The Conceptual Basis of Personal Information in Australian Privacy Law

Australian privacy law regulates how government agencies and private sector organisations collect, store and use personal information. A coherent conceptual basis of personal information is an integral requirement of information privacy law as it determines what information is regulated. A 2004 report conducted on behalf of the UK’s Information Commissioner (the 'Booth Report') concluded that there was no coherent definition of personal information currently in operation because different data protection authorities throughout the world conceived the concept of personal information in different ways. The authors adopt the models developed by the Booth Report to examine the conceptual basis of statutory definitions of personal information in Australian privacy laws. Research findings indicate that the definition of personal information is not construed uniformly in Australian privacy laws and that different definitions rely upon different classifications of personal information. A similar situation is evident in a review of relevant case law. Despite this, the authors conclude the article by asserting that a greater jurisprudential discourse is required based on a coherent conceptual framework to ensure the consistent development of Australian privacy law.

The Global Protection of Personal Health Data

The workshop is an activity of the IMIA Working Group ‘Security in Health Information Systems’ (SiHIS). It is focused to the growing global problem: how to protect personal health data in today’s global eHealth and digital health environment. It will review available trust building mechanisms, security measures and privacy policies. Technology alone does not solve this complex problem and current protection policies and legislation are considered woefully inadequate. Among other trust building tools, certification and accreditation mechanisms are dis-cussed in detail and the workshop will determine their acceptance and quality. The need for further research and international collective action are discussed. This workshop provides an opportunity to address a critical growing problem and make pragmatic proposals for sustainable and effective solutions for global eHealth and digital health.

Exploring the economic value of personal information from firms' financial statements

Currently personal data gathering in online markets is done on a far larger scale and much cheaper and faster than ever before. Within this scenario, a number of highly relevant companies for whom personal data is the key factor of production have emerged. However, up to now, the corresponding economic analysis has been restricted primarily to a qualitative perspective linked to privacy issues. Precisely, this paper seeks to shed light on the quantitative perspective, approximating the value of personal information for those companies that base their business model on this new type of asset. In the absence of any systematic research or methodology on the subject, an ad hoc procedure is developed in this paper. It starts with the examination of the accounts of a number of key players in online markets. This inspection first aims to determine whether the value of personal information databases is somehow reflected in the firms’ books, and second to define performance measures able to capture this value. After discussing the strengths and weaknesses of possible approaches, the method that performs best under several criteria (revenue per data record) is selected. From here, an estimation of the net present value of personal data is derived, as well as a slight digression into regional differences in the economic value of personal information.

Le cadre européen de protection des données personnelles en matière pénale. Dimensions interne et externe = The European framework for the protection of personal data in criminal matters. Internal and external dimensions. Bruges Political Research Paper No. 29, May 2013

No abstract.

Privacy of personal information /

WI docs. no.: Leg.3:SB/1976/4.

Contextualizing the tensions and weaknesses of information privacy and data breach notification laws

Data breach notification laws have detailed numerous failures relating to the protection of personal information that have blighted both corporate and governmental institutions. There are obvious parallels between data breach notification and information privacy law as they both involve the protection of personal information. However, a closer examination of both laws reveals conceptual differences that give rise to vertical tensions between each law and shared horizontal weaknesses within both laws. Tensions emanate from conflicting approaches to the implementation of information privacy law that results in different regimes and the implementation of different types of protections. Shared weaknesses arise from an overt focus on specified types of personal information which results in ‘one size fits all’ legal remedies. The author contends that a greater contextual approach which promotes the importance of social context is required and highlights the effect that contextualization could have on both laws.

The conceptual and operational compatibility of data breach notification and information privacy laws

Mandatory data breach notification laws are a novel and potentially important legal instrument regarding organisational protection of personal information. These laws require organisations that have suffered a data breach involving personal information to notify those persons that may be affected, and potentially government authorities, about the breach. The Australian Law Reform Commission (ALRC) has proposed the creation of a mandatory data breach notification scheme, implemented via amendments to the Privacy Act 1988 (Cth). However, the conceptual differences between data breach notification law and information privacy law are such that it is questionable whether a data breach notification scheme can be solely implemented via an information privacy law. Accordingly, this thesis by publications investigated, through six journal articles, the extent to which data breach notification law was conceptually and operationally compatible with information privacy law. The assessment of compatibility began with the identification of key issues related to data breach notification law. The first article, Stakeholder Perspectives Regarding the Mandatory Notification of Australian Data Breaches started this stage of the research which concluded in the second article, The Mandatory Notification of Data Breaches: Issues Arising for Australian and EU Legal Developments (‘Mandatory Notification‘). A key issue that emerged was whether data breach notification was itself an information privacy issue. This notion guided the remaining research and focused attention towards the next stage of research, an examination of the conceptual and operational foundations of both laws. The second article, Mandatory Notification and the third article, Encryption Safe Harbours and Data Breach Notification Laws did so from the perspective of data breach notification law. The fourth article, The Conceptual Basis of Personal Information in Australian Privacy Law and the fifth article, Privacy Invasive Geo-Mashups: Privacy 2.0 and the Limits of First Generation Information Privacy Laws did so for information privacy law. The final article, Contextualizing the Tensions and Weaknesses of Information Privacy and Data Breach Notification Laws synthesised previous research findings within the framework of contextualisation, principally developed by Nissenbaum. The examination of conceptual and operational foundations revealed tensions between both laws and shared weaknesses within both laws. First, the distinction between sectoral and comprehensive information privacy legal regimes was important as it shaped the development of US data breach notification laws and their subsequent implementable scope in other jurisdictions. Second, the sectoral versus comprehensive distinction produced different emphases in relation to data breach notification thus leading to different forms of remedy. The prime example is the distinction between market-based initiatives found in US data breach notification laws compared to rights-based protections found in the EU and Australia. Third, both laws are predicated on the regulation of personal information exchange processes even though both laws regulate this process from different perspectives, namely, a context independent or context dependent approach. Fourth, both laws have limited notions of harm that is further constrained by restrictive accountability frameworks. The findings of the research suggest that data breach notification is more compatible with information privacy law in some respects than others. Apparent compatibilities clearly exist as both laws have an interest in the protection of personal information. However, this thesis revealed that ostensible similarities are founded on some significant differences. Data breach notification law is either a comprehensive facet to a sectoral approach or a sectoral adjunct to a comprehensive regime. However, whilst there are fundamental differences between both laws they are not so great to make them incompatible with each other. The similarities between both laws are sufficient to forge compatibilities but it is likely that the distinctions between them will produce anomalies particularly if both laws are applied from a perspective that negates contextualisation.

Impact of online privacy concerns and brand reputation on consumer willingness to provide personal information

The aim of this research was to identify the role of brand reputation in encouraging consumer willingness to provide personal data online, for the benefits of personalisation. This study extends on Malhotra, Kim and Agarwal’s (2004) Internet Users Information Privacy Concerns Model, and uses the theoretical underpinning of Social Contract Theory to assess how brand reputation moderates the relationship between trusting beliefs and perceived value (Privacy Calculus framework) with willingness to give personal information. The research is highly relevant as most privacy research undertaken to date focuses on consumer related concerns. Very little research exists examining the role of brand reputation and online privacy. Practical implications of this research include gaining knowledge as to how to minimise online privacy concerns; improve brand reputation; and provide insight on how to reduce consumer resistance to the collection of personal information and encourage consumer opt-in.

Things you don't want to know about yourself: Ambivalence about tracking and sharing personal information for behaviour change

Technologies that facilitate the collection and sharing of personal information can feed people's desire for enhanced self-knowledge and help them to change their behaviour, yet for various reasons people can also be reluctant to use such technologies. This paper explores this tension through an interview study in the context of smoking cessation. Our findings show that smokers and recent ex-smokers were ambivalent about their behaviour change as well as about collecting personal information through technology and sharing it with other users. We close with a summary of three challenges emerging from such ambivalence and directions to address them.

[Book review] Rights of the Accused, Crime Control and Protection of Victims

Review of: Rights of the Accused, Crime Control and Protection of Victims. Edited by Eliahu Harnon & Alex Stein. A special volume of the Israel Law Review, Vol. 31, Nos. 1-3, Winter-Summer 1997. Published by the Faculty of Law, Hebrew University, Jerusalem.

La fraude d’identité et la protection des renseignements personnels dans un organisme public

Rapport de stage présenté à la Faculté des arts et sciences en vue de l'obtention du grade de Maîtrise ès sciences (M. Sc.) en criminologie.

La protection de la vie privée sur le Web avec P3P : l'arrimage incertain du technique et du juridique

La protection des renseignements personnels est au cœur des préoccupations de tous les acteurs du Web, commerçants ou internautes. Si pour les uns trop de règles en la matière pourraient freiner le développement du commerce électronique, pour les autres un encadrement des pratiques est essentiel à la protection de leur vie privée. Même si les motivations de chacun sont divergentes, le règlement de cette question apparaît comme une étape essentielle dans le développement du réseau. Le Platform for Privacy Preference (P3P) propose de contribuer à ce règlement par un protocole technique permettant la négociation automatique, entre l’ordinateur de l’internaute et celui du site qu’il visite, d’une entente qui encadrera les échanges de renseignements. Son application pose de nombreuses questions, dont celle de sa capacité à apporter une solution acceptable à tous et surtout, celle du respect des lois existantes. La longue et difficile élaboration du protocole, ses dilutions successives et sa mise en vigueur partielle témoignent de la difficulté de la tâche à accomplir et des résistances qu’il rencontre. La première phase du projet se limite ainsi à l’encodage des politiques de vie privée des sites et à leur traduction en termes accessibles par les systèmes des usagers. Dans une deuxième phase, P3P devrait prendre en charge la négociation et la conclusion d’ententes devant lier juridiquement les parties. Cette tâche s’avère plus ardue, tant sous l’angle juridique que sous celui de son adaptation aux us et coutumes du Web. La consolidation des fonctions mises en place dans la première version apparaît fournir une solution moins risquée et plus profitable en écartant la possible conclusion d’ententes incertaines fondées sur une technique encore imparfaite. Mieux éclairer le consentement des internautes à la transmission de leurs données personnelles par la normalisation des politiques de vie privée pourrait être en effet une solution plus simple et efficace à court terme.

La protection des données personnelles en France

La notion de vie privée, et plus précisément le droit à la protection des renseignements personnels, est reconnue aussi bien dans les textes provinciaux, régionaux, nationaux et internationaux, que dans les politiques mises en place par les sites Web. Il est admis que toutes informations identifiant ou permettant d’identifier une personne peut porter atteinte à sa vie privée, à savoir son nom, prénom, numéro de téléphone, de carte bancaire, de sécurité sociale, ou encore ses adresses électronique et Internet. Cette protection, admise dans le monde réel, doit aussi exister sur les inforoutes, étant entendu que « l ’informatique (…) ne doit porter atteinte ni à l ’identité humaine, ni aux droits de l ’homme, ni à la vie privée, ni aux libertés individuelles ou publiques » (art. 1er de la Loi française dite « Informatique et Libertés » du 6 janvier 1978). Ce principe étant admis, il est pertinent de s’interroger sur les moyens envisagés pour parvenir à le réaliser. Faut-il avoir recours à la réglementation étatique, à l’autoréglementation ou à la corégulation ? Cette dernière notion « n’est pas à proprement parler une nouvelle forme de régulation », mais elle préconise une collaboration entre les acteurs du secteur public et privé. L’idée de partenariat semble retenir l’attention du gouvernement français dans sa mission d’adaptation du cadre législatif à la société de l’information, comme nous le montre le rapport Du droit et des libertés sur l’Internet remis dernièrement au Premier ministre. Par conséquent, cet article a pour objectif de dresser un tableau de la législation française, et de ses multiples rapports, applicables à la protection de la vie privée et, plus particulièrement, aux données personnelles sur le réseau des réseaux. En prenant en considération les solutions étatiques et non étatiques retenues depuis ces deux dernières décennies, nous envisagerons une étude de l’avant-projet de loi du Gouvernement visant à transposer en droit interne la Directive européenne du 24 octobre 1995 relative à la protection des données personnelles.