[Previous] [Next] [Title]

5. Collection & justification principles


Graham Greenleaf, revised 30 April 2003

[The previous Reading Guide is RG 20. Key concepts in information privacy legislation - the existing numbering scheme no longer works!!]

= required reading

= material added since the date of the class concerning this topic

This Reading Guide deals with two related sets of privacy principles: those requiring the creation of information systems to be 'justified' in some way; and those placing limitations on the collection of personal information for inclusion in information systems.

5.1. Collection - Statutory provisions and analysis

The following resources are relevant to all aspects of the collection principles. Specific references to parts of these resources are given in the following sections, but you may prefer to read them in their entirety first.

5.1.1. Australia

Statutory provisions


Analysis

Analysis

5.1.2. Hong Kong

Statutory provisions

Analysis

5.2. Meaning of 'collection'

`Collection' remains largely undefined in privacy law. Privacy legislation does not usually provide a definition, but merely uses the words 'collect' or 'collection'. Case law has only dealt with the question indirectly.

5.2.1. Methods of receiving information

At least the following methods of receiving information about a person require separate consideration as to whether they are 'collection' for IPP purposes:

5.2.2. (1) Solicited information

The first category, information solicited from another person, is clearly within the meaning of 'collected', whether solicited from the data subject or a 3rd party. (eg HK DPP 1(3) assumes there can be collection from 3rd parties).

The distinction between solicitation from the data subject and from 3rd parties can be important in two areas:

DO v University of New South Wales [2002] NSWADT 211

( on AustLII)

Privacy and Personal Information Protection Act 1998 (NSW) - IPP 9 collection of personal information directly from the individual to whom the information relates (s9)

DO applied for admission to a PhD programme at the University of New South Wales (UNSW), which is an agency for the purposes of the Privacy and Personal Information Protection Act 1998. In his application DO signed a declaration stating in part that 'I authorise the University to obtain official records from any tertiary institutions previously attended by me. If any information supplied by me may be considered to be untrue or misleading in any respect, I understand the University may take such action as it believes necessary ... I understand that the University reserves the right to vary or reverse and decision made on the basis of incorrect or incomplete information.'.

Under the heading 'Academic Qualifications' DO indicated he had obtained two qualifications from 'the ANU' (Australian National University). DO was admitted to the programme but his enrolment was subsequently terminated by UNSW which stated 'you did not declare on your application for admission to the PhD program your previously (sic) enrolments at the University of Adelaide (1997), the University of Queensland (1998), Macquarie University (1999) and the University of Tasmania (2000 and 2001).'

DO complained that UNSW breached the Act by obtaining personal information about him from universities (other than ANU) without his consent. UNSW conducted an internal review which concluded that it had not acted outside the authority provided by DO in collecting information from the other universities. Do sought a review of UNSW's conduct by the ADT under s55 of the Act.

Deputy President Hennessy dismissed the application. There was no breach of information protection principle (IPP) 8 (s8) because UNSW had collected the information from the other universities for the lawful purpose of considering whether DO was an appropriate person to enrol in a PhD programme, and information about his previous academic history was reasonably necessary for this purpose.

IPP 9 (s9) requires that personal information must be collected 'directly from the individual to whom the information relates unless' 'the individual has authorised collection of the information from someone else'. Hennessy DP held the declaration DO signed authorising UNSW to obtain information 'from any tertiary institutions previously attended by me' was not qualified in any way and did authorise the collection that took place.

Comment (G Greenleaf)

Although Hennessy DP's decision is not surprising, the case illustrates the risk of breaching IPP 9 that NSW agencies face if they obtain personal information from third parties without first obtaining authorisation from the individual concerned.

IPP 9 has a three-fold effect in that (i) it requires prior notice of intent to collect from third parties to be given to the individual concerned; and (ii) it prevents collection from the third party unless the individual authorises this. In most cases this will mean in practice that (iii) the agency also collects the information from the individual concerned, but it is significant that IPP 9 does not require this. It is also important that IPP 9 does not prevent the agency from checking with a third party that the information provided by individual is correct or complete.

In this case, UNSW did not appear (on the facts reported) to explicitly ask DO to list all universities he had attended. However, it did obtain authorisation to obtain personal information from all such institutions. If (as would be more usual) UNSW had explicitly asked DO to list all universities he had attended, UNSW would still have been entitled to check the information he provided with those universities (provided this complied with IPP 8).

The Commonwealth Privacy Act 1988 imposes requirements on private sector organisations concerning collection from third parties (it imposes no such requirement on Commonwealth agencies). NPP 1.4 provides that 'If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual'. It goes on to say in NPP 1.5 that 'If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual'. These obligations are very different from those imposed on NSW agencies: there is no obligation to obtain the individual's authorisation to collect from third parties (though NPP 1/4 imposes an obligation of notice in general terms), but the information must also be collected from the individual wherever reasonable and practicable, and must not check with third parties if it is reasonable not to check.

While the NSW agency provisions and the Commonwealth private sector provisions are rather different, in general the NSW provisions impose a higher level of obligation. The Commonwealth agency provisions impose none.

5.2.3. (2) Unsolicited information

When is unsolicited information 'collected' (if at all)?

In Australia's Federal law it is argued that unsolicited information, whether from the data subject or from 3rd parties, can be 'collected':

The Australian Privacy Commissioner took a similar view in his IPP 1-3 Guidelines.

(The NSW public sector law excludes unsolicited information from 'collection': s4(4).)

In HK, B&W p97 seem to accept that unsolicited information is collected, but not 'until the data user takes active steps to incorporate them into the official working material of the organisation'.

However, in NZ a majority of the Court of Appeal has held unsolicited information is not 'collected':

In light of Harder, a decision of the NZ Court of Appeal, the question of whether unsolicited information is 'collected' must also be considered open in Australia and HK.

The consequence of adopting the Harder approach is that any contact with an organisation initiated by the data subject will result in any information so provided not being regarded as 'collected'. However, it is still personal information. Other IPPs may still apply, but those that depend on information being 'collected' will not.

Drawing a line between solicited and unsolicited information is also very difficult.

5.2.4. (3) Observations / surveillance of the data subject

Personal information is obtained and recorded in many situations from observations of the data subject:

If the obtaining of these types of observed personal information did not constitute 'collection', then data protection laws would be drastically limited in scope and would be largely useless.

Information obtained from observations ('surveillance') of the data subject is 'collected', but it is not 'solicited' from (in some Australian IPPs) or 'supplied' by (HK) the data subject. As a result, some notice requirements do not apply in some laws (see later).

In Eastweek, a case of obtaining information by photographic observation, the HK Court of Appeal majority found that there was not 'personal data collection' but only because of the intent of the recipient of the information. The case is better viewed as about 'personal data' not 'collection', and is therefore not significant on the question of whether observations can constitute 'collection'.

5.2.5. (4) Information extracted

Much personal information is extracted from documentary or other sources. If information is not solicited from, or observed in relation to, any person, but extracted from a book or a database, is it 'collected'?

In relation to Australian Federal legislation, Gunning argued extraction was not collection, but this is not supportable:

In Hong Kong, does DPP 1(3) assume there is collection from a person? If so, extracted information is not collected. The better view, in keeping with the privacy-protection purpose of the Ordinance, is that extraction is collection. Absurd results are avoided because HK DPP 1(3) does not require notice since there is no collection from the data subject. Use, disclosure etc DPPS will apply, but data can be re-collected for other purposes.

5.2.6. Medium of collection - video, audio etc

It seems that the collection of personal information may be in any medium, such as sound, photo or video, and not only text.

5.2.7. Relevance of purpose/intent of recipient

Is the purpose/intention of the recipient significant in determining if it is 'collection'? If Eastweek is interpreted as a case about the meaning of 'collection', not about the meaning of 'personal data', then its consequences are less severe, as it will only affect the operation of IPPs dependent upon collection. However, the better view is that it is a case about the meaning of 'personal data'.

5.3. Permitted purpose(s) / extent of collection

5.3.1. Standard limits: lawful, relevant and minimal

Hong Kong

DPP1(1) Personal data shall not be collected unless-

(a) the data are collected for a lawful purpose directly related to a function or activity of the data user who is to use the data

(b) subject to paragraph (c), the collection of the data is necessary for or directly related to that purpose; and

(c) the data are adequate but not excessive in relation to that purpose.

Australia

Europe

5.3.2. Lawful purposes

A minimal objective negative standard.

B&W p98 state:

What are the implications of these interpretations?

5.3.3. Purpose justification principles

The key weakness of the collection principles is shown by the question : `how do you define the `function or activity' of the collector ?' In the absence of a `purpose justification principle', it is largely self-defined. Beyond the negative requirement of a 'lawful purpose', positive tests of justifiable purposes of collection can only be found in the EU and Canada.

5.7.1. EU privacy Directive

There is a form of 'purpose justification' principle in the European privacy Directive - see the discussion in G Greenleaf 'Purposes' and the Directive' in 'Stopping surveillance: Beyond 'efficiency' and the OECD' (1996) 3 PLPR 148 - in summary A7 requires that, where legitimate processing has to be justified by the interests of the data collector or a third party, it must be 'necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject ...'

5.7.2. Canadian justification principle

Perhaps the first privacy legislation outside Europe to give some recognition to such a principle is s5(3) of the new Canadian Personal Information Protection and Electronic Documents Act 1999, which requires '(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.'

The limit on collection limits the purposes for which systems may be developed to a form of public interest test. This has no counterpart in other Asia-Pacific legislation.

Australia

There is no purpose justification requirement in IPP1 or NPP 1. Like many other legislative sets of information privacy principles the NPPs do not contain any 'purpose justification principle' (called 'prior justification' in the Australian Privacy Charter). 'Purpose justification' essentially means that there should be some test of public interest which is satisfied before a personal information system is established at all. None of the existing privacy principles requires system operators to have 'legitimate' purposes for establishing a system, but instead they measure privacy protection against how well it adheres to the original purpose for which the system operator declared that it collected the information, which the Europeans call the 'finality' test.

5.3.4. Relevance to purposes or 'directly related' purposes

How to determine purpose of collection?

See B&W p100


* HKPCO Case No.: 200102210 'Whether a statutory body could collect data from two organizations charged with providing rehabilitation programmes for the purpose of programme evaluation'.

5.3.5. Excessive collection

HK DPP1(1) (c) requires 'the data are adequate but not excessive in relation to that purpose.' (and (b) requires it to be 'necessary'). The Australian provisions use 'necessary' in relation to the private sector.

This requirement relates to the quantity and relevance of collection, not the means (see below concerning fair collection.

Examples:

5.3.6. Anonymity principles

This principle is broader than collection, but will have its main effects felt in relation to collection.

The only examples are in the Australian private sector and Victorian legislation, NPP8 of which say 'NPP 8 Anonymity : 'Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.' '

Is an anonymity principle implied by the minimal collection requirement in normal collection IPPs? Or are these narrower? Does NPP8 require anonymity to be `designed in'?

5.4. Required notice of collection

The requirement to give the data subject notice in the course of collection of personal information is one of the most significant practical aspects of IPPs, because of:

5.4.1. What sources/forms of collection require notice?

Hong Kong

See B&W p105

Notification i s only required by DPP 1.3 'Where the person from whom personal data are or are to be collected is the data subject ...'

There is therefore no requirement of notification where collection is from (i) 3rd parties or (ii) documentary sources.

What if collection is from observations / surveillance of the data subject?:

Australia

All IPPs require the collector of the information to advise the subject of the information that personal information about him/her has been collected, and other information, but the NPPs and the s14 IPPs expressed this requirement very differently.

The difference in the notice requirement is one of the most commercially important aspects of the NPPs.

5.4.2. When is notice not required?

Can it be 'reasonable' not to give any notice?

Repeated collections

5.4.3. Requirement to collect from the data subject

Hong Kong

There is also no obligation to collect from the data subject where possible, and this is one of the weaknesses of the Ordinance, when combined with the lack of a notice requirement.

Australia

NPP 1.4 requires collection from the individual where 'reasonable and practicable'. The s14 IPPs have no such requirement.

5.4.4. Content of notice

Hong Kong

DPP 1.3 has the following notice requirements: See B&W p107 for the forms notice can take; no form is specified.

Australia

The information that is communicated must include: Failure to disclose the required information will be a breach of the IPPs.

5.5. Fair collection - lawful, fair and non-intrusive means

Hong Kong

DPP 1(2) requires that 'Personal data shall be collected by means which are - (a) lawful; and (b) fair in the circumstances of the case.' Intrusiveness is not mentioned specifically.

Australia

5.5.1. Lawfulness of means of collection

See B&W p103 for illustrations of how this requirement focuses not on the lawfulness of the purposes of collection, but on the means employed. As with purposes, means can be unlawful because of a breach of criminal law or civil law requirements (trespass, inducing breach of contract etc).

But query B&W's comments concerning where information is provided in breach of confidence. Is there an alternative view?

5.5.2. Fairness of covert data collection

Covert forms of data collection might not be illegal, but they may still be a breach because they are unfair. The NZ Court of Appeal takes a much more restrictive view than the HK Privacy Commissioner.

The Australian Privacy Commissioner has issued Guidelines on covert surveillance.

5.6. Special collection limits for 'sensitive' subjects

These IPPs mainly affect collection of information, but may also affect some other IPPs (eg the precautions necessary to satisfy the security principle).

5.6.1. Sensitive information principles

Australia

5.6.2. Spent convictions laws

Hong Kong

The Rehabilitation of Offenders Ordinance (Cap. 297) may prevent some collection of information.

Australia

Federal and State legislation dealing with old convictions prohibits the collection of some information about old convictions.

5.6.3. Computer crime legislation - more serious offences

Australia

Federal and State computer crime laws sometimes provide a higher level of penalties for unauthorised access to, or destruction of, various defined categories of personal information.

5.7. Other laws relevant to collection

Surveillance laws


* The Telecommunications (Interception) Act 1979 (Cth) makes certain forms of collection illegal and also subject to civil remedies. See also the later Reading Guide concerning telecommunications.

Other relevant laws: Statutes and general law analogies

Possible relevance:

Relevance of privacy clauses in human rights treaties

Many of the cases under A8 of the ECHR concern unfair or excessive collection of personal information. By analogy, A17 of the ICCPR may be relevant to (i) resolving ambiguities in collection principles; and (ii) as a source of individual complaints about collection practices under the First Optional Protocol.

EU 'adequacy' of collection principles

Whether the Australian IPPs meet the European standards of the EU Directive needs to be assessed in relation to both specific principles and specific sectors.


6.


[Previous] [Next] [Title]