The conceptual and operational compatibility of data breach notification and information privacy laws

Mandatory data breach notification laws are a novel and potentially important legal instrument regarding organisational protection of personal information. These laws require organisations that have suffered a data breach involving personal information to notify those persons that may be affected, and potentially government authorities, about the breach. The Australian Law Reform Commission (ALRC) has proposed the creation of a mandatory data breach notification scheme, implemented via amendments to the Privacy Act 1988 (Cth). However, the conceptual differences between data breach notification law and information privacy law are such that it is questionable whether a data breach notification scheme can be solely implemented via an information privacy law. Accordingly, this thesis by publications investigated, through six journal articles, the extent to which data breach notification law was conceptually and operationally compatible with information privacy law. The assessment of compatibility began with the identification of key issues related to data breach notification law. The first article, Stakeholder Perspectives Regarding the Mandatory Notification of Australian Data Breaches started this stage of the research which concluded in the second article, The Mandatory Notification of Data Breaches: Issues Arising for Australian and EU Legal Developments (‘Mandatory Notification‘). A key issue that emerged was whether data breach notification was itself an information privacy issue. This notion guided the remaining research and focused attention towards the next stage of research, an examination of the conceptual and operational foundations of both laws. The second article, Mandatory Notification and the third article, Encryption Safe Harbours and Data Breach Notification Laws did so from the perspective of data breach notification law. The fourth article, The Conceptual Basis of Personal Information in Australian Privacy Law and the fifth article, Privacy Invasive Geo-Mashups: Privacy 2.0 and the Limits of First Generation Information Privacy Laws did so for information privacy law. The final article, Contextualizing the Tensions and Weaknesses of Information Privacy and Data Breach Notification Laws synthesised previous research findings within the framework of contextualisation, principally developed by Nissenbaum. The examination of conceptual and operational foundations revealed tensions between both laws and shared weaknesses within both laws. First, the distinction between sectoral and comprehensive information privacy legal regimes was important as it shaped the development of US data breach notification laws and their subsequent implementable scope in other jurisdictions. Second, the sectoral versus comprehensive distinction produced different emphases in relation to data breach notification thus leading to different forms of remedy. The prime example is the distinction between market-based initiatives found in US data breach notification laws compared to rights-based protections found in the EU and Australia. Third, both laws are predicated on the regulation of personal information exchange processes even though both laws regulate this process from different perspectives, namely, a context independent or context dependent approach. Fourth, both laws have limited notions of harm that is further constrained by restrictive accountability frameworks. The findings of the research suggest that data breach notification is more compatible with information privacy law in some respects than others. Apparent compatibilities clearly exist as both laws have an interest in the protection of personal information. However, this thesis revealed that ostensible similarities are founded on some significant differences. Data breach notification law is either a comprehensive facet to a sectoral approach or a sectoral adjunct to a comprehensive regime. However, whilst there are fundamental differences between both laws they are not so great to make them incompatible with each other. The similarities between both laws are sufficient to forge compatibilities but it is likely that the distinctions between them will produce anomalies particularly if both laws are applied from a perspective that negates contextualisation.

THE INFORMATION ERA THREATENS PRIVACY: A Comparative Study of Electronic Money’s Privacy Policies and Privacy Laws

This thesis consists of an analysis of electronic money (e-money), e-money’s privacy policies and relevant privacy laws. The value of information and the development of technology enhance the risk of privacy violations in the information era. Consumer privacy interests with respect to e-money are governed in part by the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada and by the European Union’s Data Protection Directive. The analysis is directed at whether the privacy policies of three kinds of e-money – Octopus Card, PayPal and MasterCard – comply with the spirit and letter of these laws. In light of technology change, the laws should be interpreted to apply broadly to protect privacy interests. Enhanced privacy protection may in fact lead to greater adoption of e-money by consumers.

Privacy invasive geo-mashups : privacy 2.0 and the limits of first generation information privacy laws

Online technological advances are pioneering the wider distribution of geospatial information for general mapping purposes. The use of popular web-based applications, such as Google Maps, is ensuring that mapping based applications are becoming commonplace amongst Internet users which has facilitated the rapid growth of geo-mashups. These user generated creations enable Internet users to aggregate and publish information over specific geographical points. This article identifies privacy invasive geo-mashups that involve the unauthorized use of personal information, the inadvertent disclosure of personal information and invasion of privacy issues. Building on Zittrain’s Privacy 2.0, the author contends that first generation information privacy laws, founded on the notions of fair information practices or information privacy principles, may have a limited impact regarding the resolution of privacy problems arising from privacy invasive geo-mashups. Principally because geo-mashups have different patterns of personal information provision, collection, storage and use that reflect fundamental changes in the Web 2.0 environment. The author concludes by recommending embedded technical and social solutions to minimize the risks arising from privacy invasive geo-mashups that could lead to the establishment of guidelines for the general protection of privacy in geo-mashups.

Personal health data - Privacy policy harmonization and global enforcement

This workshop is jointly organized by EFMI Working Groups Security, Safety and Ethics and Personal Portable Devices in cooperation with IMIA Working Group "Security in Health Information Systems". In contemporary healthcare and personal health management the collection and use of personal health information takes place in different contexts and jurisdictions. Global use of health data is also expanding. The approach taken by different experts, health service providers, data subjects and secondary users in understanding privacy and the privacy expectations others may have is strongly context dependent. To make eHealth, global healthcare, mHealth and personal health management successful and to enable fair secondary use of personal health data, it is necessary to find a practical and functional balance between privacy expectations of stakeholder groups. The workshop will highlight these privacy concerns by presenting different cases and approaches. Workshop participants will analyse stakeholder privacy expectations that take place in different real-life contexts such as portable health devices and personal health records, and develop a mechanism to balance them in such a way that global protection of health data and its meaningful use is realized simultaneously. Based on the results of the workshop, initial requirements for a global healthcare information certification framework will be developed.

The Feasibility of Applying EU Data Protection Law to Biological Materials: Challenging ‘Data’ as Exclusively Informational

Though controversial the question of applying data protection laws to biological materials has only gotten a little attention in data privacy discourse. This article aims to contribute to this dearth by arguing that despite absence of positive intention from the architects to apply the EU Data privacy law to biological materials, a range of developments in Molecular Biology and nano-technology—usually mediated by advances in ICT—may provide persuasive grounds to do so. In addition, paucity of sufficient explication of key terms like ‘data/information’ in these legislations may fuel such tendency whereby laws originally intended for the informational world may end up applying to the biological world. The article also analyzes various predicaments that may arise from applying data privacy laws to biological materials. A focus is made on legislative sources at the EU level though national laws are relied on when pertinent.

Availability, Data Privacy and Copyrights – Opening Knowledge via Contracts and Pilots

Availability, Data Privacy and Copyrights – Opening Knowledge via Contracts and Pilots, discusses how in Aviisi-project of National Library of Finland, the digital contents, and their availability topics dealt together with pilot organizations

Data privacy in interoperability environments – a case study in the Portuguese healthcare sector

Data sharing between organizations through interoperability initiatives involving multiple information systems is fundamental to promote the collaboration and integration of services. However, in terms of data, the considerable increase in its exposure to additional risks, require a special attention to issues related to privacy of these data. For the Portuguese healthcare sector, where the sharing of health data is, nowadays, a reality at national level, data privacy is a central issue, which needs solutions according to the agreed level of interoperability between organizations. This context led the authors to study the factors with influence on data privacy in a context of interoperability, through a qualitative and interpretative research, based on the method of case study. This article presents the final results of the research that successfully identifies 10 subdomains of factors with influence on data privacy, which should be the basis for the development of a joint protection program, targeted at issues associated with data privacy.

Das Biobankgeheimnis : Schutz der Persönlichkeitsrechte in der biomedizinischen Forschung

Biobanken sind Sammlungen von Körpersubstanzen, die mit umfangreichen gesundheits- und lebensstilbezogenen sowie geneologischen Daten ihrer Spender verknüpft sind. Sie dienen der Erforschung weit verbreiteter Krankheiten. Diese sog. Volkskrankheiten sind multifaktoriell bedingte Krankheiten. Dies bedeutet, dass diese Krankheiten das Ergebnis eines komplizierten Zusammenspiels von umwelt- und verhaltensrelevanten Faktoren mit individuellen genetischen Prädispositionen sind. Forschungen im Bereich von Pharmakogenomik und Pharmakogenetik untersuchen den Einfluss von Genen und Genexpressionen auf die individuelle Wirksamkeit von Medikamenten sowie auf die Entstehung ungewollter Nebenwirkungen und könnten so den Weg zu einer individualisierten Medizin ebnen. Menschliches Material ist ein wichtiger Bestandteil dieser Forschungen und die Nachfrage nach Sammlungen, die Proben mit Daten verknüpfen, steigt. Einerseits sehen Mediziner in Biobanken eine Chance für die Weiterentwicklung der medizinischen Forschung und des Gesundheitswesens. Andererseits lösen Biobanken auch Ängste und Misstrauen aus. Insbesondere wird befürchtet, dass Proben und Daten unkontrolliert verwendet werden und sensible Bereiche des Persönlichkeitsrechts und der persönlichen Identität betroffen sind. Diese Gefahren und Befürchtungen sind nicht neu, sondern bestanden schon in der Vergangenheit bei jeglicher Form der Spende von Körpersubstanzen. Neu ist aber der Umfang an Informationen, der durch die Genanalyse entsteht und den Spender in ganz besonderer Weise betreffen kann. Bei der Speicherung und Nutzung der medizinischen und genetischen Daten ergibt sich somit ein Spannungsfeld insbesondere zwischen dem Recht der betroffenen Datenspender auf informationelle Selbstbestimmung und den Forschungsinteressen der Datennutzer. Im Kern dreht sich die ethisch-rechtliche Bewertung der Biobanken um die Frage, ob diese Forschung zusätzliche Regeln braucht, und falls ja, wie umfassend diese sein müssten. Im Zentrum dieser Diskussion stehen dabei v.a. ethische Fragen im Zusammenhang mit der informierten Einwilligung, dem Datenschutz, der Wiederverwendung von Proben und Daten, der Information der Spender über Forschungsergebnisse und der Nutzungsrechte an den Daten. Ziel dieser Arbeit ist es, vor dem Hintergrund des Verfassungsrechts, insbesondere dem Recht auf informationelle Selbstbestimmung, das Datenschutzrecht im Hinblick auf die Risiken zu untersuchen, die sich aus der Speicherung, Verarbeitung und Kommunikation von persönlichen genetischen Informationen beim Aufbau von Biobanken ergeben. Daraus ergibt sich die weitere Untersuchung, ob und unter welchen Voraussetzungen die sich entgegenstehenden Interessen und Rechte aus verfassungsrechtlichem Blickwinkel in Einklang zu bringen sind. Eine wesentliche Frage lautet, ob die bisherigen rechtlichen Rahmenbedingungen ausreichen, um den Schutz der gespeicherten höchstpersönlichen Daten und zugleich ihre angemessene Nutzung zu gewährleisten. Das Thema ist interdisziplinär im Schnittfeld von Datenschutz, Verfassungsrecht sowie Rechts- und Medizinethik angelegt. Aus dem Inhalt: Naturwissenschaftliche und empirische Grundlagen von Biobanken – Überblick über Biobankprojekte in Europa und im außereuropäischen Ausland – Rechtsgrundlagen für Biobanken - Recht auf informationelle Selbstbestimmung - Recht auf Nichtwissen - Forschungsfreiheit - Qualitätssicherung und Verfahren – informierte Einwilligung – globale Einwilligung - Datenschutzkonzepte - Forschungsgeheimnis –– Biobankgeheimnis - Biobankgesetz

The Conceptual Basis of Personal Information in Australian Privacy Law

Australian privacy law regulates how government agencies and private sector organisations collect, store and use personal information. A coherent conceptual basis of personal information is an integral requirement of information privacy law as it determines what information is regulated. A 2004 report conducted on behalf of the UK’s Information Commissioner (the 'Booth Report') concluded that there was no coherent definition of personal information currently in operation because different data protection authorities throughout the world conceived the concept of personal information in different ways. The authors adopt the models developed by the Booth Report to examine the conceptual basis of statutory definitions of personal information in Australian privacy laws. Research findings indicate that the definition of personal information is not construed uniformly in Australian privacy laws and that different definitions rely upon different classifications of personal information. A similar situation is evident in a review of relevant case law. Despite this, the authors conclude the article by asserting that a greater jurisprudential discourse is required based on a coherent conceptual framework to ensure the consistent development of Australian privacy law.

Enabling access to and re-use of publicly funded research data as Open Educational Resources : a strategy for overcoming the legal barriers to data access and re-use

Open Educational Resources (OER) are teaching, learning and research materials that have been released under an open licence that permits online access and re-use by others. The 2012 Paris OER Declaration encourages the open licensing of educational materials produced with public funds. Digital data and data sets produced as a result of scientific and non-scientific research are an increasingly important category of educational materials. This paper discusses the legal challenges presented when publicly funded research data is made available as OER, arising from intellectual property rights, confidentiality and information privacy laws, and the lack of a legal duty to ensure data quality. If these legal challenges are not understood, addressed and effectively managed, they may impede and restrict access to and re-use of research data. This paper identifies some of the legal challenges that need to be addressed and describes 10 proposed best practices which are recommended for adoption to so that publicly funded research data can be made available for access and re-use as OER.

Facial expression recognition experiments with data from television broadcasts and the world wide web

Facial expression recognition (FER) systems must ultimately work on real data in uncontrolled environments although most research studies have been conducted on lab-based data with posed or evoked facial expressions obtained in pre-set laboratory environments. It is very difficult to obtain data in real-world situations because privacy laws prevent unauthorized capture and use of video from events such as funerals, birthday parties, marriages etc. It is a challenge to acquire such data on a scale large enough for benchmarking algorithms. Although video obtained from TV or movies or postings on the World Wide Web may also contain ‘acted’ emotions and facial expressions, they may be more ‘realistic’ than lab-based data currently used by most researchers. Or is it? One way of testing this is to compare feature distributions and FER performance. This paper describes a database that has been collected from television broadcasts and the World Wide Web containing a range of environmental and facial variations expected in real conditions and uses it to answer this question. A fully automatic system that uses a fusion based approach for FER on such data is introduced for performance evaluation. Performance improvements arising from the fusion of point-based texture and geometry features, and the robustness to image scale variations are experimentally evaluated on this image and video dataset. Differences in FER performance between lab-based and realistic data, between different feature sets, and between different train-test data splits are investigated.