Key concepts undermining the NPPs - A second opinion

[For publication in [2001] Privacy Law & Policy Reporter Vol 8 No 1]

Graham Greenleaf
 19 July 2001
 

  • Can there be 'collection' of unsolicited information?
  • Does 'disclosure' include information already known?
  • Does 'use' include merely looking?
  • In whose hands is information 'personal'?
  • Is intention to identify relevant?
  • Can there be 'collection' from public documents or web cams?


    The Federal Privacy Commissioner's Draft National Privacy Principle Guidelines [1] ('Draft NPP Guidelines') take a generally robust 'pro-privacy' approach to the interpretation of the NPPs. The Commissioner's interpretation assumes meanings for certain key terms used in the NPPs (and elsewhere in the Privacy Act 1988 (Cth)), but provides little justification for these interpretations.

     Some of the Commissioner's assumptions are called into question by Patrick Gunning's recent article 'Central features of Australia's private sector privacy law' [2] (written before the Draft NPP Guidelines were released), where he analyses aspects of the meaning of the terms 'collection', 'disclosure', 'use' and 'personal information'. Gunning's interpretations, if they are correct, would give the NPPs a significantly narrower field of operation.

     In this article [3] I re-examine the key terms considered by Patrick Gunning to see whether there are counter-arguments which may support the broader interpretations assumed by the Commissioner in the Draft NPP Guidelines.
     

    Can there be 'collection' of unsolicited information?

    NPP 1 regulates where an organisation 'collects' personal information[4]. 'Collect' is not defined in the Act. The Commissioner asserts that collection 'includes information that an organisation comes across by accident or has not asked for but nevertheless keeps'[5], and in some of his examples of collection he includes receipt of information which could be unsolicited (for example 'where an organisation ... receives and keeps emails containing personal information'). The Commissioner even goes so far as to suggest that the collection of unsolicited information can be 'unfair collection', by the example 'collecting personal information from files dumped by accident on a street'[6].

     Can information be 'collected' even if it is not 'solicited' or requested by the organisation collecting it? Gunning points out that the wording of Information Privacy Principles (IPPs) 2 and 3 in s14[7] implies a distinction between 'collect' and 'solicit' (with 'collect' being the broader term). Normal principles of statutory interpretation, he argues, would lead to the conclusion that 'collect' has the same meaning in the NPPs, and so 'collect' would include information received whether solicited or unsolicited.

    However, Gunning concludes that, insofar as the NPPs are concerned, 'the better view is that the organisation does not "collect" personal information merely by receiving unsolicited information'. He argues that NPP 1.1 (collection necessary for a purpose), and NPP 1.2 (fair means) could not apply to unsolicited information, and that Parliament could not have intended NPP 1.3 (requirements to notify) to apply. Also, NPP 2.1 assumes that there is a purpose of collection which limits use and disclosure, and where information is unsolicited there is no purpose of collection on the part of the party receiving the information.

    The problem with this argument is that it is incomplete. It does not give sufficient weight to the explicit statement in s16B that the Act only applies to the collection of information by an organisation (ie where the NPPs apply) 'if the information is collected for inclusion in a record or a generally available publication'. Mere receipt of information therefore does not make the Act applicable; there must be at least an intention formed by the recipient to 'include' the information 'in a record or a generally available publication'. Since the definition of 'record' (s6) includes 'a document' it is possible that 'include' could encompass 'retain' in the case of an unsolicited document. I suggest that it is at this point of inclusion/retention that 'collection' of unsolicited information takes place, not at the point of mere receipt. Once such an intention to retain the unsolicited information is formed, the recipient (now a 'collector') will have a purpose of collection (NPP 1.1) and must disclose that purpose and other information to the subject (NPP 1.3). If the recipient does not wish to comply with the disclosure obligation, they can always dispose of the information.

    Gunning's conclusion is, however, correct insofar as it goes, because of his careful qualification that 'merely' receiving unsolicited information is not enough.

     In summary, the approach I suggest means that any information retained in a record or generally available publication will have been collected, no matter whether it was received as solicited or unsolicited information. This interpretation avoids hair-splitting over what information is solicited and what is not. It is also consistent with the usage of 'collect' in IPP 1, and so maintains consistency in the usage of 'collect' within the Act, in accordance with normal principles of statutory interpretation.

     Some issues remain. If unsolicited written information is read before immediate disposal, has it been collected? I suspect not, because of s16B. How long can unsolicited information be retained before it has been 'collected'? These are, however, more minor exceptions than the wholesale exclusion of unsolicited information from 'collection'. In my view, the Commissioner is correct to include it.

    Does 'disclosure' include information already known?

    Gunning found[8] that the leading authorities on the meaning of 'disclose'[9] held that a person only 'discloses' information to another person when the recipient was not previously aware of that information, and that the one case to the contrary[10] could be explained by the mischief the offence was designed to protect against.

    He concludes that in relation to the Privacy Act 'it is hard to see any reason why "disclose" should not be interpreted in accordance with its ordinary meaning'. How does it enhance your privacy to prevent an organisation from telling someone else something about you they already know, he asks?

    However, the cases on disclosure variously deal with failures to disclose, obligations to disclose, and obligations not to disclose (as in NPP 2), each of which is likely to bring into play rather different policy considerations. 'Disclose' needs to be interpreted in its context, and divergence from its 'ordinary' meaning (if it has one) will not be surprising. In R v Glenys Ruth Scott[11] (discussed by Gunning) Doyle CJ held that to require an undischarged bankrupt to disclose this fact to others even if they already know it is 'not to impose an empty ritual' because it will serve to protect those who have forgotten that a person is bankrupt, or who have assumed from silence that the bankruptcy has terminated. Disclosure in all cases therefore served the purposes of the Act to protect persons dealing with an undischarged bankrupt. It is not difficult to argue that the purposes of NPP 2 to protect the privacy interests of individuals are best served by regarding 'disclosure' as covering all instances of disclosure of personal information.

     First, Gunning points out that his view means that a complainant under NPP 2 would have to 'establish that the recipient of the information was not previously aware of that information', but he believes that this would not matter much in the type of inquisitorial procedures followed by the Commissioner. However, complainants may have to prove their case before a Court (for example, for purposes of s55A enforcement or a s98 injunction), where the Commissioner's 'inquisitorial' procedures do not apply. If Gunning's preferred interpretation places an unfair burden on the complainant, that is in itself good reason to prefer the alternative interpretation.

    Second, information received from one source is not 'the same' as textually identical information received from a different source, because the two sources may be of different authority, and also because the mere fact that the source knows the information may be significant (for example, the difference between a wife disclosing her husband's infidelity and a priest disclosing the same information)[12]. For example, 'rating' organisations could easily abuse this approach to disclosure merely by setting up enquiry systems where A asks B 'Please confirm fact X'. If B answers 'fact X' then there will be no disclosure (already known), but if B says nothing there is simply no (express) disclosure. This interpretation therefore invites abuse.

     Third, there is no good policy reason to exclude information already known from 'disclosure'. The only consequence of including communication of information already known as 'disclosure' is likely to be that if the organisation complained about shows that it already knew the information (which it is uniquely well placed to do), the complainant is likely to be refused any damages by the Commissioner, or any injunction by a Court. This would lead to a much more fair result.

    I suggest that the better view is therefore that 'disclose' in the Privacy Act does include revealing information already known. The Commissioner does not explicitly address this issue in the Draft NPP Guidelines, but seems to take the broader view by defining 'disclosure' by an organisation as 'when it releases information outside the organisation'. In my view the Commissioner is correct, but the issue should be addressed explicitly.

    Does 'use' include merely looking?

    In R v Brown [1996] 1 AC 543 the House of Lords considered the meaning of 'use' in the context of the UK Data Protection Act 1984. There was evidence that a police officer had looked at a person's record in the police national computer database, apparently on behalf of a debt-collector friend, but there was no evidence that he had disclosed the information to anyone else, nor that he had made any other use of the information. The House of Lords held that 'use' was to be given its normal meaning of 'to employ for a purpose', and that merely looking at data on a computer terminal was not a use in itself. Retrieval was only a prerequisite for use, not a use in itself.

     As well as its more obvious significance in relation to when there can be a breach of NPP 2, the restriction of 'use' to exclude 'mere browsing' or 'mere access' also has significant consequences for the individual's rights of access and correction to 'existing information'[13] under NPP 6, because those rights only arise if the information is used or disclosed (s16C(3)).

     This aspect of Brown does not appear to have been considered by Australian Courts. The Draft NPP Guidelines do not address the question[14]. Gunning expects that Brown will be followed in Australia [15]. In my view he is correct, at least in relation to the NPPs and the Privacy Act 1988 (Cth). There is nothing in NPP 2 to indicate that the context in which 'use' is employed gives it a different meaning from its ordinary usage. Furthermore, NPP 4.1 provides that 'An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure', thereby implying that misuse (and use) does not include access, because the use of 'access' would then be redundant.

     One apparent problem with the Brown interpretation is that it means that NPP 2 does not deal with some objectionable invasions of privacy, such as where a staff member of an organisation that holds files concerning well-known people, or the neighbours or acquaintances of the staff member, accesses those files out of a prurient interest in the other person's affairs, but there is no evidence of other use being made of the information.

    The problem is resolved in part by NPP 4.1, quoted above, which requires the organisation concerned to take reasonable steps to prevent 'unauthorised access ... or disclosure'. The distinction between 'access' and 'disclosure' seems to imply a distinction between unauthorised access by those within the organisation and those outside the organisation. A person within an organisation may have authority to access personal information for certain purposes, but access by them for other purposes may still be unauthorised. In Gilmour v DPP (Cth)[16] it was held that 'the applicant had a limited authority to make entries into the computer and therefore, by going outside the limitations imposed, he was acting without authority'. Other cases have held similarly[17].

     The Draft NPP Guidelines take an approach similar to what I suggest, interpreting NPP 4.1 as requiring organisations to protect 'confidentiality [which] involves limiting the availability of information to authorised users for approved purposes in order to prevent unauthorised use and disclosure'[18]. They suggest that organisations may need to consider 'personnel measures such as ... implementing the need-to-know principle that limits access to information to those people who need the information to carry out their duties'[19], and that it may involve 'automatically removing or downgrading a user's access when they change areas or roles within an organisation'[20].

     NPP 4.1 therefore provides a limited remedy. The mere fact of internal access for a purpose outside the legitimate purposes for which the information is held will not in itself constitute an 'unauthorised access' breach of NPP 4.1. The organisation must also have failed to take 'reasonable steps' to prevent such unauthorised access. The Draft NPP Guidelines give a reasonably strong interpretation of what steps organisations may be required to take in order to have acted reasonably, but they are requirements which are justified by NPP 4 and the relevant case law. The 'gap' in NPP 2 caused by the Brown interpretation of 'use' is therefore not as serious as might otherwise be the case.

    In whose hands is information 'personal'?

    The Privacy Act's protections only apply to 'personal information', defined as any information 'about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion' in question (s6). If a person's identity is apparent or obvious from information, then it is clearly personal information. The difficult question arises when the item of information in question does not in itself explicitly identify the person concerned, but where some other source of information must also be consulted in order to identify the person.

    The definition in the Australian legislation is unusual in saying that the reasonable ascertaining of identity must be 'from the information or opinion'. However, the definition does not say that the person's identity must be able to be ascertained solely from the information concerned, and it should not be interpreted that way. If it did mean that, then in any system which stored substantive information according to (and containing) a person's identification number, but kept a separate master file containing only ID numbers and identification details, the substantive information plus ID number would not constitute 'personal information' and attract the protections of the Act (security, access etc).

    The better view is therefore that other sources of information may be taken into account. I suggest[21] it is a question of fact in any given situation whether an individual's identity can be ascertained, and it is a further question of fact whether it can 'reasonably' be so ascertained. Information that one person may easily be able to obtain may be completely inaccessible to another person. The Draft NPP Guidelines take a similar approach when they say 'Whether a person's identity is reasonably ascertainable will depend on the context and on who holds the information'[22], though they do not justify their assumption that cookies, web bugs, email addresses and browsing trails will always be 'personal information'[23].

     We next need to ask who must be able to 'reasonably ascertain' a person's identity before there is personal information? The most obvious answer is 'the person who may have breached the NPP in question'. This seems clear enough when we are talking about the NPPs concerning collection, use or the provision of access to personal information, but it could lead to surprising results in the case of NPP 2 dealing with disclosure, as the question will be 'is it personal information in the hands of the person disclosing the information?', not 'is it personal information in the hands of the person receiving it?'. It would be undesirable if organisations that had no capacity to identify data that they held could sell it unrestricted to any organisation that they knew did have that capacity. Since disclosure requires two parties, I think that the better view is that the question in that case is 'is it personal information in the hands of either the person disclosing or the person receiving the information?'.

     The Draft NPP Guidelines do not explicitly address this issue, and it would be valuable if the final Guidelines did so.

    Is intention to identify relevant?

    On a similar point, the meaning of 'personal data collection' under Hong Kong's Personal Data (Privacy) Ordinance was considered by the Hong Kong Court of Appeal in Eastweek Publisher Ltd v Privacy Commissioner for Personal Data [2000] 1 HKC 692. A press photographer took a photo of an unknown woman in a public place, which his employer's magazine published, without identifying the woman but ridiculing her dress sense ('Japanese Mushroom Head'). The main issue before the Court was whether the publisher had collected personal data using unfair means. The majority of the Court (Ribeiro JA and Godfrey VP) concluded that this was not 'personal data collection' (an expression not used in the Ordinance) because the data user was not 'compiling information about an identified person or about a person whom the data user intends or seeks to identify' (emphasis added)[24].

    If Eastweek was followed in Australia it would be necessary to assess an information collector's intentions to identify a person before it was possible to determine whether the information they collected was 'personal information'. Gunning treats Eastweek as a case on the meaning of 'collection', but I think it makes more sense to read it as a case on the meaning of 'personal data' ('personal information' under the Australian legislation). The judgments in the Court of Appeal are ambiguous as to whether their Honours are discussing 'collection' or 'personal data'.

     A case like Eastweek would raise the question under the Australian legislation: 'Is it personal information if you have no intention of ascertaining the person's identity, even if you could do so with reasonable ease?' Gunning gives good examples of where this could be important (though he considers them as questions of 'collection'):

    Gunning considers that there are 'sound reasons for an Australian court to follow Eastweek'[25]. He considers that Eastweek could be used to exclude from the ambit of 'collection' (or, on my approach, from the ambit of 'personal information') information satisfying the following conditions: This would be a significant restriction on the scope of NPP 1, as the 'web cam' example illustrates. Should we be subjected to systematic video surveillance of our activities without even the requirement of notice that NPP 1 can provide?

    Can there be 'collection' from public documents or web cams?

    One of Gunning's principal justifications for supporting the 'Eastweek gloss' is that it would avoid what he considers to be the 'absurd result' that a firm of solicitors who research law reports in order to use excerpts in briefs or submissions could be in the position of 'collecting' personal information about the individuals named in the law reports, with corresponding obligations to notify them of the purpose of collection etc. This is just one example of the more generic problem of whether it is 'collection' to extract personal information from a newspaper, a law report, a book, a database, or some other publicly available source of information. Do you have to give individuals notice that you have collected newspaper clippings that identify them?

     The answer to Gunning's quandary is found elsewhere. The NPPs requiring notice of collection to be given to the individual concerned only apply if information is obtained from a person: NPP 1.3 applies to information collected 'from the individual' and NPP 1.5 applies to information collected 'from someone else'. It is therefore arguable that where information is extracted by the collector from a book (such as the law report in Gunning's example) or some other 'generally available publication' it is not obtained from a person (in terms of either 1.3 or 1.5), and therefore there is no requirement to give notice of collection. There may be important grey areas where information is extracted by the collector from a database (eg a credit reference computer system) or some public register (eg at the Land Titles Office) where it is arguable whether the information was collected from a person (a legal person in these cases).

    This interpretation stops the result that Gunning considers absurd in the case of collection from published printed sources. It may also mean that NPP 1.3 and 1.5 do not apply in the case of video cams, security cameras, or news photographers (as in Eastweek), as these forms of collection might not be considered to be collection 'from the individual' [26]. However, in all these cases, the requirements of collection necessary for purpose (NPP 1.1), lawful, fair and non-intrusive collection (NPP 1.2), and collection from the individual where practicable (NPP 1.4), would all still apply. This would give a far better result in terms of policy, as these parts of NPP 1 should apply to all forms of collection, as it is only the notice requirement that can produce absurd results if wrongly applied.

     In the case of 'web cams' and security cameras, NPP 1.2 may still require notices to be displayed even though NPP 1.3 does not apply. In the case of news photography, the issues are more sensibly addressed from the perspective of whether the collection is 'fair' or 'intrusive', rather than through an imposed and artificial question of whether the collector was interested in the identity of the person photographed. The Act already requires that the collector must be able to 'reasonably ascertain' the identity of the person concerned. The additional 'Eastweek gloss', whether it is on the meaning of 'collection' or the meaning of 'personal information', would best be avoided by Australian courts. We can make sense of the NPPs without it.

     The Draft NPP Guidelines do not address these last two issues directly, and the examples of collection they use do not include examples of 'web cams' or collection from published sources. It would be desirable if the final Guidelines took a position on these issues, as they will be important.


    [1] Federal Privacy Commissioner, May 2001

    [2] (2001) 7 PLPR 189

    [3] An earlier version of some of these arguments is in Graham Greenleaf 'Private sector privacy: Problems of interpretation' The New Australian Privacy Landscape, Conference, 14 March 2001, Baker & McKenzie Cyberspace Law and Policy Centre / Centre for Continuing Legal Education, University of New South Wales Faculty of Law

    [4] NPP 1 only applies to information collected after the commencement of the Act (s16C).

    [5] Draft NPP Guidelines, Chapter 4 'Meaning of collection'

    [6] Draft NPP Guidelines, Chapter 4 'Examples of unfair collection'

    [7] The Information Privacy Principles (IPPs) applying to Commonwealth Government agencies.

    [8] (2001) 7 PLPR 189 at 196

    [9] Bank of Credit and Commerce International (overseas) Ltd (in liq) v Price Waterhouse [1997] 4 All ER 781; King v South Australian Psychological Board [1998] SASC 6621; Gunning has subsequently noted that the High Court in Foster v FCT (1951) 82 CLR 60 gives additional support to this interpretation

    [10] R v Glenys Ruth Scott [1996] SASC 5545; (1996) 131 FLR 137

    [11] ibid

    [12] Alternatively, disclosure from a more authoritative source may be regarded as disclosing more (implied) information.

    [13] 'Existing information' can be used to refer to any information collected up to 21 December 2001. Existing information is not subject to the use and disclosure limits of NPP 2 (s16C(1A)). It is subject to access and correction rights, but only when and if it is 'used or disclosed' (s16C(3)), and only then if this is not unreasonably administratively burdensome or expensive.

    [14] Draft NPP Guidelines Chapter 5 'Meaning of use and disclosure'

    [15] (2001) 7 PLPR 189 at 196

    [16] (1995) 43 NSWLR 243; (1995) 125 FLR 114; (1995) 134 ALR 631 - http://www.austlii.edu.au/au/cases/nsw/supreme_ct/unrep209.html

    [17] see Raiser v Sladic [1995] ACTSC 132 - http://www.austlii.edu.au/au/cases/act/ACTSC/1995/132.html

    [18] Draft NPP Guidelines, Chapter 7 'About NPP 4'.

    [19] Draft NPP Guidelines, Chapter 7 'Physical security'

    [20] Draft NPP Guidelines, Chapter 7 'Computer and network security'

    [21] An earlier version of this approach was published as G Greenleaf 'Privacy Principles - irrelevant to cyberspace?' (1996) 3 PLPR 114

    [22] Draft NPP Guidelines, Chapter 2 'Personal information'

    [23] These are complex and technical issues which cannot be addressed here. For an early and now technically out of date interpretation, see G Greenleaf 'Privacy Principles - irrelevant to cyberspace?' (1996) 3 PLPR 114.

    [24] See Raymond Wacks 'Privacy and media intrusion: A new twist' (1999) 6 PLPR 48 (re first instance decision) and Raymond Wacks 'What has data protection to do with privacy?' (2000) 6 PLPR 143 (re Court of Appeal decision); Gunning (2001) 7 PLPR 189 at 194 also gives a detailed summary of the Court of Appeal decision

    [25] (2001) 7 PLPR 189 at 194

    [26] This question requires separate analysis not possible here.