CHAPTER 4: PRINCIPLES OF INFORMATION PROTECTION
4.1 Origins of the information protection principles
4.2 Discussion of Information Protection Principles
a) Introduction
4.2.1 It is common for privacy or information protection acts worldwide to contain sets of principles. The information protection principles lie at the heart of any Information Privacy Act. They have been found to be an appropriate means of translating the concepts of information privacy into a legally effective form.50 Only those legal instruments embracing all or most of the principles set out below are commonly considered to be information protection laws. The principles can, however, be found in all types of policy and legal instruments.51
50 Office of the Privacy Commissioner, New Zealand Privacy Act Review 1998 Discussion Paper No 2: Information Privacy Principles (hereafter referred to as “New Zealand Discussion Paper”) at 1.
51 Bygrave Data Protection at 3.
4.2.2 Except to the extent that any data controller/responsible party is able to claim an exemption from any of the principles (whether on a transitional or outright basis), the principles apply to all personal information processed by responsible parties.
4.2.3 The formulation of a code of fair information practices is usually derived from several sources, including the codes developed by the OECD (1980), the Council of Europe (1981) and the EU (1995), as discussed in para 4.1 above. In this discussion paper the principles will also be compared with other modern sets of privacy principles recently developed in other jurisdictions.
4.2.4 One should remember that these codes are guidelines only, which ought to be interpreted by countries to suit their own position. Article 5 of the Directive states, for example, that:
Member States shall, within the limits of the provisions of this Chapter, determine more precisely the conditions under which the processing of personal data is lawful.
4.2.5 For example, in the UK the data principles were originally derived from the CoE Convention, which in turn were given substance and amplification by recital 11 of the EU Directive. In New Zealand the information privacy principles follow, but do not directly repeat, the OECD principles; they are designed to suit New Zealand law and circumstances and are somewhat more precise. They owe much to the principles in the Australian Privacy Act 1988, although there are significant differences.52 In Canada the federal Privacy Act of 1982, which applies to the public sector, is based on the OECD Guidelines, whereas the Personal Information Protection and Electronic Documents Act (PIPEDA) adopted the CSA International Privacy Code (a national standard developed in conjunction with the private sector, also based on the OECD principles) into law for the private sector.53
52 New Zealand Discussion Paper at 1.
53 See discussion in Ch 7 below.
4.2.6 The introduction to Paragraph 7 of the OECD Guidelines emphasises an important point, namely that all the principles set out in the Guidelines are interrelated and partly overlapping. Thus the distinctions between the different activities and stages involved in the processing of information which are assumed in the principles are somewhat artificial, and it is essential that the principles are treated together and studied as a whole.
b) Principles of Information Protection
4.2.7 What follows is a discussion of the different information principles (sometimes called “good information handling”) with which information agencies are required to comply. As stated above, the categories are not always hard and fast; considerable overlap exists between them. Further, each of them is in reality a constellation of multiple principles. Some principles have been incorporated in certain information protection laws as fully fledged legal rules. In other instances the principles function as guiding standards during interest-balancing processes carried out by, for instance, information protection authorities in the exercise of their discretionary powers. The principles may also help to shape the drafting of new information protection laws,54 and have accordingly been used to identify the principles to be embodied in a South African act.
54 Bygrave Data Protection at 57.
4.2.8 The information protection principles that will be discussed are the following:
• Principle 1: Processing Limitation (fair and lawful processing)
• Principle 2: Purpose Specification
• Principle 3: Further Processing Limitation
• Principle 4: Information Quality
• Principle 5: Openness
• Principle 6: Security Safeguards
• Principle 7: Individual Participation
• Principle 8: Accountability
It is to be noted that additional principles are set out for sensitive information. See discussion below.
4.2.9 Respondents to the Issue Paper were in general supportive of the incorporation of these principles in legislation55 and indicated that the principles should apply to all personal information kept by a responsible party, who should be obliged to comply with them.56
55 Eg Vodacom; The Banking Council; Gerhard Loedoff Eskom; ENF for Nedbank; ISPA.
56 The Credit Bureau Association indicated that these principles, when given effect to within the credit information system, would place certain obligations upon the credit granting industry (subscribers of the bureaux) and the credit bureau industry. To elaborate further, the principles would place the following obligations on credit grantors, who are the source and primary users of personal information within the credit information industry:
a) to obtain the data directly from the data subject;
b) at the time of collection, which would be on application for credit, the credit grantor would have to, through the credit application form, notify the data subject of the collection, the specified purpose/s of the collection, the uses the data may be put to and to whom it will be disclosed. Provision will then be made for “opt-out” consent;
c) the credit grantor will have to obtain the credit applicant’s consent to access the applicant’s credit report;
d) the credit grantor will have to ensure that the data supplied to the credit bureaux is valid (that is, information in respect of valid debts), accurate, up-to-date, relevant (in relation to the purpose/s for which it is collected) and complete;
e) the credit grantor will have to give notice to a data subject prior to transferring default (adverse) information on the data subject to a credit bureau; 28 days’ notice in writing is recommended;
f) the credit grantor will have to ensure that there is only one listing in respect of a failure to pay a debt.
The credit bureau industry will then have the following obligations:
a) ensuring that data is accurate, complete and up-to-date as is necessary for the purposes it was collected for, through effective and high quality data processing systems, and ensuring that data is processed for the legitimate specified purposes;
b) giving data subjects access to their credit reports to give effect to the rights of verification and objection;
c) ensuring high quality data security systems;
d) ensuring that the data is erased once the data retention period has lapsed;
e) credit bureaux will have to provide a statement of their functions and activities for inspection by the data protection authority; because of competition and legitimate business this information cannot be made public knowledge; and
f) credit bureaux will have to report to the data protection authority on the results of the independent audit of their data processing and data security systems.
4.2.10 Over and above the importance of protecting the constitutional right to privacy, another reason stated for introducing these principles in legislation was that various commercial opportunities exist for information outsourcing, both domestically and internationally, and that if South Africa’s national standards do not conform to international requirements, specifically the EU’s Directive, this will inhibit full exploitation of those commercial opportunities.57
57 The Internet Service Providers Association.
4.2.11 It was, however, emphasised that the real test will lie in the implementation of the principles and that the degree to which these principles are adopted will depend on the cost and feasibility of implementing them.58 Concern was raised that the application of these principles may have an adverse impact on the cost of information technology, which can be ill afforded in South Africa.59
58 LOA; Liberty.
59 LOA.
4.2.12 Careful definition will be required to ensure that a balance is maintained between individual rights and the public good, and that the cost and effort to meet the defined requirements are not so onerous as to be unreasonable in relation to the potential risks to individuals of the information collection.60
60 Medical Research Council.
4.2.13 It should, furthermore, be possible to exempt certain organisations from specific principles. It has, for instance, been argued that some of these principles, such as principle 7 (individual participation) and principle 5 (openness), should not apply to law enforcement agencies. Criminal suspects cannot be informed by the police that specific information about them is being kept in a police database, or be allowed access to and correction of personal information that is being gathered about them by the State.61
61 SAPS; See Chapter 3 above dealing with the scope of the legislation and specifically “critical data”.
4.2.14 The idea was therefore supported that the legislation would need to create a framework for information protection based on the principles of information protection as set out in the Issue Paper.62
62 LOA.
(i) Principle 1: Processing Limitation (Fair63 and lawful processing)
63 See, however, Roos thesis at 483, who notes that it is sufficient, in the South African context, to require that processing should be done lawfully, since fairness is part and parcel of the concept of lawfulness. See also the discussion in Chapter 2 above in this regard.
4.2.15 It is sometimes argued that the primary principle of information protection laws is that personal information must be processed fairly and lawfully.64 This principle is primary because it embraces and generates the other core principles of information protection laws presented below. The twin criteria of fairness and lawfulness are manifest in all these principles even if, in some instruments, they are expressly linked only to the means of collection of personal information65 or not specifically mentioned at all.66
64 See Bygrave Data Protection at 58 and the references made therein; Roos thesis at 481.
Art 5(a) of the CoE Convention states:
Personal data undergoing automatic processing shall be:
a) obtained and processed fairly and lawfully; ...
Article 6(1)(a) of the EU Directive stipulates that Member States shall provide that personal data must be processed fairly and lawfully.
Principle 1 in the UK’s Data Protection Act of 1998 provides:
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive data, at least one of the conditions in Schedule 3 is also met.
Schedule 2 is based on Art 7 of the EU Directive and follows the Directive fairly closely. The conditions deal with consent to processing as well as other lawful reasons why the data controller needs to process data of the subject. Schedule 3 derives from Art 8 of the EU Directive, which allows the processing of sensitive data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs etc, only in specific cases.
65 The Collection Limitation principle in the OECD Guidelines (Principle 1) states as follows:
There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
66 Bygrave Data Protection at 58 and the reference therein to the Norwegian PDA.
4.2.16 The notion of “lawfulness” is relatively self-explanatory. The bulk of information protection instruments comprehend legitimacy prima facie in terms of procedural norms hinging on a criterion of lawfulness (eg that the purposes for which personal information is processed should be compatible with the ordinary, lawful ambit of the particular responsible party’s activities).67 The determination of what is fair may be a more difficult task.68
67 Sec 4 of Canada’s federal Privacy Act; IPP1(a) of Australia’s federal Privacy Act; Data Protection Principle 1 of the UK Data Protection Act, 1998.
68 Strathclyde LLM at 16.
4.2.17 At a general level the notion of fairness69 undoubtedly means that, in striving to achieve their information-processing goals, responsible parties must take account of the interests and reasonable expectations of data subjects. The notion of fairness therefore brings with it requirements of balance and proportionality.70
69 “Fairness” may be regarded as the American equivalent of the South African term “reasonableness”. See discussion in Ch 2 on the criterion of reasonableness or boni mores.
70 Bygrave Data Protection at 58.
4.2.18 Fairness/reasonableness implies that the processing of information be transparent to the data subject.71 It militates against secretive collection and processing, and also against deception of the data subject as to the nature of, and purposes for, the information processing. See Principle 5 below. Another requirement that may flow from this argument is that information should be collected from the data subject, not from third parties.72 This requirement is expressly laid down in some, but not the majority of, information protection instruments.73
71 Bainbridge D Data Protection CLT Professional Publishing Welwyn Garden City 2000 (hereafter referred to as “Bainbridge Data Protection”) at 59.
72 Principles 2 and 4 of the New Zealand Privacy Act. See below.
73 Bygrave Data Protection at 59 and the references made therein.
4.2.19 Since fairness implies that responsible parties must take some account of the reasonable expectations of data subjects, this has direct consequences for the purposes for which information may be processed.74 It helps to ground rules embracing the purpose specification principle. It sets limits on the secondary purposes to which personal information may be put. When personal information obtained for one purpose is subsequently used for another purpose which the data subject would not reasonably anticipate, the responsible party may have to obtain the data subject’s consent to the new use.75 Where a person was deceived or misled as to the purposes of the processing, the processing will be unreasonable. The subject should also be informed as to the non-obvious uses to which the controller intends to put the information.76 See Principle 3 below.
74 Commonwealth Secretariat Draft Model Law on the Protection of Personal Information LMM(02)08 October 2002 (hereafter referred to as “Commonwealth Bill for private users”). Sec 7 reads as follows:
Appropriate purpose
7. An organisation may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
75 Bygrave Data Protection at 59.
76 Bainbridge Data Protection at 58; Commonwealth Secretariat Model Law for Public Sector LMM(02)7 November 2002 (hereafter referred to as “Commonwealth Bill for public users”); See Part II of the proposed Commonwealth Privacy Act dealing with the collection, use, disclosure and retention of personal information by public agencies.
4.2.20 Even though a responsible party may be able to show that information was obtained and personal information processed fairly and lawfully in general and on most occasions, if it has been obtained unfairly in relation to one individual there will have been a contravention of this processing principle.77
77 Information Commissioner Chapter 3: The Data Protection Principles of the IC’s Legal Guidance Version 1 Nov 2001 (hereafter referred to as “Information Commissioner Data Protection Principles”) at 12.
4.2.21 Where a responsible party holds an item of information on all individuals which will be used or useful only in relation to some of them, the information is likely to be excessive and irrelevant in relation to those individuals in respect of whom it will not be used or useful, and should not be held in those cases.78
78 Information Commissioner Data Protection Principles at 18.
4.2.22 Where personal information contains a general identifier, additional conditions should be laid down to protect the security of the information collected; otherwise the processing will be treated as unreasonable.
4.2.23 There should furthermore be limits to the collection of information. “Fishing expeditions” should not be allowed, and personal information should be collected for a clearly specified purpose only.79 80 The principle is prominent in all the main international information protection instruments as well as in national legislation.81 See Principle 2 below.
79 Roos 1998 THRHR at 499 and the references made therein. See discussion below on Principle 2.
80 Pretexting is the practice of collecting information about a person using false pretenses. Typically investigators pretext by calling family members or coworkers of the victim under the pretense of some official purpose. The family members are deceived by the pretexter and provide personal information on the victim.
81 Sec 5(3) of Canada’s Personal Information Protection and Electronic Documents Act states as follows:
“An organisation may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.”
Principle 1 of the New Zealand Privacy Act stipulates as follows:
Purpose of collection of personal information
Personal information shall not be collected by any agency unless -
(a) The information is collected for a lawful purpose connected with a function or activity of the agency; and
(b) The collection of the information is necessary for that purpose.
The second Data Protection Principle in the UK Data Protection Act stipulates as follows:
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
4.2.24 Article 6(1)(c) of the EU Directive stipulates that EU member states shall provide that personal information must be:
(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;82
82 Article 5(b) and (c) of the CoE Convention contain an almost identical requirement, except that it relates to the purposes for which data are “stored”. See also Principle 3 of the UN Guidelines; See Principle 4 below.
4.2.25 The minimality principle is also manifested in Arts 7 and 8 of the Directive,83 which deal with this question extensively by setting out the circumstances in which processing will be reasonable, and what is not reasonable processing. Clarification has been provided in the Explanatory Memorandum to the Dutch law, which mentions as matters to be taken into account in determining the reasonableness of such processing: the nature of the information; the nature of the processing; whether the processing is carried out in the private sector or the public sector (with the latter being subject to a stricter assessment); and the measures which the controller has taken to protect the interests of the data subject. Also relevant is whether the processing is in accordance with a relevant code of conduct (in particular, of course, if the code has been positively assessed by the Information Protection Authority).84
83 Article 7 of the EU Directive
Member States shall provide that personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1(1).
Article 8 of the EU Directive
The processing of special categories of data
1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
However, there is a range of exceptions, which apply where:
2(a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his consent; or
(b) processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorized by national law providing for adequate safeguards; or
(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or
(d) processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; or
(e) the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims.
3. Paragraph 1 shall not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.
5. Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority, or if suitable specific safeguards are provided under national law, subject to derogations which may be granted by the Member State under national provisions providing suitable specific safeguards. However, a complete register of criminal convictions may be kept only under the control of official authority.
Member States may provide that data relating to administrative sanctions or judgements in civil cases shall also be processed under the control of official authority.
6. Derogations from paragraph 1 provided for in paragraphs 4 and 5 shall be notified to the Commission.
84 Korff EC Study at 80.
4.2.26 Of crucial importance for the extent to which information processing may occur, is the