(Image Source: https://flic.kr/p/igPaVp)
This is the second in a two-part post on the National Privacy Principles. This post deals with Principles Five through Nine. Footnotes are especially important.Disclaimers: I have taken a bit of artistic license with these two posts, so do allow for that. Feedback, comments, recommendations, are welcome.
Following up on the previous post, I discuss National Privacy Principles Five through Nine of the Justice AP Shah Report, continuing the parallel with the story of David and Goliath.
- Principle Five : Access and Correction
Following the general concept of empowering David discussed above, this principle requires that individuals should be able to see what personal information a data controller has about them. An example of this is the Facebook feature that allows you to download an entire archive of all the information that Facebook has about you.
The second part of this principle requires that an individual be able to correct, amend or delete the collected information where it is inaccurate. Thus, this principle allows David to check if the information and notifications given to him, such as the arena of the battle, the time, or the necessity of the battle itself, are actually just so.
Sadly, the Report makes these only a ‘best effort’ requirement, which is a dicey concept at best. Due to the crucial nature of this principle, the Report arguably should have made it mandatory. It is quite unfair to let David go to battle without letting him check if the information he has is correct, and at the same time, it wouldn’t do to have the Agency find have the wrong information about how to get in touch with David.
- Principle Six: Disclosure of Information
The sixth principle concerns the Disclosure of Information by the data controller. It discusses when, why, and how the data controller is allowed to share the information it has collected with third parties; i.e., parties that are neither the data controller as was originally notified to the data subject, nor the data subject him(or her)self.
The principles of notice and consent as articulated above are repeated here, and again made mandatory. Therefore, the collected information can only be shared with the consent of the data subject, and only after due notice has been given.
According to the Report, the third parties that do receive such information are also bound to adhere to the relevant and applicable Privacy Principles, including principle 6 itself.
- Principle Seven: Security
The seventh principle, Security, is perhaps the one principle that all data controllers would actually be hard pressed to ensure.
This principle requires data controllers to make sure that the information collected by them or in their custody remains secure, against a list of possible occurrences.[1] The level of security prescribed herein is the nearly omnipresent ‘reasonable’ standard, with the Report specifically requiring ‘reasonable security safeguards’, and protection against ‘reasonably foreseeable risks’.
The problem herein is twofold. One, the ‘reasonable’ standard is usually a basic minimums standard prescribed by various agencies, and in most cases it is blatantly insufficient. Thus, the data controllers essentially get away with putting a decades old rusted lock on Goliath’s cage. And whatever doors lie between him and the town he wants to rampage in.
The second problem is that it is admittedly a Herculean task to actually make anything perfectly secure on the internet – perhaps even impossible. But even so, it is quite inarguable that a vigilant and well-prepared IT department can always help prevent the damage in most cases, and mitigate it otherwise. That is, even though Goliath will break through, putting a garrison outside his prison really does help.
- Principle Eight: Openness
This principle is quite similar to the first principle of Notice, except that it is quite a bit broader. This principle applies not only to the collection et al of information, but to all the practices of the data collector regarding its compliance with the principles. It requires the Data Controller to make information regarding the steps taken by it to ensure its compliance easily accessible in an intelligible form, using clear and plain language. Furthermore, the obligation created herein is not limited to the data subjects alone, but to ‘all individuals’. A point worth note is that, this is, again, a ‘best effort’ principle.
So the obligations created herein would allow David to check up on a broader set of information than what is referred to above, including the compliance of the governing body in question with the above principles. And, crucially, these obligations can be claimed by ‘all individuals’, and not just David.
- Principle Nine: Accountability
The final principle is that of Accountability, or rather, the blame game. This principle states that the data controller will be held accountable for complying with the measures which actually bring the above principles into force. It also lists some illustrations of what these measures ‘should’ include.[2]
This principle is, in a way, the linchpin of the entirety of the National Privacy principles, giving them teeth, if they had any legal value. That is because it is this principle that would actually mean that failing to comply with the above would actually have some consequences on the data controllers, and would therefore give them some incentive to ensure compliance. That is, it is this principle that would mean that if Agency doesn’t meet the requirements set herein, David’s soul gets to take them to the Court.[3]
[1] “…loss, unauthorised access, destruction, use, processing, storage, modification, deanonymization, unauthorized disclosure [either accidental or incidental] or other reasonably foreseeable risks.”
[2] “Such measures should include mechanisms to implement privacy policies; including tools, training, and education; external and internal audits, and requiring organizations or overseeing bodies extend all necessary support to the Privacy Commissioner and comply with the specific and general orders of the Privacy Commissioner.“
[3] Only The Court has jurisdiction over this specific dispute though, but the Court is currently unavailable. Some dispute between two factions of the Presiding Souls about the government’s power to amend the Constitution. A member of the Ruling Dynasty was involved I hear, something about punishing souls of assassins. Tch tch.
2 thoughts on “Battling Goliath: An Analysis of the National Privacy Principles (Part II: Principles Five to Nine)”