Privacy and Surveillance
Nigel Waters and Graham Greenleaf
Last updated October 2008
Other IPPs - Access, Correction, & Openness
Other IPPs: Access rights; Correction rights; Access & correction rights - Complaints and Remedies; ‘Openness’ - Information generally available
Access, correction and Openness
Other IPPs
• Access rights
• Correction rights
• Access & correction rights - Complaints and Remedies
• ‘Openness’ - Information generally available
• See also Collection Notification principles

Sources
• Greenleaf, Waters and Bygrave, Strengthening uniform privacy principles: an analysis of the ALRC's proposed principles, Submission to the ALRC, December 2007, pp 56-63
• ALRC Report 108 (2008), Chapter 29; For commentary, see
  • Greenleaf, Waters & Bygrave, CLPC Submission to ALRC on DP 72, ‘12. Access and Correction (UPP 9)’ Dec 2007
  • Waters & Greenleaf commentary on proposed UPPs at Symposium, 2 Oct 2008
• NSWLRC CP 3, pp 115-117
• Waters and Greenleaf, IPPs examined: The correction principle, [2005] 11(5) PLPR 137
• Berthold & Wacks, Hong Kong Data Privacy Law, Second Edition 2003 (in Library), Chapter 12

Access rights - Australia
• Generally: access under IPPs limited by FOIA exemptions
  • Exemptions do not forbid access, just deny a right
• Cth agencies
  • IPP 6 access right
  • Subject to Cth FOIA 1982 Pt IV exemptions
• NSW agencies
  • s14 access right
  • Subject to NSW FOIA 1989 Sch 1 exemptions (s20(5))
  • NSWLRC CP3 – relationship unclear (p.115)

Access rights – Australia (2)
• Victoria
  • NPP 6 access right
  • Exemptions as above, then overridden by Vic FOIA (s12)
• Private sector
  • NPP 6 access right
  • Exemptions in NPP 6.1(a)-(k) & 6.2
  • Similar but not identical to FOIA exemptions
• ALRC Report 108 – UPP 9 to apply to agencies and organisations

Hong Kong DPP6 - Access
• Hong Kong DPP6 - Access and correction
  • Pt V detailed regime prevails if inconsistent with DPP 6 (s4)
  • HK does not have a FOIA
• HK Exceptions to access (Pt VIII)
  • Many exceptions apply (see Berthold summary)
  • Exemptions relate to data, not specific data users
  • S58(1) broad exemption requires that access either (i) prejudices interests listed or (ii) in/directly disclose source [broader than s20]
  • Why should (ii) always be a bar to access?

Access – timeliness and manner
• ALRC Report 108 Recommendation 29-7
  • Respond within a reasonable time
  • In a manner requested, if reasonable and practicable

Access fees - Australia
• Provided they are not abused, fees are a significant restraint on frivolous and burdensome requests
• Cth IPPs - governed by FOIA
• NSW s14 - ‘without excessive delay or expense’
• Private sector NPP 6.4 ‘must not be excessive’ and ‘must not apply to lodging a request’
• ALRC Report 108
  • UPP 9.1 – respond within reasonable time
  • UPP 9.4 – replicates NPP 6.4 but applies to agencies and organisations

Access fees – Australia (2)
• Tenants Union v TICA #1 [2004] PrivCmrACD 1
  • $11 by mail for enquiry/copy; held both breach NPP 6; cannot charge for enquiry; recommended $8.80 charge (marginal cost of provision) for copies, credit card facility (only accepted cash or bank chqs before), and within 10 days [no power to direct, but does indicate what will satisfy]
  • $5.45/minute by phone ($327/hour) not a breach of NPP6; mail enquiries were ‘reasonable steps’ to provide access [but $327/hr would not be reasonable steps to ensure NPP 3 data quality]
  • TICA failure to provide access via property managers not a breach

Access fees (HK)
• HK - May charge but may not be excessive (s28);
• If two forms of access possible, lower fee must be charged;
• Can charge merely for enquiring if file held (s18)
• Cannot charge for correction of file

HK Access Examples
• PCO complaint examples
  • [1998] HKPrivCmr 11: $230 per slide for 250 clinical slides was excessive, and on recalculation reduced to $7.20 - actual cost + 20% administration fee was OK
  • Employer could not refuse employee a copy of investigation report on which his summary dismissal was based - only grounds are s20 or Pt VIII
• Appeals to AAB against PCO
  • [1999] HKPrivCmrAAB 1: Hospital had attempted but failed to locate minutes to which C wanted access - no breach, even though minutes did exist (7/00)
  • [2001] HKPrivCmr 5: AAB held University was not required to provide complainant with a ‘consolidated document list’ so she could choose what documents to access.

HK Access Examples
• AAB Case 24/2001 [2001] HKPrivCmr 5:
  • C complained that University had not provided all documents it held about her
  • PC issued enforcement notice requiring Uni to (i) do a ‘thorough search’ and (ii) provide to C a ‘consolidated documents list’
  • AAB held both requirements invalid under s18(1): (i) ‘thorough search’ is a higher burden than ‘due diligence’; (ii) data user must identify documents to which access is requested.
  • Suggest: s18 does not require requestor to identify documents, may instead request ‘all documents held’
  • In previous AAB Case 1/01, AAB held s18(1)(a) only requires data user to confirm data is held, not to list it

Intermediary access
• The problem
  • Data exempted from access is usually the most prejudicial and important data about a person
  • Refusal of access prevents putting a counter-case, and stopping abuse of other rights (eg disclosure)
  • Correction is often tied to right of access (see later) - compounds the problem of lack of direct access
  • Access exemptions are more absolute than they need to be, because it is impossible to define the line
  • Access to part of the information via a 3rd party trusted by both sides can reduce this - but is this possible?

Intermediary access (2)
• Australian law
  • NPP 6.3 defective attempt - org. must only ‘consider’ ‘mutually agreed intermediaries’
  • No other explicit provisions
• Do P Comms have powers to so act?
  • Complainant will first have to credibly allege a breach of an IPP
  • What can Commissioner then disclose?
  • Can Commissioner then use own motion powers?

Intermediary access (3)
• ALRC Report 108
  • Must offer intermediary access where reasonable (Recommendation 29-4)

Intermediary access (HK)
• Hong Kong law
  • No general provision for intermediary access
  • Pointless to make PCO a ‘relevant person’ in s2
  • Privacy Commissioner can access exempt records, if has reasonable grounds to suspect breach of PDPO / DPP (s38)
  • Possible complaint: suspected inaccurate records as lack of data quality (DPP2)
  • Some reasonable grounds needed

Access exemptions: 3rd pty privacy
• When does 3rd Party privacy 'trump' the access right?
• Cth IPPs - FOIA s41 - ‘unreasonable disclosure of personal information about any person’ (same definition as in PA since 1991)
  • Waters - problem of conflicting FOI objectives of openness leads to narrow reading of privacy exceptions
• Private sector NPP 6.1(c) - ‘an unreasonable impact upon the privacy of other individuals’
  • No FOI objectives of openness to balance > could result in more protection of 3rd Pty privacy than in FOIA
  • ‘Privacy’ is narrower than ‘personal information’ > but is it the same so long as ‘unreasonable’ relates to privacy?

Access exemptions: 3rd party privacy (2)
• NSW IPPs - NSW FOIA Sch 1 cl 6 ‘the unreasonable disclosure of information concerning the personal affairs of any person (whether living or deceased)’
  • ‘Personal affairs’ is narrower than ‘personal information’
  • Perrin’s Case (1993) NSW CA - names of Police carrying out their duties was not ‘personal affairs’
  • Followed in Robinson [2002] NSWADT 222 and Woods [2002] NSWADT 253
  • Effect is also to limit correction rights under NSW FOIA
  • See Timmins ‘Decisions on the ‘personal affairs’ exemption in NSW FOI’ [2003] 10 PLPR 43

Access exemptions: 3rd party privacy (3)
• Victoria even worse, 1999 amendt to FOIA gave absolute exemption to all ‘personal information’: privacy destroys FOI
• Solutions? - Waters [2002] PLPR 24
  • Considers ‘personal information’ a worse starting point than ‘personal affairs’ [Greenleaf disagrees]
  • Recommends (i) all individual access be dealt with separately under privacy legislation; (ii) statutory statement that identities/actions of public servants is not exempted from access, following WA FOIA 1992 Sch 1 Cl 3(3) & Reg 9

Access exemptions: 3rd party privacy (4)
• Is motive of applicant relevant to what is ‘unreasonable’? - see Timmins article
• NSW cases inconsistent
  • Saleam v Dept Community Services [2002] NSWADT 41 - O’Connor J rejects any relevance
  • Contra Saleam v NSW Police Service [2002] NSWADT 40 - Robinson JM found ‘mosaic effect’ of disclosures justified refusal of access
• Cth AAT cases inconsistent
• Vic VCAT cases consider motive and purpose

Access exemptions: 3rd party privacy (5)
• ‘Reverse FOI’ provisions
  • Cth FOIA s27; NSW FOIA s31 - If agency is going to grant access to documents containing 3rd Pty personal information, must give 3rd Pty opportunity to object on grounds of unreasonableness
  • No equivalent in NPPs - 3rd Parties have no opportunity to object (unless organisation chooses to offer in making a decision under NPP 6.1(c))
  • No HK equivalent - another aspect of HK’s very restrictive access regime

Access exemptions: 3rd party privacy (HK)
• S20(1)(b) requires data users to refuse accesses which contain [any] personal data about a 3rd party unless:
  • (i) the 3rd pty data can be edited out (ss(2)(b)); or
  • (ii) the 3rd pty has consented to disclosure (ss(1)(b))
• But no ‘reverse FOI’ obligation on data user to ask 3rd Pty
• Mere identification of source of data is no bar to access unless the source is explicitly named (ss(2)(a))
• Extremely restrictive compared with Australian exemptions which require ‘unreasonable disclosure’ re 3rd ptys, not just any identification
  • A PD(P)O provision needing reform?
  • Most cases from other jurisdictions are irrelevant

Forced access by 3rd parties
• Can 3rd parties force use of access rights?
  • e.g. employers, insurers etc requiring data subject to obtain a copy of own record
• Would this constitute unfair collection by the party forcing access?
  • Better view is ‘yes’ (see Berthold & Wacks 1st Ed pp. 170-1) - This argument will apply in HK and Australia
  • Only a breach once the 3rd pty is provided with the data?
• Do IPPs need amendment to prevent this?
  • Not certain until ‘unfair collection’ approach is tested
• ALRC Report 108

Correction rights
• Issues
  • What does correction require?
  • Do correction rights depend on access rights?
  • Intermediaries
  • Notification of 3rd pty recipients
  • Remedies for access & correction breaches
• Sources
  • See Waters and Greenleaf ‘IPPs examined: the correction principle’ (2005) 11 PLPR 137
  • ALRC Report 108 (2008), Chapter 29; For commentary, see
  • Greenleaf, Waters & Bygrave, CLPC Submission to ALRC on DP 72, ‘12. Access and Correction (UPP 9)’ Dec 2007
  • Waters & Greenleaf commentary on proposed UPPs at Symposium, 2 Oct 2008

Meaning of correction
• NPP 6.5 - accurate, complete and up-to-date
• IPP 7.1 – also relevant and not misleading
• ALRC Report 108
  • UPP 9.6 – like IPP, all five criteria
  • With reference to purpose of holding
  • Onus no longer on individual to prove
  • OPC Guidance on manner of correction – c.f. HK DPP6
• "correction" ‘means rectification, erasure or completion’ (s2)

Correction rights: Do they depend on access?
• Do correction rights depend on access rights?
• Cth FOIA s48 correction - only to docs ‘to which access has been lawfully provided to the person’ = no correction of exempt docs unless lawfully acquired by other means
• Cth IPP 7.1 obligation to correct only refers to ‘a record’ but 7.2 says this ‘is subject to any applicable limitation in a law… that provides a right to require the correction or amendment of documents’
  • Does this mean FOIA s48 limits? - probably ‘yes’
• Private sector NPP 6.5 correction only requires that organisation ‘holds personal information’ - no access precondition

Correction rights: Do they depend on access? (2)
• NSW s15 correction right only requires that agency ‘holds personal information’
  • But s20(5) imposes FOIA ‘conditions or limitations (however expressed)’
  • NSW FOIA s39 only allows correction to ‘A person to whom access to an agency’s document has been given’, so exempt docs cannot be corrected in NSW either
• Is refusal of correction to exempt documents unfair?
  • What does refusal of access imply?
• ALRC – UPP 9 like NPP 6 – no access precondition

Correction rights: Do they depend on access? (3)
• Hong Kong: Does correction require access?
  • DPP 6 does not: 6(e) independent of 6(b)
  • BUT s22 makes correction depend on official access: 'where... (a) a copy of personal data has been supplied by a data user in compliance with a data access request; and (b) the ... data subject considers that the data are inaccurate, then that individual or relevant person, as the case may be, may ... request... correction to the data'
  • Can’t argue DPP6 gives a broader right
  • S58(1) exemption is from DPP6 as a whole
  • DPPs generally subject to the rest of the PDPO (s4) -

Correction rights: Do they depend on access? (4)
• Hong Kong: Can Data Subject (DS) obtain correction without access?
• If DS has ‘unofficial’ knowledge of data content
  • DS can complain to PCO of DPP2(1) breach - inaccurate
  • PCO can then access records, (i) find DPP2 breach if inaccurate, (ii) require non-use or erasure, and (iii) require notice to 3rd party recipients (but cannot disclose to DS)
  • Also, DS can sue under s66 for damages for DPP2 breach - if prima facie inaccurate, then DU must establish defences. Can DS obtain discovery despite s58(1)?
• If DS has no knowledge of data content
  • How to frame a complaint to the PCO?
  • How to establish prima facie DPP2 breach for s66?

Correction rights: Intermediaries and correction
• Intermediaries and correction
  • Cth PA 1988 s35 gives (defective) intermediary addition rights via Privacy Commissioner
  • Depends on exhausting FOIA AAT appeals first!
  • Comm'r can only recommend correction of exempt record, but can require addition to it
  • Does not cover access or correction, merely equivalent of FOIA s51 / IPP 7.3 annotations
• Alternative approaches
  • Complaint to Comm'r under IPP 8 (data quality) about prior or subsequent use of incorrect record?
  • s98 injunction?

Correction rights: Notification to 3rd Pty recipients
• Notification to 3rd party recipients of corrections
  • NSW s15 requires this, at request of applicant, where ‘reasonably practicable’
  • Only applies where individual is aware that correction is made
  • Draft Australian Casinos Code requires this
• Neither Cth IPPs nor NPPs explicitly require this
  • Would refusal to do so on request be a failure to mitigate damage?
  • Would failure to do so where individual is not aware be a failure to mitigate damage?
  • Would failure to do so = lack of reasonable steps to maintain data quality (NPP 3)?

Correction rights: Notification to 3rd Pty recipients
• ALRC Report 108, Chapter 29
  • Obligation to notify third pty recipients (Recommendation 29-5(b)), but only:
    • on request, and
    • where practicable in the circumstances

Correction rights: 3rd pty notification (HK)
• Hong Kong DPP 2(1)(c) requires notification by data user to 3rd Ps to whom data has been disclosed
  • Where it is ‘practicable’ for data user to know that the data are ‘materially inaccurate’ for the purpose for which they are to be used by the 3rd P
  • Information necessary to ‘rectify’ inaccuracies also to be provided
• Breach of this provision could lead to s66 liability
• ‘Inaccurate’ is not defined, but "correction" ‘means rectification, erasure or completion’ (s2) and ‘inaccurate’ may have a similarly broad meaning

Limits on the correction right
• Privacy Commissioners (and tribunals) are generally unwilling to adjudicate issues of ‘inaccuracy’ of records where
  • Another adjudicative body is more appropriate; or
  • The ‘inaccuracy’ is largely a question of opinion
• They then use powers to refuse investigation
• Should they only do so if there is some reasonable alternative access to another adjudicator?

Annotation rights
• Where difference of opinion, and agency or organisation can justify not correcting, some laws provide alternative of a right to have a disputed record annotated:
  • IPP7 – 'attach'
  • NPP 6 – 'associate'
  • HK s25(2)-(3)? - 'make a note' – and ensure it is seen when data is used
  • ALRC UPP 9.7 – 'associate .. a statement..'

Limits on the correction right
• [2001] HKPrivCmrAAB 4: Complainant alleged that press report about him largely consisted of lies; PCO ‘considered it to be a question on the manner of reporting and, as such, was not meant to be regulated by the PDPO’; ‘AAB ruled that fabrication or lies told about a person did not amount to his "personal data"’
  • Demonstrates the lengths PCO and AAB will go to in order to avoid applying the PDPO to the media
  • Could not possibly be held similarly if a credit bureau was involved
• [2000] HKPrivCmrAAB 2: AAB held comments or opinions in a letter of dismissal were inherently contentious, and the proper forum to resolve the dispute was by bringing of legal proceedings in the Labour Tribunal instead of resorting to a data correction request.

Reasons for decision
• NPP 6.7 expressly requires reason for refusal of access or correction to be given
• FOIA requires for agencies
• ALRC UPP 9.8 requires notice reasons and avenues of complaint

Who decides access/correction complaints?
• Australia - Cth P Comm'r has declined to investigate public sector access / correction complaints, requiring complainants to go to the AAT
  • Legitimate? see s41(1)(f) ‘a more appropriate remedy’
  • But FOIA does not allow for compensation etc
• Cth PC must investigate private sector complaints - no FOI option
• NSW PC - agency internal review or P Comm'r can investigate
• HK – P Comm'r can use s39(2)(d) to divert access complaints, but no FOI mechanism to divert them to – therefore Comm'r must decide access complaints in both sectors

Remedies for access & correction breaches
• Australia
  • FOIAs do not provide for compensation
  • Refusal to allow access or make corrections is a breach of IPPs/NPPs; if injury has resulted, compensation may follow
  • Cth IPP 7 accuracy obligation on agencies is independent of correction requests or use [not so for NPPs or NSW PPIPA]
  • Fed P Comm'r can refuse to investigate (s41(1)) or defer (s41(3)); should not do so if damages could be relevant
  • Data Quality principles may be needed to supplement correction claims - requires use (Cth IPPs 7, 8, NPP 3)

Remedies for access & correction breaches
• Hong Kong s66 can apply to where damage to a person results from
  • a refusal to correct a record (DPP6)
  • Failure to notify inaccuracies to a third party (DPP2)
  • Failure to comply with ‘data quality’ (DPP2)
• Note s66(3) defences in relation to incorrect data received from a 3rd party

‘Openness’ principle: Information generally available
• ‘Openness’ / ‘FOI’ principle valuable to the media, community organisations etc but is little used by anyone
• Cth IPP 5
  • Cth IPP 5.1 requires reasonable steps to allow anyone to ascertain (subject to FOI etc exemptions: IPP 5.2)
    • If they possess/control ‘any records that contain personal information’ and ‘the nature of that information’
    • Requires answers, not documents
    • Does not refer to records about the applicant
  • Cth IPP 5.3 requires a record to be kept (and made available to public: IPP 5.4) detailing nature and purpose of classes of records; classes of data subjects, recipients and conditions of access.

Openness – Cth agencies (2)
• No requirement on agencies to make available in any particular form, and no common standards e.g. for online availability
• Agencies required to provide each year a copy of IPP 5.3 record to Privacy Commissioner who publishes all of them in an annual Personal Information Digest
• No evidence of much use - despite potential for research, media use.

Openness - private sector
• NPP 5.1 requires a document containing ‘clearly expressed policies on its management of personal info’, available on request [relevant to collection]
• NPP 5.2 requires reasonable steps to answer requests on matters equivalent to Cth IPP 5.3; but only ‘generally’, not in relation to the individual applicant

Openness – NSW agencies
• PPIPA s.13 requires agencies to take reasonable steps to allow a person to ascertain matters equivalent to Cth IPP 5.1, but more specifically directed at information ‘relating to that person’
  • Relationship to access right unclear
• s.40 discretion for Privacy Commissioner to compile and publish a Digest based on returns required from selected agencies [contra Cth Digest – all agencies]
  • Never implemented in ten years
• s.33 requirement for agencies to prepare and update 'Privacy Management Plans' and submit to the Privacy Commissioner, but no requirement to publish (either by agency or Comm'r)

Openness – Australian reform?
• ALRC Report 108, Chapter 24
• UPP 4 – requirement for Privacy Policy to be publicly available free, both electronically, and on request in hard copy, to include specified matters:
  • Sort of personal information held
  • Purposes for which held
  • Avenues of complaint and steps to gain access
  • Whether likely to transfer outside Australia and if so, to which countries
• Pulled back from more prescriptive proposal in DP 72
• For commentary, see
  • Greenleaf, Waters & Bygrave, CLPC Submission to ALRC on DP 72, ‘7. Openness (UPP 4)’ Dec 2007
  • Waters & Greenleaf commentary on proposed UPPs at Symposium, 2 Oct 2008

Openness – Aust'n reform (2)
• ALRC also recommends OPC Guidance in support of short form notices and layered approach to information – taking account of both Openness and specific Collection Notification requirements (Recommendation 24-3).
• ALRC also recommends removal of Digest requirements for Cth agencies (Recommendation 47-3)
  • Arguably a loss of a resource with untapped potential, for only a marginal cost saving – alternative could have been improved accessibility for comparisons etc.

‘Openness’ principle (HK)
• DPP 5 right of any person to ascertain:
  • a data user's policies and practices
  • the kind of personal data held by a data user;
  • the main purposes for which data are used
• PDPO Pt V - Data User Returns
  • PCO can require specified classes of users to submit returns (s14)
  • PCO must then provide public access database (s15) and other access to returns
  • Pt V has not yet been used - similar to NSW s40

‘Openness’ principle (HK) (2)
• Examples:
  • HongKong Post pinhole camera report - also a breach of DPP 5 in not having PICS to inform employees of correction practices
  • Public body breached by not having a written data protection policy (AAB 5/01)