Transcript Document

The other IPPs - Access, correction,
openness, security and destruction
Privacy and Surveillance
Graham Greenleaf
January 2006
The other IPPs






Access rights
Correction rights
Remedies and access & correction rights
‘Openness’ - Information generally available
Security
Destruction
Access rights under Privacy Acts

Australian access rights

Generally: access under IPPs limited by FOIA exemptions


Cth IPP 6 access right


Subject to NSW FOIA 1989 Sch 1 exemptions (s20(5))
Private sector NPP 6 access right



Subject to Cth FOIA 1982 Pt IV exemptions
NSW s14 access right


Exemptions do not forbid access, just deny a right
Exemptions in NPP 6.1(a)-(k) & 6.2
Similar but not identical to FOIA exemptions
Victoria NPP 6 access right

Exemptions as above, then overridden by Vic FOIA (s12)!
Hong Kong DPP6 - Access

Hong Kong DPP6 - Access and correction



Pt V detailed regime prevails if inconsistent with DPP 6 (s4)
HK does not have a FOIA
HK Exceptions to access (Pt VIII)



Many exceptions apply (see Berthold summary)
Exemptions relate to data, not specific data users
S58(1) broad exemption requires that access either



(i) prejudices interests listed or
(ii) in/directly disclose source [broader than s20]
Why should (ii) always be a bar to access?
Practical aspects of access

Access fees





Provided they are not abused, a significant
restraint on frivolous and burdensome requests
Cth IPPs - governed by FOIA
NSW s14 - ‘without excessive delay or expense’
Private sector NPP 6.4 ‘must not be excessive’
and ‘must not apply to lodging a request’
HK - May charge but may not be excessive (s28);


If two forms of access possible, lower fee must be
charged; can charge merely for enquiring if file held (s18)
Cannot charge for correction of file
Practical aspects of access

Tenants Union v TICA #1 [2004] PrivCmrACD 1


$11 by mail for enquiry/copy; held both breach NPP 6;
cannot charge for enquiry; recommended $8:80 charge
(marginal cost of provision) for copies, credit card facility
(only accepted cash or bank chqs before), and within 10
days [refuses to direct, but does indicate what will satisfy]
$5.45/minute by phone ($327/hour) not a breach of NPP6;



mail enquiries were ‘reasonable steps’ to provide access
[but $327/hr would not be reasonable steps to ensure NPP 3
data quality]
TICA failure to provide access via property managers not a
breach
Practical aspects of access

Who decides access request complaints?

Australia - Cth P Comm refused to investigate public sector
access / correction complaints, forcing complainants to go to
the AAT - Legitimate?





see s41(1)(f) ‘a more appropriate remedy’
But FOIA does not allow for compensation etc
Cth PC must investigate private sector complaints - no FOI
option
NSW PC? - agency internal review or PComm can
investigate
HK - PC can use s39(2)(d) to divert access complaints, but
no FOI to divert them to

HKPCO must decide access complaints in both sectors
HK Access Examples


PCO complaint examples

[1998] HKPrivCmr 11: $230 per slide for 250 clinical slides

was excessive, and on recalculation reduced to $7.20 actual cost + 20% administration fee was OK
Employer could not refuse employee a copy of investigation
report on which his summary dismissal was based - only
grounds are s20 or Pt VIII
Appeals to AAB against PCO

[1999] HKPrivCmrAAB 1: Hospital had attempted but failed to
locate minutes to which C wanted access - no breach, even
though minutes did exist (7/00)

[2001] HKPrivCmr 5: AAB held University was not required to
provide complainant with a ‘consolidated document list’ so she
could choose what documents to access.
HK Access Examples

AAB Case 24/2001 [2001] HKPrivCmr 5:





C complained that University had not provided all documents
it held about her
PC issued enforcement notice requiring Uni to (I) do a
‘thorough search’ and (ii) provide to C a ‘consolidated
documents list’
AAB held both requirements invalid under s18(1): (I)
‘thorough search is a higher burden than ‘due diligence’; (ii)
data user must identify documents to which access is
requested.
Suggest: s18 does not require requestor to identify
documents, may instead request ‘all documents held’
In previous AAB Case 1/01, AAB held s18(1)(a) only
requires data user to confirm data is held, not to list it
Intermediary access

The problem





Data exempted from access is usually the most prejudicial
and important data about a person
Refusal of access prevents putting a counter-case, and
stopping abuse of other rights (eg disclosure)
Correction is often tied to right of access (see later) compounds the problem of lack of direct access
Access exemptions are more absolute than they need to be,
because it is impossible to define the line
Access to part of the information via a 3rd party trusted by
both sides can reduce this - but is this possible?
Intermediary access (2)

Australian law



NPP 6.3 defective attempt - org. must only
‘consider’ ‘mutually agreed intermediaries’
No other explicit provisions
Do P Comms have powers to so act?



Complainant will first have to credibly allege a breach of
an IPP
What can Commissioner then disclose?
Can Commissioner then use own motion powers?
Intermediary access (3)

Hong Kong law




No general provision for intermediary access
Pointless to make PCO a ‘relevant person’ in s2
Privacy Commissioner can access exempt
records, if has reasonable grounds to suspect
breach of PDPO / DPP (s38)
Possible complaint: suspected inaccurate records
as lack of data quality (DPP2)
 Some reasonable grounds needed
Access exemptions:
3rd party privacy


When does 3rd P privacy exempt disclosure?
Hong Kong



S20(1)(b) requires data users to refuse accesses which contain
[any] personal data about a 3rd party unless:
(I) the 3rd P data can be edited out (ss(2)(b); or
(ii) the 3rd P has consented to disclosure (ss(1)(b)



But no ‘reverse FOI’ obligation on data user to ask 3rd P
Mere identification of source of data is no bar to access unless the
source is explicitly named (ss(2)(a))
Extremely restrictive compared with Australian exemptions which
require ‘unreasonable disclosure’ re 3rd Ps, not just any
identification
 A PD(P)O provision needing reform?
 Most cases from other jurisdictions are irrelevant
Access exemptions: 3rd party privacy

Australian provisions

Cth IPPs - FOIA s41 - ‘unreasonable disclosure of
personal information about any person’ (same
definition as in PA since 1991)


Waters - problem of conflicting FOI objectives of
openness leads to narrow reading of privacy exceptions
Private sector NPP 6.1(c) - ‘an unreasonable
impact upon the privacy of other individuals’


No FOI objectives of openness to balance -> could result
in more protection of 3rd P privacy than in FOIA
‘Privacy’ is narrower than ‘personal information’ -> but is
it the same so long as ‘unreasonable’ relates to privacy?
Access exemptions:
3rd party privacy (2)

NSW IPPs - NSW FOIA Sch 1 cl 6
‘the unreasonable disclosure of information concerning
the personal affairs of any person (whether living or
deceased)’
‘Personal affairs’ is narrower than ‘personal information’






Perrin’s Case (1993) NSW CA - names of Police carrying out
their duties was not ‘personal affairs’
Followed in Robinson [2002] NSWADT 222 and Woods [2002]
NSWADT 253
Effect is also to limit correction rights under NSW FOIA
See Timmins ‘Decisions on the ‘personal affairs’ exemption
in NSW FOI’ (2003) 10(3) PLPR 43
Access exemptions:
3rd party privacy (3)

Victoria


even worse, 1999 amendt to FOIA gave absolute
exemption to all ‘personal information’: privacy
destroys FOI
Solutions? - Waters [2002] PLPR 24



Considers ‘personal information’ a worse starting
point than ‘personal affairs’ [I disagree]
Recommends (i) all individual access be dealt
with separately under privacy legn;
(ii) statutory statement that identities/actions of
public servants is not exempted from access,
following WA FOIA 1992 Sch 1 Cl 3(3) & Reg 9
Access exemptions:
3rd party privacy

Is motive of applicant relevant to what is
‘unreasonable’? - see Timmins article

NSW cases inconsistent




Saleam v Dept Community Services [2002] NSWADT 41
- O’Connor J rejects any relevance
Contra Saleam v NSW Police Service [2002] NSWADT
40 - Robinson JM found ‘mosaic effect’ of disclosures
justified refusal of access
Cth AAT cases inconsistent
Vic VCAT cases consider motive and purpose
Access exemptions:
3rd party privacy (3)

‘Reverse FOI’ provisions



Cth FOIA s27; NSW FOIA s31 - If agency is going
to grant access to documents containing 3rd P
personal information, must give 3rd P opportunity
to object on grounds of unreasonableness
No equivalent in NPPs - 3rd Ps have no
opportunity to object
No HK equivalent - another aspect of HK’s very
restrictive access regime
Forced access by 3rd parties

Can 3rd parties force use of access rights?


eg employers, insurers etc require data subject to
obtain a copy of own record
Would this constitute unfair collection by the party
forcing access?




Better view is ‘yes’ (see B&W 1st Ed pgs 170-1)
This argument will apply in HK and Australia
Only a breach once the 3rd P is provided with the data?
Do IPPs need amendment to prevent this?

not certain until ‘unfair collection’ approach is tested
Correction rights

Issues




Do correction rights depend on access rights?
What does correction require?
Remedies for access & correction breaches
Sources

See Waters and Greenleaf ‘IPPs examined: the
correction principle’ (2005) 11 PLPR 137
(Materials #5)
Meaning of correction

For HK DPP6 "correction" ‘means
rectification, erasure or completion’ (s2)
Correction rights:
Do they depend on access?

Do correction rights depend on access rights?


Cth FOIA s48 correction only to docs ‘to which access has
been lawfully provided to the person’ - no correction of
exempt docs
Cth IPP 7.1 obligation to correct only refers to ‘a record’



but 7.2 says this ‘is subject to any applicable limitation in a
law… that provides a right to require the correction or
amendment of documents’
does this mean FOIA s48 limits? - probably ‘yes’
Private sector NPP 6.5 correction only requires that
organisation ‘holds personal information’

BUT only if ‘the individual is able to establish that the
information is not accurate, complete and up-to-date’ - onus of
proof of error is on the individual [but see NPP 3 Data Quality]
Correction rights:
Do they depend on access? (2)


NSW s15 correction right

only requires that agency ‘holds personal information’

But s20(5) imposes FOIA ‘conditions or limitations (however

expressed)’
NSW FOIA s39 only allows correction to ‘A person to whom
access to an agency’s document has been given’

so exempt docs cannot be corrected in NSW either
Is refusal of correction to exempt documents unfair?

What does refusal of access imply?
Correction rights:
Do they depend on access? (3)

Hong Kong: Does correction require access?


DPP 6 does not: 6(e) independent of 6(b)
BUT s22 makes correction depend on official
access


'where... (a) a copy of personal data has been supplied
by a data user in compliance with a data access request;
and (b) the ... data subject considers that the data are
inaccurate, then that individual or relevant person, as the
case may be, may ... request... correction to the data'
Can’t argue DPP6 gives a broader right


S58(1) exemption is from DPP6 as a whole
DPPs generally subject to the rest of the PDPO (s4) -
Correction rights:
Do they depend on access? (4)

Hong Kong: Can DS obtain correction without
access?

If DS has ‘unofficial’ knowledge of data content




DS can complain to PCO of DPP2(1) breach - inaccurate
PCO can then access records, (I) find DPP2 breach if
inaccurate, (ii) require non-use or erasure, and (iii) require
notice to 3rd party recipients (but cannot disclose to DS)
Also, DS can sue under s66 for damages for DPP2 breach - if
prima facie inaccurate, then DU must establish defences. Can
DS obtain discovery despite s58(1)?
If DS has no knowledge of data content


How to frame a complaint to the PCO?
How to establish prima facie DPP2 breach for s66?
Correction rights:
Intermediaries and correction

Intermediaries and correction

Cth PA 1988 s35 gives (defective) intermediary
addition rights via PComm




Depends on exhausting AAT appeals first!
P.Comm can only recommend correction of exempt
record, but can require addition to it
does not cover access or correction, merely equivalent of
FOIA s51 / IPP 7.3 annotations
Alternative approaches

What if individual complains to P. Comm under
IPP 8 (data quality) about prior or subsequent use
of incorrect record? Or seeks a s98 injunction?
Correction rights:
Notification to 3rd party recipients

Notification to 3rd party recipients of corrections

NSW s15 requires this, at request of applicant, where
‘reasonably practicable’



Only applies where individual is aware that correction is made
Draft Australian Casinos Code requires this
Neither Cth IPPs nor NPPs explicitly require this



Would refusal to do so on request be a failure to mitigate
damage?
Would failure to do so where individual is not aware be a failure
to mitigate damage?
Would failure to do so = lack of reasonable steps to maintain
data quality (NPP 3)?
Correction rights:
Notification to 3rd party recipients

Hong Kong DPP 2(1)(c) requires notification
by data user to 3rd Ps to whom data has
been disclosed




Where it is ‘practicable’ for data user to know that
the data are ‘materially inaccurate’ for the purpose
for which they are to be used by the 3rd P
Information necessary to ‘rectify’ inaccuracies also
to be provided
Breach of this provision could lead to s66 liability
‘Inaccurate’ is not defined, but "correction" ‘means
rectification, erasure or completion’ (s2) and
‘inaccurate may have a similarly broad meaning
Limits on the correction right

PCOs (and tribunals) are generally unwilling
to adjudicate issues of ‘inaccuracy’ of records
where



Another adjudicative body is more appropriate; or
The ‘inaccuracy’ is largely a question of opinion
They then use powers to refuse investigation


Should they only do so if there is some reasonable
alternative access to another adjudicator?
Are rights of annotation of disputed records a
sufficient alternative? Eg HK s25(2)-(3)
Limits on the correction right

[2001] HKPrivCmrAAB 4: Complainant alleged that press report
about him largely consisted of lies; PCO ’considered it to be a
question on the manner of reporting and, as such, was not meant
to be regulated by the PDPO’; ‘AAB ruled that fabrication or lies told
about a person did not amount to his "personal data" ‘

Demonstrates the lengths PCO and AAB will go to in order to avoid
applying the PDPO to the media

Could not possibly be held similarly if a credit bureaux was involved

[2000] HKPrivCmrAAB 2: AAB held comments or opinions in a
letter of dismissal were inherently contentious , and the proper
forum to resolve the dispute was by bringing of legal
proceedings in the Labour Tribunal instead of resorting to a data
correction request.
Remedies for access &
correction breaches

Hong Kong

s66 can apply to where damage to a person results from




a refusal to correct a record (DPP6)
Failure to notify inaccuracies to a third party (DPP2)
Failure to comply with ‘data quality’ (DPP2)
note s66(3) defences in relation to incorrect data received
from a 3rd party
Remedies for access &
correction breaches

Australia




FOIAs do not provide for compensation
Refusal to allow access or make corrections is a breach; if
injury has resulted, compensation may follow
Cth IPP 7 accuracy obligation on agencies is independent of
correction requests or use [not so for NPPs or NSW]
Fed P Comm can refuse to investigate (s41(1)) or defer
(s41(3))


should not do so if damages could be relevant
Data Quality principles may be needed to supplement
correction claims - requires use (Cth IPPs 7, 8, NPP 3)
‘Openness’ principle:
Information generally available

‘Openness’ / ‘FOI’ principle



valuable to the media, community organisations etc
but is little used by anyone
Cth IPP 5

Cth IPP 5.1 requires reasonable steps to allow anyone to ascertain
(subject to FOI etc exemptions: IPP 5.2)

Requires answers, not documents
 Does not refer to records about the applicant
Cth IPP 5.3 requires a record to be kept (and made available to
public: IPP 5.4) detailing nature and purpose of classes of records;
classes of data subjects, recipients and conditions of access.
Annual copy to Commissioner for Personal Information Digest - no
one ever reads it.



If they posses/control ‘any records that contain personal information’
and ‘the nature of that information’
‘Openness’ principle:
Information generally available

Private sector NPP 5



NPP 5.1 requires a document containing ‘clearly expressed policies
on its management of personal info’, available on request [relevant
to collection]
NPP 5.2 requires reasonable steps to answer requests on matters
equivalent to Cth IPP 5.3; but only ‘generally’, not in relation to the
individual applicant
NSW PPIPA s13 & s40

S13 requires agencies to take reasonable steps to allow a person
to ascertain matters equivalent to Cth IPP 5.1




But s13(b) refers to info ‘relating to that person’ - Would provide the ‘list
of documents’ refused in HK; differs from NPPs and Cth IPPs
S40 discretion for Privacy Commissioner to require returns from
selected agencies (s40(3)) [contra Cth - not all]
Compile and publish a Digest based on that info (s40(1),(2))
Not done as yet
‘Openness’ principle:
Hong Kong

DPP 5 right of any person to ascertain:




a data user's policies and practices
the kind of personal data held by a data user;
the main purposes for which data are used
PDPO Pt V - Data User Returns



PCO can require specified classes of users to submit
returns (S14)
PCO must then provide public access database (s15)
and other access to returns
Pt V has not yet been used - similar to NSW s40
‘Openness’ principle:
Hong Kong

Examples:


HongKong Post pinhole camera report also a breach of DPP 5 in not having PICS
to inform employees of correction practices
Public body breached by not having a
written data protection policy (AAB 5/01)
Security principle

Provisions





Cth IPP 4
Private sector NPP 4.1
NSW s12(b)-(d)
HK DPP 4
Sources


Waters & Greenleaf ‘IPPs examined: The security principle’
(2004) 11(4) PLPR 96 (Materials) - this includes many
examples of complaints
Aust. Comm PC Info Sheet 6 Security (2001) - Sets out long
list of Australian and international standards that may apply
Security principle

Scope



All require security from from misuse and loss and
from unauthorised access, modification or
disclosure
so internal and external threats, and mere
negligence are covered
All only require ‘reasonable steps’ or ‘practicable
steps’
Security principle: Hong Kong



DPP 4 requires ‘All practicable steps … to ensure …
protected against unauthorized or accidental access,
processing, erasure or other use’
Includes (as if personal data) data to which access is
not practicable
Lists 5 factors to which data users must have
‘particular regard’ - reflects standard criteria 




(a) kind of data and possible harm (‘harm test’)
(b) physical location / + security appropriate)
(c) technical security measures
(d) personnel integrity etc measures
(e) communications security measures
Security principle

Possible examples of breaches





If hackers access data, data user may be liable for
inadequate security - supplements computer crime laws: sue
the company, not the hacker
Mailouts in error of sensitive data
Accidental destruction of data valuable to a person
Security which destroys other privacy interests will not be
‘practicable’
Lax practices with cleaners etc


Personal files are regularly found at kindergartens and tips
Unencrypted data on mobiles:

63,000 mobile phones, 6,000 pocket PCs and 5,000 PCs left in
London cabs in 6 months (UK Taxi survey 2005, 21 (2) CLSR
95-97)
Security principle

Australian examples

See these and more examples in Waters & Greenleaf article

Agency client provided password to be used to identify him;
agency failed to ask for it (L v Commonwealth Agency [2003]
PrivCmrA 10)

ATO web site disclosing ABN details
FH v NSW Dept Corrective Services [2003] NSWADT 72 ; Summary
[2003] NSWPrivCmr 1- Equivocal on whether breach of security
principle where it would cost millions for Dept to change system to
log accesses (see Waters & Greenleaf article)
E v Financial Institution [2003] PrivComA 3 - audit trail failed to
record access to customer account - settled
B v Victorian Government organisation [2003] VicPrivCom 2 $25,000 compensations settlement when agency disclosed
complainant’s new address to ex-spouse ‘across the counter’
despite known risk



Security principle

Hong Kong examples - Complaints to PCO held to
breach DPP4 (security):







Faxing details of donation to estate office (AR 5/05)
Newspaper publication of address of complainant, endangering
him, not a breach of DPP4; DPP3 (disclosure) was only DPP
relevant (AAB appeal 4/00)
Insurer sending insurance policies for 3 people to the address of
one of them
Unsealed letters of demand sent to neighbours addresses
Law firm’s messenger allowed duplicate cover sheet of divorce
process to be read by others at workplace while waiting to serve
process: [1998] HKPrivCmr 8
Law firm left trial bundle in gap between litigant’s metal gate and door:
[2003] HKPrivCmr 8
See other examples in McLeish and Greenleaf chapter
Security principle

Security managers in apartment blocks required to destroy
data on visitors after a reasonable period [1998] HKPrivCmr
4

Hong Kong examples concerning ID cards



Mobile phone Co. made first 6 numbers of ID card the
default password for call data, billing etc information; debt
collector accessed data and harassed complainant and
friends; held breach of DPP 4: [2003] HKPrivCmr 3
Disclosure of ex- employee ID numbers in faxes to
customers
Bank and dept. store jointly responsible for printing error
disclosing ID nos. in mailout
Retention / deletion principles

Sources



Waters & Greenleaf ‘IPPs examined: The retention principle’
(2004) 11(4) PLPR 96
Aust. Cth PC Info Sheet 6 Security (2001)
Provisions




HK DPP 2(2) and s26
Cth IPPs - none
Private sector NPP 4.2 ‘reasonable steps to destroy or
permanently de-identify … if it is no longer needed for any
purpose’ allowed under NPP2 - Test of ‘permanent deidentification is whether it is no longer ‘personal information’
NSW s12(a) - similar to NPP 4.2
Retention / deletion principles

For Australian and other examples, see Waters &
Greenleaf article, including:
Tenants Unions v TICA (No3) [2004] PrivCmrACD 3 Failure to delete or remove old tenancy information
was a breach of NPP 4.2; PC ‘recommended’ TICA



Delete ‘history’ information in Tenancy History Database
after four years;
Delete 'application' information in Enquiries Database
after three years; and
Delete information moved to ‘dead tenant database’ (ie
database which stores deleted listings) not less than once
a month - in case of errors
Retention / deletion principles

NZ Comm supports retention of
information on dismissed employees for
5 years
Retention / deletion principles (HK)

Hong Kong DPP 2(2) and s26

DPP 2(2): ‘Personal data shall not be kept longer
than is necessary for the fulfilment of the purpose
(including any directly related purpose) for which
the data are or are to be used'.


Keeping for the purpose of some exception not allowed
Only says ‘personal data’ shall not be kept - what if made
inaccessible?; what if de-identified? Is DPP 2(2)
satisfied?
Retention / deletion principles (HK)

HK DPP 2(2) is supplemented by s26 ( titled ‘Erasure
of personal data no longer required’)



Says ‘A data user shall erase personal data …’
Doubtful if data can be made inaccessible or de-identified in
the face of this explicit provision
S26 has 2 exceptions:

'(a) any such erasure is prohibited under any law’;


‘(b) it is in the public interest (including historical interest) for
the data not to be erased.’


Archives laws etc will override DPP 2(2)
Q of public interest is a question of law, not of good faith belief
S26(3) protects any joint controller against suits by other
controller because of erasure of data
Retention / deletion principles

Hong Kong DPP2(2) and s26 - Examples of
appeals to AAB against PCO:


[1999] HKPrivCmrAAB 3: Telecomms Co.
retained customer details for 180 days after
suspension of service, in case of reconnection no breach
Pursuant to DPP 2(2), Consumer Credit Code
requires data deletion 5 years after ‘final
settlement’ - raised issues of how this applied to
bankruptcies, but not necessary to decide (7/01)