[Previous] [No next] [Title]

20. Key concepts in information privacy legislation

Graham Greenleaf, revised 16 April 2003

= required reading

= material added since the date of the class concerning this topic

[The next Reading Guide is  RG 5 Collection & justification principles]

20.1. Information privacy legislation - General sources

For various information privacy laws relevant to this course, overviews of the legislation follow, and resources concerning the interpretation of the legislation.

20.1.1. Australian resources

There are numerous Australian references in these Reading Guides. No short overview is available online.

20.1.2. Hong Kong resources

20.1.2. Hong Kong resources

20.1.3. New Zealand Resources

20.1.4. European resources

20.2. Key concepts relevant to all IPPs

Many terms which are crucial to the interpretation of IPPs and provisions in privacy Acts are neither sufficiently defined in the Acts themselves, nor have they received judicial interpretation.

There is little official guidance on the meaning of key terms. An interesting exception (which was not followed in the final version) is the Federal Privacy Commissioner Draft National Privacy Principle Guidelines (May 2001) - Chapter 2 Explanation of Terms - Provides the Commissioner's interpretation of the following terms:

Access, Act (the Act), Authorised by law, Collection, Commissioner (the Commissioner), Cookie, Directly related purpose, Direct marketing, Disclosure, Enforcement bodies, Health information, Health service, Individual, Law, Lawful, List renter, Necessary, Organisation, Personal information, Practicable and impracticable, Primary purpose, Reasonable, Record, Related corporation, Related purpose, Required by law, Secondary purpose, Sensitive information, Serious and imminent threat, Serious threat to public health or public safety, Use, Web bug.

20.3. 'Interferences with privacy' and equivalents - breaches

20.3.1. Cth Privacy Act 1988 - 'Interferences with privacy'

'Interferences with privacy' Some sections use different terminology:

20.3.2. NSW PPIPA 1998 - equivalents

s21 Agencies must not contravene IPPs. s21 `Contravention' is `conduct to which Pt 5 applies' (internal review) (s21(2)) - can lead to s55 ADT review and enforceable remedies

 S45 complaints to the Privacy Commissioner can be for any `violation of, or interference with, the privacy of an individual' (all undefined). s45 complaints can not lead to any ADT review of enforceable remedies.

20.4. Personal information / data

IPPs only apply to what is variously described as 'personal information' (Australia and NZ) and 'personal data' (Hong Kong).

20.4.1. Australia - 'personal information'

All sets of privacy principles in Australian law require 'personal information' before they are applicable.

For example, s6 Privacy Act 1988 (Cth) provides:

'personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.'

 NSW PAPIPA Act s4 `personal information':

20.4.2. Hong Kong - 'personal data'

20.4.3. Other jurisdictions

New Zealand s2 `personal information' definition does not mention opinions.

20.4.4. What can be taken into account?

What information can be taken into account in deciding what is 'personal information'?

20.4.5. When are email addresses and IP addresses personal information?

20.4.6. Is the collector's 'intention to identify' relevant?

20.4.7. Opinions and attitudes

Is information indicating a person's 'attitude' personal information about them?

20.4.8. Retrievability

The HK definition of 'personal data' requires it be '(c) in a form in which access to or processing of the data is practicable'. See B&W p90 'Retrievability': 'The retrievability test qualifies the Ordinance's focus on personal data in recorded form. It recognises a harm test: recorded data may pose only negligible risks to the individual because their effective inaccessibility precludes them from being utilised.'

20.4.9. Is a person's name 'personal information'?

Siddha Yoga Case

20.5. 'Records' / 'documents

20.5.1. Hong Kong

See B&W p85

 The definition of 'data' is restricted to 'any representation of information ,,, in any document'.

 The definition of 'document' in s2 includes disks, film etc from which visual images or other data are 'capable ...of being reproduced'.

 Circumstances which do not involve the collection, use or disclosure of information in a document will fall outside the Ordinance:

20.5.2. Australia - 'Record' and 'generally available publication'

Privacy Act 1988 s6 includes these definitions: These definitions have a major effect on the scope of the various sets of IPPs: [The next Reading Guide is  RG 5 Collection & justification principles]

[Previous] [No next] [Title]