Greenleaf, Graham --- "Key concepts undermining the NPPs - a second opinion" [2001] PrivLawPRpr 20; (2001) 8(1) Privacy Law and Policy Reporter 1

Key concepts undermining the NPPs — a second opinion

Graham Greenleaf

The Federal Privacy Commissioner’s Draft National Privacy Principle Guidelines[1] (Draft NPP Guidelines) take a generally robust ‘pro-privacy’ approach to the interpretation of the NPPs. The Commissioner’s interpretation assumes meanings for certain key terms used in the NPPs (and elsewhere in the Privacy Act 1988 (Cth) (the Act)), but provides little justification for these interpretations.

Some of the Commissioner’s assumptions are called into question by Patrick Gunning’s recent article ‘Central features of Australia’s private sector privacy law’[2] (written before the Draft NPP Guidelines were released) where he analyses aspects of the meaning of the terms ‘collection’, ‘disclosure’, ‘use’ and ‘personal information’. Gunning’s interpretations, if they are correct, would give the NPPs a significantly narrower field of operation.

In this article[3] I re-examine the key terms considered by Patrick Gunning to see whether there are counter arguments which may support the broader interpretations assumed by the Commissioner in the Draft NPP Guidelines.

Can there be ‘collection’ of unsolicited information?

NPP 1 regulates where an organisation ‘collects’ personal information.[4] ‘Collection’ is not defined in the Act. The Commissioner asserts that collection ‘includes information that an organisation comes across by accident or has not asked for but nevertheless keeps’,[5] and in some of his examples of collection he includes receipt of information which could be unsolicited (for example ‘where an organisation ... receives and keeps emails containing personal information’). The Commissioner even goes so far as to suggest that the collection of unsolicited information can be ‘unfair collection’, by the example ‘collecting personal information from files dumped by accident on a street’.[6]

Can information be ‘collected’ even if it is not ‘solicited’ or requested by the organisation collecting it? Gunning points out that the wording of Information Privacy Principles (IPPs)[7] 2 and 3 in s 14 of the Act implies a distinction between ‘collect’ and ‘solicit’ (with ‘collect’ being the broader term). Normal principles of statutory interpretation, he argues, would lead to the conclusion that ‘collect’ has the same meaning in the NPPs, and so information ‘collected’ would include information received whether solicited or unsolicited.

However, Gunning concludes that, insofar as the NPPs are concerned, ‘the better view is that the organisation does not “collect” personal information merely by receiving unsolicited information’. He argues that NPP 1.1 (collection necessary for a purpose) and NPP 1.2 (fair means) could not apply to unsolicited information, and that Parliament could not have intended NPP 1.3 (requirements to notify) to apply. Also, NPP 2.1 assumes that there is a purpose of collection which limits use and disclosure — where information is unsolicited there is no purpose of collection on the part of the party receiving the information.

The problem with this argument is that it is incomplete. It does not give sufficient weight to the explicit statement in s 16B that the Act only applies to the collection of information by an organisation (that is, where the NPPs apply) ‘if the information is collected for inclusion in a record or a generally available publication’. Mere receipt of information, therefore, does not make the Act applicable; there must be at least an intention formed by the recipient to ‘include’ the information ‘in a record or a generally available publication’. Since the definition of ‘record’ (s 6) includes ‘a document’ it is possible that ‘include’ could encompass ‘retain’ in the case of an unsolicited document. I suggest that it is at this point of inclusion/retention that ‘collection’ of unsolicited information takes place, not at the point of mere receipt. Once such an intention to retain the unsolicited information is formed, the recipient (now a ‘collector’) will have a purpose of collection (NPP 1.1) and must disclose that purpose and other information to the subject (NPP 1.3). If the recipient does not wish to comply with the disclosure obligation, they can always dispose of the information.

Gunning’s conclusion is, however, correct insofar as it goes, because of his careful qualification that ‘merely’ receiving unsolicited information is not enough.

In summary, the approach I suggest means that any information retained in a record or generally available publication will have been collected, no matter whether it was received as solicited or unsolicited information. This interpretation avoids hair splitting over what information is solicited and what is not. It is also consistent with the usage of ‘collect’ in IPP 1, and so maintains consistency in the usage ‘collect’ within the Act, in accordance with normal principles of statutory interpretation.

Some issues remain. If unsolicited written information is read before immediate disposal, has it been collected? I suspect not, because of s 16B. How long can unsolicited information be retained before it has been ‘collected’? These are, however, more minor exceptions than the wholesale exclusion of unsolicited information from ‘collection’. In my view, the Commissioner is correct to include it.

Does ‘disclosure’ include information already known?

Gunning found[8] that the leading authorities on the meaning of ‘disclose’[9] held that a person only ‘discloses’ information to another person when the recipient was not previously aware of that information, and that the one case to the contrary[10] could be explained by the mischief the offence was designed to protect against.

He concludes that in relation to the Act ‘it is hard to see any reason why “disclose” should not be interpreted in accordance with its ordinary meaning’. How does it enhance your privacy to prevent an organisation from telling someone else something about you they already know, he asks?

However, the cases on disclosure variously deal with failures to disclose, obligations to disclose, and obligations not to disclose (as in NPP 2), each of which is likely to bring into play rather different policy considerations. ‘Disclose’ needs to be interpreted in its context, and divergence from its ‘ordinary’ meaning (if it has one) will not be surprising. In R v Glenys Ruth Scott[11] (discussed by Gunning) Doyle CJ held that to require an undischarged bankrupt to disclose this fact to others even if they already know it is ‘not to impose an empty ritual’ because it will serve to protect those who have forgotten that a person is bankrupt, or who have assumed from silence that the bankruptcy has terminated. Disclosure in all cases therefore served the purposes of the Act to protect persons dealing with an undischarged bankrupt. It is not difficult to argue that the purposes of NPP 2 to protect the privacy interests of individuals are best served by regarding ‘disclosure’ as covering all instances of disclosure of personal information.

First, Gunning points out that his view means a complainant under NPP 2 would have to ‘establish that the recipient of the information was not previously aware of that information’, but he believes that this would not matter much in the type of inquisitorial procedures followed by the Commissioner. However, complainants may have to prove their case before a court (for example, for purposes of s 55A enforcement or a s 98 injunction), where the Commissioner’s ‘inquisitorial’ procedures do not apply. If Gunning’s preferred interpretation places an unfair burden on the complainant, that is in itself good reason to prefer the alternative interpretation.

Second, information received from one source is not ‘the same’ as textually identical information received from a different source, because the two sources may be of different authority, and also because the mere fact that the source knows the information may be significant (for example, the difference between a wife disclosing her husband’s infidelity and a priest disclosing the same information).[12] For example, ‘rating’ organisations could easily abuse this approach to disclosure merely by setting up enquiry systems where A asks B ‘Please confirm fact X’. If B answers ‘fact X’ then there will be no disclosure (already known), but if B says nothing there is simply no (express) disclosure. This interpretation invites abuse.

Third, there is no good policy reason to exclude information already known from ‘disclosure’. The only consequence of including communication of information already known as ‘disclosure’ is likely to be that if the organisation complained about shows that it already knew the information (which it is uniquely well placed to do), the complainant is likely to be refused any damages by the Commissioner, or any injunction by a Court. This would lead to a much fairer result.

I suggest that the better view is therefore that to ‘disclose’ in the Act includes revealing information already known. The Commissioner does not explicitly address this issue in the Draft NPP Guidelines, but seems to take the broader view by defining ‘disclosure’ by an organisation as ‘when it releases information outside the organisation’. In my view the Commissioner is correct, but the issue should be addressed explicitly and the authority against this view acknowledged.

Does ‘use’ include merely looking?

In R v Brown[13] the House of Lords considered the meaning of ‘use’ in the context of the UK Data Protection Act 1984. There was evidence that a police officer had looked at a person’s record in the police national computer database, apparently on behalf of a debt collector friend. However, there was no evidence that he had disclosed the information to anyone else, nor that he had made any other use of the information. The House of Lords held that ‘use’ was to be given its normal meaning of ‘to employ for a purpose’, and that merely looking at data on a computer terminal was not a use in itself — retrieval was only a prerequisite for use, not a use in itself.

As well as its more obvious significance when there could be a breach of NPP 2, the restriction of ‘use’ to exclude ‘mere browsing’ or ‘mere access’ also has significant consequences for the individual’s rights of access and correction to ‘existing information’[14] under NPP 6, because those rights only arise if the information is used or disclosed (s 16C(3)).

This aspect of Brown does not appear to have been considered by Australian courts. The Draft NPP Guidelines do not address the question.[15] Gunning expects that Brown will be followed in Australia.[16] In my view he is correct, at least in relation to the NPPs and the Act. There is nothing in NPP 2 to indicate that the context in which ‘use’ is employed gives it a different meaning from its ordinary usage. Furthermore, NPP 4.1 provides that ‘[an] organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure’. This implies that misuse (and use) does not include access, because the use of ‘access’ would then be redundant.

One apparent problem with the Brown interpretation is that it means NPP 2 does not deal with some objectionable invasions of privacy, such as where a staff member of an organisation (or the neighbours or acquaintances of the staff member) that holds files concerning well known people accesses those files out of a prurient interest in the other person’s affairs, but there is no evidence of other use being made of the information.

The problem is resolved in part by NPP 4.1, quoted above, which requires the organisation concerned to take reasonable steps to prevent ‘unauthorised access ... or disclosure’. The distinction between ‘access’ and ‘disclosure’ seems to imply a distinction between unauthorised access by those within the organisation and those outside the organisation. A person within an organisation may have authority to access personal information for certain purposes, but access by them for other purposes may still be unauthorised. In Gilmour v DPP (Cth)[17] it was held that ‘the applicant had a limited authority to make entries into the computer and therefore, by going outside the limitations imposed, he was acting without authority’. Other cases have held similarly.[18]

The Draft NPP Guidelines take an approach similar to what I suggest, interpreting NPP 4.1 as requiring organisations to protect ‘confidentiality [which] involves limiting the availability of information to authorised users for approved purposes in order to prevent unauthorised use and disclosure’.[19] They suggest that organisations may need to consider ‘personnel measures such as ... implementing the need-to-know principle that limits access to information to those people who need the information to carry out their duties’,[20] and that it may involve ‘automatically removing or downgrading a user’s access when they change areas or roles within an organisation’.[21]

NPP 4.1 therefore provides a limited remedy. The mere fact of internal access for a purpose outside the legitimate purposes for which the information is held will not in itself constitute an ‘unauthorised access’ breach of NPP 4.1. The organisation must also have failed to take ‘reasonable steps’ to prevent such unauthorised access. The Draft NPP Guidelines give a reasonably strong interpretation of what steps organisations may be required to take in order to have acted reasonably, but they are requirements which are justified by NPP 4 and the relevant case law. The ‘gap’ in NPP 2 caused by the Brown interpretation of ‘use’ is therefore not as serious as might otherwise be the case.

In whose hands is information ‘personal’?

The Act’s protections only apply to ‘personal information’, defined as any information ‘about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion’ in question (s 6). If a person’s identity is apparent or obvious from information, then it is clearly personal information. The difficult question arises when the item of information in question does not in itself explicitly identify the person concerned, but where some other source of information must also be consulted in order to identify the person.

The definition in the Australian legislation is unusual in saying that the reasonable ascertaining of identity must be ‘from the information or opinion’. However, the definition does not say that the person’s identity must be able to be ascertained solely from the information concerned, and it should not be interpreted that way. If it did mean that, then in any system which stored substantive information according to (and containing) a person’s identification number, but kept a separate master file containing only ID numbers and identification details, the substantive information plus ID number would not constitute ‘personal information’ and attract the protections of the Act (regarding security, access and so on).

The better view is that other sources of information may be taken into account. I suggest[22] it is a question of fact in any given situation whether an individual’s identity can be ascertained, and it is a further question of fact whether it can ‘reasonably’ be so ascertained. Information that one person may easily be able to obtain may be completely inaccessible to another person. The Draft NPP Guidelines take a similar approach when they say ‘[w]hether a person’s identity is reasonably ascertainable will depend on the context and on who holds the information’,[23] though they do not justify their assumption that cookies, web bugs, email addresses and browsing trails will always be ‘personal information’.[24]

We next need to ask who must be able to ‘reasonably ascertain’ a person’s identity before there is personal information? The most obvious answer is ‘the person who may have breached the NPP in question’. This seems clear enough when we are talking about the NPPs concerning collection, use or the provision of access to personal information, but it could lead to surprising results in the case of NPP 2 dealing with disclosure, as the question will be ‘is it personal information in the hands of the person disclosing the information?’, not ‘is it personal information in the hands of the person receiving it?’. It would be undesirable if organisations that had no capacity to identify data that they held could sell it unrestricted to any organisation that they knew did have that capacity. Since disclosure requires two parties, I think that the better view is that the question in that case is ‘is it personal information in the hands of either the person disclosing or the person receiving the information?’.

The Draft NPP Guidelines do not explicitly address this issue, and it would be valuable if the final Guidelines did so.

Is intention to identify relevant?

On a similar point, the meaning of ‘personal data collection’ under Hong Kong’s Personal Data (Privacy) Ordinance was considered by the Hong Kong Court of Appeal in Eastweek Publisher Ltd v Privacy Commissioner for Personal Data.[25] A press photographer took a photo of an unknown woman in a public place which his employer’s magazine published, without identifying the woman but ridiculing her dress sense (using the words ‘Japanese mushroom head’).

The main issue before the Court was whether the publisher had collected personal data using unfair means. The majority of the Court (Ribeiro JA and Godfrey VP) concluded that this was not ‘personal data collection’ (an expression not used in the Ordinance) because the data user was not ‘compiling information about an identified person or about a person whom the data user intends or seeks to identify’ [emphasis added].[26]

If Eastweek was followed in Australia it would be necessary to assess an information collector’s intentions to identify a person before it was possible to determine whether the information they collected was ‘personal information’. Gunning treats Eastweek as a case on the meaning of ‘collection’, but I think it makes more sense to read it as a case on the meaning of ‘personal data’ (‘personal information’ under the Australian legislation). The judgments in the Court of Appeal are ambiguous as to whether their Honours are discussing ‘collection’ or ‘personal data’.

A case like Eastweek would raise the question under the Australian legislation: ‘Is it personal information if you have no intention of ascertaining the person’s identity, even if you could do so with reasonable ease?’ Gunning gives good examples of where this could be important (though he considers them as questions of ‘collection’), as follows.

  • Is a website that shows continuous filming of a public space (a ‘webcam’) not collecting personal information because the operators have no intention to identify the persons concerned?
  • Is a security camera in a building capturing personal information because the operators have an intention to identify where occasion arises?

Gunning considers that there are ‘sound reasons for an Australian court to follow Eastweek’.[27] He considers that Eastweek could be used to exclude from the ambit of ‘collection’ (or, on my approach, from the ambit of ‘personal information’) information satisfying the following conditions:

  • ‘an organisation has come into the possession of personal information as an incidental byproduct of some other activity it has engaged in; and
  • the identity of the subject of the information is irrelevant to the organisation’s activities’.[28]

This would be a significant restriction on the scope of NPP 1, as the ‘webcam’ example illustrates. Should we be subjected to systematic video surveillance of our activities without even the requirement of notice that NPP 1 can provide?

Can there be ‘collection’ from public documents or webcams?

One of Gunning’s principal justifications for supporting the ‘Eastweek gloss’ is that it would avoid what he considers to be the ‘absurd result’ that a firm of solicitors, who research law reports in order to use excerpts in briefs or submissions, could be in the position of ‘collecting’ personal information about the individuals named in the law reports, with corresponding obligations to notify them of the purpose of collection and so on. This is just one example of the more generic problem of whether it is ‘collection’ to extract personal information from a newspaper, law report, book, database, or some other publicly available source of information. Do you have to give individuals notice that you have collected newspaper clippings which identify them?

The answer to Gunning’s quandary is found elsewhere. The NPPs requiring notice of collection to be given to the individual concerned only apply if information is obtained from a person: NPP 1.3 applies to information collected ‘from the individual’ and NPP 1.5 applies to information collected ‘from someone else’. It is therefore arguable that where information is extracted by the collector from a book (such as the law report in Gunning’s example) or some other ‘generally available publication’ it is not obtained from a person (in terms of either 1.3 or 1.5), and therefore there is no requirement to give notice of collection. There may be important grey areas where information is extracted by the collector from a database (such as a credit reference computer system) or some public register (such as is held at the Land Titles Office) where it is arguable whether the information was collected from a person (a legal person in these cases).

This interpretation stops the result that Gunning considers absurd in the case of collection from published printed sources. It may also mean that NPP 1.3 and 1.5 do not apply in the case of videocams, security cameras or news photographers (as in Eastweek), as these forms of collection might not be considered to be collection ‘from the individual’.[29] However, in all these cases, the requirements of collection necessary for purpose (NPP 1.1), lawful, fair and non-intrusive collection (NPP 1.2), and collection from the individual where practicable (NPP 1.4), would all still apply. This would give a far better result in terms of policy as these parts of NPP 1 should apply to all forms of collection and it is only the notice requirement that can produce absurd results if wrongly applied.

In the case of ‘webcams’ and security cameras, NPP 1.2 may still require notices to be displayed even though NPP 1.3 does not apply. In the case of news photography, the issues are more sensibly addressed from the perspective of whether the collection is ‘fair’ or ‘intrusive’, rather than through an imposed and artificial question of whether the collector was interested in the identity of the person photographed. The Act already requires that the collector must be able to ‘reasonably ascertain’ the identity of the person concerned. The additional ‘Eastweek gloss’ — whether it is on the meaning of ‘collection’ or the meaning of ‘personal information’ — would best be avoided by Australian courts. We can make sense of the NPPs without it.

The Draft NPP Guidelines do not address these last two issues directly, and the examples of collection it uses do not include examples of ‘webcams’ or collection from published sources. It would be desirable if the final Guidelines took a position on these issues, as they will be important.

Graham Greenleaf, General Editor.


[1] Federal Privacy Commissioner, May 2001.

[2] (2001) 7(10) PLPR 189.

[3] An earlier version of some of these arguments is in Greenleaf G ‘Private sector privacy: problems of interpretation’ The New Australian Privacy Landscape Conference, 14 March 2001, Baker & McKenzie Cyberspace Law and Policy Centre/Centre for Continuing Legal Education, University of New South Wales Faculty of Law.

[4] NPP 1 only applies to information collected after the commencement of the Act (s 16C).

[5] Draft NPP Guidelines, Chapter 4 ‘Meaning of collection’.

[6] Draft NPP Guidelines, Chapter 4 ‘Examples of unfair collection’.

[7] The Information Privacy Principles (IPPs) apply to Commonwealth Government agencies.

[8] Above note 2 at 196.

[9] Bank of Credit and Commerce International (overseas) Ltd (in liq) v Price Waterhouse [1997] 4 All ER 781; King v South Australian Psychological Board [1998] SASC 6621 (9 April 1998); Gunning has subsequently noted that the High Court in Foster v FCT (1951) 82 CLR 60 gives additional support to this interpretation; so does Condon v Commissioner of Taxation [2000] FCA 1291 (13 September 2000), a recent case about convictions.

[10] R v Scott [1996] SASC 5545 (8 April 1996); (1996) 131 FLR 137.

[11] As above.

[12] Alternatively, disclosure from a more authoritative source may be regarded as disclosing more (implied) information.

[13] (1996) 1 AC 543.

[14] ‘Existing information’ can be used to refer to any information collected up to 21 December 2001. Existing information is not subject to the use and disclosure limits of NPP 2 (s 16C(1A)). It is subject to access and correction rights, but only when and if it is ‘used or disclosed’ (s 16C(3)), and only then if this is not unreasonably administratively burdensome or expensive.

[15] Draft NPP Guidelines Chapter 5 ‘Meaning of use and disclosure’.

[16] Above note 2 at 196.

[17] (1995) 43 NSWLR 243; (1995) 125 FLR 114; (1995) 134 ALR 631; <www.austlii.edu.au/au/cases/nsw/supreme_ct/unrep29.html>.

[18] See Raiser v Sladic [1995] ACTSC 132 (4 December 1995).

[19] Draft NPP Guidelines, Chapter 7 ‘About NPP 4’.

[20] Draft NPP Guidelines, Chapter 7 ‘Physical security’.

[21] Draft NPP Guidelines, Chapter 7 ‘Computer and network security’.

[22] An earlier version of this approach was published as Greenleaf G ‘Privacy Principles — irrelevant to cyberspace?’ (1996) 3 PLPR 114.

[23] Draft NPP Guidelines, Chapter 2 ‘Personal information’.

[24] These are complex and technical issues which cannot be addressed here. For an early and now technically out of date interpretation, see Greenleaf above note 22.

[25] [2001] 1 HKC 692.

[26] See Wacks R ‘Privacy and media intrusion: A new twist’ (1999) 6 PLPR 48 (re first instance decision) and Wacks R ‘What has data protection to do with privacy?’ (2000) 6 PLPR 143 (regarding the Court of Appeal decision); Gunning above note 2 at 194 also gives a detailed summary of the Court of Appeal decision.

[27] Gunning above note 2 at 194.

[28] Gunning above note 2 at 194.

[29] This question requires separate analysis not possible here.
