Slide 1: Security and related IPPs (Retention and Disposal)
Privacy and Surveillance
Nigel Waters & Graham Greenleaf
Last updated October 2008

Slide 2: Security and related IPPs
LAWS 3037 Data Surveillance & Information Privacy Law
- Security
- Retention
- Destruction/Disposal

Slide 3: Security principles - sources
- Waters, Greenleaf and Roth (2007) 'Interpreting the Security Principle, v.6', UNSW: includes many examples of complaints (Materials) (cited herein as Waters, Greenleaf and Roth, 2007)
- Aust Privacy Commr Info Sheet 6, Security (2001): sets out a long list of Australian and international standards that may apply
- ALRC Report 108, Chapters 28, 51 & 58

Slide 4: Security principles - provisions
- Cth IPP 4
- Private sector NPP 4.1
- NSW s12(b)-(d)
- HK DPP 4
- ALRC Proposed UPP 8

Slide 5: Security principles - scope
- All require security from misuse and loss and from unauthorised access, modification or disclosure, so internal and external threats, and mere negligence, are covered
- All only require 'reasonable steps' or 'practicable steps'

Slide 6: Security – reasonable steps?
"When considering reasonableness in the security context, factors which may be relevant include:
- the workability of the safeguards
- the cost of the safeguards
- the risks involved
- the sensitivity of the information and
- the other safeguards in place."
Source: OECD Information Security Guidelines 1992, cited by NZ Privacy Commissioner in [2003] NZPrivCmr 22 (Case Note 28351)

Slide 7: Security – different aspects
- physical security
- computer and network security
- communications security
- personnel security
Source: OFPC Guidelines to the National Privacy Principles, September 2001, Guidelines to NPP 4.

Slide 8: Security principle - example
- Hong Kong has an unusually detailed security principle
- DPP 4 requires 'All practicable steps … to ensure … protected against unauthorized or accidental access, processing, erasure or other use'
- DPP 4 includes (as if personal data) data to which access is not practicable
- Lists 5 factors to which data users must have 'particular regard' - reflects standard criteria:
  (a) kind of data and possible harm ('harm test')
  (b) physical location (and whether security is appropriate to it)
  (c) technical security measures
  (d) personnel integrity etc measures
  (e) communications security measures

Slide 9: Security breach examples
Possible examples of breaches:
- If hackers access data, data user may be liable for inadequate security - supplements computer crime laws: sue the company, not the hacker
- Mailouts in error of sensitive data
- Accidental destruction of data valuable to a person
- Security which destroys other privacy interests will not be 'practicable'
- Lax practices with cleaners etc
- Personal files are regularly found at kindergartens and tips
- Unencrypted data on mobiles: 63,000 mobile phones, 6,000 pocket PCs and 5,000 PCs left in London cabs in 6 months (UK Taxi survey 2005, 21 (2) CLSR 95-97)

Slide 10: Security - Factors (1)
- Internet information – requires cooperation to remedy
  - E v Statutory Entity [2003] VPrivCmr 5 - audit trail failed to record access to customer account - settled
  - Complainant AD & Others v The Department [2006] VPrivCmr 5
- Not an absolute
  - Cannot guarantee 100% security
- Other interests – may require higher standard
- Proportionality

Slide 11: Security - Factors (2)
- Role of standards
  - Mixed benefit – may or may not be adequate
  - OECD Information Security Guidelines 1992, revised 2002
- Risk assessment

Slide 12: Security - Factors (3)
- Security requirements in other legislation
  - In Australia, ASIC and APRA
  - APRA Superannuation Guidance Note 140.1, paragraph 19
- Action by other regulators, e.g. UK FSA v Nationwide Building Society 2006 – 1 million pounds fine for inadequate security leading to loss of laptop containing customer data

Slide 13: Security - Factors (4)
- Inadvertent collection for security reasons
- Common access facilities
  - W v Public Library [2005] VPrivCmr 5
- Special protection for sensitive information
  - NZ & Canadian cases in Waters, Greenleaf & Roth, page 15
- 'Need to know'
- Access control – minimum standards
- Logs and audit trails
  - E v Financial Institution [2003] PrivComrA 3 - audit trail failed to record access to customer account - settled
  - FH v NSW Dept Corrective Services [2003] NSWADT 72; Summary [2003] NSWPrivCmr 1 - Equivocal on whether breach of security principle where it would cost millions for Dept to change system to log accesses
  - But remember employee privacy - balance
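The slide's 'need to know' access control and 'logs and audit trails' factors are easiest to see as one mechanism: a read of a customer account is refused unless the staff member is on that account's need-to-know list, and the attempt is written to an audit trail whether or not it was permitted, so that the question "who looked at my account?" can always be answered (the gap in E v Financial Institution was an audit trail that did not record an access). The code below is an added example, not from the slides or the cases; every staff name, account and ACL entry is constructed.

```python
"""Need-to-know access control backed by an audit trail that records every
attempt to read a customer account, granted or refused.

Added example, not from the slides. All names, accounts and ACL entries are
constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class AuditEntry:
    when: str        # ISO-8601 UTC timestamp
    actor: str       # staff identifier
    account: str     # customer account looked up
    granted: bool    # whether the read was permitted
    reason: str      # why it was permitted or refused


@dataclass
class AccountStore:
    records: Dict[str, dict]          # account id -> customer record
    acl: Dict[str, Set[str]]          # actor -> accounts they may read
    audit: List[AuditEntry] = field(default_factory=list)

    def _log(self, actor: str, account: str, granted: bool, reason: str) -> None:
        # Append-only: nothing in this class edits or removes an entry.
        self.audit.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), actor, account, granted, reason))

    def read(self, actor: str, account: str) -> Optional[dict]:
        """Return a copy of the record if actor may see it; log the attempt either way."""
        if account not in self.records:
            self._log(actor, account, False, "no such account")
            return None
        if account not in self.acl.get(actor, set()):
            self._log(actor, account, False, "not on need-to-know list")
            return None
        self._log(actor, account, True, "permitted")
        return dict(self.records[account])


def accesses_to(store: AccountStore, account: str) -> List[AuditEntry]:
    """Everyone who tried to look at one customer's account: the question a
    complainant asks, and the one an audit trail must be able to answer."""
    return [e for e in store.audit if e.account == account]


def refusals_by(store: AccountStore, actor: str) -> List[AuditEntry]:
    """Refused attempts by one actor. A run of these is worth a review,
    balanced against employee privacy as the slide notes."""
    return [e for e in store.audit if e.actor == actor and not e.granted]


def demo_store() -> AccountStore:
    """Constructed sample data: two staff, three accounts, a narrow ACL."""
    return AccountStore(
        records={
            "ACC-1001": {"name": "Customer A", "balance": 120.50},
            "ACC-1002": {"name": "Customer B", "balance": 9800.00},
            "ACC-1003": {"name": "Customer C", "balance": 42.00},
        },
        acl={
            "staff.alice": {"ACC-1001", "ACC-1002"},   # handles A and B only
            "staff.bob": {"ACC-1003"},                 # handles C only
        },
    )


def run_demo() -> AccountStore:
    """Four lookups: two permitted, two refused; all four are in the trail."""
    store = demo_store()
    store.read("staff.alice", "ACC-1001")   # permitted
    store.read("staff.bob", "ACC-1001")     # refused: not on bob's list
    store.read("staff.bob", "ACC-9999")     # refused: no such account
    store.read("staff.bob", "ACC-1003")     # permitted
    return store


if __name__ == "__main__":
    s = run_demo()
    for e in accesses_to(s, "ACC-1001"):
        print(e.when, e.actor, "GRANTED" if e.granted else "REFUSED", e.reason)
```

The design point is that logging happens before the decision is returned, on every path, including the "no such account" path; an audit trail that only records successful reads is the failure the slide describes.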

Slide 14: Security - Factors (5)
- Human (personnel) security
  - Confidentiality deeds
  - Training
  - B v Victorian Government organisation [2003] VPrivCmr 2 - $25,000 compensation settlement when agency disclosed complainant's new address to ex-spouse 'across the counter' despite known risk
  - Canadian & NZ cases in Waters, Greenleaf & Roth pp 19-21
- Enforcement
  - disciplinary action
  - dismissal
  - Prosecution

Slide 15: Security - Factors (6)
- Relationship with disclosure
  - Does unauthorised disclosure necessarily mean a breach of security?
  - Can authorised actions involve a security breach?
  - HK, Austn & NZ cases
- Liability?
  - Vicarious liability by employer?

Slide 16: Security - Factors (7)
- 'Standing' for security complaints
  - Only affected individual, or also third party?
  - When is someone 'affected'? - only when actual breach, or also prospective?

Slide 17: Security - Factors (8)
- Communications Security
  - Austn, NZ, Canadian and HK cases in Waters, Greenleaf & Roth pp 25-27
  - Data security - encryption?
  - Fax
  - Postal/courier

Slide 18: Security - Factors (9)
- Security obligations when contracting
  - Emphasised in international instruments
  - Express requirements in some Australian privacy laws: PA s.8(1) and 95B; IPA s.9(1)(j) and s.17 (an agency can expressly transfer the obligations by contract); PPIPA s.4(4)(b).

Slide 19: Security - Factors (10)
- Programming errors and multiple breaches
  - Australian PC own-motion investigations in mid 1990s: ATO, DSS, DVA, DET, private sector
  - Potential for representative complaints
- Access control must be managed
  - L v Commonwealth Agency [2003] PrivComrA 10 - Agency client provided password to be used to identify him; agency failed to ask for it
  - Other cases in Waters, Greenleaf & Roth p 31

Slide 20: Security principle: Australian reform proposals
- ALRC Report 108 (2008) Chapter 28
  - UPP 8.1(a) – replicates NPP 4.1, but applies to both organisations and agencies
  - OPC Guidance on 'reasonable steps' (Recommendation 28-3)
  - No need for any specific additional obligations in relation to third parties
- For commentary, see Greenleaf, Waters & Bygrave, CLPC Submission to ALRC on DP 72, '11.2. Data security proposals', Dec 2007
- Waters & Greenleaf commentary on proposed UPPs at Symposium, 2 Oct 2008

Slide 21: Security principle - HK
Hong Kong examples - Complaints to PCO held to breach DPP4 (security):
- Faxing details of donation to estate office (AR 5/05)
- Newspaper publication of address of complainant, endangering him, not a breach of DPP4; DPP3 (disclosure) was the only DPP relevant (AAB appeal 4/00)
- Insurer sending insurance policies for 3 people to the address of one of them
- Unsealed letters of demand sent to neighbours' addresses
- Law firm's messenger allowed duplicate cover sheet of divorce process to be read by others at workplace while waiting to serve process: [1998] HKPrivCmr 8
- Law firm left trial bundle in gap between litigant's metal gate and door: [2003] HKPrivCmr 8
- See other examples in McLeish & Greenleaf chapter in Berthold & Wacks

Slide 22: Security principle – HK (continued)
- Security managers in apartment blocks required to destroy data on visitors after a reasonable period: [1998] HKPrivCmr 4
Hong Kong examples concerning ID cards:
- Mobile phone Co. made first 6 numbers of ID card the default password for call data, billing etc information; debt collector accessed data and harassed complainant and friends; held breach of DPP 4: [2003] HKPrivCmr 3
- Disclosure of ex-employee ID numbers in faxes to customers
- Bank and dept. store jointly responsible for printing error disclosing ID nos. in mailout

Slide 23: Data Breach Notification - History
- Response to identity crime
- 44 US States + Ontario legislated requirements
- Now under consideration around the world: Canada, UK, Australia
- Guidelines, pending legislation

Slide 24: Data Breach Notification - Guidelines
- Canadian model law (CIPPIC, 2007)
- Victorian Privacy Commissioner Guide: Responding to Privacy Breaches, May 2008
- Australian Privacy Commissioner Guide to handling personal information security breaches, August 2008

Slide 25: Data Breach Notification - Proposals - Australia
- ALRC Report 108 Chapter 51
- Recommendation 51-1 - New part of Act (not a principle)
- Requirement to notify Commissioner and affected individuals if:
  - actual or suspected breach = acquisition of specified information by unauthorised person
  - AND agency, organisation or Commissioner believes real risk of serious harm (specified factors)
- 'Specified information' = particular combinations of personal and sensitive(?)

Slide 26: Data Breach Notification - Proposals – ALRC proposal (continued)
- Harm factors:
  - Whether encrypted adequately
  - Whether acquired in good faith by employee or agent and acting for a permitted purpose
- Privacy Commissioner can waive requirement to notify individuals
- Civil penalty for failure to notify Commissioner
- For commentary, see Greenleaf, Waters & Bygrave, CLPC Submission to ALRC on DP 72, '15.1. Possible new UPP - Security breach notification', Dec 2007
- Waters & Greenleaf commentary on proposed UPPs at Symposium, 2 Oct 2008

Slide 27: Retention / disposal principles - sources
- Waters and Greenleaf (2006) 'Interpreting Retention and Disposal Principles, v.1'
- Aust Privacy Commr Info Sheet 6, Security (2001)
- ALRC Report 108, Chapters 28 & 58

Slide 28: Retention / disposal principles (2)
Provisions:
- HK DPP 2(2) and s26
- Cth IPPs - none
- Private sector NPP 4.2: 'reasonable steps to destroy or permanently de-identify … if it is no longer needed for any purpose' allowed under NPP 2
  - Test of 'permanent de-identification' is whether it is no longer 'personal information'
- NSW s12(a) - similar to NPP 4.2

Slide 29: Retention / disposal principles (3)
- Private sector – mandatory retention
  - Tax records – typically 5 years
  - AML/CTF – 7 years - Guidance Note 08/04
  - Telco/ISP records? EU data retention Directive 2006/24
- Public sector complicated by Public Records/Archives requirements
  - Uncertain interaction with privacy law
  - GR v Department of Housing [2003] NSWADT 268

Slide 30: Retention / disposal principles (4)
- Need for a policy?
- Tenants' Unions v TICA [2004] PrivCmrACD 3 - Failure to delete or remove old tenancy information was a breach of NPP 4.2; PC 'recommended' TICA:
  - Delete 'history' information in Tenancy History Database after four years;
  - Delete 'application' information in Enquiries Database after three years; and
  - Delete information moved to 'dead tenant database' (i.e. a database which stores deleted listings – for use in case of errors) not less than once a month
- FH v Commissioner, NSW Dept of Corrective Services [2003] NSWADT 72 - missed opportunity to require a policy
- Canadian cases to contrary – support TICA Determination
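The three deletion rules the Privacy Commissioner recommended to TICA are concrete enough to be enforced and checked mechanically, which is what a retention policy of the kind the slide asks for comes down to in practice. The code below is an added example, not from the slides and not TICA's own system: it takes the limits stated on the slide (four years for 'history' listings, three years for 'application' listings, and a purge of the 'dead tenant' database at least monthly), treats "once a month" as 31 days (an assumption), and runs them over constructed sample listings against a fixed 'today'.

```python
"""Retention-schedule check modelled on the rules stated on slide 30.

Added example, not from the slides and not TICA's own code. Limits come from
the slide; the 31-day reading of "once a month", the listing data and the
dates are assumptions constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

RETENTION_YEARS: Dict[str, int] = {"history": 4, "application": 3}
DEAD_DB_PURGE_MAX_DAYS = 31     # "not less than once a month" (assumed: 31 days)
DEMO_TODAY = date(2008, 10, 1)          # constructed reference date
DEMO_LAST_PURGE = date(2008, 8, 15)     # constructed: last dead-database purge


@dataclass(frozen=True)
class Listing:
    listing_id: str
    database: str      # "history", "application" or "dead"
    recorded_on: date  # for "dead" entries: date moved into the dead database


def years_before(d: date, years: int) -> date:
    """Same calendar date `years` earlier; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def is_expired(listing: Listing, today: date) -> bool:
    """True when a live listing has reached its retention limit."""
    years = RETENTION_YEARS.get(listing.database)
    if years is None:
        return False          # the dead database is governed by the purge rule
    return listing.recorded_on <= years_before(today, years)


def apply_retention(listings: List[Listing], today: date) -> Tuple[List[Listing], List[Listing]]:
    """Split live listings into those kept and those moved to the dead database
    (kept there, per the slide, only so that errors can be reversed)."""
    kept, dead = [], []
    for item in listings:
        if is_expired(item, today):
            dead.append(Listing(item.listing_id, "dead", today))
        else:
            kept.append(item)
    return kept, dead


def dead_purge_overdue(last_purge: Optional[date], today: date) -> bool:
    """True when the dead database has not been purged within the last month."""
    if last_purge is None:
        return True
    return (today - last_purge).days > DEAD_DB_PURGE_MAX_DAYS


def retention_report(listings: List[Listing], last_purge: Optional[date],
                     today: date) -> Dict[str, int]:
    """Count live listings that should already have been deleted, per database,
    and flag an overdue dead-database purge (1) or not (0)."""
    report = {"history": 0, "application": 0,
              "dead_purge_overdue": int(dead_purge_overdue(last_purge, today))}
    for item in listings:
        if item.database in RETENTION_YEARS and is_expired(item, today):
            report[item.database] += 1
    return report


def sample_listings() -> List[Listing]:
    """Constructed sample data, judged against DEMO_TODAY (2008-10-01)."""
    return [
        Listing("H-1", "history", date(2004, 3, 15)),      # over 4 years old: expired
        Listing("H-2", "history", date(2006, 6, 1)),       # kept
        Listing("A-1", "application", date(2005, 9, 30)),  # over 3 years old: expired
        Listing("A-2", "application", date(2005, 10, 1)),  # exactly 3 years: expired
        Listing("A-3", "application", date(2007, 1, 1)),   # kept
    ]


if __name__ == "__main__":
    print(retention_report(sample_listings(), DEMO_LAST_PURGE, DEMO_TODAY))
    kept, dead = apply_retention(sample_listings(), DEMO_TODAY)
    print("kept:", [k.listing_id for k in kept], "moved to dead db:", [d.listing_id for d in dead])
```

The report is the compliance artefact: a non-zero count for a live database, or an overdue purge flag, is exactly the failure found in the TICA determination, and running it on a schedule is the "policy" the slide says was missing.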

Slide 31: Retention / disposal principles (5)
- Deletion under Correction principle
  - May override general policy
- Technology issues
  - Difficulty once publicly available, e.g. on Internet
  - E v Statutory Entity [2003] VPrivCmr 5
  - Complainant AD & Others v The Department [2006] VPrivCmr 5

Slide 32: Retention / disposal principles: Australian reform proposals
- ALRC Report 108 Chapter 28
  - UPP 8.1(b) - Destroy or render non-identifiable
  - See definition of personal information
  - Apply to agencies, but express priority for Archives Act retention requirements (UPP 8.2)
  - OPC Guidance (Recommendation 28-5)
- For commentary, see Greenleaf, Waters & Bygrave, CLPC Submission to ALRC on DP 72, '11.3. Non-retention (destruction or non-identifiability)', Dec 2007
- Waters & Greenleaf commentary on proposed UPPs at Symposium, 2 Oct 2008

Slide 33: Retention / disposal principles (6)
Other jurisdictions:
- NZ - Commissioner opinion supported retention of information on dismissed employees for 5 years
- Canada – Commissioner noted 2 year retention policy for employment records
- UK - 2005 Information Tribunal case on criminal records retention

Slide 34: Retention / disposal principles (HK)
- Hong Kong DPP 2(2) and s26
- DPP 2(2): 'Personal data shall not be kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data are or are to be used'.
- Keeping for the purpose of some exception not allowed
- Only says 'personal data' shall not be kept - what if made inaccessible? what if de-identified? Is DPP 2(2) satisfied?

Slide 35: Retention / disposal principles (HK)
- HK DPP 2(2) is supplemented by s26 (titled 'Erasure of personal data no longer required')
  - Says 'A data user shall erase personal data …'
  - Doubtful if data can be made inaccessible or de-identified in the face of this explicit provision
- S26 has 2 exceptions:
  - '(a) any such erasure is prohibited under any law' - Archives laws etc will override DPP 2(2)
  - '(b) it is in the public interest (including historical interest) for the data not to be erased.' - Question of public interest is a question of law, not of good faith belief
- S26(3) protects any joint controller against suits by other controller because of erasure of data

Slide 36: Retention / disposal principles (HK)
Hong Kong DPP 2(2) and s26 - Examples of appeals to AAB against PCO:
- [1999] HKPrivCmrAAB 3: Telecomms Co. retained customer details for 180 days after suspension of service, in case of reconnection - no breach
- Pursuant to DPP 2(2), Consumer Credit Code requires data deletion 5 years after 'final settlement' - raised issues of how this applied to bankruptcies, but not necessary to decide (7/01)
