the Model Law for the private sector it is set out in art 20.153
4.2.78 Comment is invited on the following clauses:
PRINCIPLE 2
from the data subject need not be taken if those steps have been taken previously in relation to the collection from that data subject, of the same information or information of the same kind and the purpose of collection and intended recipients of the information are unchanged.
(4) It is not necessary to comply with subsection (1) of this section where -
(a) non-compliance is authorised by the data subject; or
(b) non-compliance will not prejudice the interests of the data subject; or
(c) non-compliance is necessary -
(i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution, and punishment of offences; or
(ii) for the enforcement of a law imposing a pecuniary penalty; or
(iii) for the protection of the public revenue; or
(iv) for the conduct of proceedings before any court or tribunal being proceedings that have been commenced or are reasonably in contemplation; or
(v) in the interests of national security; or
(d) compliance would prejudice a lawful purpose of the collection; or
(e) compliance is not reasonably practicable in the circumstances of the particular case; or
(f) the information will -
(i) not be used in a form in which the data subject is identified; or
(ii) be used for statistical or research purposes and will not be published to any third party in a form that could identify the data subject.
Retention of records
13. (1) Subject to subsections (2) and (3), records of personal information must not be kept in a form which allows the data subject to be identified for any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless -
(a) another law requires or authorises the responsible party to retain the record;
(b) the responsible party reasonably requires the record for purposes related to its operation;
(c) the record is retained in terms of any contractual rights or obligations of the parties;
(d) the data subject has authorised the responsible party to retain the record.
(2) Records of personal information may be retained for periods in excess of those provided for under (1) only where the retention of these records is for historical, statistical or scientific purposes, and where the responsible party has established appropriate safeguards against the records being used for any other purposes.
(3) A responsible party that has used a record of personal information about an individual to make a decision about the individual must -
a) retain the record for such period of time as may be prescribed by law; or
b) where there is no law prescribing a retention period, for a period which will afford the data subject a reasonable opportunity, taking all considerations relating to the use of the personal information into account, to request access to the record.
(4) A responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after it is no longer authorised to retain the record under subsection (1).
(iii) Principle 3: Further Processing Limitation
4.2.79 The principles of collection limitation, purpose specification and use limitation are closely related and require that, once personal information is collected, there are limits to the internal uses to which a collecting body may put it, or to the external disclosure that may be made.155 The notion of “relevance” underlies all these principles, since the information may be processed only for purposes specified at the time of collection.156 Information gathered to determine income tax liability, for example, may not be used to evaluate eligibility for social assistance. If information is disclosed for other purposes, the consent of the individual must first be obtained.157
155 See discussion in Roos thesis at 496.
156 See purpose principle above.
4.2.80 In practice, there should, therefore, be limits to the use and disclosure of personal information: personal information should not be (used or) disclosed for other purposes except with the consent of the data subject; or by the authority of law.158
4.2.81 In New Zealand this principle is set out in Principle 10: Limits on use of personal information159 and in the UK it is set out in Principle 2.160
4.2.82 The idea of limiting use of personal information only for purposes specified at the time of collection (or compatible purposes or those authorised by the individual concerned or by law) lies at the heart of any information protection law.161
4.2.83 The Commonwealth Model Law for the Public sector makes provision for this principle in section 9.162 The Commonwealth Model Law for the private sector also makes provision for this principle in sections 12, 14 and 15.163
157 Roos 1998 THRHR at 505.
158 Para 10 of the OECD Guidelines; CDT’s Guide to Online privacy “Privacy Basics: Generic Principles of Fair Information Practices” found at http://www.cdt.org/privacy/guide/basic/generic.html (hereafter referred to as “CDT Guide”).
159 New Zealand Discussion Paper at 7.
160 The second Data Protection Principle in the UK Protection of Data Act stipulates as follows:
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
161 The principle itself is straightforward and runs only to a single sentence. However, the detail is to be found in the list of exceptions.
162 9 Limits on use of personal information
Subject to section 12, where a public authority holds personal information that was collected in connection with a particular purpose, it shall not use that information for any other purpose unless –
(a) the individual concerned authorises the use of the information for that other purpose;
(b) use of the information for that other purpose is authorised or required by or under law;
(c) the purpose for which the information is used is directly related to the purpose for which the information was collected;
(d) the information is used -
(i) in a form in which the individual concerned is not identified; or
(ii) for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned;
(e) the authority believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or other person, or to public health or safety; or
(f) use of the information for that other purpose is necessary -
(i) for the prevention, detection, investigation, prosecution or punishment of any offence or breach of law;
(ii) for the enforcement of a law imposing a pecuniary penalty;
(iii) for the protection of public revenue;
(iv) for the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal; or
(v) in the interests of national security.
163 Limits on use of personal information
12. (1) Where an organisation holds personal information that was collected in connection with a particular purpose, it shall not use that information for any other purpose unless –
(a) the individual concerned authorises the use of the information for that other purpose;
(b) use of the information for that other purpose is authorised or required by or under law;
(c) the purpose for which the information is used is directly related to the purpose for which the information was collected;
(d) the information is used -
(i) in a form in which the individual concerned is not identified; or
(ii) for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned;
(e) the organisation believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or other person, or to public health or safety; or
(f) use of the information for that other purpose is necessary -
(i) for the prevention, detection, investigation, prosecution or punishment of any offence or breach of law; or
(ii) for the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.
(2) Where an organisation uses personal information for a new purpose, it shall document that purpose in order to comply with section 21(5)(d).
Condition for use or disclosure of personal information
14. An organisation shall only use or disclose personal information under section 12 or section 13, where such use or disclosure would not amount to an unreasonable invasion of privacy of the individual concerned, taking into account the specific nature of the personal information and the specific purpose for which it is to be so used or disclosed.
Use of personal information outside [name of country]
15. (1) An organisation shall not use, outside [name of country] personal information collected in [name of country] unless the organisation -
(a) would be permitted under this Act to make the same use of that information in [name of country]; and
(b) takes appropriate steps to preserve the confidentiality of the information and to protect the privacy of individuals.
(2) Nothing in this section affects the use of personal information that is required or authorised to be made under another Act.
4.2.84 Two questions must be distinguished. First of all, what should be regarded as the specified purpose,164 and secondly, how is the incompatibility of any secondary processing with the primary purpose to be determined.165
4.2.85 In Belgium the law stipulates that the compatibility or incompatibility of secondary uses must be assessed in the light of the reasonable expectations of the data subjects. This stipulation derives from a court ruling under a previous law in which it was held, by reference to that test, that a bank could not, without the consent of its customers, use its customers’ payment information (which showed how much they paid other companies for certain insurances) to offer them cheaper insurance from its own insurance division.166
4.2.86 In Germany, the permissibility or otherwise of secondary processing of personal information for purposes different from the one for which the information was obtained (or disclosed) depends on the application of a variety of (slightly varying) balance tests, without express reference to compatibility. Basically, information may be used for a different purpose if this serves a (manifest) legitimate (or protection-worthy) interest of the responsible or a third party, provided there are no counter-prevailing legitimate interests of the data subjects. These tests were also developed under a previous law with regard to public-sector processing, and in that context were strictly applied: the interest for which the information could be used had to be manifest, and manifestly stronger than the interests of the data subject against such change of purpose. The extension of these tests to the private sector in principle amounts to a significant tightening of the law in Germany - but it is too early to see how this test will be applied to the private sector in practice.167
164 Dealt with in Principle 2.
165 Douwe Korff EC Study at 63. In practice, the two are closely linked, as can be well shown by contrasting law and practice under the UK and Irish laws.
166 Douwe Korff EC Study at 64.
4.2.87 The information protection authority in France takes into account, in particular, whether the data subject is under a legal obligation to provide the information (or has little choice in practice, eg. as concerns the supply of essential services), and whether the responsible party bears a special duty of confidentiality (as is the case with information held by financial institutions or medical doctors etc.).168
4.2.88 The Dutch law elaborates further on matters to be taken into account in determining whether processing for a secondary purpose is "(in)compatible" with the primary purpose for which the information was obtained. It mentions as examples of such matters: the relationship between the primary and secondary purposes; the nature of the information; the consequences of the (secondary) processing for the data subject; as well as the manner in which the information was obtained and the extent to which "suitable safeguards" have been provided to protect the interests of the data subjects.
4.2.89 In other words, under the Dutch Law too the question of "compatibility" is addressed very much like the question of "balance" in the context of the information protection criteria. Indeed, the two tests are closely intertwined. It follows from the compatible use requirement that (eg.) insurers may not use medical information obtained in the context of an insurance claim in order to take decisions on requests for a different insurance from the same customer; that information obtained in the context of a sale may not be used (without specific consent) to promote unrelated goods and services offered by the responsible party; that the creation of a personality profile on the basis of such sale information is also incompatible; as is the making of selections in mailings on the basis of sensitive criteria. Thus, for instance, the authorities have suggested that a pharmacist may not send out a mailing to customers who have bought contact lenses, about a new contact-lens-cleaning fluid (unless the customers expressly and unambiguously consented to this beforehand).169
4.2.90 An issue has arisen overseas as to whether "browsing" constitutes a "use" under such a principle. An English case suggests that simply reading personal information, but not employing that information for a purpose, may not constitute "use." In that case it could be shown that a police officer had checked a confidential police information base for details of debtors being investigated by his friend but it could not be proved that the information had been passed on or actually put to a use. The Court treated the accessing of the computer record as a prerequisite to use rather than use itself.
167 Douwe Korff EC Study at 64.
168 Douwe Korff EC Study at 65.
169 Douwe Korff EC Study at 65.
4.2.91 The Commissioner, furthermore, had to form a view on the meaning of the term in a Principle 8 case where a responsible party stored and retrieved information but nothing else had apparently happened. The Commissioner concluded that in order to show that some usage had occurred, the retrieval would need to have been followed by some act.
4.2.92 As will be clear from the above, Art. 6(1)(b) of the Directive in principle allows for the further processing of personal information for research purposes, even if the information had not been collected for those purposes, as long as the appropriate safeguards are provided. However, the processing of sensitive information for such purposes (other than with the consent of the data subjects) is only allowed on the basis of Art. 8(4), also quoted above, i.e. the Member States may only allow this (even with suitable safeguards) with regard to research which serves a substantial public interest.170
4.2.93 It should be noted that the use of credit information for the purposes of compiling marketing lists is a controversial issue. However, it has been argued that the use of credit information for marketing purposes is not always a negative practice as it is better to ensure that consumers that are over-committed or in difficulties are removed from such lists. Without the use of credit information, marketing will not stop, it will simply become more general, increasing the exposure of those who are vulnerable. Opt out consent could perhaps provide the necessary protection in this regard.171
170 Douwe Korff EC Study at 66. In the Netherlands and Sweden, processing of non-sensitive data for research purposes is subject to rather limited safeguards only, in that the Dutch law merely requires safeguards to ensure that any data used for research purposes are only used for those purposes (without otherwise protecting the data subjects). The proviso about research data not being used to take decisions in respect of the data subjects is also set out in the UK law, which adds to this a weighted balance test: data are not [to be] processed [for research purposes] in such a way that substantial damage or substantial distress is, or is likely to be caused to any data subject. Overall, the rules concerning secondary processing of personal information for research purposes without the consent of the data subjects thus vary very considerably: some consist of rather general substantive rules, others of more detailed substantive requirements; some rely on procedural safeguards; and some combine substantive and procedural rules. Some are contained in the data protection law; and some in other laws or regulations.
171 Credit Bureau Association.
4.2.94 In so far as the disclosure of information to third parties is concerned, this principle is not always consistently expressed in information protection instruments. Moreover, neither the CoE Convention nor the EU Directive specifically addresses the issue of disclosure limitation but treats it as part of the broader issue of the conditions for processing information. Thus, neither of these instruments apparently recognises disclosure limitation as a separate principle but incorporates it within other principles, particularly those of fair and lawful processing and of purpose specification.
4.2.95 The OECD Guidelines incorporate the principle of disclosure limitation within a broader principle termed the “Use Limitation Principle”,172 while the UN Guidelines specifically address the issue of disclosure under the principle of purpose specification.173
4.2.96 Disclosure limitation is, however, sometimes singled out as a separate principle in its own right because it tends to play a distinct and significant role in shaping information protection laws. Concomitantly, numerous national statutes expressly delineate it as a separate principle or set of rules.174
4.2.97 In New Zealand this principle is set out in Principle 11175: Limits on disclosure of personal
172 Principle 4 of the OECD Guidelines reads as follows:
(para 10) Use Limitation Principle
Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except:
a) with the consent of the data subject; or
b) by the authority of law.
173 Bygrave Data Protection at 67.
174 Bygrave Data Protection at 67.
175 PRINCIPLE 11
Limits on disclosure of personal information
An agency that holds personal information shall not disclose the information to a person or body or agency unless the agency believes, on reasonable grounds -
(a) That the disclosure of the information is one of the purposes in connection with which the information was obtained or is directly related to the purposes in connection with which the information was obtained; or
(b) That the source of the information is a publicly available publication; or
(c) That the disclosure is to the individual concerned; or
(d) That the disclosure is authorised by the individual concerned; or
(e) That non-compliance is necessary -
(i) To avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences; or
(ii) For the enforcement of a law imposing a pecuniary penalty; or
(iii) For the protection of the public revenue; or
(iv) For the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or
(f) That the disclosure of the information is necessary to prevent or lessen a serious and imminent threat to:
(i) Public health or public safety; or
(ii) The life or health of the individual concerned or another