The Conceptual Basis of Personal Information in Australian Privacy Law

Australian privacy law regulates how government agencies and private sector organisations collect, store and use personal information. A coherent conceptual basis of personal information is an integral requirement of information privacy law as it determines what information is regulated. A 2004 report conducted on behalf of the UK’s Information Commissioner (the 'Booth Report') concluded that there was no coherent definition of personal information currently in operation because different data protection authorities throughout the world conceived the concept of personal information in different ways. The authors adopt the models developed by the Booth Report to examine the conceptual basis of statutory definitions of personal information in Australian privacy laws. Research findings indicate that the definition of personal information is not construed uniformly in Australian privacy laws and that different definitions rely upon different classifications of personal information. A similar situation is evident in a review of relevant case law. Despite this, the authors conclude the article by asserting that a greater jurisprudential discourse is required based on a coherent conceptual framework to ensure the consistent development of Australian privacy law.

The Global Protection of Personal Health Data

The workshop is an activity of the IMIA Working Group ‘Security in Health Information Systems’ (SiHIS). It is focused to the growing global problem: how to protect personal health data in today’s global eHealth and digital health environment. It will review available trust building mechanisms, security measures and privacy policies. Technology alone does not solve this complex problem and current protection policies and legislation are considered woefully inadequate. Among other trust building tools, certification and accreditation mechanisms are dis-cussed in detail and the workshop will determine their acceptance and quality. The need for further research and international collective action are discussed. This workshop provides an opportunity to address a critical growing problem and make pragmatic proposals for sustainable and effective solutions for global eHealth and digital health.

Exploring the economic value of personal information from firms' financial statements

Currently personal data gathering in online markets is done on a far larger scale and much cheaper and faster than ever before. Within this scenario, a number of highly relevant companies for whom personal data is the key factor of production have emerged. However, up to now, the corresponding economic analysis has been restricted primarily to a qualitative perspective linked to privacy issues. Precisely, this paper seeks to shed light on the quantitative perspective, approximating the value of personal information for those companies that base their business model on this new type of asset. In the absence of any systematic research or methodology on the subject, an ad hoc procedure is developed in this paper. It starts with the examination of the accounts of a number of key players in online markets. This inspection first aims to determine whether the value of personal information databases is somehow reflected in the firms’ books, and second to define performance measures able to capture this value. After discussing the strengths and weaknesses of possible approaches, the method that performs best under several criteria (revenue per data record) is selected. From here, an estimation of the net present value of personal data is derived, as well as a slight digression into regional differences in the economic value of personal information.

Le cadre européen de protection des données personnelles en matière pénale. Dimensions interne et externe = The European framework for the protection of personal data in criminal matters. Internal and external dimensions. Bruges Political Research Paper No. 29, May 2013

No abstract.

Privacy of personal information /

WI docs. no.: Leg.3:SB/1976/4.

Contextualizing the tensions and weaknesses of information privacy and data breach notification laws

Data breach notification laws have detailed numerous failures relating to the protection of personal information that have blighted both corporate and governmental institutions. There are obvious parallels between data breach notification and information privacy law as they both involve the protection of personal information. However, a closer examination of both laws reveals conceptual differences that give rise to vertical tensions between each law and shared horizontal weaknesses within both laws. Tensions emanate from conflicting approaches to the implementation of information privacy law that results in different regimes and the implementation of different types of protections. Shared weaknesses arise from an overt focus on specified types of personal information which results in ‘one size fits all’ legal remedies. The author contends that a greater contextual approach which promotes the importance of social context is required and highlights the effect that contextualization could have on both laws.

The conceptual and operational compatibility of data breach notification and information privacy laws

Mandatory data breach notification laws are a novel and potentially important legal instrument regarding organisational protection of personal information. These laws require organisations that have suffered a data breach involving personal information to notify those persons that may be affected, and potentially government authorities, about the breach. The Australian Law Reform Commission (ALRC) has proposed the creation of a mandatory data breach notification scheme, implemented via amendments to the Privacy Act 1988 (Cth). However, the conceptual differences between data breach notification law and information privacy law are such that it is questionable whether a data breach notification scheme can be solely implemented via an information privacy law. Accordingly, this thesis by publications investigated, through six journal articles, the extent to which data breach notification law was conceptually and operationally compatible with information privacy law. The assessment of compatibility began with the identification of key issues related to data breach notification law. The first article, Stakeholder Perspectives Regarding the Mandatory Notification of Australian Data Breaches started this stage of the research which concluded in the second article, The Mandatory Notification of Data Breaches: Issues Arising for Australian and EU Legal Developments (‘Mandatory Notification‘). A key issue that emerged was whether data breach notification was itself an information privacy issue. This notion guided the remaining research and focused attention towards the next stage of research, an examination of the conceptual and operational foundations of both laws. The second article, Mandatory Notification and the third article, Encryption Safe Harbours and Data Breach Notification Laws did so from the perspective of data breach notification law. The fourth article, The Conceptual Basis of Personal Information in Australian Privacy Law and the fifth article, Privacy Invasive Geo-Mashups: Privacy 2.0 and the Limits of First Generation Information Privacy Laws did so for information privacy law. The final article, Contextualizing the Tensions and Weaknesses of Information Privacy and Data Breach Notification Laws synthesised previous research findings within the framework of contextualisation, principally developed by Nissenbaum. The examination of conceptual and operational foundations revealed tensions between both laws and shared weaknesses within both laws. First, the distinction between sectoral and comprehensive information privacy legal regimes was important as it shaped the development of US data breach notification laws and their subsequent implementable scope in other jurisdictions. Second, the sectoral versus comprehensive distinction produced different emphases in relation to data breach notification thus leading to different forms of remedy. The prime example is the distinction between market-based initiatives found in US data breach notification laws compared to rights-based protections found in the EU and Australia. Third, both laws are predicated on the regulation of personal information exchange processes even though both laws regulate this process from different perspectives, namely, a context independent or context dependent approach. Fourth, both laws have limited notions of harm that is further constrained by restrictive accountability frameworks. The findings of the research suggest that data breach notification is more compatible with information privacy law in some respects than others. Apparent compatibilities clearly exist as both laws have an interest in the protection of personal information. However, this thesis revealed that ostensible similarities are founded on some significant differences. Data breach notification law is either a comprehensive facet to a sectoral approach or a sectoral adjunct to a comprehensive regime. However, whilst there are fundamental differences between both laws they are not so great to make them incompatible with each other. The similarities between both laws are sufficient to forge compatibilities but it is likely that the distinctions between them will produce anomalies particularly if both laws are applied from a perspective that negates contextualisation.

Impact of online privacy concerns and brand reputation on consumer willingness to provide personal information

The aim of this research was to identify the role of brand reputation in encouraging consumer willingness to provide personal data online, for the benefits of personalisation. This study extends on Malhotra, Kim and Agarwal’s (2004) Internet Users Information Privacy Concerns Model, and uses the theoretical underpinning of Social Contract Theory to assess how brand reputation moderates the relationship between trusting beliefs and perceived value (Privacy Calculus framework) with willingness to give personal information. The research is highly relevant as most privacy research undertaken to date focuses on consumer related concerns. Very little research exists examining the role of brand reputation and online privacy. Practical implications of this research include gaining knowledge as to how to minimise online privacy concerns; improve brand reputation; and provide insight on how to reduce consumer resistance to the collection of personal information and encourage consumer opt-in.

Security and privacy of users' personal Information on smartphones

 This research investigated the proliferation of malicious applications on smartphones and a framework that can efficiently detect and classify such applications based on behavioural patterns was proposed. Additionally the causes and impact of unauthorised disclosure of personal information by clean applications were examined and countermeasures to protect smartphone users’ privacy were proposed.

Things you don't want to know about yourself: Ambivalence about tracking and sharing personal information for behaviour change

Technologies that facilitate the collection and sharing of personal information can feed people's desire for enhanced self-knowledge and help them to change their behaviour, yet for various reasons people can also be reluctant to use such technologies. This paper explores this tension through an interview study in the context of smoking cessation. Our findings show that smokers and recent ex-smokers were ambivalent about their behaviour change as well as about collecting personal information through technology and sharing it with other users. We close with a summary of three challenges emerging from such ambivalence and directions to address them.

[Book review] Rights of the Accused, Crime Control and Protection of Victims

Review of: Rights of the Accused, Crime Control and Protection of Victims. Edited by Eliahu Harnon & Alex Stein. A special volume of the Israel Law Review, Vol. 31, Nos. 1-3, Winter-Summer 1997. Published by the Faculty of Law, Hebrew University, Jerusalem.

La fraude d’identité et la protection des renseignements personnels dans un organisme public

Rapport de stage présenté à la Faculté des arts et sciences en vue de l'obtention du grade de Maîtrise ès sciences (M. Sc.) en criminologie.