Privacy Flashcards

(23 cards)

1
Q

Privacy definition

A

It could mean
- a right to be left alone
- a right to control info about you - keeping info private
- a right to make decisions about your personal life without govt intervention - bodily autonomy, integrity

Article 12 universal declaration of human rights

The state not being able to look at you… also about corporations and companies having limited ability to see info

2
Q

How is privacy regulated internationally

A

Privacy tort
Notice and consent
based on privacy in consumer contexts
…Consent can be meaningless if the declaration is too long or employer wants info and you are desperate for a job
Purpose limitation
…European Union General Data Protection Regulation (GDPR)

………..takes emphasis away from consent - emphasis on limiting harm on the idea of purpose and limitation (workplace can get around this as they are ‘making money’ by selling data, as opposed to making money in the first place (by business operation))

3
Q

How is privacy regulated in NZ

A

The tort of breach of privacy
Privacy Act 2020

4
Q

How privacy is regulated in NZ: privacy act 2020

A

Privacy act 2020 deals mainly with collection & disclosure of personal info
It applies to “personal information”

- personal info = info about an identifiable individual including info about employees
Collected and held or used by any “agency”
- agency is defined to include all human beings, org and corporations in public and private sectors
(Excluding news media, members of parliament, the governor general, ombudsmen & the courts)

My notes
Privacy act trying to recognise people don’t get to live in a bubble. The act wants people to be active in society. Competing goals to be balanced
Yes - people have a right to privacy
Also - rights of org to pursue legitimate goals with that data

5
Q

The function of the privacy act 2020

A
  • try to balance the right of info privacy and rights of org to pursue legitimate goals
    • all org required to have privacy officer to deal with privacy issues
    • the act has 13 principles that stipulate how info can be collected & used, & peoples rights to gain access to that info and ask for it to be corrected
    • the principles are not directly enforceable in court. An aggrieved individual must make a complaint to the privacy commissioner alleging an “interference with privacy”
6
Q

Privacy principle 1 Purpose of collection of personal information

A

An agency must only collect personal information if it is for a lawful purpose connected with their functions or activities, and the information is necessary for that purpose

Purpose limitation constraint
Devil is in the detail of how this is interpreted / applied
Eg - spyware on computer to do exams at a distance, but invigilator was looking through personal files on the computer - students complained to privacy commission… but said it was a lawful purpose for the university
Eg - most people don't think it's okay to put cameras in changing rooms, except for privacy commission. They said it was a lawful purpose to stop people stealing from the shops

Lawful purpose for employer to care about wellbeing… can be camera near machine, or health app that sends data to third party data broker

7
Q

Privacy principle 2 - source of personal info

A

Personal info should be collected directly from the person it is about.
– It will not always be possible to collect information directly from the person concerned so agencies can collect it from other people in certain situations including:
* if the person concerned authorises collection from someone else
eg referees being contacted for employment
* if the information is collected from a publicly available source.

8
Q

Privacy principle 3 collection of info from subject… what does agency need to tell

A

When an agency collects personal info, it must take reasonable steps to make sure that the person knows
Why it is being collected
Who will receive it
Whether giving it is compulsory or voluntary
What will happen if the info is not provided

…. They don't have to make sure that you know^^…. They just have to take “reasonable steps” to make sure you know…. Eg
Something included in an email
On a noticeboard
In an app

9
Q

Privacy principle 4 Manner of collection

A

An agency may collect personal info only by a lawful means that is fair; and does not intrude to an unreasonable extent upon the personal affairs of the individual concerned
…. Extra obligation to not use unfair means for children…. protection… more easily taken advantage of - puts constraint on orgs

Teacher worry ….. More we have a norm of total surveillance, the more it becomes a reasonable expectation
Eg social media being searched pre employment… used to not be normal “private communications”… now is normal
— what's normal changes — what's reasonable changes —

10
Q

Privacy principle 5 storage & security of information

A

Org must ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse or disclosure of personal info
If an org has a serious privacy breach, it must notify the Office of the Privacy Commissioner as soon as possible (within 72 hours)
“Reasonable storage of info” - context specific

11
Q

Privacy principle 6 access to personal information

A

An org must provide access to the personal info it holds about someone if the person in question asks to see it
- the privacy act does not allow you to request info about another person, unless you are acting on that person’s behalf and have written permission
Eg uni can’t tell student's parents their grade…. Only student

12
Q

Privacy principle 7 Correction of personal information

A

A person has a right to ask an org to correct info about them if they think it's wrong
Eg wrong credit rating which might be affecting ability to buy house… can ask for it to be corrected
EU law has “a right to be forgotten”… can't delete but right to be forgotten can apply, usually used when people committed crimes

13
Q

Privacy principle 8 accuracy of personal info to be checked before use

A

The agency must not use the info without taking reasonable steps to ensure it is accurate, up to date, complete, relevant and not misleading
Important with AI profiling, e.g. having the same name as a person who committed a crime, agency can get confused, an error

14
Q

Privacy principle 9 Agency not to keep personal info for longer than necessary

A

The agency must not keep the info for any longer than it is needed for the purpose for which it was collected
Environmental cost to the data that is kept…. Also easier to keep than delete

15
Q

Privacy principle 10 limits on use of personal info

A

Info collected for one purpose must not be used for any other purpose
There are exceptions eg where the agency reasonably believes the individual has authorised further use, or that the info was from a publicly available publication

16
Q

Privacy principle 11 Limits on disclosure of personal info

A

Info must not be disclosed except in situations:
- Disclosure is one of the purposes for which the org got the info
Eg research… goal to publish…. You can do so
- The person concerned authorises the disclosure
- The info is to be used in a way that does not identify the person concerned
- Disclosure is necessary to avoid endangering someone’s health or safety
- Disclosure is necessary to uphold or enforce the law
… doing research and someone told you they committed crime = obligation to disclose that
Find out someone is harming themselves, use that info to help

17
Q

Privacy principle 12 disclosure of personal info outside of NZ

A

New principle for 2020
Business or org may only disclose personal info to another org outside of NZ if they check that the receiving org:
Is subject to the Privacy Act because they do business in NZ
Will adequately protect the info - is subject to privacy laws that provide comparable safeguards to the Privacy Act

If none of the above criteria apply (eg U.S.), a business or org may only make a cross border disclosure with the explicit permission of the person concerned. The person must be expressly informed that their info may not be given the same protection as provided in the NZ Privacy Act
… help keep our privacy standards up to continue business with others eg EU
Org have to make sure they know privacy levels of overseas, if they are sending it to worse privacy protection, they add box to explicitly state this eg tickbox to “agree” info is going overseas with less protection than NZ

18
Q

Privacy principle 13 unique identifiers

A

An agency (A) may assign a unique identifier to an individual for use in its operations only if that identifier is necessary to enable A to carry out 1 or more of its functions efficiently
Unique identifier can group lots of important privacy things together

18
Q

privacy codes of practice

A

Privacy Act 2020 gives the Privacy Commissioner the power to issue codes of practice that become part of the law. These codes modify the operation of the Privacy Act and set rules for specific industries, org, or types of personal info

There are currently 6 codes of practice - particular situations - has the effect of law
Civil defence national emergencies (info sharing) code 2020
Credit reporting privacy code 2020
Health info privacy code 2020
Justice sector unique identifier code 2020
Superannuation schemes unique identifier code 2020
Telecommunications info privacy code 2020

The privacy commissioner also recently consulted on a biometrics code of practice

19
Q

privacy - biometrics

A

Physical and behavioral features
Facial recognition, fingerprint, voice, keystroke patterns, how they walk
Used for
Verification or authorisation involves confirming the identity of an individual
Identification involves determining the identity of an unknown individual using biometric info
Eg crime committed, there is a clear picture of someone’s face, they can compare it with data that’s already available
Categorisation or profiling involves using biometrics to extract info and gain insights about individuals or groups
Taking info and processing through AI processing big data and drawing inferences
Where major privacy risks arise

20
Q

privacy - high risk use of biometrics

A

Using biometrics to infer personality and emotion is widely viewed as a high risk to privacy
Particularly in workplace and educational settings -
Eg emotional recognition in Singaporean jails, officer can track how they are feeling… Boss / teacher doesn’t need to know how you feel about that…. Can also be largely inaccurate as people express emotion differently

The current draft biometrics code of practice excludes any analytical process that is integrated into a commercial service - nuku not under this code

…. Highly regulated in the EU and also the platform workers directive is prohibited except in very very narrow circumstances

21
Q

what does privacy commission do?

A

no enforcement powers, it provides mediation and recommendations
If something needs to be enforced, it goes to human rights tribunal

22
Q

Tort : Breach of privacy