collection & related principles
Post on 15-Jan-2016
Collection & Related Principles
Information Privacy & Data Surveillance
Nigel Waters & Graham Greenleaf
Last updated September 2008
2
Issues in collection Principles
What types of 'collection' are regulated?
Required notice when collecting
  What types of collection require notice?
  Requirement to collect from data subject
Permitted purposes of collection
  Purpose justification principles
  Anonymity principles
Fair collection requirements
Special rules for 'sensitive' subjects
Other laws relevant to collection
3
Meaning of ‘collection’
Not defined - examples:
  Aust NPP 1.1 ‘An organisation must not collect personal information unless …’
  HK DPP1 merely says ‘Personal data shall not be collected unless …’
‘Collection’ remains largely undefined in privacy law
4
Possible types of ‘collection’
Must consider whether at least the following types of ‘obtaining’ data are ‘collection’:
  Information solicited from a person (data subject or 3rd party);
  Unsolicited information (data subject or 3rd party);
  Information obtained from observations ('surveillance') of the data subject;
  Information extracted from documentary or other sources (observation other than of data subject).
What will this determine?
  Whether purpose and extent of obtaining data is limited by law
  Whether fair collection rules apply
  Whether notice must be given - but this may apply to only some forms of obtaining data, even if they are collection
5
Solicited information
Whether solicited from data subject or 3rd party, this is the clearest case of ‘collection’
  Most IPPs include both as ‘collection’
Notice obligations may depend on whether data is solicited, and whether collected from data subject:
  Cth IPP 2 notice required only if solicited from data subject (all others only require data ‘collected’)
  HK DPP1(3) - only applies if data is collected (does not say ‘solicited’) from the data subject (ie no notice required if collected from 3rd party)
6
Solicited information – direct collection
Some laws do not require collection from data subject in preference to other sources (eg HK)
Others require collection from the data subject (as distinct from another source) in some situations, but they differ considerably
  NPP 1.4 requires collection only from individual ‘if it is reasonable and practicable to do so’
    When would this be so? (Must you rely on honesty?)
    Is it OK to then ‘double check’ with a 3rd P?
  NSW IPP 1 (s10) requires collection ‘directly from the individual’ unless
    (a) The individual ‘has authorised’ collection from 3rd P; or
    (b) Provided by parent/guardian if under 16
7
Solicited information – direct collection (2)
NSW IPP 1 (s10) (cont)
  DO v UNSW [2002] NSWADT 211
    Form allowing collection ‘from any tertiary institutions previously attended by me’ did ‘authorise’
  NSW s18 - individual may give ‘express consent’ that s10 does not apply; does not seem to limit scope of ‘authorised’ in s10
  If s10 applies, is it OK to then ‘double check’ with a 3rd P after collecting from individual?
    Better view is such collection must be ‘authorised’
8
Solicited information – direct collection (3)
Cth IPPs - no express obligation to collect from individual (see general data quality obligations)
ALRC Report 108 R21-1 – preference for direct collection from individual to carry over from NPP to new UPPs applying also to government agencies – agency concerns to be addressed in Privacy Commissioner guidance (R21-2)
NSWLRC CP3 – preference for direct collection unless 'unreasonable or impracticable' (Proposal 8)
9
Unsolicited information
Some Acts explicitly exclude unsolicited information from the meaning of ‘collection’:
  NSW s4(5): ‘not collected … if the receipt is unsolicited’
  NZ s2: ‘Collect’ does not include receipt of unsolicited info
Others leave this as a matter of interpretation
  Cth Act does not specify - depends on meaning of ‘collect’
  HK likewise
NSW - effect of exclusion of unsolicited information:
  NSW IPPs 1-4 do not apply (collection and quality)
  But IPPs 5-12 do apply (the agency still ‘holds’ personal information)
10
Unsolicited information received from data subject
Hong Kong
  suggest it is collected but only if and when the data user makes it ‘personal data’ by recording / retrievability (B&W Ch 8 is silent on the Q)
  Is Notice required? - nothing in DPP 1(3) to preclude this, but would only occur if and when data retained; PCO may take different view
Aust federal
  contrast Gunning (not included) and Greenleaf - suggest s16B resolves this by (in effect) only creating obligation once decision is made to retain data in a record - collection obligations only then arise
11
What does ‘solicited’ mean?
Two contrary views from NZ:
  [2002] NZPrivCmr 5 - NZPC recognises ‘passive’ collection - where applicant submitted extra information with a form, this was not ‘unsolicited’ (see Paul Roth (2002) 9(7) PLPR 121)
  Harder v Proceedings Commissioner (NZ) – NZ Court of Appeal held recording of unsolicited comments by data subject was not ‘collection’ - act of turning on recorder did not stop it being ‘receipt of unsolicited information’
12
Unsolicited information (cont)
Unsolicited info from 3rd parties
  Hong Kong
    suggest same as when received from data subject (ie only collected if and when the recipient includes it in its records)
    No notice required even if retained: DPP 1(3) only applies to collection from data subject
  Same argument applies re Aust NPPs and Cth IPPs
How important is this question?
  Usually, if excluded from collection, other IPPs would still apply because it is still ‘personal information’
  If included, main effect may be to create obligations to give notice (But only when the unsolicited information is retained)
  Also means information can only be retained if for proper purpose, and collection is ‘fair’
13
Unsolicited information (cont)
Little v Melbourne CC [2006] VCAT 2190
WJ v Commissioner for Fair Trading [2007] NSWADT 11
ALRC Report 108 R21-3 – must either destroy unsolicited info or it becomes subject to Principles – gives effect to CLPC Submission DP72-16
14
Notice when collecting from 3rd Parties
This is a different question from whether it is ‘collection’
Summary (see full discussion later):
Is notice required where info collected from a 3rd Pty?
  HK - No (DPP 1(3) says ‘from … the data subject’)
  NPP 1.5 - Yes (lesser notice than NPP 1.3) - also applies to unsolicited info
  Cth IPP 2 - No (only 'from the individual')
  ALRC Report 108 recommends Yes under UPP3
15
Notice when collecting from 3rd Parties (2)
Is notice required where info collected from a 3rd Pty? (continued):
NSW IPP 3 (s10) - arguably Yes (‘collects … from an individual’ requires notice to ‘the individual to whom the information relates’) - but not to unsolicited info (s4(5))
but to the contrary: HW v Director of Public Prosecutions (No 2) [2004] NSWADT 73
Principles vary in this respect
16
Observation of data subject
Is observation ‘collection’?
  Acts do not specify - Q of ordinary meaning of ‘collect*’
  No significant contrary views
    Eastweek did not rely on there being no collection
    Surveillance limitation laws do not already cover this
    Limitation of Notice provisions to collection from data subject does not support either view: the distinction may be from collection from 3rd parties, not observation
  Remedial nature of privacy laws supports a ‘yes’ answer
  So requirements of minimum collection, fair collection, etc will still apply to observations
  ALRC Report 108 concludes not necessary to expressly include collection by observation (21.81) but NSWLRC CP3 disagrees (implicitly - Proposal 11)
17
Observation of data subject
Is notice required (if observation is collection)?
  HK DPP 1(3) requires collection ‘from’ data subject; 1(3)(a)(I) also refers to ‘supply’ of the data by the data subject. HK is clearest case where no notice is required
  Cth IPP notice requirements only apply if data is ‘solicited’
  NPP 1(3) notice requires collection ‘from the individual’?; Cth IPP 3 requires info ‘solicited … from the individual’; NSW IPP 3 (s10) similar - in these cases it is not so clear
  Is observation collecting ‘from’ a person? Better view is ‘no’ - excludes notice requirement
  Result is sensible: observation is collection, but does not require notice (unless surveillance laws provide otherwise - as some do)
18
Information extracted
Much personal information is extracted from documentary or other sources
  It is ‘collection’ - most NPPs, IPPs apply
  ALRC Report 108 concludes not necessary to expressly include collection by extraction (21.81)
Is notice required of collection by extraction?
  HK - no, it is not ‘from’ data subject, not ‘supply’
  NPP 1.5 applies to collection ‘from someone else’
  Cth IPP 2 only applies to collection from the individual
  NSW IPP 3 (s10) requires collection ‘from an individual’
  In all 3, extracted info will not require notice
19
Information extracted
Result is sensible: extraction is collection, but does not require notice unless some other law requires it
Contra: Cth PComm Info Sheet 18: Taking reasonable steps…: suggests archivists collecting documents need to consider notice
20
Medium of collection
Collection may be in any medium
  Sound recording (Harder (NZ))
  Photograph (Eastweek (HK))
  Videos (HKPCO domestic helper case)
But data must be recorded (see Key Concepts)
21
Other modes of collection
Can you have collection by the following (no authority as yet?):
  Bodily samples
  Thermal imaging etc
  Remote tracking devices
  'internal' generation from transactions
ALRC Report 108 concludes not necessary to expressly include collection by these methods (21.81)
22
Required notice on collection: form and content
NPP 1.3 & 1.5; Cth IPP 2; NSW s10; HK DPP 1(3)
Why so significant?:
  cost involved to the data collector
  data subject is put on notice of risk
  Notice of purposes affects use/disclosure
ALRC Report 108 R23-1 recommends separate notification Principle (UPP 3)
23
Notice – circumstances and content
Situations where notice required varies
  See earlier re notice requirements for 3rd P collection, unsolicited info etc
Form of notice required -
  All require ‘reasonable’ or ‘practicable’ steps to ensure person is aware - written notice is not necessarily required
  Eg reasonable notice on web pages, or signs
  Verbal notice on collection of verbal information
24
Required notice (2)
Time of notice varies considerably
  Aust - all require notice before collection where practicable, otherwise allow notice after collection
  HK - Notice must be ‘on or before’ disclosure, but notice of access rights must be before first use
Exceptions to notice requirement
  HK DPP 1(3) proviso exempts where notice would prejudice purpose, and Pt VIII exempts access
  HK S35 exempts repeated collections (in a year)
25
Required notice (3)
Aust Cth PCO Info Sheet 18: Taking reasonable steps…
  Useful ‘general guide’ - where consequences to individual are greater, or information is more sensitive, then organisations are expected to expend more effort
  Includes useful examples but some are contentious (eg Pt B a - Archivist eg - suggests they need to consider giving notice when archiving documents referring to 3rd Ps other than the donor)
Tenants’ Union v TICA Determination 4/2004 - TICA form misleading as to info TICA collected (note: is example of notice given re collection from a 3rd P, its members)
  TICA had 4 other sources of info about privacy, but P Comm held that if one form purports to be notice, ‘it would generally need to alert individuals to the fact the other information was available’.
  Held: Failure to take reasonable steps to comply with NPP 1.5
26
Required notice (4)
Hong Kong examples of notice complaints
  Search results
  Inadequate display of notice [1999] HKPrivCmrAAB 2
Exercise
  Find a print/online notice and test it
  Send your comments to the class list for discussion
27
Required notice (5)
Content of notice - fairly uniform
  Purpose of collection / proposed use
  If obligatory, and consequences (can be implicit)
  Usual recipients of disclosures of data
    Must be within purpose; cannot sidestep
  Access and correction rights and procedures
HK DPP(1) requires explicit notice of (3)(b) items (PICS - Personal Information Collection Statement) but only implicit notice of (3)(a) items
Examples
  A v Insurer [2002] PrivCmrA 1 - found insurer’s travel insurance claim form was deficient in not identifying ‘other consultants’ info disclosed to
  N v Private Insurer [2004] PrivCmrA 1 - “any other person necessary for claims determination purposes” too wide - but in fact no notice was required because this was a related secondary purpose which was reasonably expected!
28
Permitted purpose & extent of collection
Standard purpose limits: lawful, relevant and minimal - we examine
Example - HK DPP1(1)
  Personal data shall not be collected unless-
  (a) the data are collected for a lawful purpose directly related to a function or activity of the data user who is to use the data;
  (b) subject to paragraph (c), the collection of the data is necessary for or directly related to that purpose; and
  (c) the data are adequate but not excessive in relation to that purpose.
29
Purpose (1)
Lawful purpose
  Required by Cth IPP 1; NSW s8; HK DPP 1
  Not expressly required by NPP 1 - implied?
A minimal objective negative standard
  Statutory and common law lawful purpose
  Eg collection for illegal gambling; blackmail; fraud; spamming
Significance: Lack of a lawful purpose means collection is itself a breach of IPPs that require it
  May result in damages claim not otherwise available
30
Purpose (2) - Positive limits?
Positive ‘purpose justification’ limits are rare
  Canada s5(3) ‘only for purposes that a reasonable person would consider are appropriate in the circumstances’
  EU Directive A7 ‘necessary for the purposes of the legitimate interests pursued by the controller or by the third party … to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject ...’
  No such limits in NPPs, or Cth/NSW IPPs, or HK
Q: Can organisations define their own purposes with no limits except lawfulness?
31
Purpose of collection (3)
ALRC Report 108 R21-5 fails to include tests of 'proportionality' or 'objective reasonableness', as suggested by CLPC (Submission DP72-17), OPC and VPC
ALRC doesn't address question of whether there can be multiple purposes of collection – highly relevant to application of use and disclosure principle (CLPC Submission DP72-19)
Breadth of purpose – see AK v Gosford City Council [2007] NSWADT 289 – very narrow - incentive mailing for early payment of rates not a 'directly related' purpose
32
Purpose (4) - Deemed purpose(s)
Info can only be collected for a ‘function or activity’ of the organisation -
  Cth IPP 1.1, NSW s8, HK DPP 1 - ‘a … purpose directly related to a function or activity’
  NPP 1.1 - ‘necessary for one or more of its functions or activities’
Is this an objective test, or completely subjective (within limits of lawfulness)?
  Objective - look at the actual/probable activities of the organisation - any purpose must be ‘necessary’ for those activities - no other purposes allowed
  Purposes of agencies are limited by ultra vires; Articles limit purposes of companies (somewhat)
33
Deemed purpose(s)
Determining this purpose of collection
  Determining such a purpose will usually be the first task in analysing any data protection problem
Stated purpose - wherever notice of purpose of collection required (and given)
  Objective test limits legitimate scope of notices
Inferred purpose - required if observed, extracted, or required notice not given
  Objective test based on actual activities
34
Minimal collection
Minimal collection - statutes vary
  NPPs - ‘necessary for …’
  Cth IPP1(b) ‘necessary for or directly related to ..’
  NSW s8 - ‘reasonably necessary for …’
  HK DPP 1 (c) ‘adequate but not excessive in relation to …’
What is ‘necessary’ depends on deemed purpose
Tenants’ Union v TICA Determination 4/2004 - PComm: ‘necessary’ ‘requires consideration of whether or not it is clearly appropriate and relevant to the functions or activities of the organisation’ - can they be done without it? - how sensitive is the information? - Found the Enquiries Database was necessary, without considering the overall privacy detriment that its operation might cause.
35
Minimal collection (2)
Examples
  Data not needed now, only potentially in future
  Whole documents collected when extracts would do, or merely a notation that document sighted
  N v Private Insurer [2004] PrivCmrA 1 - Insurer’s form authorising any health provider to disclose any health information to the insurer (whether related to claim or not) was excessive
  Union complaints of company’s introduction of finger-scanning of employees as unnecessary and ‘overkill’ dismissed by NZ PC: [2003] NZPrivCmr 5
  HK PC enquiry 2005 ‘discourages’ fingerprint recognition device to record attendance at work - good discussion
  Search FOI & Privacy Project for ‘collect* near necessary’ for other examples
36
Minimal collection (3) - Anonymity
Anonymity principle - only in the NPPs?
  NPP 8 Anonymity: ‘Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.’
Anonymity and minimum collection
  Is an anonymity principle implied by the minimal collection requirement? Or is it narrower?
  Can ‘not excessive’ personal data require ‘no personal data at all’? Under what circumstances?
  Or is there normally a right to ‘know your customer’?
  E.g. Does HK DPP 1 mean that Octopus is required to continue to offer the option of an anonymous card? What is to stop it ‘reinventing’ itself with a new business model involving marketing to all Octopus users?
37
Anonymity (2)
ALRC Report 108, R20-1:
  New UPP 1 to apply to private and public sectors
  Expressly includes 'pseudonymity' (accepting CLPC Submissions DP72-13 & 14, including removal of 'not misleading' from DP72 proposal)
P v Health Service Provider [2008] PrivCmrA 16 – NPP8 not considered in context of patient's request for deletion of record before consultation
38
Minimal collection - Anonymity (3)
Is it a breach of NPP 8 to build systems which make anonymity impracticable?
Does NPP8 require anonymity to be ‘designed in’?
  Wykanak v Dept Local Govt [2002] NSWADT 208 (summary) - ADT could not review a complaint of an anticipated breach of a NSW IPP
  FH v NSW Dept Corrective Services [2003] NSWADT 72 - No breach of security where it would cost millions for Dept to log accesses
  Compare Cth IPPs or NPPs - s98 Injunctions available where ‘a person … is proposing to engage in any conduct that … would constitute a contravention of this Act’
39
Fair collection requirements
Statutory requirements - similar
  NPP 1 requires lawful, and fair means, prohibits unreasonably intrusive means
    Applies to 3rd party collections
  Cth IPP 1.2 requires lawful and fair means
    prohibits unreasonably intrusive collection where info. solicited (including from 3rd parties), but not where observed or extracted
  NSW prohibits unlawful (s8) and unreasonably intrusive means (s11); but not unfair means
  HK DPP 1(2) requires lawful and fair means
40
Fair collection (2)
Lawful means
  Irrespective of lawful purpose, means of collection may breach statute (eg surveillance law) or common law (eg breach of confidence)
  Interaction with surveillance laws significant here
  If disclosure by data provider is unlawful, can the collection by the recipient be fair (or lawful)?
    Discussed under Use & Disclosure topic
41
Fair collection (3)
Fair means
  Deception and undue pressure most important
    Examples in Cth PC draft Guidelines (Dixon p2,063)
  ‘Not intrusive’ may be encompassed by ‘fair means’
  Does this mean ‘objectively fair to the data subject’ or ‘subjectively fair by the collector’?
    UK case takes first view, which seems correct
Fairness of covert data collection
  Hong Kong PCO examples held unfair
  HKPCO ‘Hongkong Post pinhole camera’ s48(2) Report
  Harder (NZ) - restrictive approach - only ‘to prevent people from being induced by unfair means into supplying information which they would otherwise not have supplied’
  L v Tertiary Institution [2004] VPrivCmr 6 - L not informed of email monitoring at work - settled by agreement to review policy
42
Fair means - examples
‘Blind’ employment advertisements - of considerable concern to HKPCO
Finding #10, 2001 CanLII 21538 (P.C.C.) Trucking company collected personal information intended for Canada Customs; held threatening employees with loss of their jobs was not a fair means of collection.
Finding #106, 2002 CanLII 42350 (P.C.C.) - Airline requiring Canadian pilots to complete US form that did not meet collection standards in order to obtain US training, at risk of loss of jobs, was unfair collection
Employee objects to employer's hidden tape recording in theft investigation - (Case Note 16479) [2001] NZPrivCmr 6- held unfair collection as employee was unaware of seriousness of interview
43
Special rules for 'sensitive' information
Sensitive information Principles
  Some IPPs have special Principles for defined information (medical, political etc)
  Eg NPP 10, NSW s19(1) (only re disclosure); Cth IPPs and HK do not
Spent convictions laws
  All Aust jurisdictions have old conviction laws (except Victoria)
  HK Rehabilitation of Offenders Ordinance may prevent some collection
44
Sensitive information (2)
ALRC Report 108 recommends consent requirement in collection principle UPP2 for sensitive information, but generous exceptions (R22-2 & 22-3)
CLPC Submission DP72-20 to 22 – argued for narrower exceptions
NSWLRC CP3 – Issue 30