[Previous] [Next] [Title]

6. Use, disclosure, and related principles


Graham Greenleaf and Nigel Waters, May 2001; revised by Graham Greenleaf 21 November 2002, Nigel Waters 18 May 2003.

= required reading

= material added since the date of the class concerning this topic

Objectives

This Reading Guide covers a number of IPPs and statutory provisions that deal with aspects of the use of personal information. These controls on use and disclose fall into the following main categories:

6.1. `Finality' - Use and disclosure limitation principles

The starting point in considering what are the allowed uses of personal information is the original purpose of collection, referred to variously as 'obtained for a particular purpose', 'the primary purpose of collection', or the purpose 'for which it was collected'.

6.1.1. The 'finality' provisions - the original purpose of collection

Legislative provisions

All these IPPs embody the key principle (`finality' in EU terms) that uses and disclosures are prima facie limited by the purposes of collection. If applied strictly, this is not an `efficiency' measure (in James Rule's terms) from the point of view of surveillance organisations - it is not in an organisation's objective interests to have to re-collect information from data subjects when they could re-use what they have or use their `information capital' for swaps with other surveillance organisations. 'Finality' principles do place objective limits on the surveillance capacity of organisations, but their significance depends on the exceptions to and exemptions from them.

Meaning of purpose of collection

Questions concerning the original purpose of collection:
Hong Kong
See B&W pg 123-4 set out the following principles: Examples from the PCO:

6.1.2. Meaning of 'disclose'

Form of disclosure

The IPPs refer to information being disclosed, not records. Disclosures can be verbal, or by actions (eg allowing another person to read a file).

The Victorian Privacy Commissioner has noted that disclosure does not necessarily mean physical transfer "To disclose is to reveal. Personal information can be disclosed even though it remains in the possession or control of its original collector. The act of sending the original or a copy to another person is not a necessary element of a disclosure, although it will be a common feature" ( IPP Guidelines Part 1)

In Hong Kong "disclosing" 'includes disclosing information inferred from the data' (s2). It also of course includes information explicit in the data.

Does 'disclosure' include information already known?

The following discussion is of general relevance, not just to Australia: This is of considerable practical importance. If disclosure did not include information already known, organisations could state that they already knew all and any information a person had disclosed to them (eg in an application form), when sending out a 'broadcast' to (say) all other credit grantors asking if anyone could confirm that the information was true. No 'yes' answer would be a disclosure, nor would silence.

6.1.3. Meaning of 'use'

Does 'use' include merely looking?

The UK case of R v Brown [1996] 1 AC 543, a case on UK privacy legislation, held that merely reading personal information is not 'use' of that information.

See the following discussion:

'Computer crime' offences concerning 'mere access'

Even if it is not a breach of an IPP to merely access (or read) a person's file, it can easily be a criminal offence under the 'computer crime' laws of most jurisdictions.
Australia
These offences will apply not only to third parties outside the agency / organisation concerned who gain access to personal information, but also to accesses (uses) by those within the agency/organisation if that use is 'without authority'.

For the meaning of 'without authority', see Gilmour v DPP (Cth) (Supreme Court of New South Wales, 15 December 1995), where there was amendment of tax files by an ATO employee who had authority to access the records concerned, but no authority to carry out the particular computing operation that he did.

There are higher penalties if access is to data which the person knows or ought reasonably to know relates to a person's 'personal affairs': Commonwealth ss76B(2)(b) and s76D(2)(b) and NSW s309(3). The NSW provision is wider in covering privacy of the dead. Courts have treated the personal affairs category with some seriousness in sentencing offenders.

In Raiser v Slodac (1995) ACT Supreme Court, the Respondent, who was employed at Grade ASO4 in the Australian Taxation Office (ATO), obtained the tax file numbers and personal details of 30 persons with the same surname as himself, and personal details of others. He was shortly to retire from the ATO and go into business by himself. Miles CJ commented, when increasing the sentence,

The average tax payer would, I am sure, be outraged at the prospect of an officer of the ATO perusing details of the tax payer's personal affairs, which the taxpayer has disclosed under threat of penalty, other than for a proper purpose. The outrage may be all the greater if the officer were motivated by commercial or other "nefarious" purpose, but, in my view, that is not to the point. In my view, it was wrong for the Magistrate to have regard to the hypothesis that it was "routine" for an officer like the respondent, authorised to obtain access to information of a private kind on the computer, to use that authority at the officer's whim in order to obtain such information, not for the purposes of the office itself, but for amusement, edification or any other private purpose.

The difference between use and disclosure - Australia

The Privacy Act 1988 s6 provides that 'use, in relation to information, does not include mere disclosure of the information, but does include the inclusion of the information in a publication.'

In relation to Commonwealth agencies, the Federal Privacy Commissioner has considered many situations where an agency passes personal information to an outside organisation or agency to be a 'use' not a 'disclosure', applying a test of 'whether or not the agency maintains control over that personal information'. It seems that outsourcing of processing of personal information has been dealt with in this way. See Federal Privacy Commissioner 'When is passing personal information outside an agency a use? in Plain English Guidelines to Information Privacy Principles 8-11 (1996).

It is questionable whether this interpretation would be upheld by a Court if challenged, and it would be unwise to simply apply it in the private sector context without further consideration.

Hong Kong
s161 Crimes Ordinance (Cap 200)- 'prohibiting access to computer with criminal or dishonest intent'

s27A Unauthorized access to computer by telecommunications Telecommunications Ordinance (Cap 106) - 'prohibiting unauthorized access to computer by telecommunication'

6.2. Relationship between disclosure and collection

The purpose of collection by a recipient may be different from the purpose for which the information was held by the discloser. Which purpose governs the recipient's obligations? The obligations of those who receive personal information are complex, and derive from a number of sources.

6.2.1. Recipients of disclosed information under IPPs

IPPs do not simply say 'those who receive personal information are bound by the same obligations as the organisation from which they received it'. In fact, IPPs rarely say anything direct about the obligations of the recipient of personal information (some exceptions are below). Nor do IPPs require a disclosing organisation to state the purposes for which information is being disclosed.

At least two situations must be distinguished:

Where organisation A discloses personal data to organisation B, why is B bound not to use the data any purposes other than those for which A held it? One approach is as follows: If this argument does not succeed, it would be necessary to rely on the law of breach of confidence, assuming the information was confidential (see 6.2.2 below).

See also B&W pgs 124-126 for a broadly similar approach.

Australia

The lack of comprehensive coverage of privacy laws in Australia causes additional complications, so that there is more likelihood of need to refer to breach of confidence laws. Now that most organisations within Australia (at least in NSW, Victoria, the ACT and the Northern Territories) are covered by either the private sector NPPs or a set of public sector IPPs, receiving personal information will usually be 'collection', and a set of IPPs will apply to any information they receive. However, not all recipients of disclosed information are bound by IPPs (eg some small businesses).

Note special provisions for Commonwealth public sector - s14 IPP 10.3.

Unauthorised access offences

These offences, discussed above, are important complements to the use and disclosure IPPs. Third parties who obtain access to personal information without authority may commit serious criminal offences, even though in some cases their actions might not breach IPPs.

6.2.2. Obligations of confidence - role in limiting use and disclosure

The law of breach of confidence can the following roles in the above situations (assuming circumstances of confidence apply and the information is confidential):

Relation ships involving obligations of confidence

See Reading Guide 4.4.1. Relationships involving obligations of confidence

See Reading Guide 4.4.3. Governments and obligations of confidence concerning Johns v Australian Securities Commission (1993) 178 CLR 408; Marcel v Commissioner of Police [1992] Ch 225 and Morris v Director of the Serious Fraud Office [1993] 3 WLR 1.

Australia - implications of Johns v ASC for IPP 11
IPP 11 does not in itself authorise any disclosures - it merely means that the exceptions are not breaches of the IPPs.

We can therefore argue:

Other relevant decisions:

6.3. Exceptions to finality principles (general considerations)

If there are more exceptions than substance to 'finality' IPPs, they just become a legitimating device for extensions of surveillance practices. Are any sets of IPPs 'more holes than cheese'?

Three types of exceptions have to be considered:

The following discussion is not exhaustive, but only covers the most common, most general and most important exceptions. Many specific exemptions for particular agencies are not mentioned here, and you must check the relevant legislation.

6.3.1. Exceptions are not requirements to disclose, nor general justifications

The exceptions discussed below to the use and disclosure principles can be used to show one thing only: that there is not a breach of an IPP.

The exemptions are not in themselves requirements to disclose (or use) personal information. Organisations may choose not to disclose information even if it is not a breach of an IPP to do so (unless some other law compels them to disclose). This discussion is confined to disclosure as the main area in which this issue arises - there are relatively few circumstances where it would arise in the context of internal use, although it technically applies to both use and disclosure.

Exemptions are not general authorisations to disclose. Furthermore, a disclosure under an exemption from an IPP breach may still leave the discloser open to other actions for wrongful disclosure, whether because of some breach of another statute, or a breach of confidence, or a breach of copyright, or some other action. If the discloser has an obligation not to disclose which arises outside privacy laws, no exception to a disclosure IPP can act as a defence. The same applies to uses which breach other duties.

The NSW Act contains a specific provision making this point clear in relation to other exemptions from the disclosure principle - s.23(6).

6.3.2. Related purposes exceptions

Most IPPs include some allowed extension of use/disclosure for 'related' or 'directly related' purposes.

Australia

Statutory provisions:

NPP/IPP2(1)(a) implies a distinction between 'related' and 'directly related', so it seems that the allowed secondary purposes need only be indirectly related to the primary purpose, although the Federal Commissioner says that the secondary purpose must be something that arises in the context of the primary purpose (emphasis added) (Guidelines to the NPPs - NPP 2.1(a)). The Victorian Commissioner says it must be "connected or associated with the primary purpose".

The reasonable expectations test
The 'reasonable expectations' test governs secondary use and disclosure by private sector organizations and Victorian government agencies, and is in addition to the `related/directly related' test.

It is the 'individual concerned who must have the 'reasonable expectations'. This might suggest that the level of knowledge of industry practices by the individual is relevant' although the Federal Commissioner says the test will be applied "from the point of view of .. an individual with no special knowledge of the industry or activity", and the Victorian Commissioner agrees "What would a reasonable person, without special knowledge, reasonably expect". The Commissioners' views accord with the traditional administrative law concept of reasonableness set out in the Wednesbury case (Associated Provisional Picture Houses Ltd. v. Wednesbury Corporation [1948] 1 K.B. 223). The Victorian Commissioner states that it is an objective test, and that "the expectations of the actual individual involved are a consideration, but they are not determinative".

Examples:

Hong Kong

The Hong Kong provision is more strictly worded than the Australian private sector provisions (see below), which distinguish 'directly related' from 'related and reasonably expected'. Is there a significant difference?

Do the 'reasonable expectations' of the data subject have any affect on what is 'directly related'? (or, for that matter, on what is objectively determined to be the 'purpose ... of the collection'). B&W p127 consider that, where the data subject has not been given notice of the purpose of collection, these reasonable expectations will affect the objective determination of purpose.

6.3.3. Direct marketing 'opt out' exception

Australian private sector

The specific provision in NPP 2 for direct marketing is the source of much confusion. Some see it primarily as an alternative exception to the finality principle that can allow direct marketing uses (not disclosures) even where there is clearly no `reasonable expectation' and where, as a result, the related purpose exception cannot apply. Others focus on its function of additional constraint on all direct marketing, imposing conditions. It is perhaps best to see 2.1(c) as an alternative basis for use, but one which carries with it certain conditions.

The main threshold condition in exception (c) is that it only applies if it is `impracticable for the organisation to seek the individual's consent before that particular [direct marketing] use' (2.1(c)(i)). The Commissioner has set out a number of factors to be considered in deciding on `impracticability', but concludes that e-mail or SMS marketing can never make this claim. (Guidelines to the NPPs - NPP 2.1(c))

A secondary threshold is whether the individual has already expressed a preference not to receive direct marketing (2.1(c)(iii)). If he/she has done so, then the organization must respect that preference and not use the information for that purpose.

The other conditions apply if the threshold tests are passed and direct marketing use is allowed. The organization must include specified information in each communication, including contact details (2.1(c)(v)), and must clearly offer an `opt-out' opportunity (2.1(c)(iv)), which it must not charge to implement (2.1(c)(ii)).

As the Commissioner points out in his Guidelines, it is open to organizations to avoid the specific constraints of exception (c) by relying instead on exception (b) - consent - but warns that in most cases express consent will be required (see 6.3.4 below). Some businesses, particularly the direct marketing specialists, maintain that much of their activity can be carried out without either express consent or even an opt-out opportunity by relying on the related purpose exception (a), arguing that most consumers have a `reasonable expectation' that organizations they have dealt with before will try to sell them other goods or services. It remains to be seen if litigation in due course pushes most direct marketing into exceptions (b) and (c), with their conditions, or allows it to operate relatively unconstrained under exception (a).

It should be noted that one of the EU criticisms of the Australian law is that it does not provide the unequivocal right of opposition to direct marketing equivalent to Article 14 of the EU Directive.

Hong Kong

PDPO s34 requires data users to inform data subjects, the first time they use particular personal data 'for direct marketing' to (i) inform the data subject of his/her right to request the data user to cease further use of that data, and (ii) to cease to use the data if so requested.

This is a very convoluted way of expressing a right to 'opt out' of direct marketing approaches. But it at least has the merit of clearly applying to all direct marketing uses, with the issue of compliance with the use and disclosure principle clearly separate. This is much more like the relevant provision in the EU Directive (Article 14).

B&W p143 make the point that notice must be given every time a data user makes use of some new item of personal data for direct marketing (and in their argument 'use' can merely include looking at the data). In effect, this means that an opt-out notice would be needed with every contact after data changed.

Alternatively, it could be argued that notice was only needed if the data item was used to initiate or change the direct marketing, not merely viewed (a separate use) in the course of direct marketing.

In practice many organisations would simply give the opt-out notice on every contact, at least if it was written.

PCO examples:

6.3.4. The consent exception

IPPs always allow data to be used for purposes other than the purpose of collection with some form of consent of the data subject, but what form suffices differs widely.

Australia - 'express or implied consent'

The Privacy Act 1988 s6 provides that 'consent means express consent or implied consent' (repeated in Vic IPA s.3)

Meanings of consent

Informed consent - The general meaning of 'consent' concerning the knowledge needed for a valid consent, in areas such as contract law and consumer law needs to be taken into account. See Jay and Hamilton Data Protection Law and Practice 2-23 on.

Free consent - If the provision of a benefit is conditional upon consent being given to personal information being obtained, is this consent?

'Opting out' - Does consent require some positive affirmation, and cannot simply be implied from inaction?

Hong Kong - 'prescribed consent' - express and voluntary

DPP 3 requires 'prescribed consent' for data to be used for a different purpose. PDPO s2(3) provides that 'prescribed consent' "(a) means the express consent of the person given voluntarily"; and (b) may be withdrawn in writing.

Express consent must involve a positive act; it cannot include failure to opt-out.

Informed consent is required, not as a statutory requirement but as part of the meaning of 'consent'. (see B&W pgs 94-96 noting that consent must be 'informed consent').

Consent need not be given in writing (but must be by a positive act, verbal or physical), but can only be withdrawn in writing.

B& W p129 notes that the data subject's consent for change of use is required irrespective of the fact that the data was not collected from the data subject.

6.3.5. Australian federal public sector - The prior notice exception

IPP 11(a) assumes some disclosure practices can be so notorious as to not require specific notice.

Could the disclosure by an agency to outsourcing contractors be justified here?

6.4. Exceptions based on public interest considerations

For Hong Kong, see B&W Chapter 12

6.4.1. Exceptions for prevention of harm to the person or others

6.4.2. Exception where authorised under law

See Federal Privacy Commissioner's Plain English Guidelines to Information Privacy Principles 8-11 (1996) and Guidelines to the National Privacy Principles - 2.1(g) and Privacy Victoria IPP Guidelines Part 1

When will the common law 'authorise' disclosure? There may be duties of care requiring disclosure (eg negligent mis-statements), or fiduciary duties.

6.4.3. Exceptions for purposes of law enforcement

Australia

Hong Kong

PDPO s58(2) - Authorises disclosures for 'prevention or detection of crime', 'serious improper conduct' and other listed matters.

6.4.4. Exceptions for prevention of financial loss, mismanagement etc

Hong Kong

PDPO s58(2)

6.5. Exemptions peculiar to certain jurisdictions

At this point we only discuss some of the exemptions which are particularly related to use and disclose of information. Bear in mind that exemptions discussed below may be exemptions to other IPPs as well as those concerning use and disclosure.

6.5.1. Australia - Exception for disclosure between related corporations (NPPs)

6.5.2. Australia - The 'small business operator' (SBO) exemption

Loss of SBO status by receiving personal information for consideration

Possible examples:

6.5.3. New South Wales exceptions - 'more holes than cheese'

There are many exceptions, including:

6.5.4. EU 'adequacy' and exceptions to finality

Australia

Some of the exceptions to finality, as well as the general exemptions from all IPPs, are among the principle stumbling blocks to Australian privacy laws being regarded as 'adequate' by the EU: Specifically, the Opinion criticises:

The exception to NPP2 where secondary use or disclosure is authorized by or under law (NPP 2.1(g)) - on the grounds that this is far too broad. The Committee also contrasts the wording with the wording of the 1999 version of the NPPs, which said `specifically authorised' as evidence that the exemption could now allow anything that was not unlawful. Article 7(c) of the EU Directive uses the term `legal obligation'.

The exemption of `generally available publications' from the definition of `record' which means that secondary uses of publicly available data is not regulated. The EU Directive and OECD Guidelines contain no such exemption

The direct marketing exception (NPP 2.1(c)) which only applies to secondary uses. The Committee points out that if direct marketing is a primary purpose of collection there is no requirement to offer an `opt-out'.

The absence of any special controls over use and disclosure of most `sensitive data'- NPP 10 only deals with collection, and NPP 2.4-2.6 deal only with `health information'.

This critique includes most of the points made by the EU Committee, and identifies some additional weaknesses (references are made here to the Commonwealth provisions but in some cases similar issues arise under the NSW and Victorian Acts):

The consent exception IPP 10.1(a) and 11.1(b) and NPP 2.1(b) does not require `unambiguous' consent, as does Article 7.1(a) of the Directive

The allowance for use & disclosure for `related purposes' (IPP10.1(e), NPP2.1(a)) is arguably similar to Articles 6(1)(b) (not incompatible), and 7(b), although the wording of the Australian provisions varies considerably both between jurisdictions and in some cases between use and disclosure, leaving considerable scope for generous interpretations of what is a related purpose

The absence of any right of opposition to uses equivalent to Article 14 of the Directive, except for the direct marketing provision in the private sector amendments (NPP2.1(c)) and a provision in the NSW Act for suppression of public register details on safety grounds (ss.57-59)

Weaknesses in relation to `onward transfer' - these are discussed separately in Reading Guide 3.

6.6. Public registers - Application of IPPs

The application of IPPs to public registers differs widely between jurisdictions, with some imposing the normal IPPs (Hong Kong), some imposing none at all (Australian federal government), and some imposing special regimes (NZ, Victoria, and NSW to some extent).

6.6.1. New Zealand

The main source of special public register rules in the Asia-Pacific is the New Zealand legislation - Privacy Act 1993 Part VII, Public Register Personal Information.

6.6.2. Australian federal government

There are no special provisions for public registers in the Privacy Act 1988 .

IPP 1 applies to the collection of information for inclusion in record or in a 'generally available publication'.

However, most IPPs and NPPs only apply to 'records', and public registers are not 'records': Privacy Act 1988 s6: 'generally available publication means a magazine, book, newspaper or other publication (however published) that is or will be generally available to members of the public.'; a 'record' (to which most of the IPPs apply) does not include a generally available publication. Note that the exclusion only applies to the publicly available form of public registers, and not to the underlying databases, which remain subject to the Principles.

6.6.3. New South Wales

NSW included the first public register privacy principles in Australia, but they are very limited.

6.6.4. Victoria

6.6.5. Hong Kong

Hong Kong does not have special provisions concerning public registers, nor any special exemptions from the DPPs for them.

Agencies operating public registers are usually under a statutory duty to provide access to the public. However, this does not mean that access to public register is for any and all purposes. It would be necessary to interpret the statute creating the public register to determine the purposes for which access is provided to the public.

Data users who access the public register would then be collecting personal information for those statute-defined purposes.

As B&W p128 point out, agencies should advise data users, by notices, of the purposes for which it is legitimate to use data from a particular register.

Other DPPs will also apply to the register, such as access and correction rights, subject to any overriding provisions in the Ordinance governing it.

There seems to be a division within government over the extent to which the Ordinance applies to public registers:

6.7. Data matching

6.7.1. Australian federal government

Australia's federal government only has very piecemeal controls over data matching.

Data matching involves wholesale prima facie breaches of IPP 11 - how is it legitimated?

(See back to Part 3, `Data matching and the creeping Tax File Number`)

See Federal Privacy Commissioner's Plain English Guidelines to Information Privacy Principles 8-11 (1996) - Exceptions 10.1(c) and 11.1(d) - required or authorised by law and Exceptions 10.1(d) and 11.1(e) - law enforcement and revenue protection

G Greenleaf `Data matching in Australia - the facts' 2 PLPR 114 - This note on the Commonwealth Privacy Commissioners survey of the extent of data matching by the Commonwealth notes the following:

6.7.2. New Zealand

NZ has quite extensive data matching controls (Privacy Act 1993 Part X), based on the Australian model but of more general application

6.7.3. Hong Kong

See B&W pgs 130-137

6.7.4. Theoretical studies of data matching

6.8. Data integrity/quality principles - restrictions on use

Requirements that personal data must be 'accurate' or 'relevant' before it is used are a form of restriction of use which are found in most sets of IPPs.

See B&W p115 for examples of the scale of the problem of inaccurate records.

Bygrave (doctoral thesis, 2000) 3.5. Information Quality discusses the implementation of this principle in the EC Directive and European laws. 'The fourth core principle of data protection laws is that personal data shall be valid with respect to what they are intended to describe, and relevant and complete with respect to the purposes for which they are (intended to be) processed.'

6.8.1. Australia

These requirements of data quality at time of use ( IPP8), and use limited to relevant purposes ( IPP9) are intended to ensure that personal information is only used for purposes for which it is appropriate. For example, in Sweden in the early 1980s, it was found that, although many agencies collected information on a person's `income', they all used different definitions of `income', so any cross-matching of this information would be to use it in breach of one or both of the principles.

6.8.2. Hong Kong

See B&W Chapter 6 generally

DPP2-accuracy and duration of retention of personal data - DPP2 requires that 'All practicable steps shall be taken to ensure that- (a) personal data are accurate having regard to the purpose (including any directly related purpose) for which the personal data are or are to be used'.

"Inaccurate" 'in relation to personal data, means the data is incorrect, misleading, incomplete or obsolete' (s2). 'Accurate' can therefore be understood as 'not inaccurate'. See B&W p114 for examples of each of 'incorrect, misleading, incomplete or obsolete'.

If data are inaccurate, then DPP2(b) requires that they (i) not be used or (ii) erased. This is a separate obligation from that found in DPP2(2), which requires permanent deletion when retention of the data is not necessary to fulfil any of its purposes of use (see later concerning the Destruction Principles).

Since 'use' includes disclosure, DPP2 imposes an obligation on a data user who is proposing to disclose data to a 3rd party to ensure that the data is accurate having regard to the purpose for which the data is being disclosed to the third party. This will be so even if the disclosure is because of the exercise of compulsory power by the 3rd party. However, difficult questions may then arise as to what degree of checking of accuracy is 'practicable', particularly if data concerning many individuals are being disclosed.

Examples:

Notification of third parties

DPP2(c) also requires that, where practicable, once a data user is aware that data which has previously been disclosed to a third party are 'materially inaccurate' (and were so at the time of disclosure),then there is an obligation to inform the third party of this and provide the corrected data.

Such a requirement for notification may arise either as a result of a data user's internal procedures picking up a previous inaccurate disclosure, or as a result of a data user exercising their rights of access and correction under DPP 6.

This right of 3rd party notification is a valuable addition to the Hong Kong DPPs. It is not found, for example, in most Australian IPPs.

Compensation for use of inaccurate data

Contraventions of the Ordinance may lead to damages claims by 'an individual who suffers damage' under s66 Compensation, but two defences are provided: See B&W p116 for discussion.

6.9. 'Objection to processing' principles

Bygrave (doctoral thesis, 2000) 3.6. Data Subject Participation and Control discusses these principles as the third main category a set of principles empowering data subjects, but they can also (from the perspective of the data user) but seen as a Principle limiting use of personal data.

6.9.1. Objections to processing in the EU Directive

Bygrave summarise that 'The EC Directive contains important instances of such a right, namely in Art 14(a) (which provides a right to object to data processing generally), Art 14(b) (which sets out a right to object to direct marketing) and, most innovatively, Art 15(1) (stipulating a right to object to decisions based on fully automated assessments of one's personal character).'

Automated processing principle

Article 15 of the EU Directive requires the grant of a "right to every person not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data", subject to various exceptions.

For a detailed assessment, see:

6.9.2. Australian examples

Direct marketing 'opt out' provisions (NPP 2.1(c))

This exception, discussed above, is also significant as one of the few examples in Australian IPPs, of a right to object to processing.

Data matching objections

Another example of this principle in Australian law is the provision in the Data matching Program (Assistance and Tax) Act 1990 for individuals to be notified before any adverse action can be taken against them (s.11, and Guidelines 5.1-5.2). This may have much the same effect as an objection to processing, as it gives a right to object before a decision based on automated processes is made.

6.9.3 Hong Kong

The only example of such a Principle is the right to opt-out of direct marketing


[Previous] [Next] [Title]