Quality of information to be ensured
15. The responsible party must take the reasonably practicable steps, given the purpose for which personal information is collected or subsequently processed, to ensure that the personal information is complete, not misleading, up to date and accurate.
216 Information Commissioner Data Protection Principles at 20.
217 The Banking Council.
218 LOA.
219 OECD par 8; CoE art 5; EU Dir art 6(1) (c); Roos thesis at 492.
(v) Principle 5: Openness
4.2.125 The principle of openness flows from the notion of fairness and transparency set out above.220 It is furthermore the first part of the principle giving effect to data subject participation and control. Before an individual can request access to personal information, he or she has to have knowledge of the fact that personal information about him or her is being kept by a specific body.221 4.2.126 It is clear that even the most comprehensive measures for protecting information are
worthless if the individual does not have such knowledge. Without this knowledge he or she remains completely unaware that his or her privacy is threatened or even actually infringed. Therefore the responsible party should have a legal duty to notify persons concerning whom information is collected of this fact (unless, of course, they are in some other way already aware of it).222 Obviously allowance must be made for exceptions to this principle, for example where personal information is processed for the purposes of national security.223
4.2.127 The most important of these rules are those which require responsible parties to orient data subjects directly about their information-processing operations. Secondly, are the category of rules requiring responsible parties to provide basic details of their processing of personal information to information protection authorities, coupled with a requirement that the latter store this information in a publicly accessible register.224
4.2.128 Principle 6 of the OECD Guidelines225 stipulates that there should be a general policy of
220 See discussion in Roos thesis at 505.
221 Roos 1998 THRHR at 499.
222 Neethling’s Law of Personality at 278 refers to Klopper at 266-267 who comments on the present position in SA regarding credit bureaux: “[O]nder die huidige bestel is persone nie . . . bewus van die inligting wat oor hulle bestaan nie omdat hierdie inligting agter ’n sluier van vertroulikheid verberg word wat hy (sic) nie eens die reg het om te lig nie.” (see further McQuoid-Mason Law of Privacy at 198).
223 See in general on exceptions Neethling Huldigingsbundel WA Joubertat 125-128.
224 Bygrave Data Protection at 63.
225 Para 9 Part II Basic Principles of National Application of OECD Guidelines; Roos 1998 THRHRat 503.
openness about developments, practices and policies with respect to personal information.226 Means should be readily available of establishing the existence and nature of personal information, and the main purposes of its use, as well as the identity and usual residence of the responsible party.
4.2.129 Articles 10-11 of the EU Directive227 require responsible parties (data controllers) to supply data subjects directly with basic information about the parameters of their data-processing operations, independently of the data subjects’ use of access rights. The Directive therefore provides detailed guidance on the information that must be provided, and in this distinguishes between the situation in which information is obtained directly from the data subjects, and situations in which information is obtained from other sources than the data subjects.228
226 Principle 6 of the OECD Guidelines reads as follows:
Openness Principle
There should be a general policy of openness about developments, practices and policies with respect to personal data.
Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
227 Article 10 of the EU Directive
Information in cases of collection of data from the data subject
Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:
(a) the identity of the controller and of his representative, if any;
(b) the purposes of the processing for which the data are intended;
(c) any further information such as
- the recipients or categories of recipients of the data,
- whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply, - the existence of the right of access to and the right to rectify the data concerning him
in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.
Article 11 of the EU Directive
Information where the data have not been obtained from the data subject
1. Where the data have not been obtained from the data subject, Member States shall provide that the controller or his representative must at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed provide the data subject with at least the following information, except where he already has it:
(a) the identity of the controller and of his representative, if any;
(b) the purposes of the processing;
(c) any further information such as - the categories of data concerned, - the recipients or categories of recipients,
- the existence of the right of access to and the right to rectify the data concerning him
in so far as such further information is necessary, having regard to the specific circumstances in which the data are processed, to guarantee fair processing in respect of the data subject.
2. Paragraph 1 shall not apply where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. In these cases Member States shall provide appropriate safeguards.
228 At 98.
4.2.130 The laws in the EU member states, however, vary considerably with regard to the kinds of information that must be provided, the form in which it must be provided, and the time at which it must be provided - both in circumstances in which information is collected directly from data subjects, and in cases in which information on them is otherwise obtained.229
4.2.131 Art 10-11 of the Directive are supplemented by art 21 which requires the Member States to
“take measures to ensure that processing operations are publicised (art 21(1)) and to ensure that there is a register of processing operations open to public inspection (art 21(2).
4.2.132 The UN Guidelines “principle of purpose specification” (principle 3) stipulates that the purpose of a computerised personal data file should “receive a certain amount of publicity or be brought to the attention of the person concerned”.
4.2.133 This means that the following facts should be publicly known:230
b) the existence of record-keeping systems, registers and data banks that contain personal data;
c) nature of the data being processed;
d) a description of the main purpose and uses of the data; and e) identity and usual residence of the data controller.
4.2.134 An example of the principle in national legislation is that of Principle 3 of the New Zealand Privacy Act. 231 Underlying the principle are the idea of openness: that collection of personal
229 At 98; Thus, the laws in Austria, Belgium, Denmark, the Netherlands, Portugal and Sweden all again basically follow the Directive by stipulating that the controller must inform the data subject of the identity of the controller and the purposes of the processing, and of further information only to the extent that that is necessary to ensure fair processing in respect of the data subject (or when this is necessary to allow the data subject to exercise his rights, or to safeguard those rights.) The law in the UK also basically stipulates these matters - but then again qualifies this by adding that the information only needs to be provided so far as practicable and that the data subject must either be provided with the information, or have it made readily available to him. By contrast, the laws in Finland, Greece, Italy and Spain, and the proposed new (amended) law in France, are more demanding, by requiring that all the information be always provided. Several of them also require that the information should (in principle) be given in writing (Greece, Italy) or at least explicitly, precisely and unequivocally (Spain).
230 CDT’s Guide.
231 PRINCIPLE 3
Collection of information from subject
(1) Where an agency collects personal information directly from the individual concerned, the agency shall take such steps (if any) as are, in the circumstances, reasonable to ensure that the individual concerned is aware of -
information should be done with the knowledge or consent of the individual concerned, that the purposes for which information is collected should be specified and that there should generally be transparency about information collection policy and individual participation in that process.232
4.2.135 In South Africa PAIA partly complies with this principle as far as information collected by the public sector is concerned, with the requirements in sections 14 and 15 that an index of records must be kept.233 A similar provision is found in section 51 which applies to private bodies. PAIA does not, however, specifically deal with the collection of information.
4.2.136 It was clear from the response to the Issue Paper that there is in general support for this principle.234
It is, for instance, accepted as good practice within the credit information industry that credit grantors’ give data subjects 28 days notice prior to transferring default information on that data subject to a credit bureau.
4.2.137 Concern was, however, expressed that disclosing the purposes, the use of the information, the identity and address of the responsible party, and so on, may not be cost-justified. The ultimate question should be how much information must be provided so that any consent is properly informed.
235
(a) The fact that the information is being collected; and (b) The purpose for which the information is being collected; and (c) The intended recipients of the information; and (d) The name and address of -
(i) The agency that is collecting the information; and (ii) The agency that will hold the information; and (e) If the collection of the informationis authorised or required by or under law -
(i) The particular law by or under which the collection of the information is so authorised or required;
and (ii) Whether or not the supply of the information by that individual is voluntary or mandatory; and (f) The consequences (if any) for that individual if all or any part of the requested information is not provided;
and (g) The rights of access to, and correction of, personal information provided by these principles.
Section 4 makes provision for certain exceptions to sec 1.
232 New Zealand Discussion Paper at 3.
233 The Act provides that government and private bodies must publish a manual containing inter alia, a description of the subjects on which information is kept, as well as the categories of records held on each subject.
234 The Banking Council; SAFPS.
235 LOA.
4.2.138 In addition to the right of access to his information record, a data subject must also have the right to require from the responsible party information as to the identity of all persons who have had access to his information record. This will enable him to ascertain whether or not the information was used for the protection of a legally recognised interest or for the purpose(s) in question. Thus the responsible party must be legally obliged, at the request of the data subject, to give him or her information concerning whom and when the information was made available. Obviously provision must be made for exceptions in situations where it will not be justifiable to disclose such information.236 See Principle 7 below.
4.2.139 Comment is invited on the following clauses:
PRINCIPLE 5