
8. Other information privacy principles


Graham Greenleaf and Nigel Waters; revised by Graham Greenleaf 15 March 2002 and Nigel Waters 7 May 2002


8.1. Security principle

It is a paradox that security measures can be one of the worst invaders of privacy, by imposing excessive identification requirements on people.

In the OECD's Security Guidelines, one of the principles says that security measures must not be so disproportionate as to be incompatible with a democratic society.

See Bygrave (doctoral thesis, 2000) 3.8. Information Security for a discussion of security requirements in the EC Directive and European laws.

Complement to 'unauthorised access' computer crimes

'Hackers' who obtain unauthorised access to personal data systems can inflict financial and other damage on individuals. In most jurisdictions their actions will be criminalised by computer crime laws, but this will not provide civil remedies for individuals so damaged.

While in theory data protection legislation might provide remedies against 'hackers' who obtain unauthorised access to personal data systems, in practice the only effective civil remedy will be against the data user whose system was broken into. Security principles in IPPs provide such a remedy.

8.1.1. Hong Kong

See generally, B&W Chapter 8

DPP 4-security of personal data requires of data users that 'All practicable steps shall be taken to ensure that personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user are protected against unauthorized or accidental access, processing, erasure or other use'.

The necessary 'practicable steps' are to be assessed 'having particular regard to' a list of factors (a)-(e) that are set out. See B&W pp. 148-50 for detailed discussion.

B&W note that DPP 4 is not restricted to personal data in the sense of data in a form which can be effectively accessed/processed. For example, files mixed in a rubbish bin still require secure handling. Data must be securely disposed of, not only securely retained.

See HKPCO Complaints cases on DPP 4


8.1.2. Australia

Security where information passed on to contractor

See IPP 4(b).2 - Client agency has to take reasonable steps to ensure security is not compromised by contracting out or 'outsourcing' - Commissioner has used this as basis for advice that contract terms must specify required security.

There is no equivalent in NPP 4 - acts and practices of contractors are deemed to be carried out by the client organisation (s.8(1)). Under the Victorian IPA the IPPs apply independently to anyone engaged by an agency (s.9(1)(j) and s.17). The NSW PPIPA includes data services contractors in its definition of public sector agency (paragraph (g)), so they are directly subject to the IPPs, but other contractors would only be bound by contract terms.

There have been many cases involving breaches of security under the Federal Act - usually involving careless disclosure of paper records by Commonwealth agencies and TFN recipients. These have often come to light as a result of media attention rather than formal complaints by an affected person. Although none of the Commissioner's investigations of security lapses have resulted in a formal determination, in many cases the Commissioner has found the respondent to have breached IPP 4 (or TFN Guideline 6.1) and obtained a commitment to improved security measures, as well as apologies and/or other redress for affected individuals.

To date, there have been few cases involving breaches of computer security, and it remains to be seen what will be considered 'reasonable' security steps or safeguards in the context of databases, web servers etc.

8.2. Destruction and related principles

The long-term protection of a person's privacy interests (at least while they are alive) is served by the complete destruction of personal data concerning them once the data user has no further legitimate use for it.

However, other public interests such as historical research, genealogical research and epidemiological research may conflict with complete destruction.

The interests of persons or their families in personal information after the data subject is dead (whether described as a 'privacy' interest or otherwise) are less, if they exist at all.

Alternatives to complete destruction of personal information include (i) irreversible de-identification of the data; and (ii) 'archiving' of the data in the sense of removing it from active administrative use and (possibly) making it non-retrievable by the identity of the data subject.

See Bygrave (doctoral thesis, 2000) 3.8. Information Security for a discussion of security requirements in the EC Directive and European laws. He notes that some European laws require destruction of personal data in the case of national emergencies (reflecting the experience of some European countries of invasion by Nazi Germany in World War II).

8.2.1. Hong Kong

DPP 2(2) requires '(2) Personal data shall not be kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data are or are to be used'.

This is reinforced by s.26 (Erasure of personal data no longer required), which provides two exceptions:

'(a) any such erasure is prohibited under any law; or

(b) it is in the public interest (including historical interest) for the data not to be erased.'

This very general exception leaves a wide ambit for disputes to arise. The Commissioner has not provided any guidelines on the interpretation of this provision, nor any examples of its application.

8.2.2. Australian Private sector

8.2.3. Australian Public sector

There is no equivalent retention/disposal principle in the Commonwealth IPPs, but the Victorian Act has the same requirement as the NPPs (IPP 4.2) and the NSW PPIPA has similar retention and disposal rules as part of IPP5 (s.12).

Under Public Records or Archives laws, public sector agencies are generally required to draw up disposal schedules for different classes of information, and provided privacy interests are taken into account, these can be the practical implementation of the disposal principles.

While records managers and archivists are normally natural allies of privacy interests in promoting a systematic approach to information handling, there is a tension between the two interests in relation to retention. Public Records or Archives laws generally frown on the complete destruction or permanent deletion of information, even when it is subsequently shown to be incorrect or misleading. They favour retention of a complete history of administrative actions. A compromise is usually possible, involving separate storage or limited access to historical data, allowing operational files to be corrected or otherwise updated.

The Victorian IPPs have an equivalent destruction principle.

8.3. Use of identifier principles

8.3.1. Hong Kong

The Commissioner is required to issue a Code of Practice on identity cards, and has done so: "Code of Practice on the Identity Card Number and other Personal Identifiers".

For further discussion, see the separate Reading Guide on identity schemes.

8.3.2. Australian private sector

This principle only applies to Commonwealth identifiers, such as Medicare numbers. Tax File Numbers have been subject to a specific regime under the Privacy Act since 1989. Australian Business Numbers are expressly exempted from NPP 7, despite the ABN database having been the subject of one of the more interesting privacy debates in recent years (see Federal Privacy Commissioner's Annual Report 1999-2000, pp. 23-24) [Insert link]. The objective of NPP 7 is to prevent the private sector adopting government identifiers as a general means of identification which could grow into a de facto national identity system. The use of the US Social Insurance Number by the private sector has led to some major privacy issues, including a major problem of identity theft.

There is no equivalent in the IPPs - but the potential of identifiers to facilitate data matching, and its privacy implications, have been addressed in both the data matching legislation (Data-matching Program (Assistance and Tax) Act 1990) and the Medicare and Pharmaceutical Benefits Program Guidelines under the National Health Act.
