Key concepts in information privacy legislation

Graham Greenleaf, revised 16 April 2003, Nigel Waters revised 10 September 2008.

= required reading

= material added since the date of the class concerning this topic

New Developments

The latest discussion of these key concepts is contained in the ALRC Report 108 For Your Information: Australian Privacy Law & Practice, May 2008 and in the New South Wales Law Reform Commission Consultation Paper 3: Privacy Legislation in NSW, June 2008 (see 'Australian Resources' below for links), and in submissions and earlier reviews referenced in those two documents. Key recommendations and cases included in the powerpoint presentations for this topic, but not yet incorporated into this Reading Guide, include:

• ALRC Recommendations 6-1 to 6-3 concerning the definition of 'personal information'
• Cases concerning constructive identification: K v Health Service Provider [2008] PrivCmrA? 11; WL v La Trobe University ([2005] VCAT 2592) + NSWLRC Issue 19
• ALRC Recommendations 6-6 concerning definition of 'record'
• ALRC Recommendations 6-7, 11-1 & 11-2 concerning 'generally available publication'
• Cases concerning 'publicly available publication': PC v University of New South Wales [2007] NSWADT 286; WL v Randwick City Council NSWADTAP 58; NW v NSW Fire Brigades [2005] NSWADT 73
• ALRC Recommendation 19-1 concerning 'consent'

1. Objectives

2. Information privacy legislation - General sources

For various information privacy laws relevant to this course, overviews of the legislation follow, and resources concerning the interpretation of the legislation.

Australian resources

There are numerous Australian references in these Reading Guides. No short overview is available online.

• Privacy Act 1988 (Cth) - unofficial version which has more convenient navigation, but has not been updated since 2001
• T Dixon Private Sector Privacy Handbook (loose-leaf service) CCH
• Australian Privacy Commissioner's Office Federal Privacy Handbook (loose-leaf service) CCH
• For official information in concerning Australian Federal privacy law, the Australian Privacy Commissioner has a useful website.
• World Law catalog Privacy >> Australia pages contain the major starting points for research - see in particular the %u2018Other Indexes%u2019 pages for links to other substantial indexes. Searches from these pages will also be effective for finding privacy materials.
• Australian Law Reform Commission For Your Information: Australian Privacy Law and Practice Report 108, May 2008 - also Discussion Paper 72, September 2007
• New South Wales Law Reform Commission Privacy Legislation in New South Wales Consultation Paper 3, June 2008.
• Cyberspace Law and Policy Centre, 2007-08, various Submissions to the ALRC in response to DP 72.

Hong Kong resources

• Personal Data (Privacy) Ordinance (Cap 486)
• Mark Berthold Hong Kong's Personal Data (Privacy) Ordinance 1995 (1995) 2 PLPR 164; the Bill proceeding the Ordinance is discussed in Mark Berthold Hong Kong's data privacy proposals, Part I (1994) 1 PLPR 165 and Part II (1994) 1 PLPR 188.
• Mark Berthold and Raymond Wacks Data Privacy Law in Hong Kong %u2014 a Professional Guide, FT Law and Tax Asia Pacific, Hong Kong, 1997 - see book review - This is the leading text on the Ordinance.
• Cases on the Personal Data (Privacy) Ordinance (13)
• Website of the Privacy Commissioner for Personal Data, particularly:
  • Complaint Case Notes
  • Enquiry Cases Notes
• David Banisar Hong Kong in Privacy & Human Rights 2000, Electronic Privacy Information Center (EPIC)
• Stephenson, Kwan & Ellis Cyberlaw in Hong Kong (2001) Ch 14 'Data Privacy'

New Zealand Resources

• Privacy Act 1993 (NZ)
• Tim McBride? NZ's Privacy Act 1993 - Part 1 -- (1994) 1 PLPR 4 and Part II (1994) 1 PLPR 26
• E Longworth and T McBride? The Privacy Act - A Guide GP Publications, 1994
• P Roth Privacy Law and Practice (loose-leaf service) Butterworths NZ
• World Law catalog Privacy >> New Zealand pages

European resources

• Data Protection Directive (EU)
• European Commission 'Internal Market' DG Data Protection index - best location for most EU privacy materials

3. Key concepts relevant to all IPPs

Many terms which are crucial to the interpretation of IPPs and provisions in privacy Acts are neither sufficiently defined in the Acts themselves, nor have they received judicial interpretation.

There is little official guidance on the meaning of key terms. An interesting exception (which was not followed in the final version) is the Federal Privacy Commissioner Draft National Privacy Principle Guidelines (May 2001) - Chapter 2 Explanation of Terms - Provides the Commissioner's interpretation of the following terms:

Access, Act (the Act), Authorised by law, Collection, Commissioner (the Commissioner), Cookie, Directly related purpose, Direct marketing, Disclosure, Enforcement bodies, Health information, Health service, Individual, Law, Lawful, List renter, Necessary, Organisation, Personal information, Practicable and impracticable, Primary purpose, Reasonable, Record, Related corporation, Related purpose, Required by law, Secondary purpose, Sensitive information, Serious and imminent threat, Serious threat to public health or public safety, Use, Web bug.

The ALRC and NSW LRC privacy reviews have considered some of these terms and concepts in some detail in 2007-08 and the Cyberspace Law and Policy Centre submissions to those reviews also comment on them (see references in 'Australian Resources' above).

4. 'Interferences with privacy' and equivalents - breaches

Cth Privacy Act 1988 - 'Interferences with privacy'

'Interferences with privacy'

• s13 and s13A define all %u2018interferences with privacy%u2019 (see s13F) - as breaches of IPPs, NPPs, credit Codes, TFN rules, etc etc
• ss13B-E provide for some exceptions
• s36 - Commissioner can only investigate complaints of %u2018interferences with privacy%u2019
• No s52 remedies if no %u2018interference with privacy%u2019

Some sections use different terminology:

• s16 - Agencies shall not %u2018breach%u2019 IPPs
• s16A - Organsiations must not %u2018breach%u2019 NPPs or codes
• s98 (Injunctions) refers to %u2018contraventions of this Act%u2019

NSW PPIPA 1998 - equivalents

s21 Agencies must not contravene IPPs. s21 %u2018Contravention%u2019 is %u2018conduct to which Pt 5 applies%u2019 (internal review) (s21(2)) - can lead to s55 ADT review and enforceable remedies

s45 complaints to the Privacy Commissioner can be for any %u2018violation of, or interference with, the privacy of an individual%u2019 (all undefined). s45 complaints can not lead to any ADT review of enforceable remedies. See NSWLRC CP3 Issues 54 & 55 for dicussion of the distinction between 'violation of ...' and 'interference with...'.

NZ Privacy Act 1993 equivalent

s66 'interference with privacy' has two components - firstly a breach of an IPP or Code, and secondly demonstrable 'harm' (see also reading guide x on enforcement).

5. Personal information / data

IPPs only apply to what is variously described as 'personal information' (Australia and NZ) and 'personal data' (Hong Kong).

• generally:
• B & W pgs 85-91
• Patrick Gunning Personal information in 'Central Features of Australia's private sector privacy law' [2001] CyberLRes? 2
• Graham Greenleaf 3.1.What is 'personal information'? in 'Private sector privacy: Problems of interpretation' [2001] CyberLRes? 3

Australia - 'personal information'

All sets of privacy principles in Australian law require 'personal information' before they are applicable.

For example, s6 Privacy Act 1988 (Cth) provides:

' personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.'

NSW PPIPA s4 %u2018personal information%u2019:

• Ss(1) largely similar to Cth definition
• Ss(2) includes biological samples etc
• Ss(3) excludes many categories of information

• Durant v Financial Services Authority [2003] EWCA Civ 1746
• David Lindsay 'Misunderstanding "personal information": Durant v Financial Services Authority' (2003) 10(10) PLPR
• ALRC Report 108 Recommendation 6-1 and preceding discussion

Hong Kong - 'personal data'

• PDPO s2:
  • "data" means any representation of information (including an expression of opinion) in any document, and includes a personal identifier;
  • "personal data" means any data- (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable;
  • "data subject" , in relation to personal data, means the individual who is the subject of the data;

Other jurisdictions

New Zealand s2 %u2018personal information%u2019 definition does not mention opinions.

What can be taken into account?

What information can be taken into account in deciding what is 'personal information'?

• Graham Greenleaf When can a person's identity be 'reasonably ascertained'? in 'Private sector privacy: Problems of interpretation' [2001] CyberLRes? 3
• B&W p88 take a similar view concerning the HK definition
• ALRC Report 108 Recommendations 6-1 to 6-3 and preceding discussion of 'reasonably identifiable'
• NSWLRC CP3 Issues 18 (concerning visual images) and 19 (more general)

When are email addresses and IP addresses personal information?

• G Greenleaf 'Personal information in cyberspace' in 'Private sector privacy: Problems of interpretation' [2001] CyberLRes? 3
• ALRC Report 108 Recommendation 6-2 and preceding discussion of 'reasonably identifiable'

Is the collector's 'intention to identify' relevant?

• Eastweek Publisher Ltd v the Privacy Commissioner for Personal Dat a [2000] HKCA 137 (Hong Kong Court of Appeal) - This case is ambiguous as to whether it is about the meaning of 'personal data' or the meaning of 'collection'.
• Raymond Wacks What has data protection to do with privacy? (2000) 6 PLPR 143
• Graham Greenleaf ' Key concepts undermining the NPPs - A second opinion' (2001) 8 Privacy Law & Policy Reporter 1 - particularly Is intention to identify relevant? (concerning Eastweek)
• HKPCO Case No.: 200019936 'Whether a telecommunication services provider is required to provide a copy of security surveillance video tape'.
• Case No.: 200111603 'Whether a utility company could install a closed-circuit television (¡§CCTV¡ë) system in a lift for the disabled.'
• ALRC Report 108 Recommendations 6-1 and preceding discussion of 'ability to contact'

Opinions and attitudes

Is information indicating a person's 'attitude' personal information about them?

• Paul Roth http://www2.austlii.edu.au/privacy/secure/PLPR/2000/59.html#Heading4 Preliminary discussion: %u2018personal information%u2019 in Casenote: Harder v Proceedings Commissioner [2000] 3 NZLR 80 (NZ Court of Appeal) (2000) 7 PLPR 134
• B & W p87 consider, in relation to HK, that a document by a person stating that person's opinion about a topic or another person is not personal data about the author because it does not 'relate' to that person. (On this view, the reference in the HK definition of 'data' must refer to the person the opinion is about.)
• See NSWLRC CP3 Issues 14 to 17 and preceding discussion concerning exemption for information about an individual's suitability for employment

Retrievability

The HK definition of 'personal data' requires it be '(c) in a form in which access to or processing of the data is practicable'. See B&W p90 'Retrievability': 'The retrievability test qualifies the Ordinance's focus on personal data in recorded form. It recognises a harm test: recorded data may pose only negligible risks to the individual because their effective inaccessibility precludes them from being utilised.'

Is a person's name 'personal information'?

Siddha Yoga Case

ALRC Report 108 Recommendations 6-1 to 6-3 and preceding discussion of 'reasonably identifiable'

6. 'Records' / 'documents

Hong Kong

See B&W p85

The definition of 'data' is restricted to 'any representation of information ,,, in any document '.

The definition of 'document' in s2 includes disks, film etc from which visual images or other data are 'capable ...of being reproduced'.

Circumstances which do not involve the collection, use or disclosure of information in a document will fall outside the Ordinance:

• Consider HKPCO Case #2000111603 - CCTV in lift - Could this also fall outside the Ordinance if no video is kept?

Australia - 'Record' and 'generally available publication'

Privacy Act 1988 s6 includes these definitions:

• " record means: (a) a document; or (b) a database (however kept); or (c) a photograph or other pictorial representation of a person; but does not include: (d) a generally available publication; or [OTHER EXCLUSIONS OMITTED]"
• " generally available publication means a magazine, book, newspaper or other publication (however published) that is or will be generally available to members of the public." [The words 'however published' were added by the 2000 amendments.]

These definitions have a major effect on the scope of the various sets of IPPs:

• Commonwealth public sector - Most of the s14 IPPs only apply to 'records that contain personal information', and therefore have no application to personal information contained in a generally available publication. The main exception is the collection principles (IPPs 1-3), which apply to information collected 'for inclusion in a record or a generally available publication'.
• Private sector - A similar result is achieved by 16C Application of National Privacy Principles .
• G Greenleaf %u2013 Casenote: FM v Macquarie University [2003] NSWADT] 78 (2003) 10(3) PLPR 51
• G Greenleaf %u2018Casenote: Macquarie University v FM (GD) [2003] NSWADTAP 43%u2019 (2004) 10(8) PLPR 151
• ALRC Report 108 Recommendations 6-6 and 6-7 and preceding discussion
• NSWLRC CP3 Issues 6 and 7

• Publicly available or Generally available information/data

• EG v Commissioner of Police [2003] NSWADT 150
• NSWLRC CP3 Issues 6 and 7