Privacy vs Security: A Legal Perspective
Jason Nathu
Attorney-at-Law | Tutor | Hugh Wooding Law School
@jasonnPOS
Reading and Resources
Throughout and after this presentation, I will be posting links to resource material via my Twitter account @jasonnpos (http://www.twitter.com/jasonnpos).
#PvSLaw
Definitions
What is ‘privacy’?
“The state of being free from public attention…” (Oxford English Dictionary)
What is ‘security’?
“The state of being free from danger or threat...” (Oxford English Dictionary)
The Concept Of Privacy
The ‘right’ to privacy
Constitution of Trinidad and Tobago Chap. 1:01
Sec. (4). It is hereby recognised and declared that in Trinidad and Tobago there have existed and shall continue to exist, without discrimination by reason of race, origin, colour, religion or sex, the following fundamental human rights and freedoms, namely:
(c) the right of the individual to respect for his private and family life
Privacy and the law
No other legislation in Trinidad & Tobago defines that right or gives guidance on any limitations of the right to privacy.
Other jurisdictions may have specific legislation on that issue, e.g. the UK Human Rights Act.
Reliance on the law of ‘breach of confidence’.
The Concept Of Information Security
The term ‘information security’ refers to the theory and practice of defending data or information systems against:
• unauthorised or unintended access
• destruction
• disruption
• tampering
Information Security
Main concepts of ‘information security’:
confidentiality - the assurance that information is not disclosed to individuals or systems that are not authorised to receive it;
integrity - the assurance that information can’t be modified by those who are not authorised to modify it, or that any such modifications will not pass undetected; and
availability - the assurance that information is available when it’s needed, and that mishap or malice cannot affect the ability of systems to provide information when requested.
Information Security and the Law
• Data Protection Act Chap. 22:04
• Computer Misuse Act Chap. 11:17
• Electronic Transactions Act Chap. 22:05
• Telecommunications Act Chap. 47:31
• Electronic Transfer of Funds Crime Act Chap. 79:51
• Offences Against The Persons Act Chap. 11:08
• Children's Act No. 12 of 2012
Data Protection Act Chap. 22:04
The Data Protection Act Chap. 22:04 provides for the protection of personal information processed and collected by public bodies and private organisations.
The Act was partially proclaimed in 2012 and only Part I and sections 7 to 18, 22, 23, 25(1), 26 and 28 of Part II have come into operation.
No timeline has been set for the proclamation of the remainder of the Act. It is possible that there may be changes to the remainder of the legislation before it is proclaimed.
Personal Information
“Personal Information” is defined in section 2 of the Act as information about an identifiable individual that is recorded in any form including:
• the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual;
• the address and telephone number of the individual;
• any identifying number, symbol or other particular identifier designed to identify the individual;
• Information relating to the individual’s race, nationality or ethnic origin, religion, age or marital status;
• Information relating to the education or the medical, criminal or employment history of the individual or information relating to the financial transactions in which the individual has been involved or which refer to the individual;
• Correspondence sent to an establishment by the individual that is explicitly or implicitly of a private or confidential nature, and any replies to such correspondence that would reveal the contents of the original correspondence;
• the views and opinions of any other person about the individual;
• the fingerprints, DNA, blood type or other biometric characteristics of the individual.
Sensitive Personal Information
“Sensitive personal information” is defined as personal information on a person’s:
• racial or ethnic origins;
• political affiliations or trade union membership;
• religious beliefs or other beliefs of a similar nature;
• physical or mental health or condition;
• sexual orientation or sexual life; or
• criminal or financial record.
Collecting and Processing
There must be compliance with the general privacy principles as set out in section 6 of the Act.
The knowledge and consent of the individual is required for the collection, use and disclosure of personal information. Personal information must be collected in accordance with the purpose identified; it must be accurate, complete and up to date, must not be kept longer than is necessary, must be secured, and must not be transferred out of T&T unless there are regulatory safeguards in the country to which the data is being sent.
Individuals have a right to access and challenge the validity of personal information collected.
Miscellaneous Notes
INFORMATION COMMISSIONER
The Office of the Information Commissioner is the entity responsible for the oversight, interpretation and enforcement of the Act.
BREACHES OF SECURITY
There is no provision in the Act for notifying data subjects or the Information Commissioner of a security breach.
ONLINE PRIVACY
The DPA has no specific provision regarding online privacy, including cookies or location data.
OFFENCES
The Act creates several offences. For example, it is an offence to wilfully disclose personal information in contravention of the Act, or to collect, store or dispose of personal information in a manner that contravenes the Act. The penalties for these offences include fines of up to $100,000 or up to five years imprisonment for individuals, and fines of up to 10% of the annual returns for companies.
WHISTLEBLOWING PROTECTION
The Act, if proclaimed as is, will offer whistleblowing protection to employees, only in relation to breaches of the Act.
The Concept Of Breach of Confidence
What is ‘breach of confidence’?
• A person who has been given information in confidence should not take unfair advantage of it.
• Remedies include injunctive relief (to prevent a breach) or damages (after a breach has occurred).
• Examples: personal employee records; medical records; details of relationships; private correspondence.
Elements of breach of confidence
• The information must have had the necessary quality of confidence, that is, it must not be something which is public property and public knowledge.
• There must have been an obligation of confidence in the circumstances under which the information was imparted.
• There must have been an unauthorised use of that information by the party communicating it to the detriment of the confider.
Lessons learned from Ho v Simmons
“Given the rapid pace with which the face and fabric of the society has changed and cognizant of the infinite reach of social media, it cannot be denied that the privacy of the person is under attack and there is dire need for the enactment of statute to afford protection for citizen’s personal privacy…”
“There can be no circumstance that is more private and confidential than where parties are engaged in consensual sexual activity in private. In such a scenario it is unlikely to expect that there would be an express agreement by the parties that their liaisons would be confidential but in such a circumstance an obligation of confidentiality can and must be implied. Consequently, all photographs and recordings which capture sexual practices conducted in private should only be disseminated where the express consent of all the parties involved has been obtained…”
“The impact upon an individual’s privacy is tremendous and the absence of clear and cohesive legislation to protect our citizens’ privacy and to punish those who violate the rights of others, can cause us to descend into a bottomless pit of anarchy. The use of obscene language in a public place is an offence, yet, online comments to newspaper articles and messages posted on social media are very often foul, racist and despicable but no criminal charges are preferred since evidential challenges arise in relation to the authorship of the offending material. A similar challenge exists in relation to the posting of online defamatory statements…”
Orders of the Court
• The Defendant is to pay to the Claimant the sum of $150,000.00 inclusive of an award for aggravated damages.
• A perpetual injunction is hereby issued so as to restrain and/or prohibit the Defendant his servants and/or agents from disseminating, uploading, posting and/or publishing nude and/or sexually explicit photographs of the Claimant and/or photographs that depict her performing the act of fellatio whether by way of the internet, cellular phone or any other form of social media or by any other means whatsoever.
• It is hereby ordered that all the photographs exhibited in this matter should be placed in a sealed envelope until the time limited for the filing of an appeal, upon expiration of same, if no appeal has been filed, the photographs are to be destroyed by the Registrar. If an appeal is filed the photographs shall remain sealed until any further order is issued by the appellate court.
• The Defendant is to pay to the Claimant costs calculated on a prescribed cost basis.
• There shall be a stay of execution of the payment of the awarded sum of $150,000.00 and the costs awarded of 14 days.