Privacy Commissioner - Te Mana Matapono Matatapu

Skip to content

Five Strategies for Addressing Public Register Privacy Problems

Article by Blair Stewart, Assistant Commissioner

ABSTRACT

The purpose of this paper is to outline and discuss strategies that Data Protection and Privacy Commissioners might take to address public register privacy problems. The paper commences with a discussion of some of the common difficulties in constructing solutions and is intended to be read in conjunction with a companion conference paper on problems and conflicts. In the balance of the paper, five strategies for addressing public register privacy problems are discussed using practical illustrations where available. The five strategies offered are:

1. Let general data protection laws solve the problems;
2. Apply data protection laws in a limited fashion;
3. Tailor the laws establishing registers to address privacy issues;
4. Look beyond the register to users of register information;
5. Supplement data protection laws with special rules on public registers.

The paper offers conclusions in relation to each strategy and finishes with an opinion as to how the options can be made to work effectively in combination.

INTRODUCTION

Public registers are a perennial source of privacy problems. They have been the subject of discussion at the International Conference of Privacy and Data Protection Commissioners several times in recent years. Any number of public register privacy issues would be worthy of examination at the International Conference. There is, for example, a growing trend to devolve the administration and operation of public registers from government agencies into the private sector - going considerably further than the simple outsourcing of computer facilities management attempted in earlier years. Public registers also illustrate the growing merger between commerce and public service: there are signs that citizens' privacy interests in information in government registers may fall victim to the all pervasive "market" attitude to service provision.

Modern operation of public registers also illustrates the technological challenges to privacy in today's information society. One example highlighted by the Information and Privacy Commissioner of British Columbia concerned the local authority property register in the City of Victoria. That register attracted an average 30 enquiries per day until city administrators, acting without adequate assessment of the privacy implications, posted the register on the Internet and attracted more than 15,000 visitors on the first day of operation alone. The names of home owners were rapidly removed from the web site in the ensuing public outcry which perplexed officials given the public availability of the details by other means.

Any one of these issues, and numerous others, would be worthy of a conference session on their own. However, this year it was decided to attempt to address a very practical issue for Privacy and Data Protection Commissioners: what can be done about public register privacy problems?

Preceding this paper is one by Robert Gellman which focuses upon the "problem" side of public registers. This paper is intended to offer some tentative "solutions"

. In the first part of the paper I briefly canvass some common difficulties in constructing public register solutions. In the remainder, I outline five strategies for addressing public register privacy problems. To offer an appropriate solution for a particular jurisdiction, any strategy will need to be able to address most or all of the problems mentioned in Robert Gellman's paper and the common difficulties I outline. The task is not straightforward but I am confident that solutions can be found.

COMMON DIFFICULTIES IN CONSTRUCTING PUBLIC REGISTER SOLUTIONS

In this paper the following definition of a "public register" is adopted:

a register, list, roll or compendium of personal data under the control or direction of a public body;
maintained pursuant to statute, regulation, rule or other requirement of law; and
open, in whole or part, to public inspection, copying, distribution, or search under a specific law or policy.

The need to develop a definition for this paper perhaps points to the first problem in constructing solutions. There is no necessary consensus as to what constitutes a public register. It is a handy shorthand term which can mean different things to different people. Indeed, the label "public register" practically invites the frequently heard question: "Why try to protect privacy of public register information, it is public after all?" Would the same question be posed if we simply called them government registers? Probably not. However, I continue to use "public register" as I believe the label is helpful to alert us to the special "public" aspects of such registers.

There are a range of difficulties in constructing privacy solutions for public register problems. Each of the strategies outlined later attempts, in some fashion, to overcome some or all of these problems. Some common difficulties in constructing privacy solutions for public register problems, include:

complexities of interacting legislation, such as the laws which create the register, freedom of information laws, constitutional provisions and general data protection legislation;
a lack of sophistication in the way that general data protection legislation often addresses register or other publicly available information (for instance, by including a complete exemption from any controls);
the requirement that effective solutions be underpinned by specific law since the agencies maintaining public registers often have no discretion to withhold information from requesters regardless of whether it is to be used for purposes incompatible with those of the register;
the existence of various secondary uses of register data, some of which have continued for many years while others are emerging as registers become fully automated;
inconsistency in approach between the various laws under which different registers are maintained as to what is included in the legislative authority and what is left to administrative discretion, some laws being very precise and others rather vague;
hostility of some officials to privacy solutions which impede their preferred means of organising a register, sometimes arising from strong commercial pressures to sell the data.

To these problems, can be added the fact that data protection authorities will often have an incomplete picture of the existence and nature of public registers. Even in jurisdictions with registration systems, there is often an exemption to registration or notification for registers maintained pursuant to statute. Accordingly, one preliminary step towards devising solutions to public register problems may be to survey existing laws and registers to see what is going on.

TOWARDS SOLUTIONS TO PUBLIC REGISTER PRIVACY PROBLEMS

I offer five strategies which, taken alone or together, may go some way to solving public register problems. It will be apparent from my paper that I consider that an effective solution will borrow from several of the suggested strategies

Strategy 1: Let general data protection laws solve the problems

Not every data protection law exempts public registers or public register information from controls but many do. Some laws exempt public registers from their principal data protection controls explicitly. For example, the UK law expressly excludes the maintenance of a public register from the prohibition on data processing without registration. Certain laws, such as that in Alberta, provide an explicit exemption for particular named public registers. Others include public register information expressly or implicitly in general exemptions covering publicly available information. New Zealand's law, for instance, expressly includes public registers in the definition of "publicly available publication" which is the basis of an exception to four key principles in the Act. Many laws, while not explicitly mentioning public registers, nonetheless effectively exempt them from controls by providing that an action authorised or required by another law will prevail over the data protection law's controls on use and disclosure of personal data. I expect that in some jurisdictions where there is not a specific exemption for public registers, publicly available information, or disclosures of information authorised by other laws, that data protection laws are nonetheless interpreted and applied so as to permit uncontrolled disclosures from such registers.

Might it not be possible to require public registers to be maintained consistently with normal data protection principles? If that is feasible then it may follow that the privacy risks will be satisfactorily addressed. Perhaps if exemptions did not exist, the lawmakers and agencies which maintain public registers might have to put more effort into identifying the principal and related purposes of registers and to devise means to ensure that the information is used for those purposes and no others.

Some privacy advocates have argued the case for eliminating public register exemptions from privacy laws. For instance, Dr Roger Clark has undertaken a survey of laws relating to public registers and has offered his "inescapable conclusion" that any form of exemption from privacy laws for such registers is unjustifiable. However, Roger Clark notes that as with many other data collections, the law needs to be applied and interpreted in relation to public registers in a manner that reflects their particular circumstances.

Public registers can be maintained consistently with certain normal data protection rules or principles. For example, when information is collected it ought to be possible to make individuals aware of the reason for requiring particular personal details, rights to rectification, and the consequences of the information being made publicly available. However, in my opinion, it would be impracticable to apply all data protection principles in completely unmodified form to public register information and assume that this would solve privacy problems. That approach might instead create new difficulties and render particular registers ineffective. Certainly lawmakers have often feared this, which has led to the enactment of the exemptions earlier mentioned.

Strategy 1 may have little chance of effectively addressing public register problems. While complete exemption of public registers from data protection laws is unsatisfactory from a privacy perspective, so too is a unilateral repeal of all such exemptions. A more sophisticated solution is needed.

Strategy 2: Apply data protection laws in a limited fashion

A second option is to take an ordinary data protection law and apply it in some limited fashion to public registers. In fact, this is what many data protection laws already do.

A typical data protection law may have a series of controls governing obtaining, holding, using and disclosing of personal data, and access to and rectification of such data. This option would avoid a complete exemption for public registers from all such requirements and instead allow only a partial exemption. It may make little sense to apply general access rights to a public register in a data protection law in circumstances where the public register law itself establishes a specific access regime. On the other hand, rectification or correction rights may be important.

Data protection laws have a number of parts in addition to any data protection principles or rules. For example, there may be registration or notification obligations and provisions concerning complaints and redress for breach. Powers may be conferred upon a Commissioner to conduct inquiries and audits or to make recommendations. With these, and the various other parts of data protection laws, there is scope to apply provisions to public registers in a limited form. While it may be considered problematic to apply the Use Limitation Principle to the use of public register information, it may nonetheless be straightforward to allow a Commissioner to audit the register for compliance with security safeguards requirements.

This option offers the start of a solution to public register problems. If registers are not simply to be seen as an exception to fair information practices it is necessary to bring them within the normal data protection regime. If there is a consensus that data protection laws cannot be applied in an unmodified fashion, the appropriate response may be to apply them in a more limited fashion. This option, at best, would improve the privacy protection in jurisdictions which presently completely exempt public registers from data protection laws. However, Strategy 2 will achieve very little on its own. For anyone interested in seriously tackling public register privacy problems, this can only be seen as a first step.

Strategy 3: Tailor the laws establishing registers to address privacy issues

A potent strategy for addressing the privacy issues in relation to public registers lies in reforming the particular laws establishing each register. Most data protection commissioners participate in this kind of law reform activity as an everyday part of their work. The main opportunities for reforming public register laws arise when new registers are created or the laws establishing old registers are reviewed, amended or consolidated.

In addition to the ad hoc reform of public register provisions in laws that fall due for re-enactment, it is possible to more proactively reform public register laws. In reviewing and reforming public register laws the following features might be worth considering: ·

Review overall position: Some commissioners, such as those in the UK and Hong Kong, have seen value in undertaking research into the nature and effect of existing public register laws before moving to any other stage of reform.
Review purpose of register: The opportunity for reform might include articulating the purposes for establishing a register and the purposes for giving the public direct access whether in the statute itself or in some other publicly accessible and transparent manner. Perhaps the opportunity should be taken to consult the community as to which (if any) additional uses of register information should be allowed. Robert Gellman's companion paper outlines how this approach has been taken in the US Driver's Privacy Protection Act 1994. The approach has also been recommended and tried in New Zealand.
Review content of register: Reviews offer the opportunity to consider which information is really necessary to be on the register and, of that, which needs to be publicly accessible. For instance, the New Zealand Register of Driver Licences includes residential addresses and digitised photographs on the register for official use only and omits such details from those able to be searched by the public.
Review technological issues: Technological issues abound in the automation of manual registers. New issues arise when consideration is given to making registers accessible through the Internet. There may be opportunity for the use of privacy enhancing technologies to enable useful statistical data to be produced through searches of public registers without the need to release personally identifying information. New technology might also provide an opportunity for better auditing mechanisms, audit trails and security devices.
Utilise experience from complaints and audits: Some Commissioners have used the opportunity of special inquiries into the operation of particular registers to make some recommendation for reform. Valuable reports on motor vehicle and property registers have been produced in British Columbia, for example. If use of a register for mass direct marketing is the problem, then perhaps the law should limit the number of entries which might be released on any one search. On the other hand, if personal safety is the issue, a suppression mechanism might be the appropriate response.

This strategy can be used in conjunction with the other options and any solutions devised can be carefully tailored to the circumstances of a particular register - providing better protection for privacy in some cases while elevating competing public interests in others. The approach can also ensure that the agencies maintaining public registers fully "own" the privacy problems. This is because those agencies will be consulted in devising particularised solutions and, once imposed by the legislature, the requirements will form part of their own primary legislation rather than an external requirement of a data protection law.

Commissioners may develop checklists of questions to be posed in relation to reform of public register laws. These will vary depending upon the nature of the register and the legal controls applicable in the jurisdiction. Typical questions might include:

Can the register be used to locate an individual? Is a home address required to be displayed? May individuals present alternatives such as post office boxes, businesses addresses or an agent's address?
Are sensitive details accessible? For instance, details of citizenship or ID number?
Does the register fulfil a public notification function? If so, does the purpose of the law require notification to the world at large or simply to a class of affected persons? Is there a more effective means to alert affected persons? Might it be possible to allow an affected class to have access to the register but constrain release of details to the wider public?
Should use of the register for marketing be permitted? If not, how can such use be constrained? For instance, would bulk release controls work? Might records be "seeded" so that improper uses may be monitored? If permitted, should this be limited to marketing which is relevant to the purpose of the register? Should marketing be allowed subject to an opt-in or opt-out arrangement?
Are secondary uses by other public authorities of concern? If so, how should such uses be authorised, controlled or prohibited? For instance, should law enforcement authorities have the same rights of search of the register as ordinary members of the public or should they be given greater or lesser access? Should other authorities have on-line access to registers "behind the scenes"?
What does an individual have to demonstrate in order to have his or her data removed from public display? Are the criteria appropriate? Are the procedures satisfactory?

Many jurisdictions have attempted to reform particular register laws. Frequently, good results have been achieved. In other cases, the results are mixed given the inevitable compromises resulting from trying to reconcile conflicting public interests. Elsewhere in this paper, and in Robert Gellman's companion paper, examples are given of particular register laws which have been tailored to address privacy issues. A few recent New Zealand examples include:

Dog Control Act - This Act constrains the supply of personal information from the Dogs Register. It permits the supply for any lawful purpose to listed officials such as the police, council officers, inspectors, animal welfare organisations and veterinary surgeons. However, it limits supply of register information to members of the public to certain specified purposes. The public must apply on a prescribed form which requires them to identify themselves and the purpose for which they require the information. The purposes listed in the Act relate to prosecutions or complaints alleging breach of relevant animal protection laws, civil claims for compensation in relation to damage attributed to a dog, to return a lost dog, to advise the owner of a dog that has been killed, or in order to make a complaint. Additional purposes can be added by regulation or pursuant to a code of practice issued under the Privacy Act.
Radiocommunications Amendment Bill - This bill will combine the registers of radio frequencies and radio licence holders and specify the purposes for which the register is maintained. While the register will generally be open to search, the Registrar is not to disclose a radio licensee's residential address, where that licensee is a natural person, without the individual's authority. This statutory provision is intended to be the basis of a scheme whereby amateur radio-operators may opt-into having their details released to the private publishers of directories if they so choose. This will facilitate the hobby of sending postcards between radio enthusiasts.
Roads Bill - In New Zealand the Register of Motor Vehicles is completely open for public search at nominal cost. The register can be accessed in all post offices to identify people's residential addresses by searching a vehicle registration plate number. A draft bill proposes to address the matter by limiting release of address information to the name of a town, or city and suburb, while omitting the street or house details.

Unfortunately, Strategy 3 offers only a long term solution. Even if Data Protection Commissioners had the available resources to review hundreds of register laws, there would be few jurisdictions in which officials and the legislature would make time available to quickly address privacy issues across all register laws. However, with careful prioritising, and taking the opportunities presented by the normal legislative timetable, it is possible to make significant progress over a number of years. Once suitable precedent provisions are enacted, the task will become easier as departmental legal advisers and legislative drafters adopt privacy-friendly solutions as a matter of course in new and re-enacted laws.

It is undesirable to leave privacy problems unaddressed until it is possible to get around to amending a raft of laws. Furthermore, there is no guarantee that when the appropriate time arrives that officials or lawmakers will be amenable to the suggested privacy solutions. Accordingly, it is probably best that this option form only part of a solution and be combined with some other strategy.

Strategy 4: Look beyond the register to users of register information

This paper highlights some of the difficulties in designing and implementing controls on the release of information from public registers. The focus is on the actions of the agencies maintaining registers. Why not instead concentrate upon the data protection controls applying to organisations which use information from public registers?

Earlier, I outlined typical exemptions in data protection laws. The extent and effect of those exemptions differ between various national laws. For example, the UK exemption from registration applies only to the agencies which maintain public registers. However, other exemptions generally extend beyond the agency maintaining the information to also include the information itself. For instance, exceptions to the use and disclosure controls in the New Zealand Privacy Act relate to information "sourced from" a publicly available publication, which includes a public register. Indeed, it would be fairly unusual to try to constrain the use to which information obtained from publicly available publications could be put.

Nonetheless, it may be possible to address certain public register privacy issues through constraints upon organisations obtaining information from public registers. Attempts to do so have been made in various jurisdictions. For example:

in New Zealand, public register privacy principle 2, which applies to "every person", prohibits the re-sorting of personal information obtained from a public register or the combination of such personal information with information obtained from any other public register, for the purpose of selling personal information assembled in a form in which it could not be obtained directly from the register;
in Australia, the Corporations Law prohibits any person from using information obtained from a company shareholder register to contact or send material to shareholders (or to disclose a list of shareholders to someone else to do so) unless the use or disclosure is relevant to the holding of shares or the exercise of rights attaching to them or is approved by the company concerned - persons who contravene the prohibition are liable to compensate anyone who suffers loss as a result and anyone who profits from the contravention owes a debt to the company in the amount of the profit.

Clearly any successful strategy addressing public register issues cannot ignore the people who use the information sourced from public registers. However, given the difficulty of constraining use once the information has been released from a general public register, it is unlikely this option can succeed on its own.

Strategy 5: Supplement data protection laws with special rules on public registers

Frequently standard data protection principles are found to be inadequate to sufficiently solve a particular data protection problem. In such circumstances, it is often decided to supplement a general data protection regime with more specific rules, controls and special processes. For example, in Australia, New Zealand and Hong Kong the respective data protection laws are supplemented with specific statutory controls relating to data matching. Australia also devotes a part of its Privacy Act to regulating credit reporting.

Sets of supplementary data protection rules for public registers can be found in New South Wales and New Zealand.

New South Wales
The Privacy and Personal Information Protection Act 1998 introduced two specific rules applying to public registers. The first provides that the agency responsible for keeping a public register must not disclose any personal information kept in the register unless the agency is satisfied that it is to be used for a purpose relating to the purpose of the register or the Act under which the register is kept. In order to enable the responsible agency to comply with the obligation, the agency may require any person who applies to inspect personal information contained in the register to give particulars, in the form of a statutory declaration, as to the intended use of the information.

The second rule provides that:

a person about whom personal information is contained, or proposed to be contained, in a public register may request the agency responsible for keeping the register to have the information removed from, or not placed on, the register as publicly available, and not disclosed to the public;
* if the public sector agency is satisfied that the safety or wellbeing of any person would be affected by not suppressing the personal information, the agency must suppress the information in accordance with the request unless it is of the opinion that the public interest in maintaining public access to the information outweighs any individual interest in suppression.

The two provisions prevail over any inconsistent requirement in the law under which a public register is established. It is understood that individuals whose details are to be placed on public registers will be advised of the purpose of the register. It is not yet plain how this will be done but it is likely that an explanation will be given on registration forms. The New South Wales law requires public sector agencies to develop and publish privacy management plans which may provide a context in which to consult stakeholders and publicly articulate relevant register purposes.

The public register controls in the New South Wales law are not yet in operation and so it is impossible to judge how successful they will be. However, the law represents a very clear attempt to reconcile the operation of public registers with the Purpose Specification and Use Limitation Principles and to address particular public safety concerns.

New Zealand
New Zealand's Privacy Act 1993 provides that agencies which maintain public registers must comply "as far as practicable" with both the information privacy principles, representing a general set of data protection rules for all agencies in the country, and an additional set of four public register privacy principles touching on the following matters:
1 Search references - constraining the search references by which information may be made available;
2 Use of information from public registers - constraining the resorting or combination of public register information with other public register information where the resultant information is to be sold in a manner in which the information could not be obtained directly from the register;
3. Electronic transmission of personal information from register - constraining the making available of public register information by electronic transmission;
4. Charging for access to public register - limiting the cost of searching public registers.

The public register privacy principles have recently been reviewed by the Privacy Commissioner. In doing so, he had particular regard to the operation of the Act since 1993 and to the Council of Europe Recommendations on Communication to Third Parties of Personal Data Held by Public Bodies. The Commissioner recommended amendment of the existing principles and the enactment of two entirely new ones. The text of the principles, incorporating the recommended changes, are appended to this paper. The two principles recommended by the Commissioner touch upon:
5. Bulk disclosures of information from public register - proposing to constrain the volume or bulk release of information from registers for secondary purposes;
6. Personal safety or harassment - proposing to require each register to have a suppression mechanism where personal or family safety is at risk (in a similar fashion to the New South Wales law earlier mentioned - and broadening an existing public register suppression regime in New Zealand's domestic violence law).

The New Zealand approach is driven by a desire to have a set of data protection rules which apply across the board to a wide range of public registers. Through the application of general public register privacy principles, which apply as a supplement to general information privacy principles, it is hoped to address the privacy challenges more generally and more quickly than awaiting reform of hundreds of provisions in individual public register laws.

CONCLUSION

Public register privacy problems are difficult to address - but not impossible. A strategy to address privacy risks arising from public registers should be guided by, and be consistent with, the approach taken in general data protection law in any jurisdiction. However, it is unlikely that general data protection laws will sit comfortably with completely open public registers. Some tailoring of a data protection law, whether by limiting its general application or by including additional special controls for registers, is probably desirable. Data protection laws having limited application to public registers will work satisfactorily but be ineffective in solving privacy challenges. Probably the most effective solution is to establish a general set of supplementary rules applying to public registers to work in conjunction with limited application of general data protection law and an on-going process of reform of the laws underpinning particular registers.

Blair Stewart
Assistant Commissioner

APPENDIX: EXTRACTS FROM NEW ZEALAND PRIVACY ACT 1993

PUBLIC REGISTER PRIVACY PRINCIPLES

Incorporating proposed amendments and additions

PRINCIPLE 1
Search references
Personal information is to be made available from a public register only by search references that are consistent with the manner in which the register is indexed or organised and with the purpose of the register.

PRINCIPLE 2
Use of information from public registers
Personal information obtained from a public register must not be:
(a) re-sorted; or
(b) combined with personal information obtained from any other public register:
for the purpose of making available for valuable consideration personal information assembled in a form in which that personal information could not be obtained directly from the register.

PRINCIPLE 3
Electronic transmission of personal information from register
Personal information in a public register must not be made available by means of electronic transmission, unless the purpose of the transmission is to make the information available to a member of the public in New Zealand who wishes to search the register.

PRINCIPLE 4
Charging for access to public register
Personal information on a public register must be made available to the individual concerned for no charge or for no more than a reasonable charge.

PRINCIPLE 5
Bulk disclosures of information from public register
Personal information containing an individual's name, together with the individual's address or telephone number, must not be made available from a public register on a volume or bulk basis unless this is consistent with the purpose for which the register is maintained.

PRINCIPLE 6
Personal safety or harassment
(1) Where practicable, personal information revealing an individual's whereabouts should not be stored in a part of a register generally accessible to the public where it is shown, on an application by the individual to the agency maintaining the register, that the individual's safety or that of the individual's family, would be put at risk through the disclosure of the information.
(2) An agency maintaining a public register must have reasonable procedures to invite, evaluate and determine applications by individuals whose personal safety may be put at risk by disclosure.
(3) It is an exception to clause (1) of this principle where other appropriate safeguards are taken to ensure that the information is not disclosed to the public for purposes unrelated to the purposes for which the information was collected or obtained.