|
|
Home
| Databases
| WorldLII
| Search
| Feedback
Privacy Law Resources |
Working Draft by Graham Greenleaf & Nigel Waters
Asia-Pacific Privacy Charter Initiative
Baker & McKenzie Cyberspace Law and Policy Centre
University of New South Wales Faculty of Law
3 September 2003
Please cite as “G Greenleaf & N Waters The Asia-Pacific Privacy Charter, Working Draft 1.0, [2003] PrivLRes 1, Baker & McKenzie Cyberspace Law and Policy Centre, 3 September 2003”
Status of this document
Contents
People value privacy. They expect that their rights to privacy will be recognised and protected.
'Privacy' is widely used to refer to a group of related rights which are accepted nationally and internationally. People have rights to the privacy of their own body, private space, freedom from surveillance, privacy of communications, and information privacy.
This Charter expresses these rights in the form of 'privacy principles'. Privacy Principles address both the rights that each person is entitled to expect and protect, and the obligations of organisations and others to respect those rights.
A free and democratic society requires respect for the autonomy of individuals, and requires limits on the power of both state and private organisations to intrude on that autonomy.
Privacy is a value which underpins human dignity and other key values such as freedom of association and freedom of speech. It is a fundamental human right[1].
Privacy is formally recognised as a right in the laws of only some countries. Even where recognised, privacy protections and limitations on surveillance are being progressively undermined by technological and administrative changes. New forms of protection are therefore required.
Privacy is the reasonable expectation of every person. It should not be assumed that a desire for privacy means that a person has ‘something to hide’. [2] People who wish to protect their privacy should not be required to justify their desire to do so.
Although the principles have universal application[3], other public interests justify some interferences with privacy, and consequently some modifications of these Principles in particular contexts. The Charter does not attempt to specify in detail where this may occur. The onus is on those who wish to interfere with privacy to justify doing so.
The following Privacy Principles are a general statement of the privacy protection that people should expect to see observed by both the public and private sectors. They are intended to act as a benchmark against which the practices of business and government, and the adequacy of legislation and codes, may be measured. They inform people in countries of the Asia-Pacific of the privacy rights that they are entitled to expect, and should observe.
Technologies, administrative systems, commercial services or individual activities with potential to interfere with privacy should not be used or introduced unless the public interest in so doing outweighs any consequent dangers to privacy[4].
Justifications should also take into account the sensitivity to individuals or classes of persons of particular actions or information[5].
[No separate 'Sensitive Information Principle' is included[6] - this needs consideration]
The extent of any interferences with privacy must be minimum necessary to protect the other public interests that justify the interference with privacy[7].
Modifications to the Principles for particularly contexts must be clearly stated, made in accordance with law[8], proportional to the necessities giving rise to the modification, and compatible with the requirements of a democratic society[9].
Where serious interferences with privacy are proposed, organisations must publicly demonstrate justification and proportionality[10].
[Whether there is a 'Harm Principle' needs consideration here[11]]
For some Principles[12], individual consent justifies actions that would otherwise not comply with the Principle. Where consent is relied upon, it must be freely-given, informed, variable and revocable. Consent is meaningless if people are not given full information, or have no option but to consent in order to obtain a benefit or service.
For Principles where consent normally applies, there are exceptional situations where consent may be insufficient justification[13].
An organisation is accountable for its compliance with these Principles and must ensure that an identifiable person is responsible for ensuring that the organisation complies with each Principle[14].
Organisations must have a policy of openness about the existence and operation of technologies, administrative systems, services or activities with potential to interfere with privacy[15], including in relation to all matters in Parts II, III and IV of this Charter[16].
Organisations should take reasonable measures to enable any person to find out what categories of personal information are held by the organisation, the purposes for which it is held, to whom it is disclosed, any authority under which it is held, and how it can be accessed and corrected[17].
People should not be denied goods or services or offered them on unreasonably disadvantageous terms (including higher cost) in order to enjoy the rights described in this Charter [18].
The provision of reasonable facilities for the exercise of privacy rights should be a normal operating cost[19].
Where an organisation refuses to comply with one of these Principles, it must provide a statement of reasons to the person concerned[20].
People must have the option of not identifying themselves when conducting transactions or of identifying themselves using pseudonyms, where consistent with the nature of the transaction[21].
An organisation must not create information systems which do not allow anonymity or pseudonymity unless it is not possible for it to otherwise achieve its lawful purposes[22].
An organisation must not collect personal information except where it is necessary[23] for a lawful purpose directly related to its[24] functions or activities[25]. The purposes must be documented at the time of collection[26], except to the extent they are obvious.
[Issue of whether collection must be for inclusion in a record to be considered]
Collection must be by lawful and fair means[27] and not unreasonably intrusive[28]. Collection must not be by covert means except in compliance with Part III of this Charter.
The person concerned must be given notice of the purpose of collection (including intended recipients), fact of collection, identity of the organisation, authority for collection, and consequences of non-provision, at the time of collection[29].
Collection must be directly from the person concerned, unless the person has consented to collection from someone else[30].
Where personal information is collected from someone else, reasonable steps must be taken to ensure that person concerned is aware of the matters normally notified at the time of collection[31]. These steps must be taken as soon as practicable and before the information is used[32].
An organisation must not assign identifiers to individuals except where necessary for its functions or activities[33]. Organisations must take care when assigning identifiers[34].
Organisations must not adopt the identifier of another organisation, unless this sharing is publicly justified and authorised by law[35].
Organisations shall not require a person to disclose an identifier assigned to them unless the disclosure is for a purpose for which the identifier was assigned[36].
At the times of collection, use or disclosure, personal information should be accurate, complete, up-to-date, relevant and not misleading, having regard to its proposed use[37].
Personal information should only be used, or disclosed, for the purposes specified at the time of collection, except if used or disclosed for other purposes authorised by law, or with the consent of the person concerned, [or for a purpose directly related to the purpose of collection and within the reasonable expectations of the person concerned[38].] [Stricter approach is with consent only[39].- for consideration]
If personal information is disclosed, the recipient organisation must not use or disclose the information for a purpose other than the purpose for which the information was given to it[40].
[Change of information controller principle[41] needs consideration.]
An organisation must not transfer personal information to a place outside the jurisdiction in which it is located unless there is in force in that jurisdiction a law embodying principles substantially similar to these Principles[42], or with the consent of the person concerned, or the organisation has taken all reasonable steps to ensure that the personal information will be dealt with in accordance with these Principles in that place and continues to be liable for any breaches of these Principles[43].
People should have a right to access personal information held by organisations about them, and to obtain corrections to ensure its information quality.
The right of access includes the right to obtain details of uses and disclosures of the person's information, information deleted, information held[44], and the logic of any automated processes to which this information may be subject[45].
[Reasons for decisions - possible addition needs discussion[46]]
The right of correction includes a person's right to add a brief annotation to a record about them if the organisation refuses to make corrections requeste[47]. The right of correction is independent of the right of acces[48].
Where this Principle is modified to exclude direct access by individuals in particular contexts, an intermediary acceptable to both the organisation and the person concerned must be able to exercise the person's rights of access and correction on the person's behalf, consistent with the grounds of modification[49].
Where information is corrected the organisation must give the person concerned the option to have recipients of the uncorrected information informed of the corrections[50].
Organisations should keep personal information no longer than is necessary for the purpose for which it was collected[51], and it should then be destroyed or made anonymous[52].
Where a person revokes his consent to the continuing retention and use of his personal information by an organisation, the information must be destroyed or made anonymous unless the interests of the organisation or other public interests outweigh the interests of the person concerned[53].
Where access to personal information is provided by a public register, any modifications to these Principles must be limited to the extent required by the purpose for which public access is provided[54].
An organisation must not disclose information in a public register unless it is satisfied that the information is to be used for the purpose for which the register is provided[55].
Provision should be made for non-disclosure in particular contexts where other public interests outweigh the interest in disclosure[56].
Organisations and users of public registers must not provide access to the information by methods which are not consistent with the purpose for which the register is provided.[57]
Organisations should protect personal information against unauthorised or accidental access, use, modification, loss or disclosure, or other misuse, by security safeguards commensurate with its sensitivity, and adequate to ensure compliance with these Principles[58].
An organisation must not make a decision adverse to the interests of an individual based on automated processing, without the prior review of that decision by a human[59].
An organisation must take reasonable care not to allocate identifiers properly allocated to one person to any other person, or to accept those identifiers from any other person.
An organisation must take reasonable care not to deny that any person has the identity or is entitled to use identifiers properly allocated to them.
An organisation must not give publicity to a matter concerning the private life of a person, if the disclosure in extent and content is of a kind that would be seriously offensive and objectionable to a reasonable person of ordinary sensibilities and the organisation knows or ought to know that such disclosure is seriously offensive and objectionable to such a person[62].
Organisations should not undertake surveillance of any person except in accordance with the Principle of justification and proportionality.
Where surveillance is justified, an organisation should only use covert surveillance if it cannot achieve its lawful purposes by overt surveillance.
An organisation should not undertake overt surveillance of persons without taking reasonable steps to ensure they are aware of the surveillance before being subjected to it. Organisations must ensure that persons under surveillance are aware of all occasions when surveillance occurs, the identity of the surveillance user and the method of surveillance.
If an organisation carries out surveillance without complying with this Principle, it is undertaking covert surveillance[64].
An organisation must not carry out covert surveillance unless[65] it first obtains the approval of an appropriate independent arbiter, who must not approve the proposed covert surveillance unless satisfied that it will comply with these Principles[66].
Organisations should be required to keep sufficient records of the occurrence and purpose of their use of covert surveillance. Such records should be provided to an appropriate supervisory authority, which should also make sufficient details available to the public to ensure accountability.
Persons subject to covert surveillance should be notified that this has occurred once there is no longer any justification for subjecting them to covert surveillance[67].
Surveillance users must ensure all aspects of their surveillance system are secure against misuse, and are liable for their misuse.
Information obtained through surveillance of persons is to be treated as personal information and is subject to Part III of these Principles.
[To be added - refers to the problem of surveillance by organisations outside the jurisdiction in which the person is located]
A organisation should not intentionally or recklessly intrude, physically or otherwise, upon the solitude or seclusion of another or into his private affairs or concerns, wherever the intrusion is seriously offensive and objectionable to a reasonable person of ordinary sensibilities[69].
Interferences with a person's bodily privacy such as searches of a person, and measurement or monitoring of a person's characteristics or behaviour through bodily samples, physical or psychological measurement, require a very high degree of justification under the Principle of justification and proportionality[70].
The use of biometric technologies requires prior public justification, except for the non-automated use of traditional biometrics (signatures, photographs, and textual descriptions of physical characteristics).
Organisations should not make automated use of biometrics without prior approval of a competent public authority, after prior public justification, and after the design of comprehensive privacy safeguards for the particular application[72].
Biometric measures of persons must not be stored centrally.
Organisations must not capture biometric measures unless they have the consent of the person concerned or express authorisation by law[73].
People have a right to private space in which to conduct their personal affairs. This right applies not only in a person's home, but also, to varying degrees appropriate to the context, in the workplace, in the use of recreational facilities and in public places[74].
Organisations must not intrude unreasonably into such private space. In particular, the search of private spaces must be authorised by law[75].
People have a right to private cyberspace and communications.
[Principles concerning telecommunications interception, and search and seizure of computer storage, need to be added here.]
[Consideration needed of Principle providing greater personal control of person location technologies[76]]
[Consideration needed of general Principle providing limits on intrusion by unsolicited communications[77]]
The Principles in this part are directed at the State as the party with the principal responsibility to ensure the implementation and enforcement of the Principles contained in this Charter.
States must implement and enforce these Principles by law[78].
In addition to implementation by law they may be implemented by other secondary means, but these secondary means must not be a replacement for implementation and enforcement by law except with the consent of the person whose privacy has been affected[79]. [Alternative means of achieving co-regulation could be indicated here.]
States must require procedures sufficient to ensure that the Principles in this Charter are implemented by the organisations required to implement them, and understood by citizens.
The appropriate procedures will vary between countries, depending on the social, legal, administrative and commercial customs prevailing.
[Supplementary means of implementation and supervision which are considered effective , in addition to the two below, could be indicated here. These may include audits, other forms of inspection, required reports, education campaigns etc.]
States must create a public body with scope, legal powers, resources and independence, to effectively ensure that privacy interests are fully represented, to investigate complaints of non-compliance with these Principles, and take action against organisations that breach them.
The supervisory body must be independent from direction by any other body in how it carries out its functions. [Alternative means of achieving independence should be indicated here.]
States must require that each proposal to take actions that have potential to interfere seriously with privacy (as determined by an independent body[80]) must be the subject to a Privacy Impact Assessment (PIA). [81]
A PIA must include appropriate consultative processes, study of the potential negative impacts on privacy, justification of those impacts, and efforts to avoid or ameliorate them.
States must ensure that sufficient remedial procedures and remedies are available to deal with breaches of the Principles. The appropriate methods of providing remedies will vary between countries, depending on the social, legal, administrative and commercial customs prevailing.
The minimum requirements for sufficient remedies are as follows. The supervisory body, an administrative body or a Court, or a combination of these bodies, should be able to investigate the complaint in a private and inexpensive fashion, should be able to mediate, and should be able to make a binding decision on the basis of which is granted compensatory damages, and/or correction orders.
[Possible 'harm minimisation' Principle[82] needs consideration here]
[Added here should be details of other and supplementary means of enforcement which have proved to be effective, possibly including enforcement orders by supervisory authorities, and criminal offences.]
People must take reasonable care to make themselves aware of the risks involved in dealing with their own personal information, and to take reasonable preventative measures to minimise those risks[83] If a person fails to take reasonable care and this contributes to any damage they suffer through an interference with privacy, the remedies to which they would otherwise be entitled may be reduced where appropriate.
Where public bodies or co-regulatory bodies investigate privacy complaints there must be a right of appeal on all grounds by either party to a Court[84].
Where public bodies or co-regulatory bodies investigate privacy complaints they should be required to report regularly and publicly sufficient details of all complaints investigated for the types of complaints, outcomes and remedies provided to be understood fully, and further details of all complaints raising legal and procedural issues of significance so that those complaints may be understood fully as individual cases[85].
In addition to any other remedies, an individual must be empowered to take legal action directly before a Court against an organisation that breaches these Principles[86].
The minimum remedies available from a Court should be injunctive relief, compensatory damages, and correction orders.
Supervisory bodies must cooperate with supervisory bodies in other jurisdictions to ensure effective investigation and remedial action in complaints with an international element, and to ensure effective implementation measures in relation to organisations that affect privacy on an international scope[87].
States should ensure that there is certainty and transparency in the circumstances under which their privacy laws apply, so that all parties to privacy disputes know which laws apply[88].
[More references to be added]
Personal information' is information about an identified or identifiable natural person, no matter how it is stored (eg sound, image, data, fingerprints).
‘Surveillance’ means the systematic monitoring (observation or recording) of one or more people's behaviour, communications, or personal information[89].
Covert surveillance' constitutes any surveillance which does not comply with this Charter's requirements for overt surveillance.
This list of Asia-Pacific sources is not complete - in particular it does not include the privacy legislation of Korea, the Canadian provinces, Taiwan, Argentina or Japan. No attempt has been made to include sectoral laws.
[1] It is recognised by all major international instruments, in particular the Universal Declaration of Human Rights (UDHR, 1948), Article 12, which states that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks”. Article 17 of the International Covenant on Civil and Political Rights (ICCPR, 1966) is expressed in very similar terms
[2] Suggested additional sentence (Clarke): 'A person who wishes to protect their privacy may or may not have something to hide; and, even if they do, that something must not be assumed to be indicative of criminal, or even anti-social, behaviour. '
[3] Additional text for consideration (Clarke): "The Principles are applicable to all people equally, including, for example, non-citizens, non-residents, prisoners and the recently deceased. There may, of course, be differences in the manner in which they are interpreted and applied, eg. in the case of minors and other categories of person not capable of exercising their rights. In circumstances where the Principles are compromised in fulfilment of another interest, it must be demonstrated that the other interest is sufficiently important to justify each specific compromise to these Principles. // The Principles are applicable to all categories of organisation, without exception. There may, of course, be differences in the manner in which they are interpreted and applied, for such reasons as the degree of sensitivity of the data, or the degree of accessibility of the storage medium, or the functions of the organisation. // The Data Protection Principles are applicable to all personal data, and are not limited to personal data based on such factors as the media on which they are stored, or whether they form part of a record or document. They are also applicable to all forms of processing of data."
[4] APC Principle 1; Can s5(1) provides "An organisation may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances." This is the strongest 'justification principle' in Asia-Pacific laws.
[5] Proposed by conveners; Proposed actions that have potential to interfere with privacy must take into account the sensitivity to affected individuals of the behaviour and the data that is impinged upon by those actions. Sensitivity is not fixed according to the situation or type of data, but rather is dependent on the individual, and on cultural and contextual factors.
[6] compare A22(1); Australia NPP 10
[7] APT A29
[8] The role of 'authorised by law' needs discussion.
[9] APC Principle 1
[10] This applies to proposed legislation.
[11] See APEC v4 and APT A26 - a better view may be to leave this as an implementation principle - see Part V.
[12] Where consent is allowed, this is specified in each relevant Principle.
[13] This may be because of other public interests, or because the privacy interest itself
[14] OECD P 14 ; APC P 3;
[15] OECD P 12; APC P 5; APT A18
[16] Possible additional text (APC Principle 5): "Openness is needed to facilitate public participation in assessing justifications for technologies, systems or services; to identify purposes of collection; to facilitate access and correction by the individual concerned; and to assist in ensuring the Principles are observed."
[17] OECD P 12; CanMC 4.8; Australia IPP 5; Australia NPP 5; Victoria NPP 5; Northern Territory NPP5;
[18] APT Pt II D(1)(b), A5(3), and A13(2); APC P18; Korea
[19] APC P 18; APT A9
[20] APT A 8(2) and Australia NPP 6.7 - in relation to access and correction rights
[21] See APC P10; Australian NPP 8, Victorian NPP8; NT NPP 8
[22] Proposed by conveners
[23] This means the minimum necessary collection to achieve the purpose; CanMC 4.4; Aus
[24] This does not include assisting other organisations carry our their functions or activities, even if required by law.
[25] Hong Kong P 1(1); see also Can s5(1) quoted above for a different but equally strong approach
[26] CanMC 4.2.1
[27] APT A20(1); CanMC 4.4
[28] Australia IPP 3(d); NZ Principle 4(b)(ii)
[29] APT A13; Australia NPP 1.2; NZ Principle 3(1)
[30] Can s7(1); NSW s9 (Principle 2)
[31] Can s7(2); APT A13(2); Australia NPP 1.5
[32] Implied by Can s7(2)
[33] NZ Principle 12(1)
[34] Implied by APT A22(3); NZ Principle 12(3) is stronger: 'only to individuals whose identity is clearly established'
[35] NZ Principle 12(2); Australia NPP 7.1 is weaker in only prohibiting private sector bodies adopting public sector identifiers (with limitations); Victoria NPP 7 and Northern Territory NPP 7 prohibit public sector bodies adopting each other's identifiers; This is an essential barrier against the consolidation of personal data from many sources, which thereby works against the accretion of power by organisations over individuals, and sustains social and democratic freedoms.
[36] NZ Principle 12(4); Australia NPP 7.2 is weaker
[37] CAn MC 4.6; APT A16(3); Australia IPP 8 and IPP 3(c); NZ Principle 8
[38] similar to Australia NPP 2.1(a); NZ Principle 10(e) uses 'directly related'
[39] APT A14(2) and A15
[40] NSW s18(2) (Principle 11)
[41] APT A19
[42] NSW s19(2)(a) (Principle 12); Hong Kong s33(2)(f) is similar; Australia NPP 9(a) is weaker
[43] Hong Kong s33(2)(f) is similar
[44] APT A7
[45] APT A7
[46] A suggested additional Principle (Clarke) is : "18. Adverse decisions - Where an organisation uses personal data to make a decision adverse to the interests of an individual, it must provide a meaningful, accurate and complete statement of the reasons for the decision, and the data on which it was based."
[47] Australia NPP 6.6; NZ Principle 7(1)(b) and (3); NSW s15(2)
[48] This is a deficiency in the Australian and Hong Kong legislation.
[49] This may involve confidentiality requirements; Australia NPP 6.3 is a weak and defective version of this.
[50] APT A6(4); NZ Principle 7(4); NSW s15(3)
[51] This does not include secondary purposes.
[52] NZ Principle 9, HK Principle 2(2) and NSW s12(a) allow retention for secondary purposes
[53] APT A16; see also EU 'objections to processing'
[54] Vic s16(4)
[55] NSW s57 provides for statutory declarations to be required.
[56] NSW s58 provides for suppression to protect personal safety
[57] NZ s59
[58] NSW s12(c); NZ Principle 5(a); HK Principle 4; Aus NPP 4.1; CanMC 4.7
[59] EU A15.1; see also APT A7(6) and A13(8)
[60] This Principle deals specifically with aspects of the problems of identity theft and denial: organisations wrongly allowing another person to assume a person's identity (or incidents of that identity), and wrongly denying a person their correct identity. It does not deal with the criminalisation of the conduct of the other person.
[61] This is a 'privacy tort' principle which is broader in its coverage than 'personal information' and is based on the US privacy tort and the HKLRC draft recommendation. Since it deals with information privacy it is logically within this Part of the Charter, although it is not a
[62] HKLRC Recommendation 3 paraphrased; they also say that "matters concerning the private life of another should include information about an individual's private communications, home life, personal or family relationships, private behaviour, health or personal financial affairs."
[63] These Principles are intended to cover all forms of surveillance, including telecommunications, workplace, and public space surveillance, and whether or not the surveillance results in the recording of personal information. The Principles in Part III are based substantially on the NSWLRC recommendations
[65] Breach of covert surveillance Principles should carry the most serious level of penalties.
[66] It is likely that individual jurisdictions will codify this requirement in specific contexts such as telecommunications interception.
[67] US wiretap safeguards (ref?)
[68] Part IV is intended to cover intrusions into a person's private spaces (bodily, territorial, communications and cyberspace) in ways that do not necessarily involve the systematic intrusions constituted by surveillance. This part does not yet adequately take into account the principles applicable to search and seizure.
[69] This is a general 'privacy tort', based on US case law and paraphrasing HKLRC recommendation 1.
[70] Derived from APC P 9
[71] These principles originate from the Conveners.
[72] A stronger version is suggested (Clarke): 'Biometric technologies must be the subject of a moratorium until stringent controls have been implemented'
[73] It is suggested that breach of this sub-Principle should be a criminal offence.
[74] Derived from the Australian Privacy Charter.
[75] A more fully-developed principle concerning search and seizure is needed.
[76] See APT A30: (1) limits use other than for message transmission without consent; (2) requires temporary override by the person even where consent normally exists.
[77] APT A31
[78] APT Pt II D1(a)
[79] The purpose of this Principle is essentially to disallow self-regulation and allow co-regulation, as provided for in various ways in the privacy laws of New Zealand, Hong Kong and Australia; see also APT Pt II D2(1)
[80] In many cases organisations will voluntarily undertake a PIA so such a determination is not necessary; in other cases there may be prior determination by legislation.
[81] Examples of PIA requirements are in the laws of Canada, Ontario and Hong Kong; The conduct of PIAs aims to ensures that appropriate balances are achieved between privacy and other, competing social interests.
[82] See APT Pt II D3, and New Zealand
[83] APT A11 is similar
[84] The right may be indirect, by way of an intermediate appeal to another administrative body.
[85] Proposed by conveners.
[86] APT Pt II D3(4); In most cases individuals will prefer to make a complaint to a supervisory body such as a Privacy Commissioner, but they must have the alternative of independent recourse to the Courts which they can take if dissatisfied with the supervisory body or for any other reason.
[87] APT Pt II E
[88] Proposed by conveners
[89] NSW LRC Recommendations 1-6 limits 'surveillance' to where a surveillance device is used, and where the monitoring is not systematic
WorldLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.worldlii.org/int/other/PrivLRes/2003/1.html