Wednesday, November 14, 2007

Privacy law roundup

Garda Code of Practice

The Data Protection Commissioner has announced the launch of a data protection code of practice for the Garda Síochána, which will include random audits of the use of the PULSE system. This is the first code of practice to be approved by the Commissioner. More coverage in the Examiner.

Landlord spied on students

The Irish Times reports that 10 students were awarded a total of €115,000 against their landladies who had installed electronic surveillance equipment to spy on them:
Two Dublin landladies have been ordered to pay damages totalling more than €115,000 to 10 students who were tenants in their house after the Circuit Court found they had kept the students under secret electronic surveillance...

The students became concerned in late 2004 that their conversations and activities were being monitored when the McKennas referred to details the students had discussed in private in the house. When they raised the issue with the McKennas, the students were evicted....

Judge Gerard Griffin yesterday found that the evidence in the case left him "in no doubt whatsoever that the defendants had kept these plaintiffs under electronic surveillance".

The judge said he could not say whether it was audio or video surveillance or both, but he was concerned that yellow wires found in the house were of the international standard used for video recording.

This isn't the first instance of this in Ireland - in 2003 a Galway landlord was found to have installed miniature cameras in the ceilings of his female tenants' bedrooms and bathrooms.

Australian proposals for privacy reform

The Australian Law Reform Commission has published a discussion paper on Australian Privacy Law. This substantial document (stretching to 1995 pages in PDF!) proposes a root-and-branch overhaul of Australian privacy laws and, given its scope and ambition, is likely to be influential on this side of the world also. Some highlights:
Deceased people
The ALRC proposes that some aspects of privacy protection should apply to personal information concerning deceased persons.

In particular:
• data quality and security requirements should apply, so that organisations that hold information about deceased persons must ensure that it is accurate and protected from misuse, loss, unauthorised access or disclosure; and
• there should be some right of access to information for family members. The ALRC has heard that people who had a relationship to the deceased—such as family members—may sometimes need to access information in order to know about medical conditions, or to document family history. Under the proposed changes, any person would be able to apply for access to information relating to a deceased person.

Before releasing information, the organisation would have to consider whether this would have an unreasonable impact on the privacy of others, including the deceased person.

Sensitive information
The ALRC proposes that the definition of sensitive information be changed to include certain types of biometric information.

Biometric information—which can include photographs, fingerprints, iris scans or voice recordings—is like some other sensitive information because it is often linked to an individual’s physical characteristics. It also carries greater risks than some other forms of information—such as the risk of revealing an individual’s cultural origins, or providing information that can allow an individual to be impersonated.

For these reasons, the ALRC proposes that biometric information should be given the same level of protection as other information that is currently treated as sensitive information. This should only apply in certain circumstances, such as where biometric information is collected for purposes of identification.

Email and IP addresses
Technology has changed the types of information that may reveal facts about an individual. For example, an email address or internet protocol (IP) address may reveal much about an individual, but these categories of information may not be covered by the Privacy Act because they may not specifically identify the individual.

The ALRC proposes that the definitions of ‘personal information’ and ‘record’ in the Act be broadened to cover information such as email and IP addresses in some

Personal information published on the internet
The internet creates greater opportunity for personal information to be published, sometimes anonymously.

The ALRC is interested in feedback on whether there should be a ‘take down notice’ scheme that would require a website operator to remove information that may constitute an invasion of an individual’s privacy. This could be similar to—or an extension of—a scheme that currently operates for removal of prohibited content, based on decisions of the Classification Board.

Data breach notification
Agencies and organisations are not currently obliged to notify individuals where there has been unauthorised access to their personal information.

The ALRC proposes that individuals be notified where there has been unauthorised access to personal information that could lead to a real risk of harm to any affected individual.

Under this proposal the Privacy Commissioner would oversee the decisions of agencies and organisations about the level of risk and whether individuals should be notified. If the Privacy Commissioner formed the view that there was a real risk of serious harm, he or she could direct that the agency or organisation notify the affected individuals.