Labour Tribunal instead of resorting to a data correction request.
Remedies for access & correction breaches • Hong Kong • s66 can apply to where damage to a person results from • a refusal to correct a record (DPP6) • Failure to notify inaccuracies to a third party (DPP2) • Failure to comply with ‘data quality’ (DPP2) • note s66(3) defences in relation to incorrect data received from a 3rd party
Remedies for access & correction breaches • Australia • FOIAs do not provide for compensation • Refusal to allow access or make corrections is a breach; if injury has resulted, compensation may follow • Cth IPP 7 accuracy obligation on agencies is independent of correction requests or use [not so for NPPs or NSW] • Fed P Comm can refuse to investigate (s41(1)) or defer (s41(3)) • should not do so if damages could be relevant • Data Quality principles may be needed to supplement correction claims - requires use (Cth IPPs 7, 8, NPP 3)
‘Openness’ principle:Information generally available • ‘Openness’ / ‘FOI’ principle • valuable to the media, community organisations etc • but is little used by anyone • Cth IPP 5 • Cth IPP 5.1 requires reasonable steps to allow anyone to ascertain (subject to FOI etc exemptions: IPP 5.2) • If they posses/control ‘any records that contain personal information’ and ‘the nature of that information’ • Requires answers, not documents • Does not refer to records about the applicant • Cth IPP 5.3 requires a record to be kept (and made available to public: IPP 5.4) detailing nature and purpose of classes of records; classes of data subjects, recipients and conditions of access. • Annual copy to Commissioner for Personal Information Digest - no one ever reads it.
‘Openness’ principle:Information generally available • Private sector NPP 5 • NPP 5.1 requires a document containing ‘clearly expressed policies on its management of personal info’, available on request [relevant to collection] • NPP 5.2 requires reasonable steps to answer requests on matters equivalent to Cth IPP 5.3; but only ‘generally’, not in relation to the individual applicant • NSW PPIPA s13 & s40 • S13 requires agencies to take reasonable steps to allow a person to ascertain matters equivalent to Cth IPP 5.1 • But s13(b) refers to info ‘relating to that person’ - Would provide the ‘list of documents’ refused in HK; differs from NPPs and Cth IPPs • S40 discretion for Privacy Commissioner to require returns from selected agencies (s40(3)) [contra Cth - not all] • Compile and publish a Digest based on that info (s40(1),(2)) • Not done as yet
‘Openness’ principle:Hong Kong • DPP 5 right of any person to ascertain: • a data user's policies and practices • the kind of personal data held by a data user; • the main purposes for which data are used • PDPO Pt V - Data User Returns • PCO can require specified classes of users to submit returns (S14) • PCO must then provide public access database (s15) and other access to returns • Pt V has not yet been used - similar to NSW s40
‘Openness’ principle:Hong Kong • Examples: • HongKong Post pinhole camera report - also a breach of DPP 5 in not having PICS to inform employees of correction practices • Public body breached by not having a written data protection policy (AAB 5/01)
Security principle • Provisions • Cth IPP 4 • Private sector NPP 4.1 • NSW s12(b)-(d) • HK DPP 4 • Sources • Waters & Greenleaf ‘IPPs examined: The security principle’ (2004) 11(4) PLPR 96 (Materials) - this includes many examples of complaints • Aust. Comm PC Info Sheet 6 Security (2001) - Sets out long list of Australian and international standards that may apply
Security principle • Scope • All require security from from misuse and loss and from unauthorised access, modification or disclosure • so internal and external threats, and mere negligence are covered • All only require ‘reasonable steps’ or ‘practicable steps’
Security principle: Hong Kong • DPP 4 requires ‘All practicable steps … to ensure … protected against unauthorized or accidental access, processing, erasure or other use’ • Includes (as if personal data) data to which access is not practicable • Lists 5 factors to which data users must have ‘particular regard’ - reflects standard criteria - • (a) kind of data and possible harm (‘harm test’) • (b) physical location / + security appropriate) • (c) technical security measures • (d) personnel integrity etc measures • (e) communications security measures
Security principle • Possible examples of breaches • If hackers access data, data user may be liable for inadequate security - supplements computer crime laws: sue the company, not the hacker • Mailouts in error of sensitive data • Accidental destruction of data valuable to a person • Security which destroys other privacy interests will not be ‘practicable’ • Lax practices with cleaners etc • Personal files are regularly found at kindergartens and tips • Unencrypted data on mobiles: • 63,000 mobile phones, 6,000 pocket PCs and 5,000 PCs left in London cabs in 6 months (UK Taxi survey 2005, 21 (2) CLSR 95-97)
Security principle • Australian examples • See these and more examples in Waters & Greenleaf article • Agency client provided password to be used to identify him; agency failed to ask for it (L v Commonwealth Agency [2003] PrivCmrA 10) • ATO web site disclosing ABN details • FH v NSW Dept Corrective Services[2003] NSWADT 72 ; Summary [2003] NSWPrivCmr 1- Equivocal on whether breach of security principle where it would cost millions for Dept to change system to log accesses (see Waters & Greenleaf article) • E v Financial Institution[2003] PrivComA 3 - audit trail failed to record access to customer account - settled • B v Victorian Government organisation[2003] VicPrivCom 2 - $25,000 compensations settlement when agency disclosed complainant’s new address to ex-spouse ‘across the counter’ despite known risk
Security principle • Hong Kong examples - Complaints to PCO held to breach DPP4 (security): • Faxing details of donation to estate office (AR 5/05) • Newspaper publication of address of complainant, endangering him, not a breach of DPP4; DPP3 (disclosure) was only DPP relevant (AAB appeal 4/00) • Insurer sending insurance policies for 3 people to the address of one of them • Unsealed letters of demand sent to neighbours addresses • Law firm’s messenger allowed duplicate cover sheet of divorce process to be read by others at workplace while waiting to serve process:[1998] HKPrivCmr 8 • Law firm left trial bundle in gap between litigant’s metal gate and door: [2003] HKPrivCmr 8 • See other examples in McLeish and Greenleaf chapter
Security principle • Security managers in apartment blocks required to destroy data on visitors after a reasonable period [1998] HKPrivCmr 4 • Hong Kong examples concerning ID cards • Mobile phone Co. made first 6 numbers of ID card the default password for call data, billing etc information; debt collector accessed data and harassed complainant and friends; held breach of DPP 4: [2003] HKPrivCmr 3 • Disclosure of ex- employee ID numbers in faxes to customers • Bank and dept. store jointly responsible for printing error disclosing ID nos. in mailout
Retention / deletion principles • Sources • Waters & Greenleaf ‘IPPs examined: The retention principle’ (2004) 11(4) PLPR 96 • Aust. Cth PC Info Sheet 6 Security (2001) • Provisions • HK DPP 2(2) and s26 • Cth IPPs - none • Private sector NPP 4.2 ‘reasonable steps to destroy or permanently de-identify … if it is no longer needed for any purpose’ allowed under NPP2 - Test of ‘permanent de-identification is whether it is no longer ‘personal information’ • NSW s12(a) - similar to NPP 4.2
Retention / deletion principles For Australian and other examples, see Waters & Greenleaf article, including: • Tenants Unions v TICA (No3) [2004] PrivCmrACD 3- Failure to delete or remove old tenancy information was a breach of NPP 4.2; PC ‘recommended’ TICA • Delete ‘history’ information in Tenancy History Database after four years; • Delete 'application' information in Enquiries Database after three years; and • Delete information moved to ‘dead tenant database’ (ie database which stores deleted listings) not less than once a month - in case of errors
Retention / deletion principles • NZ Comm supports retention of information on dismissed employees for 5 years
Retention / deletion principles (HK) • Hong Kong DPP 2(2) and s26 • DPP 2(2): ‘Personal data shall not be kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data are or are to be used'. • Keeping for the purpose of some exception not allowed • Only says ‘personal data’ shall not be kept - what if made inaccessible?; what if de-identified? Is DPP 2(2) satisfied?
Retention / deletion principles (HK) • HK DPP 2(2) is supplemented by s26 ( titled ‘Erasure of personal data no longer required’) • Says ‘A data user shall erase personal data …’ • Doubtful if data can be made inaccessible or de-identified in the face of this explicit provision • S26 has 2 exceptions: • '(a) any such erasure is prohibited under any law’; • Archives laws etc will override DPP 2(2) • ‘(b) it is in the public interest (including historical interest) for the data not to be erased.’ • Q of public interest is a question of law, not of good faith belief • S26(3) protects any joint controller against suits by other controller because of erasure of data
Retention / deletion principles • Hong Kong DPP2(2) and s26 - Examples of appeals to AAB against PCO: • [1999] HKPrivCmrAAB 3:Telecomms Co. retained customer details for 180 days after suspension of service, in case of reconnection - no breach • Pursuant to DPP 2(2), Consumer Credit Code requires data deletion 5 years after ‘final settlement’ - raised issues of how this applied to bankruptcies, but not necessary to decide (7/01)