Security and related IPPs (Retention and Disposal) Privacy and Surveillance Nigel Waters & Graham Greenleaf Last updated October 2008


Page 1: Security and related IPPs (Retention and Disposal)

Security and related IPPs (Retention and Disposal)

Privacy and Surveillance

Nigel Waters & Graham Greenleaf

Last updated October 2008

Page 2: Security and related IPPs (Retention and Disposal)

LAWS 3037 Data Surveillance & Information Privacy Law 2

Security and related IPPs

- Security
- Retention
- Destruction/Disposal

Page 3: Security and related IPPs (Retention and Disposal)

Security Principles

Sources:
- Waters, Greenleaf and Roth (2007) ‘Interpreting the Security Principle, v.6’ UNSW - this includes many examples of complaints (Materials) (cited herein as Waters, Greenleaf and Roth, 2007)
- Aust Privacy Commr Info Sheet 6 Security (2001) - sets out a long list of Australian and international standards that may apply
- ALRC Report 108, Chapters 28, 51 & 58

Page 4: Security and related IPPs (Retention and Disposal)

Security principles

Provisions:
- Cth IPP 4
- Private sector NPP 4.1
- NSW s12(b)-(d)
- HK DPP 4
- ALRC Proposed UPP 8

Page 5: Security and related IPPs (Retention and Disposal)

Security principles

Scope:
- All require security from misuse and loss, and from unauthorised access, modification or disclosure
  - so internal and external threats, and mere negligence, are covered
- All only require ‘reasonable steps’ or ‘practicable steps’

Page 6: Security and related IPPs (Retention and Disposal)

Security – reasonable steps?

“When considering reasonableness in the security context, factors which may be relevant include:
- the workability of the safeguards
- the cost of the safeguards
- the risks involved
- the sensitivity of the information and
- the other safeguards in place.”

Source: OECD Information Security Guidelines 1992 cited by NZ Privacy Commissioner in [2003] NZPrivCmr 22 (Case Note 28351)

Page 7: Security and related IPPs (Retention and Disposal)

Security – different aspects

- physical security
- computer and network security
- communications security
- personnel security

Source: OFPC Guidelines to the National Privacy Principles, September 2001, Guidelines to NPP4.

Page 8: Security and related IPPs (Retention and Disposal)

Security principle - example

- Hong Kong has an unusually detailed security principle: DPP 4 requires ‘All practicable steps … to ensure … protected against unauthorized or accidental access, processing, erasure or other use’
- Includes (as if personal data) data to which access is not practicable
- Lists 5 factors to which data users must have ‘particular regard’ - reflects standard criteria:
  (a) kind of data and possible harm (‘harm test’)
  (b) physical location (and whether security is appropriate to it)
  (c) technical security measures
  (d) personnel integrity etc measures
  (e) communications security measures

Page 9: Security and related IPPs (Retention and Disposal)

Security breach examples

Possible examples of breaches:
- If hackers access data, data user may be liable for inadequate security - supplements computer crime laws: sue the company, not the hacker
- Mailouts in error of sensitive data
- Accidental destruction of data valuable to a person
- Security which destroys other privacy interests will not be ‘practicable’
- Lax practices with cleaners etc - personal files are regularly found at kindergartens and tips
- Unencrypted data on mobiles: 63,000 mobile phones, 6,000 pocket PCs and 5,000 PCs left in London cabs in 6 months (UK Taxi survey 2005, 21 (2) CLSR 95-97)

Page 10: Security and related IPPs (Retention and Disposal)

Security - Factors (1)

- Internet information – requires cooperation to remedy
  - E v Statutory Entity [2003] VPrivCmr 5 - audit trail failed to record access to customer account - settled
  - Complainant AD & Others v The Department [2006] VPrivCmr 5
- Not an absolute - cannot guarantee 100% security
- Other interests – may require higher standard
- Proportionality

Page 11: Security and related IPPs (Retention and Disposal)

Security - Factors (2)

- Role of standards
  - Mixed benefit – may or may not be adequate
  - OECD Information Security Guidelines 1992, revised 2002
- Risk assessment

Page 12: Security and related IPPs (Retention and Disposal)

Security - Factors (3)

- Security requirements in other legislation
  - In Australia, ASIC and APRA
  - APRA Superannuation Guidance Note 140.1, paragraph 19
- Action by other regulators e.g. UK FSA v Nationwide Building Society 2006 – 1 million pounds fine for inadequate security leading to loss of laptop containing customer data

Page 13: Security and related IPPs (Retention and Disposal)

Security - Factors (4)

- Inadvertent collection for security reasons
  - Common access facilities: W v Public Library [2005] VPrivCmr 5
- Special protection for sensitive information
  - NZ & Canadian cases in Waters, Greenleaf & Roth, page 15
- 'Need to know'
  - Access control – minimum standards
  - Logs and audit trails
  - E v Financial Institution [2003] PrivComrA 3 - audit trail failed to record access to customer account - settled
  - FH v NSW Dept Corrective Services [2003] NSWADT 72; Summary [2003] NSWPrivCmr 1 - equivocal on whether breach of security principle where it would cost millions for Dept to change system to log accesses
  - But remember employee privacy - balance
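The 'need to know' and audit-trail points above, as an added illustration that is not part of the lecture or of any case it cites: a minimal access layer that checks team membership before releasing a customer record and writes the audit entry before the decision, so refused attempts are recorded as well as successful ones. The store layout, the team-based model of need-to-know and all names are assumptions.

```python
"""Added example (not from the lecture or the cases it cites): a need-to-know
access check whose audit trail records every attempt before any data is
returned. Store layout, team model and field names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    staff_id: str
    account_id: str
    purpose: str
    allowed: bool


@dataclass
class CustomerStore:
    accounts: dict                       # account_id -> (owning_team, data)
    staff_teams: dict                    # staff_id -> team
    audit: list = field(default_factory=list)

    def read(self, staff_id, account_id, purpose):
        """Need-to-know: only staff on the account's owning team, with a stated purpose."""
        entry = self.accounts.get(account_id)
        allowed = (entry is not None and bool(purpose)
                   and self.staff_teams.get(staff_id) == entry[0])
        # Append the trail entry before acting on the decision, so refused
        # attempts and lookups of unknown accounts are recorded too.
        self.audit.append(AccessEvent(datetime.now(timezone.utc), staff_id,
                                      account_id, purpose, allowed))
        if not allowed:
            raise PermissionError(f"{staff_id} may not read account {account_id}")
        return entry[1]

    def accesses_to(self, account_id):
        """All recorded attempts against one account, allowed or refused."""
        return [e for e in self.audit if e.account_id == account_id]


def demo():
    """Run one allowed and one refused read against constructed sample data."""
    store = CustomerStore(
        accounts={"ACC-1": ("retail", {"name": "Sample Customer", "balance": 10})},
        staff_teams={"s-alice": "retail", "s-bob": "marketing"},
    )
    store.read("s-alice", "ACC-1", "balance enquiry")     # same team: allowed
    try:
        store.read("s-bob", "ACC-1", "curiosity")           # other team: refused
    except PermissionError:
        pass
    return store


if __name__ == "__main__":
    for e in demo().accesses_to("ACC-1"):
        print(e.when.isoformat(), e.staff_id, e.purpose, "allowed" if e.allowed else "REFUSED")
```

Because the trail carries the staff identifier, reviewing it is itself a use of employee data, which is the balance the slide asks you to remember.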

Page 14: Security and related IPPs (Retention and Disposal)

Security - Factors (5)

- Human (personnel) security
  - Confidentiality deeds
  - Training
  - B v Victorian Government organisation [2003] VPrivCmr 2 ($25,000 compensation settlement when agency disclosed complainant’s new address to ex-spouse ‘across the counter’ despite known risk)
  - Canadian & NZ cases in Waters, Greenleaf & Roth pp 19-21
- Enforcement
  - disciplinary action
  - dismissal
  - Prosecution

Page 15: Security and related IPPs (Retention and Disposal)

Security - Factors (6)

- Relationship with disclosure
  - Does unauthorised disclosure necessarily mean a breach of security?
  - Can authorised actions involve a security breach?
  - HK, Austn & NZ cases
- Liability? Vicarious liability by employer?

Page 16: Security and related IPPs (Retention and Disposal)

Security - Factors (7)

- 'Standing' for security complaints
  - Only affected individual, or also third party?
  - When is someone 'affected'? - only when actual breach or also prospective?

Page 17: Security and related IPPs (Retention and Disposal)

Security - Factors (8)

- Communications Security
  - Austn, NZ, Canadian and HK cases in Waters, Greenleaf & Roth pp 25-27
- Data security - encryption?
- Fax
- Postal/courier

Page 18: Security and related IPPs (Retention and Disposal)

Security - Factors (9)

- Security obligations when contracting
  - Emphasised in International instruments
  - Express requirements in some Australian privacy laws: PA s.8(1) and 95B; IPA s.9(1)(j) and s.17 (an agency can expressly transfer the obligations by contract); PPIPA s.4(4)(b).

Page 19: Security and related IPPs (Retention and Disposal)

Security - Factors (10)

- Programming errors and multiple breaches
  - Australian PC own-motion investigations in mid 1990s: ATO, DSS, DVA, DET, private sector
  - Potential for representative complaints
- Access control must be managed
  - L v Commonwealth Agency [2003] PrivComrA 10 - agency client provided password to be used to identify him; agency failed to ask for it
  - Other cases in Waters, Greenleaf & Roth p 31

Page 20: Security and related IPPs (Retention and Disposal)

Security principle: Australian reform proposals

- ALRC Report 108 (2008) Chapter 28
  - UPP 8.1(a) – replicates NPP 4.1, but applies to both organisations and agencies
  - OPC Guidance on 'reasonable steps' (Recommendation 28-3)
  - No need for any specific additional obligations in relation to third parties
- For commentary, see
  - Greenleaf, Waters & Bygrave, CLPC Submission to ALRC on DP 72, ‘11.2. Data security proposals’ Dec 2007
  - Waters & Greenleaf commentary on proposed UPPs at Symposium, 2 Oct 2008

Page 21: Security and related IPPs (Retention and Disposal)

Security principle - HK

Hong Kong examples - Complaints to PCO held to breach DPP4 (security):
- Faxing details of donation to estate office (AR 5/05)
- Newspaper publication of address of complainant, endangering him, not a breach of DPP4; DPP3 (disclosure) was only DPP relevant (AAB appeal 4/00)
- Insurer sending insurance policies for 3 people to the address of one of them
- Unsealed letters of demand sent to neighbours' addresses
- Law firm’s messenger allowed duplicate cover sheet of divorce process to be read by others at workplace while waiting to serve process: [1998] HKPrivCmr 8
- Law firm left trial bundle in gap between litigant’s metal gate and door: [2003] HKPrivCmr 8

See other examples in McLeish & Greenleaf chapter in Berthold & Wacks

Page 22: Security and related IPPs (Retention and Disposal)

Security principle – HK

- Security managers in apartment blocks required to destroy data on visitors after a reasonable period [1998] HKPrivCmr 4
- Hong Kong examples concerning ID cards
  - Mobile phone Co. made first 6 numbers of ID card the default password for call data, billing etc information; debt collector accessed data and harassed complainant and friends; held breach of DPP 4: [2003] HKPrivCmr 3
  - Disclosure of ex-employee ID numbers in faxes to customers
  - Bank and dept. store jointly responsible for printing error disclosing ID nos. in mailout

Page 23: Security and related IPPs (Retention and Disposal)

Data Breach Notification

- History
  - Response to identity crime
  - 44 US States + Ontario legislated requirements
- Now under consideration around the world
  - Canada, UK, Australia
  - Guidelines, pending legislation

Page 24: Security and related IPPs (Retention and Disposal)

Data Breach Notification Guidelines

- Canadian model law (CIPPIC, 2007)
- Victorian Privacy Commissioner Guide: Responding to Privacy Breaches, May 2008
- Australian Privacy Commissioner Guide to handling personal information security breaches, August 2008

Page 25: Security and related IPPs (Retention and Disposal)

Data Breach Notification Proposals - Australia

- ALRC Report 108 Chapter 51 Recommendation 51-1 - New part of Act (not a principle)
- Requirement to notify Commissioner and affected individuals if:
  - actual or suspected breach = acquisition of specified information by unauthorised person AND
  - agency, organisation or Commissioner believes real risk of serious harm (specified factors)
- 'Specified information' = particular combinations of personal and sensitive(?)

Page 26: Security and related IPPs (Retention and Disposal)

Data Breach Notification Proposals – ALRC proposal (continued)

- Harm factors:
  - Whether encrypted adequately
  - Whether acquired in good faith by employee or agent and acting for a permitted purpose
- Privacy Commissioner can waive requirement to notify individuals
- Civil penalty for failure to notify Commissioner
- For commentary, see
  - Greenleaf, Waters & Bygrave, CLPC Submission to ALRC on DP 72, ‘15.1. Possible new UPP - Security breach notification’ Dec 2007
  - Waters & Greenleaf commentary on proposed UPPs at Symposium, 2 Oct 2008

Page 27: Security and related IPPs (Retention and Disposal)

Retention / disposal principles

Sources:
- Waters and Greenleaf (2006) 'Interpreting Retention and Disposal Principles, v.1'
- Aust Privacy Commr Info Sheet 6 Security (2001)
- ALRC Report 108, Chapters 28 & 58

Page 28: Security and related IPPs (Retention and Disposal)

Retention / disposal principles (2)

Provisions:
- HK DPP 2(2) and s26
- Cth IPPs - none
- Private sector NPP 4.2 ‘reasonable steps to destroy or permanently de-identify … if it is no longer needed for any purpose’ allowed under NPP2
  - Test of ‘permanent de-identification’ is whether it is no longer ‘personal information’
- NSW s12(a) - similar to NPP 4.2

Page 29: Security and related IPPs (Retention and Disposal)

Retention / disposal principles (3)

- Private sector – mandatory retention
  - Tax records – typically 5 years
  - AML/CTF – 7 years - Guidance Note 08/04
  - Telco/ISP records? EU data retention Directive 2006/24
- Public sector complicated by Public Records/Archives requirements
  - Uncertain interaction with privacy law: GR v Department of Housing [2003] NSWADT 268

Page 30: Security and related IPPs (Retention and Disposal)

Retention / disposal principles (4)

- Need for a policy?
  - Tenants' Unions v TICA [2004] PrivCmrACD 3 - Failure to delete or remove old tenancy information was a breach of NPP 4.2; PC ‘recommended’ TICA:
    - Delete ‘history’ information in Tenancy History Database after four years;
    - Delete 'application' information in Enquiries Database after three years; and
    - Delete information moved to ‘dead tenant database’ (i.e. a database which stores deleted listings – for use in case of errors) not less than once a month
  - FH v Commissioner, NSW Dept of Corrective Services [2003] NSWADT 72 - missed opportunity to require a policy
  - Canadian cases to contrary – support TICA Determination
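The three retention periods recommended to TICA above are the kind of schedule a retention policy has to actually enforce. The check below is an added example, not part of the lecture or of the TICA determination: it sorts sample records into those due for destruction under each rule and those still retainable. The record layout, the 365-day year and the reading of "not less than once a month" as a 30-day limit on the dead tenant database are assumptions; the sample dates are constructed.

```python
"""Added example (not from the lecture or the TICA determination): apply the
three retention rules the Privacy Commissioner recommended to TICA to a set of
records. Record layout, 365-day years and the 30-day reading of "not less than
once a month" are assumptions; the sample records are constructed."""
from datetime import date, timedelta

# Retention limits taken from the three recommendations, expressed as assumptions.
RULES = {
    "history": timedelta(days=4 * 365),      # Tenancy History Database: four years
    "application": timedelta(days=3 * 365),  # Enquiries Database: three years
    "dead": timedelta(days=30),              # dead tenant database: purge at least monthly
}


def retention_action(record, today):
    """Return 'destroy' or 'keep' for one record dict with 'db' and 'dated' keys.

    Unknown databases raise, rather than silently defaulting to 'keep': a record
    outside the schedule is exactly the case a policy must not overlook.
    """
    limit = RULES.get(record["db"])
    if limit is None:
        raise ValueError(f"no retention rule for database {record['db']!r}")
    return "destroy" if today - record["dated"] > limit else "keep"


def retention_report(records, today):
    """Split records into those due for destruction and those still retainable."""
    due = [r for r in records if retention_action(r, today) == "destroy"]
    keep = [r for r in records if retention_action(r, today) == "keep"]
    return due, keep


# Constructed sample records: 'dated' is when the entry was created (or, for the
# dead tenant database, when the listing was moved there).
SAMPLE = [
    {"id": "H1", "db": "history", "dated": date(2004, 3, 1)},
    {"id": "H2", "db": "history", "dated": date(2006, 3, 1)},
    {"id": "A1", "db": "application", "dated": date(2005, 1, 10)},
    {"id": "A2", "db": "application", "dated": date(2007, 1, 10)},
    {"id": "D1", "db": "dead", "dated": date(2008, 8, 1)},
    {"id": "D2", "db": "dead", "dated": date(2008, 9, 20)},
]

if __name__ == "__main__":
    due, keep = retention_report(SAMPLE, date(2008, 10, 1))
    print("destroy:", [r["id"] for r in due])   # → ['H1', 'A1', 'D1']
    print("keep:   ", [r["id"] for r in keep])  # → ['H2', 'A2', 'D2']
```

NPP 4.2 accepts permanent de-identification as an alternative to destruction, so a real policy would attach that choice to each 'destroy' result rather than assume deletion.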

Page 31: Security and related IPPs (Retention and Disposal)

Retention / disposal principles (5)

- Deletion under Correction principle
  - May override general policy
- Technology issues
  - Difficulty once publicly available e.g. on Internet
  - E v Statutory Entity [2003] VPrivCmr 5
  - Complainant AD & Others v The Department [2006] VPrivCmr 5

Page 32: Security and related IPPs (Retention and Disposal)

Retention / disposal principles: Australian reform proposals

- ALRC Report 108 Chapter 28
  - UPP 8.1(b) - Destroy or render non-identifiable
    - See definition of personal information
  - Apply to agencies
    - But express priority for Archives Act retention requirements (UPP 8.2)
  - OPC Guidance (Recommendation 28-5)
- For commentary, see
  - Greenleaf, Waters & Bygrave, CLPC Submission to ALRC on DP 72, ‘11.3. Non-retention (destruction or non-identifiability)’ Dec 2007
  - Waters & Greenleaf commentary on proposed UPPs at Symposium, 2 Oct 2008

Page 33: Security and related IPPs (Retention and Disposal)

Retention / disposal principles (6)

Other jurisdictions:
- NZ - Commissioner opinion supported retention of information on dismissed employees for 5 years
- Canada – Commissioner noted 2 year retention policy for employment records
- UK - 2005 Information Tribunal case on Criminal records retention

Page 34: Security and related IPPs (Retention and Disposal)

Retention / disposal principles (HK)

- Hong Kong DPP 2(2) and s26
- DPP 2(2): ‘Personal data shall not be kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data are or are to be used'.
  - Keeping for the purpose of some exception not allowed
  - Only says ‘personal data’ shall not be kept - what if made inaccessible? what if de-identified? Is DPP 2(2) satisfied?

Page 35: Security and related IPPs (Retention and Disposal)

Retention / disposal principles (HK)

- HK DPP 2(2) is supplemented by s26 (titled ‘Erasure of personal data no longer required’)
  - Says ‘A data user shall erase personal data …’
  - Doubtful if data can be made inaccessible or de-identified in the face of this explicit provision
- S26 has 2 exceptions:
  - '(a) any such erasure is prohibited under any law’ - Archives laws etc will override DPP 2(2)
  - ‘(b) it is in the public interest (including historical interest) for the data not to be erased.’ - Q of public interest is a question of law, not of good faith belief
- S26(3) protects any joint controller against suits by other controller because of erasure of data

Page 36: Security and related IPPs (Retention and Disposal)

Retention / disposal principles (HK)

Hong Kong DPP2(2) and s26 - Examples of appeals to AAB against PCO:
- [1999] HKPrivCmrAAB 3: Telecomms Co. retained customer details for 180 days after suspension of service, in case of reconnection - no breach
- Pursuant to DPP 2(2), Consumer Credit Code requires data deletion 5 years after ‘final settlement’ - raised issues of how this applied to bankruptcies, but not necessary to decide (7/01)