‘Prevention of Harm’ principle

Background

32.17 There is a question about whether the model UPPs should contain a ‘Prevention of Harm’ principle. Such a provision would require agencies and organisations ‘to prevent tangible harms to individuals and to provide for appropriate recovery for those harms if they occur’.[20]

32.18 The Asia-Pacific Economic Cooperation Privacy Framework,[21] for example, states:

Recognizing the interests of the individual to legitimate expectations of privacy, personal information protection should be designed to prevent the misuse of such information. Further, acknowledging the risk that harm may result from such misuse of personal information, specific obligations should take account of such risk, and remedial measures should be proportionate to the likelihood and severity of the harm threatened by the collection, use and transfer of personal information.[22]

Submissions and consultations

32.19 Some stakeholders supported the inclusion of a specific privacy principle in the model UPPs dealing with the prevention of harm.[23] Veda Advantage submitted that this aligns with the overall ‘purpose of regulating information flows, [which] is to protect individuals from harmful uses of information’.[24]

32.20 The majority of stakeholders that commented on this issue, however, opposed a ‘Prevention of Harm’ principle.[25] One stakeholder argued that this is an unsuitable subject to be addressed in a privacy principle.

The sentiment that privacy remedies should concentrate on preventing harm … is unexceptional but it is strange to elevate it to a privacy principle because it neither creates rights in individuals nor imposes obligations on information controllers. To treat it on a par with other Principles makes it easier to justify exempting whole sectors (eg small business in Australia’s law) as not sufficiently dangerous, or only providing piecemeal remedies in ‘dangerous’ sectors (as in the USA).[26]

32.21 The Law Council of Australia was concerned that such a principle would be too imprecise because it is difficult to articulate a precise meaning of ‘harm’.

While financial harm and damage to reputation or character are concepts which are well understood, other concepts of harm which are raised within the privacy debate such as ‘distress’ and the knowledge that someone has their personal information are harder to place within a legislative context.[27]

ALRC’s view

32.22 A number of the principles in the model UPPs already incorporate a harm prevention approach. In particular, the ‘Data Quality’ principle and the ‘Data Security’ principle impose specific obligations to ensure the integrity of personal information that is handled by agencies and organisations, and to guard against possible misuse and unauthorised disclosure.[28] The ‘Anonymity and Pseudonymity’ principle also aims to lessen the threat of personal information being misused by reducing the amount of personal information that agencies and organisations collect.[29] Finally, the obligations imposed by a general ‘Prevention of Harm’ principle could be undesirably vague. Accordingly, the ALRC does not support including such a principle in the model UPPs.

[20] F Cate, ‘The Failure of Fair Information Practice Principles’ in J Winn (ed) Consumer Protection in the Age of the ‘Information Economy’ (2007) 341, 368.

[21] This Framework is discussed in Ch 31.

[22] Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), Principle 1.

[23] Government of South Australia, Submission PR 187, 12 February 2007; Veda Advantage, Submission PR 163, 31 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[24] Veda Advantage, Submission PR 163, 31 January 2007.

[25] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Australian Federal Police, Submission PR 186, 9 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Law Council of Australia, Submission PR 177, 8 February 2007; AAMI, Submission PR 147, 29 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[26] G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007, citing G Greenleaf, ‘APEC’s Privacy Framework Sets a New Low Standard for the Asia-Pacific’ in A Kenyon and M Richardson (eds), New Dimensions in Privacy Law: International and Comparative Perspectives (2006) 91, 100.

[27] Law Council of Australia, Submission PR 177, 8 February 2007.

[28] Data quality and data security are discussed in Chs 27 and 28 respectively.

[29] See Ch 20.