Collection & Related Principles Information Privacy & Data Surveillance Nigel Waters & Graham Greenleaf Last updated September 2008

Upload: sara-manning

Post on 02-Jan-2016


Collection & Related Principles

Information Privacy & Data Surveillance

Nigel Waters & Graham Greenleaf

Last updated September 2008

2

Issues in collection Principles

What types of 'collection' are regulated?

Required notice when collecting

• What types of collection require notice?

• Requirement to collect from data subject

Permitted purposes of collection

• Purpose justification principles

• Anonymity principles

Fair collection requirements

Special rules for 'sensitive' subjects

Other laws relevant to collection

3

Meaning of ‘collection’

Not defined - examples:

Aust NPP 1.1 ‘An organisation must not collect personal information unless …’

HK DPP1 merely says ‘Personal data shall not be collected unless …’

‘Collection’ remains largely undefined in privacy law

4

Possible types of ‘collection’

Must consider whether at least the following types of ‘obtaining’ data are ‘collection’:

Information solicited from a person (data subject or 3rd party);

Unsolicited information (data subject or 3rd party);

Information obtained from observations ('surveillance') of the data subject;

Information extracted from documentary or other sources (observation other than of data subject).

What will this determine?

Whether purpose and extent of obtaining data is limited by law

Whether fair collection rules apply

Whether notice must be given - but this may apply to only some forms of obtaining data, even if they are collection

5

Solicited information

Whether solicited from data subject or 3rd party, this is the clearest case of ‘collection’

Most IPPs include both as ‘collection’

Notice obligations may depend on whether data is solicited, and whether collected from data subject:

Cth IPP 2 notice required only if solicited from data subject (all others only require data ‘collected’)

HK DPP1(3) - only applies if data is collected (does not say ‘solicited’) from the data subject (ie no notice required if collected from 3rd party)

6

Solicited information – direct collection

Some laws do not require collection from data subject in preference to other sources (eg HK)

Others require collection from the data subject (as distinct from another source) in some situations, but they differ considerably

NPP 1.4 requires collection only from individual ‘if it is reasonable and practicable to do so’

When would this be so? (Must you rely on honesty?)

Is it OK to then ‘double check’ with a 3rd P?

NSW IPP 1 (s10) requires collection ‘directly from the individual’ unless

(a) The individual ‘has authorised’ collection from 3rd P; or

(b) Provided by parent/guardian if under 16

7

Solicited information – direct collection (2)

NSW IPP 1 (s10) (cont)

DO v UNSW [2002] NSWADT 211

Form allowing collection ‘from any tertiary institutions previously attended by me’ did ‘authorise’

NSW s18 - individual may give ‘express consent’ that s10 does not apply; does not seem to limit scope of ‘authorised’ in s10

If s10 applies, is it OK to then ‘double check’ with a 3rd P after collecting from individual?

Better view is such collection must be ‘authorised’

8

Solicited information – direct collection (3)

Cth IPPs - no express obligation to collect from individual (see general data quality obligations)

ALRC Report 108 R21-1 – preference for direct collection from individual to carry over from NPP to new UPPs applying also to government agencies – agency concerns to be addressed in Privacy Commissioner guidance (R21-2)

NSWLRC CP3 – preference for direct collection unless 'unreasonable or impracticable' (Proposal 8)

9

Unsolicited information

Some Acts explicitly exclude unsolicited information from the meaning of ‘collection’:

NSW s4(5): ‘not collected … if the receipt is unsolicited’

NZ s2: ‘Collect’ does not include receipt of unsolicited info

Others leave this as a matter of interpretation

Cth Act does not specify - depends on meaning of ‘collect’

HK likewise

NSW - effect of exclusion of unsolicited information:

NSW IPPs 1-4 do not apply (collection and quality)

But IPPs 5-12 do apply (the agency still ‘holds’ personal information)

10

Unsolicited information received from data subject

Hong Kong: suggest it is collected but only if and when the data user makes it ‘personal data’ by recording / retrievability (B&W Ch 8 is silent on the Q)

Is Notice required? - nothing in DPP 1(3) to preclude this, but would only occur if and when data retained; PCO may take different view

Aust federal: contrast Gunning (not included) and Greenleaf - suggest s16B resolves this by (in effect) only creating obligation once decision is made to retain data in a record - collection obligations only then arise

11

What does ‘solicited’ mean?

Two contrary views from NZ:

[2002] NZPrivCmr 5 - NZPC recognises ‘passive’ collection - where applicant submitted extra information with a form, this was not ‘unsolicited’ (see Paul Roth (2002) 9(7) PLPR 121)

Harder v Proceedings Commissioner (NZ) – NZ Court of Appeal held recording of unsolicited comments by data subject was not ‘collection’ - act of turning on recorder did not stop it being ‘receipt of unsolicited information'

12

Unsolicited information (cont)

Unsolicited info from 3rd parties

Hong Kong: suggest same as when received from data subject (ie only collected if and when the recipient includes it in its records)

No notice required even if retained: DPP 1(3) only applies to collection from data subject

Same argument applies re Aust NPPs and Cth IPPs

How important is this question?

Usually, if excluded from collection, other IPPs would still apply because it is still ‘personal information’

If included, main effect may be to create obligations to give notice (But only when the unsolicited information is retained)

Also means information can only be retained if for proper purpose, and collection is ‘fair’

13

Unsolicited information (cont)

Little v Melbourne CC [2006] VCAT 2190

WJ v Commissioner for Fair Trading [2007] NSWADT 11

ALRC Report 108 R21-3 – must either destroy unsolicited info or it becomes subject to Principles – gives effect to CLPC Submission DP72-16

14

Notice when collecting from 3rd Parties

This is a different question from whether it is ‘collection’

Summary (see full discussion later):

Is notice required where info collected from a 3rd Pty?

HK - No (DPP 1(3) says ‘from … the data subject’)

NPP 1.5 - Yes (lesser notice than NPP 1.3) - also applies to unsolicited info

Cth IPP 2 - No (only 'from the individual')

ALRC Report 108 recommends Yes under UPP3

15

Notice when collecting from 3rd Parties (2)

Is notice required where info collected from a 3rd Pty? (continued):

NSW IPP 3 (s10) - arguably Yes (‘collects … from an individual’ requires notice to ‘the individual to whom the information relates’) - but not to unsolicited info (s4(5))

but to the contrary: HW v Director of Public Prosecutions (No 2) [2004] NSWADT 73

Principles vary in this respect

16

Observation of data subject

Is observation ‘collection’?

Acts do not specify - Q of ordinary meaning of ‘collect*’

No significant contrary views

Eastweek did not rely on there being no collection

Surveillance limitation laws do not already cover this

Limitation of Notice provisions to collection from data subject does not support either view: the distinction may be from collection from 3rd parties, not observation

Remedial nature of privacy laws supports a ‘yes’ answer

So requirements of minimum collection, fair collection, etc will still apply to observations

ALRC Report 108 concludes not necessary to expressly include collection by observation (21.81) but NSWLRC CP3 disagrees (implicitly - Proposal 11)

17

Observation of data subject

Is notice required (if observation is collection)?

HK DPP 1(3) requires collection ‘from’ data subject; 1(3)(a)(I) also refers to ‘supply’ of the data by the data subject. HK is clearest case where no notice is required

Cth IPP notice requirements only apply if data is ‘solicited’

NPP 1(3) notice requires collection ‘from the individual’?; Cth IPP 3 requires info ‘solicited … from the individual’; NSW IPP 3 (s10) similar - in these cases it is not so clear

Is observation collecting ‘from’ a person?

Better view is ‘no’ - excludes notice requirement

Result is sensible: observation is collection, but does not require notice (unless surveillance laws provide otherwise - as some do)

18

Information extracted

Much personal information is extracted from documentary or other sources

It is ‘collection’ - most NPPs, IPPs apply

ALRC Report 108 concludes not necessary to expressly include collection by extraction (21.81)

Is notice required of collection by extraction?

HK - no, it is not ‘from’ data subject, not ‘supply’

NPP 1.5 applies to collection ‘from someone else’

Cth IPP 2 only applies to collection from the individual

NSW IPP 3 (s10) requires collection ‘from an individual’

In all 3, extracted info will not require notice

19

Information extracted

Result is sensible: extraction is collection, but does not require notice unless some other law requires it

Contra: Cth PComm Info Sheet 18: Taking reasonable steps…: suggests archivists collecting documents need to consider notice

20

Medium of collection

Collection may be in any medium

Sound recording (Harder (NZ))

Photograph (Eastweek (HK))

Videos (HKPCO domestic helper case)

But data must be recorded (see Key Concepts)

21

Other modes of collection

Can you have collection by the following (no authority as yet?):

Bodily samples

Thermal imaging etc

Remote tracking devices

'internal' generation from transactions

ALRC Report 108 concludes not necessary to expressly include collection by these methods (21.81)

22

Required notice on collection: form and content

NPP 1.3 & 1.5; Cth IPP 2; NSW s10; HK DPP 1(3)

Why so significant?:

cost involved to the data collector

data subject is put on notice of risk

Notice of purposes affects use/disclosure

ALRC Report 108 R23-1 recommends separate notification Principle (UPP 3)

23

Notice – circumstances and content

Situations where notice required varies

See earlier re notice requirements for 3rd P collection, unsolicited info etc

Form of notice required -

All require ‘reasonable’ or ‘practicable’ steps to ensure person is aware - written notice is not necessarily required

Eg reasonable notice on web pages, or signs

Verbal notice on collection of verbal information

24

Required notice (2)

Time of notice varies considerably

Aust - all require notice before collection where practicable, otherwise allow notice after collection

HK - Notice must be ‘on or before’ disclosure, but notice of access rights must be before first use

Exceptions to notice requirement

HK DPP 1(3) proviso exempts where notice would prejudice purpose, and Pt VIII exempts access

HK S35 exempts repeated collections (in a year)

25

Required notice (3)

Aust Cth PCO Info Sheet 18: Taking reasonable steps…

Useful ‘general guide’ - where consequences to individual are greater, or information is more sensitive, then organisations are expected to expend more effort

Includes useful examples but some are contentious (eg Pt B a - Archivist eg - suggests they need to consider giving notice when archiving documents referring to 3rd Ps other than the donor)

Tenants’ Union v TICA Determination 4/2004 - TICA form misleading as to info TICA collected (note: is example of notice given re collection from a 3rd P, its members)

TICA had 4 other sources of info about privacy, but P Comm held that if one form purports to be notice, ‘it would generally need to alert individuals to the fact the other information was available’.

Held: Failure to take reasonable steps to comply with NPP 1.5

26

Required notice (4)

Hong Kong examples of notice complaints

Search results

Inadequate display of notice [1999] HKPrivCmrAAB 2

Exercise

Find a print/online notice and test it

Send your comments to the class list for discussion

27

Required notice (5)

Content of notice - fairly uniform

Purpose of collection / proposed use

If obligatory, and consequences (can be implicit)

Usual recipients of disclosures of data

Must be within purpose; cannot sidestep

Access and correction rights and procedures

HK DPP(1) requires explicit notice of (3)(b) items (PICS - Personal Information Collection Statement) but only implicit notice of (3)(a) items

Examples

A v Insurer [2002] PrivCmrA 1 - found insurer’s travel insurance claim form was deficient in not identifying ‘other consultants’ info disclosed to

N v Private Insurer [2004] PrivCmrA 1 - “any other person necessary for claims determination purposes” too wide - but in fact no notice was required because this was a related secondary purpose which was reasonably expected!

28

Permitted purpose & extent of collection

Standard purpose limits: lawful, relevant and minimal - we examine

Example - HK DPP1(1) Personal data shall not be collected unless-

(a) the data are collected for a lawful purpose directly related to a function or activity of the data user who is to use the data;

(b) subject to paragraph (c), the collection of the data is necessary for or directly related to that purpose; and

(c) the data are adequate but not excessive in relation to that purpose.

29

Purpose (1)

Lawful purpose

Required by Cth IPP 1; NSW s8; HK DPP 1

Not expressly required by NPP 1 - implied?

A minimal objective negative standard

Statutory and common law lawful purpose

Eg collection for illegal gambling; blackmail; fraud; spamming

Significance: Lack of a lawful purpose means collection is itself a breach of IPPs that require it

May result in damages claim not otherwise available

30

Purpose (2) - Positive limits?

Positive ‘purpose justification’ limits are rare

Canada s5(3) ‘only for purposes that a reasonable person would consider are appropriate in the circumstances’

EU Directive A7 ‘necessary for the purposes of the legitimate interests pursued by the controller or by the third party … to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject ...’

No such limits in NPPs, or Cth/NSW IPPs, or HK

Q: Can organisations define their own purposes with no limits except lawfulness?

31

Purpose of collection (3)

ALRC Report 108 R21-5 fails to include tests of 'proportionality' or 'objective reasonableness', as suggested by CLPC (Submission DP72-17), OPC and VPC

ALRC doesn't address question of whether there can be multiple purposes of collection – highly relevant to application of use and disclosure principle (CLPC Submission DP72-19)

Breadth of purpose – see AK v Gosford City Council [2007] NSWADT 289 – very narrow - incentive mailing for early payment of rates not a 'directly related' purpose

32

Purpose (4) - Deemed purpose(s)

Info can only be collected for a ‘function or activity’ of the organisation -

Cth IPP 1.1, NSW s8, HK DPP 1 - ‘a … purpose directly related to a function or activity’

NPP 1.1 - ‘necessary for one or more of its functions or activities’

Is this an objective test, or completely subjective (within limits of lawfulness)?

Objective - look at the actual/probable activities of the organisation - any purpose must be ‘necessary’ for those activities - no other purposes allowed

Purposes of agencies are limited by ultra vires; Articles limit purposes of companies (somewhat)

33

Deemed purpose(s)

• Determining this purpose of collection

Determining such a purpose will usually be the first task in analysing any data protection problem

Stated purpose - wherever notice of purpose of collection required (and given)

Objective test limits legitimate scope of notices

Inferred purpose - required if observed, extracted, or required notice not given

Objective test based on actual activities

34

Minimal collection

Minimal collection - statutes vary

NPPs - ‘necessary for …’

Cth IPP1(b) ‘necessary for or directly related to ..’

NSW s8 - ‘reasonably necessary for …’

HK DPP 1 (c) ‘adequate but not excessive in relation to …’

What is ‘necessary’ depends on deemed purpose

Tenants’ Union v TICA Determination 4/2004 - PComm: ‘necessary’ ‘requires consideration of whether or not it is clearly appropriate and relevant to the functions or activities of the organisation’ - can they be done without it? - how sensitive is the information? - Found the Enquiries Database was necessary, without considering the overall privacy detriment that its operation might cause.

35

Minimal collection (2)

Examples

Data not needed now, only potentially in future

Whole documents collected when extracts would do, or merely a notation that document sighted

N v Private Insurer [2004] PrivCmrA 1 - Insurer’s form authorising any health provider to disclose any health information to the insurer (whether related to claim or not) was excessive

Union complaints of company’s introduction of finger-scanning of employees as unnecessary and ‘overkill’ dismissed by NZ PC: [2003] NZPrivCmr 5

HK PC enquiry 2005 ‘discourages’ fingerprint recognition device to record attendance at work - good discussion

Search FOI & Privacy Project for ‘collect* near necessary’ for other examples

36

Minimal collection (3) - Anonymity

Anonymity principle - only in the NPPs?

NPP 8 Anonymity: ‘Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.’

Anonymity and minimum collection

Is an anonymity principle implied by the minimal collection requirement? Or is it narrower?

Can ‘not excessive’ personal data require ‘no personal data at all’? Under what circumstances?

Or is there normally a right to ‘know your customer’?

E.g. Does HK DPP 1 mean that Octopus is required to continue to offer the option of an anonymous card? What is to stop it ‘reinventing’ itself with a new business model involving marketing to all Octopus users?

37

Anonymity (2)

ALRC Report 108, R20-1:

New UPP 1 to apply to private and public sectors

Expressly includes 'pseudonymity' (accepting CLPC Submissions DP72-13 & 14, including removal of 'not misleading' from DP72 proposal)

P v Health Service Provider [2008] PrivCmrA 16 – NPP8 not considered in context of patient's request for deletion of record before consultation

38

Minimal collection - Anonymity (3)

Is it a breach of NPP 8 to build systems which make anonymity impracticable?

Does NPP8 require anonymity to be ‘designed in’?

Wykanak v Dept Local Govt [2002] NSWADT 208 (summary) - ADT could not review a complaint of an anticipated breach of a NSW IPP

FH v NSW Dept Corrective Services [2003] NSWADT 72 - No breach of security where it would cost millions for Dept to log accesses

Compare Cth IPPs or NPPs - s98 Injunctions available where ‘a person … is proposing to engage in any conduct that … would constitute a contravention of this Act’

39

Fair collection requirements

Statutory requirements - similar

NPP 1 requires lawful, and fair means, prohibits unreasonably intrusive means

Applies to 3rd party collections

Cth IPP 1.2 requires lawful and fair means

prohibits unreasonably intrusive collection where info. solicited (including from 3rd parties), but not where observed or extracted

NSW prohibits unlawful (s8) and unreasonably intrusive means (s11); but not unfair means

HK DPP 1(2) requires lawful and fair means

40

Fair collection (2)

Lawful means

Irrespective of lawful purpose, means of collection may breach statute (eg surveillance law) or common law (eg breach of confidence)

Interaction with surveillance laws significant here

If disclosure by data provider is unlawful, can the collection by the recipient be fair (or lawful)?

Discussed under Use & Disclosure topic

41

Fair collection (3)

Fair means

Deception and undue pressure most important

Examples in Cth PC draft Guidelines (Dixon p2,063)

‘Not intrusive’ may be encompassed by ‘fair means’

Does this mean ‘objectively fair to the data subject’ or ‘subjectively fair by the collector’?

UK case takes first view, which seems correct

Fairness of covert data collection

Hong Kong PCO examples held unfair

HKPCO ‘Hongkong Post pinhole camera’ s48(2) Report

Harder (NZ) - restrictive approach - only ‘to prevent people from being induced by unfair means into supplying information which they would otherwise not have supplied’

L v Tertiary Institution [2004] VPrivCmr 6 - L not informed of email monitoring at work - settled by agreement to review policy

42

Fair means - examples

‘Blind’ employment advertisements - of considerable concern to HKPCO

Finding #10, 2001 CanLII 21538 (P.C.C.) Trucking company collected personal information intended for Canada Customs; held threatening employees with loss of their jobs was not a fair means of collection.

Finding #106, 2002 CanLII 42350 (P.C.C.) - Airline requiring Canadian pilots to complete US form that did not meet collection standards in order to obtain US training, at risk of loss of jobs, was unfair collection

Employee objects to employer's hidden tape recording in theft investigation - (Case Note 16479) [2001] NZPrivCmr 6- held unfair collection as employee was unaware of seriousness of interview

43

Special rules for 'sensitive' information

Sensitive information Principles

Some IPPs have special Principles for defined information (medical, political etc)

Eg NPP 10, NSW s19(1) (only re disclosure); Cth IPPs and HK do not

Spent convictions laws

All Aust jurisdictions have old conviction laws (except Victoria)

HK Rehabilitation of Offenders Ordinance may prevent some collection

44

Sensitive information (2)

ALRC Report 108 recommends consent requirement in collection principle UPP2 for sensitive information, but generous exceptions (R22-2 & 22-3)

CLPC Submission DP72-20 to 22 – argued for narrower exceptions

NSWLRC CP3 – Issue 30