SASLAW Seminar 15th March Adv Iain Currie

Report
The Protection of Personal
Information Bill
Presentation for SASLAW seminar: 15 March 2012
Iain Currie
University of the Witwatersrand
1.
2.
3.
4.
Introduction to the Bill
Current status of the Bill
The difference the Bill will
make to the law of privacy
The difference the Bill will
make to labour law
(scattered speculations)
ISG -- Privacy SIG
[email protected]
What is the Bill
intended to
achieve?
Section 2 (Purposes)
(1) The purpose of this Act is to—
(a) give effect to the constitutional
right to privacy, by safeguarding
personal information when
processed by a responsible party,
subject to justifiable limitations….
Protection of personal
information
=
Data protection
≠
privacy protection
At common law, the
breach of a
person's right to
privacy constitutes
an iniuria.
It occurs when there is an unlawful and
intentional acquaintance with private facts
by outsiders contrary to the determination
and will of the person whose right is
infringed, such acquaintance taking place
by an intrusion or by disclosure.
See J Neethling et al Neethling’s Law of
Personality 2ed (2005) chapter 8
It occurs when there is an unlawful and
intentional acquaintance with private facts
by outsiders contrary to the determination
and will of the person whose right is
infringed, such acquaintance taking place
by an intrusion or by disclosure.
See J Neethling et al Neethling’s Law of
Personality 2ed (2005) chapter 8
Intention is
required to
establish a breach
of privacy.
This means ‘that the perpetrator
must have directed his will to
violating the privacy of the
prejudiced party . . . knowing that
such violation would (possibly) be
wrongful’
Neethling et al 252.
Examples
See the “Privacy library” at
http://www.worldlii.org
(Searchable database of decisions of
privacy commissioners)
Example 1: breach of privacy?
A Municipality discloses information about
the complainant’s HIV status to a home
nursing company providing services to
his mother.
[Ontario Information and Privacy
Commissioner]
Example 2
B flees her abusive ex-husband and moves to a new
address, unknown even to her parents. She tells
a government agency of her new address (so that
she can continue receiving social security
benefits).
Ex-H visits the agency and obtained the new
address from a desk clerk via a routine enquiry.
[Victoria Privacy Commissioner (2003)]
Example 3
A bank conducts a marketing campaign in a bookshop on
a Saturday to solicit credit card applications.
At the end of the campaign, the bank staff put all the
application forms together with applicants' identity
card copies in a briefcase and carry them home before
returning to office the next Monday. Unfortunately, the
bank staff left the briefcase in a public light bus and
lost all the documents.
[Hong Kong Privacy Commissioner]
Example 4: data
mining
Example 6:
Targeted
advertising
http://www.nytimes.com/2010/03/04/technology/04facebook.html?em
Privacy [for purposes of the common-law right]
means ‘a condition of human life characterized by
seclusion from the public and publicity. This
condition embraces all those personal facts which
the person concerned has determined to be
excluded from the knowledge of outsiders and in
respect of which he or she has the will that they be
kept private’.
J Neethling Persoonlikheidsreg (1979) and National
Media Ltd v Jooste 1996 (3) SA 262 (A)
Privacy [for purposes of the common-law right]
means ‘a condition of human life characterized by
seclusion from the public and publicity. This
condition embraces all those personal facts which
the person concerned has determined to be
excluded from the knowledge of outsiders and in
respect of which he or she has the will that they be
kept private’.
J Neethling Persoonlikheidsreg (1979) and National
Media Ltd v Jooste 1996 (3) SA 262 (A)
Dataveillance
Roger Clarke
"the systematic monitoring of people's
actions or communications through the
application of information technology".
Clarke R. (1988) 'Information Technology and
Dataveillance' Commun. ACM 31,5 (May 1988)
Example 7: online incaution (aka oversharing)
Senior vice-president Marketing and Sales at the 2011 Xmas party
'One college student lost a shot at a summer internship when
the company’s president saw that his Facebook profile listed
“smokin’ blunts” as an interest. Disclosure is hardly limited to
students, though. Someone blackmailed Miss New Jersey
2007 by sending racy pictures from a private Facebook album
to pageant officials. Or consider Sandra Soroka, who posted a
Facebook status update saying that she was “letting Will know
it’s officially over via Facebook status,” only to see the story
flood the Internet.'
James Grimmelmann ‘Saving Facebook’ (2009) 94 Iowa LR
1137.
What difference will
the Bill make?
Section 2 (purposes)
…(b) regulate the manner in which personal information may
be processed, by establishing conditions, in harmony with
international standards, that prescribe the minimum
threshold requirements for the lawful processing of personal
information;
(c)
provide persons with rights and remedies to protect
their personal information from processing that is not in
accordance with this Act; and
(d)
establish voluntary and compulsory measures,
including an Information Regulator, to ensure respect for and
to promote, enforce and fulfil the rights protected by this Act.
So,
1. Regulate the processing of personal
information by establishing minimum
conditions.
2. Provide statutory rights and remedies for
breach of the conditions.
3. Establish a regulator.
Processing:
See definition of "processing"
Section 1, p 8
See definition of “personal information”
Section 1, p 8
Application of Act
Section 3(1) – (3), p 10
Automated
or non-automated forming part of a filing
system
Guy Tillim
Court records, Lubumbashi, DR Congo, 2007
Guy Tillim
Typing pool, Town Hall, Likasi, DR Congo, 2007
Hard disk drive
(ca 1956)
Capacity 5MB
Pieter Hugo
Yakubu Al Hasan,
Agbogbloshie Market,
Accra, Ghana 2009
Section 6
Exclusions
Section 4 Rights
of data subjects
Section 5
Conditions for
lawful processing
The conditions are
high-level, general
and abstract
Their routine elaboration
and enforcement in
specific instances is
intended to be done by
an Information
Regulator.
See Chapter 5, p
27ff
Section 50, p 34
Information
officers
Sections 52 – 53, p
37
Regulatory functions
of Regulator:
notification,
investigations,
codes of conduct
Enforcement
functions of
regulator:
See s 75, p 45
Example 1
A Municipality discloses information about
the complainant’s HIV status to a home
nursing company providing services to
his mother.
[Ontario Information and Privacy
Commissioner]
Ontario Commissioner
SUMMARY OF CONCLUSIONS
• The information in question was "personal
information" as defined in section 2(1) of the Act.
• The Municipality disclosed the complainant's
personal information to the Company.
• The Municipality's disclosure of the complainant's
HIV status to the Company was not in compliance
with section 32 of the Act.
RECOMMENDATION
Therefore, our recommendation to the Municipality is
that it should take steps to include as part of its
staff training, specific information about the
requirements of the Act regarding the disclosure of
personal information.
Within six months of receiving this report, the
Municipality should provide the Office of the
Information and Privacy Commissioner with proof
of compliance with the above recommendation.
Damages?
See section 99, p 54
Example 2
B flees her abusive ex-husband and moves to a new
address, unknown even to her parents. She tells
a government agency of her new address (so that
she can continue receiving social security
benefits).
Ex-H visits the agency and obtained the new
address from a desk clerk via a routine enquiry.
[Victoria Privacy Commissioner (2003)]
Result (brokered by the Privacy
Commissioner)
• A conciliation meeting was held, with the following outcomes:
• The Entity apologised to B for action of its employee.
• The Respondent gave an undertaking to review its business rules
and procedures concerning the protection of the residential
addresses of persons who fear violence.
• Procedures to be introduced for persons who require their names
and addresses to be suppressed for safety reasons to be more userfriendly, and that the Entity’s database have an effective system for
warning staff at the counter of the request.
• The Entity agreed to pay B the sum of $25,000 compensation. This
amount reflected both financial loss that the complainant incurred
as a result of fleeing her new home, and non-financial loss relating
to her distress and continuing fear for her own safety.
Example 3
A bank conducts a marketing campaign in a bookshop on
a Saturday to solicit credit card applications.
At the end of the campaign, the bank staff put all the
application forms together with applicants' identity
card copies in a briefcase and carry them home before
returning to office the next Monday. Unfortunately, the
bank staff left the briefcase in a public light bus and
lost all the documents.
[Hong Kong Privacy Commissioner]
Findings by the HK Privacy Commissioner
Upon investigation, it was discovered that the bank
did not have adequate guidelines issued and given
to staff in relation to handling of personal data
collected during outside-office marketing
campaigns. Taking into account the sensitivity of
the data collected and the harm that is likely to be
inflicted upon the data subject on accidental loss of
the data, the bank was found in breach of the
requirements of the Data Protection Law in failing
to take practicable steps to protect the security of
the personal data collected.
Actions by the HK Privacy Commissioner
An enforcement notice was issued, and in compliance
therewith the bank implemented corresponding
safeguard measures, including the transmission of
those credit card applications and supporting
documents to a nearby branch of the bank at the
end of the marketing campaign instead of allowing
staff to bring them home.
Impact on
employers
Most employers will
process personal
information of their
employees
In other jurisdiction, data protection
authorities have issued Codes
dealing with processing by
employers:
eg UK Information Commissioner,
Employment Practices Code
UK Code deals with:
1. recruitment and
selection;
2. employment records;
3. monitoring at work; and
4. worker’s health.
1. Recruitment:
retention of
information,
background checks,
extent of information
requested.
2. Employment records:
Retention of
information, security,
individual participation.
3. Monitoring:
Act will apply to retention of records
of employees’ telephone calls for
training, keeping a log of websites
visited, CCTV to monitor health and
safety compliance or to prevent
theft.
Health: see part B
of Chapter 3:
‘special personal
information’

similar documents