119 Prof Martin Olivier.
120 Another example referred to by Prof Olivier is that it is currently possible to opt-out of cookie-collection by DoubleClick — one of the largest collectors of web-related consumer behaviour. However, most consumers will neither be able to establish how to opt-out, nor understand the technology involved to opt-out (and therefore find it hard to establish whether opting out is a safe proposition). Worse, one can just imagine the effort required to locate and opt-out of all such services. And it is hard to imagine what new services will be established in future; again expecting the consumer to keep abreast of such new services and opting out of each is unrealistic. I suggest that the possibility to opt-out is not a valid form of consent for any ‘service’ that directly affects the consumer, such as sending unsolicited bulk e-mail. The case where it potentially has an indirect effect on consumers — such as when tracking cookies are placed on a user’s disk — is more problematic and needs serious discussion to attempt to identify (and delineate) those few cases where allowing opt-out as a form of consent does indeed warrant consideration.
121 Douwe Korff EC Study at 77.
122 ‘consent’ means any freely-given, specific and informed expression of will whereby data subjects agree to the processing of personal information relating to them;
Lawfulness of processing 123
7. Personal information must be processed -
(a) in accordance with the law; and
(b) in a proper and careful manner in order not to intrude upon the privacy of the data subject to an unreasonable extent.
Minimality
8. Personal information may only be processed where, given the purpose(s) for which it is collected or subsequently processed, it is adequate, relevant, and not excessive. 124
Consent and necessity conditions
9. (1) Personal information may only be processed where the:
(a) data subject has given consent for the processing; or
(b) processing is necessary for the performance of a contract or agreement to which the data subject is party, or for actions to be carried out at the request of the data subject and which are necessary for the conclusion or implementation of a contract; or
(c) processing is necessary in order to comply with a legal obligation to which the responsible party is subject; or
(d) processing is necessary in order to protect an interest of the data subject; or
(e) processing is necessary for the proper performance of a public law duty by the administrative body concerned or by the administrative body to which the information is provided; or
(f) processing is necessary for upholding the legitimate interests of the responsible party or of a third party to whom the information is supplied.
123 OECD par 7; CoE art 5; EU Dir art 6(1)(a); New Zealand (NZ) Principle 4; The Netherlands (NL) art 76; Roos thesis ftnt 51 at 482 and 483.
124 Sec 8 (embodying the minimality principle, see paras 4.2.23-4.2.28 above) can also be included under Principle 2: Purpose specification and Principle 4: Data quality. Comment is invited.
(2) The processing of personal information in terms of subsection (1)(e) or (f) is subject to the data subject’s rights set out in sections 14, 52 and 93 125 below.
Collection directly from data subject
10. (1) Personal information must be collected directly from the data subject.
(2) It is not necessary to comply with subsection (1) of this principle if -
(a) the information is contained in a public record; or
(b) the data subject authorises collection of the information from someone else; or
(c) non-compliance would not prejudice the interests of the data subject; or
(d) non-compliance is necessary -
(i) To avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution, and punishment of offences; or
(ii) For the enforcement of a law imposing a pecuniary penalty; or
(iii) For the protection of the public revenue; or
(iv) For the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or
(v) In the interests of national security; or
(vi) for upholding the lawful interests of the responsible party or of a third party to whom the information is supplied;
(e) compliance would prejudice a purpose of the collection; or
(f) compliance is not reasonably practicable in the circumstances of the particular case; or
(g) the information -
(i) will not be used in a form in which the individual concerned is identified; or
(ii) will be used for statistical or research purposes and will not be published in a form that could identify the individual concerned; or
(h) the collection of the information is in accordance with an authority granted under section 33 (exemptions) of this Act.
125 This section is furthermore to be read with the other information principles. See also ss 10, 11 and 12 of the UK DPA; arts 14 and 15 of the EU Directive; see also sec 45 of the ECT Act for the opt-out option regarding unsolicited commercial communications.
(ii) Principle 2: Purpose specification/ Collection limitation
4.2.54 The OECD “purpose specification principle” (Principle 3) reads as follows:
The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
4.2.55 This principle is furthermore set out in Article 6(1)(b) of the EU Directive.126 See also the basic regulatory premise - embodied in arts 7 and 8 of the EU Directive - which is that the processing of data is prohibited unless it is necessary for the achievement of specific goals. 127
Purpose specified at time of collection
4.2.56 Many information privacy laws oblige explanations only when collecting individual information directly from the individual concerned. However, a realisation as to the limitations of that approach has led some modern information privacy laws to vary the approach. The 1992 British Columbia law obliges public bodies to tell any individual from whom it collects personal information the purpose and legal authority for collection of personal information.
4.2.57 However, if an obligation were to be imposed on responsible parties to explain the purpose of collection when collecting information from someone other than the individual concerned, there would be a variety of issues to be worked through. For example, should the obligation arise only when collecting information from a natural person, such as a parent, or also when collecting information from another public or private body?
4.2.58 Another issue raised is that it may be open to responsible parties to proclaim their functions or activities on a very broad basis. It may be relatively easy for a responsible party to claim that it had broader purposes in mind than were fully understood by the individual from whom information was collected. The problem is how to be sure as to what a responsible party's function or activities were at the time of collection. Explaining the purpose of collection is, furthermore, seen as of greatest importance, but should any other explanations be required, such as an indication as to whether collection is mandatory or voluntary?128
126 Article 6(1)(b) of the EU Directive stipulates that Member States shall provide that personal data must be:
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
127 See discussion in Roos thesis at 483.
4.2.59 This task is theoretically more straightforward in jurisdictions having a registration/notification process. In those jurisdictions agencies are required to register a list of their functions or activities and the purposes for which they collect information.129 They are therefore not permitted to use the information for an unregistered purpose. 130 (It is proposed that the South African legislation will make provision for a process of notification. See discussion in Chapter 5 below.)
4.2.60 Where no registration or notification takes place, it might be possible for responsible parties/data processors to have a statement of their functions and activities and their purposes for collecting information on their own file. The suggestion is that this could be verified in some way, such as by having a dated copy open for inspection at the responsible party/data processor or published from time to time, for example in a responsible party’s annual report.
4.2.61 Another approach might place an onus on the responsible party to prove these matters in the event of a complaint. Naturally a responsible party would have a defence when it has actually taken steps to communicate its purposes to the individual concerned. Where this has not been done the responsible party would be obliged to make out a case where there are doubts as to the matter.
4.2.62 A third suggestion would be to oblige bodies to give notice to the regulatory authority in certain exceptional cases where a high degree of sensitivity exists in respect of the purpose of the information.131
128 New Zealand Discussion Paper at 3.
129 New Zealand, Australia and Canada have rejected a registration process as being too bureaucratic, imposing unreasonable compliance costs on business and government, and as being ineffective in enhancing privacy. See discussion below dealing with the notification process.
130 Part II of Schedule I of the UK Data Protection Act indicates that there are two means by which a data user may specify the purpose for which the personal data are obtained namely, in a notice given by the data controller to the data subject and in a notification given to the Commissioner under the notification provisions of the Act.
131 New Zealand Discussion Paper at 2.
4.2.63 For example, because of competition, credit bureaux are not inclined to register a list of their functions or activities but may be prepared to compile an internal statement of their functions, activities and purposes for processing information, which statement can be open for inspection by the regulatory authority.132
4.2.64 The UK law stipulates that the purpose of any processing may be specified in particular, in the information given to the data subject or in the particulars notified to the information protection authority in the context of notification. In the UK (as elsewhere) the notified purposes are, however, often expressed in broad terms - which means that responsible parties can claim some considerable leeway with regard to both the primary and any secondary purposes.133
4.2.65 For the purpose of this principle the point is that the determining specification is the one provided to the data subjects when the information is obtained, and not the one set out in a responsible party’s notification. 134
4.2.66 Respondents to Issue Paper 24 agreed with this principle.135 Responsible parties should be obliged to identify the minimum amount of information that is required in order properly to fulfil their purpose and this will be a question of fact in each case. If it is necessary to hold additional information about certain individuals, such information should only be collected and recorded in those limited cases. It should not be acceptable to hold information on the basis that it might possibly be useful in future without a view of how it will be used.136
132 The CBA submitted that in defining the legitimate purpose/s for which data is processed within the South African credit information system cognizance should be taken of the fact that credit bureaux in South Africa have reached a level of maturity and sophistication comparable with the most mature systems in the world and consequently are able to provide information for the assessments of risks other than credit risks such as insurance risk; and provide information for purposes of fraud prevention.
133 Douwe Korff EC Study at 63.
134 Douwe Korff EC Study at 64.
135 ENF for Nedbank; LOA; Credit Bureau Association.
136 ENF for Nedbank; LOA.
Retention of records
4.2.67 Article 6(1)(e) of the EU Directive stipulates that Member States shall provide that personal data must be:
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.
Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
4.2.68 See also art 5(e) of the CoE Convention.137 The Commonwealth Model Law for private sector sets out the finality of records in art 20 (2) and (3).138
4.2.69 The OECD Guidelines omit a specific provision on the destruction or anonymisation of personal data after a certain period. However, it may be required pursuant to the principle of “purpose specification”. Many, but not all,139 national laws make specific provision for the erasure etc of personal information once the data are no longer required.140
4.2.70 For example in national laws see Data Protection Principle 5 in the UK Data Protection Act 141 and Principle 9 of the New Zealand Privacy Act. 142 Similar provisions are found in several other jurisdictions. See for example, principle 2(2) of the Hong Kong Personal Data (Privacy) Ordinance 143 and the 1993 Quebec Act respecting the Protection of Personal Information in the Private Sector (section 12).144
137 Art 5(e) of the CoE Convention reads as follows:
Article 5 Quality of data
Personal data undergoing automatic processing shall be:
a) - d) ...
e) preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.
138 Article 20 Retention of records
(1) ...
(2) An organisation that has used a record of personal information about an individual to make a decision about the individual shall retain the record for such period of time as may be prescribed after making the decision, to allow the individual a reasonable opportunity to request access to the information.
(3) An organisation shall destroy or delete a record of personal information or de-identify it as soon as it is no longer authorised to retain the record under subsection (1).
139 US federal Privacy Act 1974 being an example.
140 Bygrave Data Protection at 60.
141 Fifth Principle
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
142 New Zealand Discussion Paper at 6:
Principle 9
Agency not to keep personal information for longer than necessary
An agency that holds personal information shall not keep that information for longer than is required for the purposes for which the information may lawfully be used.
4.2.71 The principle will however be subject to the requirements of other enactments. There are, for example, laws requiring taxpayers to retain taxation records and health agencies to retain medical records. In the public sector the national archives 145 and national 146 and local 147 government require the retention of certain archives.148
4.2.72 Concerns have been expressed that over zealous application of this principle might lead to premature destruction of records which may in fact turn out to be useful to the responsible party and able to be used both lawfully and in accordance with the information privacy principles. It may also be possible, for example, for the responsible party to return documents to the data subject or disclose the information to another responsible party that does have a further lawful use for the information.
4.2.73 Of course, personal privacy and autonomy may also be harmed by the premature destruction of information. Examples include:
* destruction by the sole repository of information concerning a person's origins (such as information about a birth parent in an adoption context or about donor of gametes in relation to offspring born through assisted human reproduction);
* destruction of personal information so as to prevent the individual concerned exercising a right of access;
* destruction of information upon which a decision has been based so as to prevent any review of that decision or exercise of any judicial or administrative remedies (for example, information which would have indicated unlawful discrimination in an employment decision).
143 Personal data shall not be kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data are or are to be used.
144 Once the object of a file has been achieved, no information contained in it may be used otherwise than with the consent of the person concerned, subject to a time limit prescribed by law or by a retention schedule established by government regulations.
145 National Archives of South Africa Act 43 of 1996.
146 Electoral Act 73 of 1998.
147 Eg. the Local Government Municipal Electoral Act 27 of 2000 and the Local Government Municipal Property Act 6 of 2004.
148 New Zealand Discussion Paper at 6; SAHA believes that any adoption of such a principle must explicitly recognise that:
* Categories of “personal” and “public” information are not mutually exclusive
* The “purpose” of a document may include indefinite retention in a public archive as a document of enduring value and
* Destruction of certain records is legally impermissible under the National Archives Act and provincial archival legislation until such time as an assessment has been made of whether they are records of enduring value.
4.2.74 It was submitted that guidelines should be provided but that self-regulation, in the form of individual codes of conduct, should define the applicable retention periods.149
4.2.75 Different laws require different record retention periods. For instance, financial and accounting information is generally retained for a pre-determined time period (approximately 5 years), while long-term insurance contracts can easily have a contractual duration equal to or extending beyond the lifetime of the life assured. Legislation such as the Financial Intelligence Centre Act provides that records should be retained for 5 years after the termination of an insurance contract.150 It was argued that fraud information should remain in a correctly managed storage system for an indefinite period and should not be restricted to a 3 or 5 year deletion.151
4.2.76 The British Columbia Freedom of Information and Protection of Privacy Act has tackled this issue directly. In a section entitled "retention of personal information" (section 31) it states:
If a public body uses an individual's personal information to make a decision that directly affects the individual, the public body must retain that information for at least one year after using it so that the individual has a reasonable opportunity to obtain access to it.
4.2.77 In the Commonwealth Model Bill for the public sector this principle is set out in art 14. 152 In the Model Law for the private sector it is set out in art 20. 153
149 The Banking Council.
150 LOA.
151 SAFPS.
152 Retention and disposal of personal information
14.(1) Where a public authority uses personal information for an administrative purpose, it shall retain the information for such period of time after it is so used as may be prescribed by regulation in order to ensure that the individual concerned has a reasonable opportunity to obtain access to the information, if necessary.
(2) Subject to subsection (1) and this Act, the Minister shall prescribe by regulation, guidelines for the retention and disposal
4.2.78 Comment is invited on the following clauses:
PRINCIPLE 2