1 / 28

Privacy law in Australia: An overview

Privacy law in Australia: An overview. Graham Greenleaf Last updated: September 2008. Sources of Australian privacy law. International privacy standards Developing as both carrot and stick (data exports) General law protection of privacy Constitutional, torts, breach of confidence etc

keita
Télécharger la présentation

Privacy law in Australia: An overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy law in Australia: An overview Graham Greenleaf Last updated: September 2008

  2. Sources of Australian privacy law • International privacy standards • Developing as both carrot and stick (data exports) • General law protection of privacy • Constitutional, torts, breach of confidence etc • General information privacy (data protection) laws • Based on information privacy principles (IPPs) • Sectoral information privacy laws • Credit, medical, telecomms, TFN, etc • Surveillance limitation laws • Complex overlaps with IPPs • Surveillance authorisation laws • Data surveillance & other forms of surveillance

  3. Privacy Resources See RG - Forms and sources of privacy law See RG - History of Australian privacy legislation

  4. General law on privacy • Why is special privacy legislation needed? • International law • Limited direct effect on the general law • Constitutional protections • Few significant • ‘Privacy torts’? • New beginning (Lenah) or dead end (Wainwright)? • Other tortious protection • Piecemeal but sometimes important • Breach of confidence • Expanding in UK but still under-used here - divergence?

  5. Information privacy laws • Since 1970 (Swedish Data Act), all European countries have enacted data protection (information privacy) laws based on: • ‘information privacy principles’ (IPPs) applying generally • A Data Protection/ Privacy Commissioner • NZ, Aust, Canada, and HK SAR - an Asia-Pacific common law model? (Is Korea following?) • Japan, Taiwan have IPPs + an agency-based (civil law?) model • Macao SAR has a very EU-inspired law, and a Commissioner • USA exception: no IPPs but sectoral; greater constitutional and common law protection; ; no Commissioner; • Other APEC jurisdictions are now choosing models - laws under development in China (PRC), Thailand and the Philippines

  6. Data protection as a bundle of rights

  7. Data surveillance laws • The opposite of data protection laws • Laws mandating data surveillance practices (eg laws requiring data matching) • Laws authorising data surveillance practices so as to provide exceptions to privacy laws • No systematic studies have yet been done; see RG Anonymity and Identity for • Australia Card and ‘Access Card’ analyses • Data matching legislation analyses

  8. Australian IPPs All of what follows now under review following ALRC Report 2008 • Private sector • National Privacy Principles (NPPs) • in Privacy Act 1988 (Cth) since 2000 • Most of private sector covered, but many exceptions • Public sector - similar but diverging IPPs • Commonwealth - Information Privacy Principles (IPPs) • also in Privacy Act 1988 • NSW - Information Protection Principles (IPPS) (like Cth) • Victoria & NT Acts - follow NPPs, with Commissioner • Tasmanian Act and WA Bill use Ombudsman, not a Commissioner • Sectoral IPPs • Credit, telecomms, health and medical, TFNs

  9. Scope of IPP legislation - Key concepts • ‘Interference with privacy’ (or equivalent) required - breach of IPP • No general definition of ‘privacy’, or protection provided • ‘Personal information’ (eg Privacy Act 1988 (Cth)) • ‘personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.’ • IPPsapply to any ‘personal information’, not just ‘sensitive’ or ‘private’ information (now contested - see case law) • ‘Records’ • Most IPPs only apply to information after it has entered a ‘record’ • NSW was a major exception but no longer (see case law)

  10. Enforcement of IPPs • Complaints - the basis of the Acts • Cth Act explicitly allows representative complaints • Conciliation and internal review • Privacy Comms conciliate complaints • >90% of complaints resolved this way • Enforceable remedies - 2 very different models • Cth - PComm can make ‘binding’ determinations • Federal Court de novo hearing required to enforce • NSW - PComm cannot make any findings re remedies • internal review by agency required before enforcement • NSW Administrative Decisions Tribunal (ADT) makes enforcement orders by reviewing agency internal review

  11. Enforcement of IPPs (2): Appeals, judicial review and injunctions • Cth - No right of appeal to complainants • Respondent has de facto right of appeal • Judicial review is available (none yet) • NSW - Parties have complete appeal rights • Appeal from agency review to ADT (many cases) • Either party can appeal further to ADT Appeal Panel and then to the Supreme Court (2 cases) • Injunctions - Anyone can seek Fed Ct injunction to enforce Cth IPPs / NPPs • No such right in NSW

  12. Enforcement of the IPPs (3): Remedies / Offences • Civil remedies - generally extensive (eg Cth) • Compensatory damages possible • Includes injuries to feelings • Respondents required to take restorative actions • Criminal offences - rarely used • Enforcement mainly by civil actions, not prosecution • Exceptions for very serious breaches (eg NSW)

  13. Commissioners’ other functions • These functions address more systemic privacy problems than individual complaints - wide variety of differences • Power to make public statements (both) • Power to audit (Cth public sector only) • Requiring ‘management plans’ (NSW) • Privacy impact assessments (neither)

  14. Co-regulation: Codes etc • Variously named and varying in functions • Flexibility vs danger of ‘silos’ and weakened IPPs • Cth private sector Codes of Practice - if approved, replace NPPs and/or enforcement procedures (2 as yet) • Right of appeal to PComm has reduced attraction • NSW public sector Codes of Practice - can weaken IPPs (> 10) • Cth public sector ‘Public Interest Determinations’ - can weaken IPPs (< 10)

  15. A quick tour of some IPPs • Use as example a summary of the NPPs applying to the private sector (RG 1 @ 3.3.3.) • You should find the equivalent IPPs for the public sector (Cth and NSW) and compare them • Sets of IPPs have general similarities, but many important differences - you must understand both common elements and differences

  16. NPP1 - Collection limitation • Summary - An organisation may only collect personal information which is necessary for its activities; only by lawful and fair means and not in an unreasonably intrusive way. Wherever reasonable, an organisation must collect personal information about a person only from that person, and must make the person aware of the purpose of collection, any laws requiring the collection, the organisations to which the information is usually disclosed, and other matters. If personal information is collected from a third party, the organisation must still take steps to inform the person about the collection and these matters. • only as much as is necessary for its activities • by means lawful, fair and not intrusive • data subject must be given notice of obligations, purposes, intended disclosures, and rights

  17. DPP3 - Use/ disclosure limitation • Summary - An organisation may only use or disclose personal information for the purpose for which it was collected (the primary purpose), except for a directly related use or disclosure (the secondary purpose) that the person would reasonably expect, or where the person has consented. • Personal information may be used for the secondary purpose of direct marketing (even where this is not within a person's reasonable expectations) where it is impracticable for the organisation to seek the person's consent before that particular use, the person has been given an opportunity when first contacted to 'opt-out' from receiving further direct marketing communications, but the person has not opted out. • There are special rules for sensitive information, and many other exceptions for health information, protection of individual and public health, other uses authorised by law, prevention, investigation and enforcement concerning breaches of the law, and similar matters.

  18. DPP3 - Use/ disclosure limitation • The ‘finality’ principle • Purpose of collection largely determines subsequent use • The core principle, along with access & correction rights • Data can only be used / disclosed in 4 ways: • (I) For the purpose for which it was collected; • (ii) For a directly related purpose that the person would reasonably expect (+direct marketing ‘opt out’ exception) • (iii) With consent (see definition ‘express or implied’) • (iv) Subject to statutory exceptions

  19. NPP 3 - Data quality • Summary - An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date. • Where records are inaccurate etc, the correction principle gives a right to correct, but the quality principle may give other remedies where the errors etc were unreasonable • Particularly important for addressing systemic errors

  20. NPP 4 - Security & Retention • Summary - An organisation must take reasonable steps to protect personal information from misuse, loss or unauthorised access, modification or disclosure. • An organisation must destroy or permanently de-identify personal information if it is no longer needed for any purpose under NPP 2. • ‘…reasonable steps …’ to secure • Hacking etc may give remedies against system operator • ‘destroy or permanently de-identify’ when it has no more uses • A right to have information forgotten

  21. DPP5 - Information generally available • Summary - An organisation must document its policies on its management of personal information and make the document available to anyone who asks for it. On request it must provide general information about what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information. • Rights to obtain information not restricted to data subjects (contra NPP 6) • ‘Openness’ principle which should be important to the media and community organisations

  22. NPP6 - Access & correction • Summary - A person generally has a right of access to personal information held by an organisation about him or her, subject to a list of exceptions. If an exception applies, the organisation must consider the use of a mutually agreed intermediary. If a person is able to establish that information about him or her is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information. In any event, the person has a right to the addition of a statement claiming that information is incorrect. • Right to access and correct your own data • Many exceptions to access apply • Problem: correction often tied to right of access

  23. NPP 7 - Identifiers • Summary - Organisations must not use as their own identifiers any personal identifiers assigned by Commonwealth government agencies, and must not use or disclose such identifiers (with limited exceptions). • A very limited IPP, does not deal with generally with re-use of identifiers from other systems

  24. NPP 8 - Anonymity • Summary - A person must have the option of not identifying himself or herself when entering transactions with an organisation wherever this is lawful and practicable. • An original and important new IPP - potential wide implications (untested) • No equivalent in Cth or NSW IPPs

  25. NPP 9 - Transborder data flows • Summary - An organisation in Australia may only transfer personal information to someone else in a foreign country if it reasonably believes that the recipient is subject to a law, binding scheme or contract which effectively upholds principles substantially similar to the NPPs. • Transfers may also be made to organisations that have taken reasonable steps to ensure that the information will not be held, used or disclosed by the recipient of the information inconsistently with the NPPs, and for four other reasons. • To prevent ‘data exports’ to less protected countries • Commonwealth Act also has limited extra-territorial effect • Exceptions are quite extensive • No equivalent in Cth public sector IPPs; provision in NSW Act not yet effective; Victorian is in effect

  26. NPP 10 - Sensitive information • Summary - An organisation must not collect sensitive information unless the person has consented, or the collection is required by law, or in limited other circumstances. Special rules apply to health information. • An extra collection limitation; see NPP 2 for an extra disclosure limitation • No equivalent in other Australian IPPs

  27. Effect of international standards • OECD privacy Guidelines 1981 • Australia ‘adheres to’ the Guidelines • European Union privacy Directive 1995 • Prevents EU countries from exporting personal data to countries without ‘adequate’ protection • Adequacy of Australian law still being assessed (since 05) • APEC Privacy Framework 2004 • An ‘OECD Lite’ set of IPPs; no required means of enforcement • Takes no position on data exports; ‘Pathfinder’ projects seek to find a common method of facilitating exports • Has the APEC Framework achieved anything? • Council of Europe Convention 108 (1981) • As of July 2008, effectively open to non-European countries • Does it offer an alternative to APEC?

More Related