Security and related IPPs (Retention and Disposal)
Privacy and Surveillance
Nigel Waters & Graham Greenleaf
Last updated October 2008
LAWS 3037 Data Surveillance & Information Privacy Law 2
Security and related IPPs
Security
Retention
Destruction/Disposal
Security Principles
Sources
Waters, Greenleaf and Roth (2007) ‘Interpreting the Security Principle, v.6’, UNSW - this includes many examples of complaints (Materials) (cited herein as Waters, Greenleaf and Roth, 2007)
Aust Privacy Commr Info Sheet 6 Security (2001) - Sets out long list of Australian and international standards that may apply
ALRC Report 108, Chapters 28, 51 & 58
Security principles
Provisions
Cth IPP 4
Private sector NPP 4.1
NSW s12(b)-(d)
HK DPP 4
ALRC Proposed UPP 8
Security principles
Scope
All require security from misuse and loss, and from unauthorised access, modification or disclosure
So internal and external threats, and mere negligence, are covered
All only require ‘reasonable steps’ or ‘practicable steps’
Security – reasonable steps?
“When considering reasonableness in the security context, factors which may be relevant include: the workability of the safeguards; the cost of the safeguards; the risks involved; the sensitivity of the information; and the other safeguards in place.”
Source: OECD Information Security Guidelines 1992 cited by NZ Privacy Commissioner in [2003] NZPrivCmr 22 (Case Note 28351)
Security – different aspects
Physical security
Computer and network security
Communications security
Personnel security
Source: OFPC Guidelines to the National Privacy Principles, September 2001, Guidelines to NPP4.
Security principle - example
Hong Kong has an unusually detailed security principle. DPP 4 requires ‘All practicable steps … to ensure … protected against unauthorized or accidental access, processing, erasure or other use’
Includes (as if personal data) data to which access is not practicable
Lists 5 factors to which data users must have ‘particular regard’ - reflects standard criteria:
(a) kind of data and possible harm (‘harm test’)
(b) physical location (and security appropriate to it)
(c) technical security measures
(d) personnel integrity etc measures
(e) communications security measures
Security breach examples
Possible examples of breaches
If hackers access data, data user may be liable for inadequate security - supplements computer crime laws: sue the company, not the hacker
Mailouts in error of sensitive data
Accidental destruction of data valuable to a person
Security which destroys other privacy interests will not be ‘practicable’
Lax practices with cleaners etc
Personal files are regularly found at kindergartens and tips
Unencrypted data on mobiles: 63,000 mobile phones, 6,000 pocket PCs and 5,000 PCs left in London cabs in 6 months (UK Taxi survey 2005, 21 (2) CLSR 95-97)
Security - Factors (1)
Internet information – requires cooperation to remedy
E v Statutory Entity [2003] VPrivCmr 5 - audit trail failed to record access to customer account - settled
Complainant AD & Others v The Department [2006] VPrivCmr 5
Not an absolute
Cannot guarantee 100% security
Other interests – may require higher standard
Proportionality
Security - Factors (2)
Role of standards
Mixed benefit – may or may not be adequate
OECD Information Security Guidelines 1992, revised 2002
Risk assessment
Security - Factors (3)
Security requirements in other legislation
In Australia, ASIC and APRA
APRA Superannuation Guidance Note 140.1, paragraph 19
Action by other regulators, e.g. UK FSA v Nationwide Building Society 2006 – 1 million pounds fine for inadequate security leading to loss of laptop containing customer data
Security - Factors (4)
Inadvertent collection for security reasons
Common access facilities: W v Public Library [2005] VPrivCmr 5
Special protection for sensitive information: NZ & Canadian cases in Waters, Greenleaf & Roth, page 15
'Need to know'
Access control – minimum standards
Logs and audit trails
E v Financial Institution [2003] PrivComrA 3 - audit trail failed to record access to customer account - settled
FH v NSW Dept Corrective Services [2003] NSWADT 72; Summary [2003] NSWPrivCmr 1 - equivocal on whether breach of security principle where it would cost millions for Dept to change system to log accesses
But remember employee privacy - balance
Security - Factors (5)
Human (personnel) security
Confidentiality deeds
Training
B v Victorian Government organisation [2003] VPrivCmr 2 ($25,000 compensation settlement when agency disclosed complainant’s new address to ex-spouse ‘across the counter’ despite known risk)
Canadian & NZ cases in Waters, Greenleaf & Roth pp 19-21
Enforcement: disciplinary action, dismissal, prosecution
Security - Factors (6)
Relationship with disclosure
Does unauthorised disclosure necessarily mean a breach of security?
Can authorised actions involve a security breach? HK, Australian & NZ cases
Liability? Vicarious liability of employer?
Security - Factors (7)
'Standing' for security complaints
Only affected individual, or also third party?
When is someone 'affected'? - only when actual breach, or also prospective?
Security - Factors (8)
Communications security
Australian, NZ, Canadian and HK cases in Waters, Greenleaf & Roth pp 25-27
Data security – encryption?
Fax
Postal/courier
Security - Factors (9)
Security obligations when contracting
Emphasised in international instruments
Express requirements in some Australian privacy laws: PA s.8(1) and 95B; IPA s.9(1)(j) and s.17 (an agency can expressly transfer the obligations by contract); PPIPA s.4(4)(b).
Security - Factors (10)
Programming errors and multiple breaches
Australian PC own-motion investigations in mid 1990s: ATO, DSS, DVA, DET, private sector
Potential for representative complaints
Access control must be managed: L v Commonwealth Agency [2003] PrivComrA 10 - agency client provided password to be used to identify him; agency failed to ask for it
Other cases in Waters, Greenleaf & Roth p 31
Security principle: Australian reform proposals
ALRC Report 108 (2008) Chapter 28
UPP 8.1(a) – replicates NPP 4.1, but applies to both organisations and agencies
OPC Guidance on 'reasonable steps' (Recommendation 28-3)
No need for any specific additional obligations in relation to third parties
For commentary, see:
Greenleaf, Waters & Bygrave, CLPC Submission to ALRC on DP 72, ‘11.2. Data security proposals’, Dec 2007
Waters & Greenleaf commentary on proposed UPPs at Symposium, 2 Oct 2008
Security principle - HK
Hong Kong examples - Complaints to PCO held to breach DPP4 (security):
Faxing details of donation to estate office (AR 5/05)
Newspaper publication of address of complainant, endangering him, not a breach of DPP4; DPP3 (disclosure) was the only DPP relevant (AAB appeal 4/00)
Insurer sending insurance policies for 3 people to the address of one of them
Unsealed letters of demand sent to neighbours' addresses
Law firm’s messenger allowed duplicate cover sheet of divorce process to be read by others at workplace while waiting to serve process: [1998] HKPrivCmr 8
Law firm left trial bundle in gap between litigant’s metal gate and door: [2003] HKPrivCmr 8
See other examples in McLeish & Greenleaf chapter in Berthold & Wacks
Security principle – HK
Security managers in apartment blocks required to destroy data on visitors after a reasonable period: [1998] HKPrivCmr 4
Hong Kong examples concerning ID cards
Mobile phone Co. made first 6 numbers of ID card the default password for call data, billing etc information; debt collector accessed data and harassed complainant and friends; held breach of DPP 4: [2003] HKPrivCmr 3
Disclosure of ex-employee ID numbers in faxes to customers
Bank and dept. store jointly responsible for printing error disclosing ID nos. in mailout
Data Breach Notification
History
Response to identity crime
44 US States + Ontario legislated requirements
Now under consideration around the world: Canada, UK, Australia - guidelines, pending legislation
Data Breach Notification Guidelines
Canadian model law (CIPPIC, 2007)
Victorian Privacy Commissioner Guide: Responding to Privacy Breaches, May 2008
Australian Privacy Commissioner Guide to handling personal information security breaches, August 2008
Data Breach Notification Proposals - Australia
ALRC Report 108 Chapter 51, Recommendation 51-1 - new part of Act (not a principle)
Requirement to notify Commissioner and affected individuals if:
actual or suspected breach = acquisition of specified information by unauthorised person, AND
agency, organisation or Commissioner believes real risk of serious harm (specified factors)
'Specified information' = particular combinations of personal and sensitive(?)
Data Breach Notification Proposals – ALRC proposal (continued)
Harm factors: whether encrypted adequately; whether acquired in good faith by employee or agent and acting for a permitted purpose
Privacy Commissioner can waive requirement to notify individuals
Civil penalty for failure to notify Commissioner
For commentary, see:
Greenleaf, Waters & Bygrave, CLPC Submission to ALRC on DP 72, ‘15.1. Possible new UPP - Security breach notification’, Dec 2007
Waters & Greenleaf commentary on proposed UPPs at Symposium, 2 Oct 2008
Retention / disposal principles
Sources
Waters and Greenleaf (2006) ‘Interpreting Retention and Disposal Principles, v.1’
Aust Privacy Commr Info Sheet 6 Security (2001)
ALRC Report 108, Chapters 28 & 58
Retention / disposal principles (2)
Provisions
HK DPP 2(2) and s26
Cth IPPs - none
Private sector NPP 4.2: ‘reasonable steps to destroy or permanently de-identify … if it is no longer needed for any purpose’ allowed under NPP 2 - test of ‘permanent de-identification’ is whether it is no longer ‘personal information’
NSW s12(a) - similar to NPP 4.2
Retention / disposal principles (3)
Private sector – mandatory retention
Tax records – typically 5 years
AML/CTF – 7 years - Guidance Note 08/04
Telco/ISP records?
EU Data Retention Directive 2006/24
Public sector complicated by Public Records/Archives requirements
Uncertain interaction with privacy law: GR v Department of Housing [2003] NSWADT 268
Retention / disposal principles (4)
Need for a policy?
Tenants' Unions v TICA [2004] PrivCmrACD 3 - failure to delete or remove old tenancy information was a breach of NPP 4.2; PC ‘recommended’ TICA:
Delete ‘history’ information in Tenancy History Database after four years;
Delete 'application' information in Enquiries Database after three years; and
Delete information moved to ‘dead tenant database’ (i.e. a database which stores deleted listings – for use in case of errors) not less than once a month
FH v Commissioner, NSW Dept of Corrective Services [2003] NSWADT 72 - missed opportunity to require a policy
Canadian cases to contrary – support TICA Determination
Retention / disposal principles (5)
Deletion under Correction principle
May override general policy
Technology issues
Difficulty once publicly available e.g. on Internet: E v Statutory Entity [2003] VPrivCmr 5; Complainant AD & Others v The Department [2006] VPrivCmr 5
Retention / disposal principles: Australian reform proposals
ALRC Report 108 Chapter 28
UPP 8.1(b) - destroy or render non-identifiable
See definition of personal information
Apply to agencies
But express priority for Archives Act retention requirements (UPP 8.2)
OPC Guidance (Recommendation 28-5)
For commentary, see:
Greenleaf, Waters & Bygrave, CLPC Submission to ALRC on DP 72, ‘11.3. Non-retention (destruction or non-identifiability)’, Dec 2007
Waters & Greenleaf commentary on proposed UPPs at Symposium, 2 Oct 2008
Retention / disposal principles (6)
Other jurisdictions
NZ - Commissioner opinion supported retention of information on dismissed employees for 5 years
Canada – Commissioner noted 2 year retention policy for employment records
UK - 2005 Information Tribunal case on criminal records retention
Retention / disposal principles (HK)
Hong Kong DPP 2(2) and s26
DPP 2(2): ‘Personal data shall not be kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data are or are to be used’.
Keeping for the purpose of some exception not allowed
Only says ‘personal data’ shall not be kept - what if made inaccessible? What if de-identified? Is DPP 2(2) satisfied?
Retention / disposal principles (HK)
HK DPP 2(2) is supplemented by s26 (titled ‘Erasure of personal data no longer required’)
Says ‘A data user shall erase personal data …’
Doubtful if data can be made inaccessible or de-identified in the face of this explicit provision
S26 has 2 exceptions:
‘(a) any such erasure is prohibited under any law’ - Archives laws etc will override DPP 2(2)
‘(b) it is in the public interest (including historical interest) for the data not to be erased.’
Question of public interest is a question of law, not of good faith belief
S26(3) protects any joint controller against suits by other controller because of erasure of data
Retention / disposal principles (HK)
Hong Kong DPP 2(2) and s26 - examples of appeals to AAB against PCO:
[1999] HKPrivCmrAAB 3: Telecomms Co. retained customer details for 180 days after suspension of service, in case of reconnection - no breach
Pursuant to DPP 2(2), Consumer Credit Code requires data deletion 5 years after ‘final settlement’ - raised issues of how this applied to bankruptcies, but not necessary to decide (7/01)