Asia Pacific Privacy Authorities

Introduction

Asia Pacific Privacy Authorities (APPA) is the principal forum for privacy authorities in the Asia Pacific Region to form partnerships and exchange ideas about privacy regulation, new technologies and the management of privacy enquiries and complaints.

APPA convenes twice a year, discussing permanent agenda items like jurisdictional reports from each delegation and an initiative-sharing roundtable. Topical issues canvassed by forums have included privacy and security, a World Anti-Doping Code, cross-jurisdictional law enforcement in the Pacific Rim, privacy legislation amendments, cryptography and personal data privacy.

Background

Asia Pacific Privacy Authorities (APPA) was formerly known as PANZA and PANZA+ (Privacy Agencies of New Zealand and Australia plus Hong Kong and Korea).

Following an internal review of PANZA+ during 2005, the participants agreed to update the Forum. A title more accurately reflecting the composition of the group was adopted and a formal structure was put in place to assist the Forum to engage strongly on privacy matters in the region. The first outcomes of this enhanced and directed focus is the APPA Statement of Objectives and the Statement of Common Administrative Practice outlined below.

Statement of Objectives

Meeting in Hong Kong, on 11 June 2009, the assembled privacy authorities from Australia, Canada, Hong Kong, Korea and New Zealand, resolved as follows:

RECOGNISING that:

Privacy is a matter of growing international concern
Information networks closely connect people and organisations in our various economies regardless of physical borders and differing laws
Governments and business expect regulators to strive for efficient and effective solutions and that best practice requires privacy authorities to be aware of what similar regulators are doing
Privacy issues can emerge in one jurisdiction before others and that privacy authorities can benefit from an advanced warning system
Privacy authorities are increasingly being called upon to contribute to solutions to complaints, or policy challenges, that cross borders
There is limited specialised data privacy resource in any one jurisdiction and that privacy authorities benefit from reaching abroad for information, inspiration and assistance
Participants in the forum will benefit from cooperation in information privacy knowledge sharing and technical resources
Endorsement of the APEC Privacy Framework in 2004 has provided a regional restatement of the importance of privacy and transborder information flows
Adoption of the OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy in 2007 has re-emphasised the need for regional cooperative arrangements

THEREFORE we resolve to:

Continue the cooperative arrangements established in 1992 and relaunched as the Asia Pacific Privacy Authorities Forum in 2005
Encourage further participation from within the region

AND FURTHER RESOLVE to build upon and enhance the current arrangements with the principal objectives of:

Facilitating the sharing of knowledge and resources between privacy authorities within the region
Fostering cooperation in privacy and data protection
Promoting best practice amongst privacy authorities
Working to continuously improve our performance to achieve the important objectives set out in our respective privacy laws.

Privacy Commissioner of Australia
Privacy Commissioner of New Zealand
Privacy Commissioner for Personal Data, Hong Kong SAR, China
Privacy Commissioner of New South Wales, Australia
Privacy Commissioner of Victoria, Australia
Information Commissioner of Northern Territory, Australia
Korea Information Security Agency Information
Information and Privacy Commissioner of British Columbia, Canada
Privacy Commissioner of Canada

APPA Secondment Framework

Secondments offer an excellent opportunity to foster collaboration between APPA members and promote best practice in the field of privacy and data protection. They can also help to improve the performance of individual staff members and of the privacy authorities they work for.

For this reason, APPA has adopted the APPA Secondment Framework (pdf 275 KB). This framework provides advice on how to set up a successful secondment.

Statement of Common Administrative Practice

PDF

Case Note Citation

Adopted: 24th APPA meeting, Melbourne, Australia, 17 November 2005

Abstract: This statement outlines agreed elements of a system for citing reports of complaints handled by privacy authorities. The citation system seeks to maximise the collective regional benefits of individual report series published by particular privacy authorities by making it easier to clearly identify and refer to reported cases.

Special terms used: "Case note" is intended to encompass any report outlining the outcome of an investigation, conciliation or determination of a complaint that is contained in a series of reports released by a privacy authority.

Background information: Graham Greenleaf, "Reporting Privacy Complaints Part 1: A Proposal for Systematic Reporting of Complaints in Asia-Pacific Jurisdictions" 9/3 Privacy Law & Policy Reporter 41-48, available on-line at http://www.austlii.edu.au/au/journals/PLPR/2002/30.html.

Statement on citation of case notes

Many privacy authorities issue instructive case notes on a selection of complaints that have been handled. It is desirable that all those who wish to refer to a case note can do so by an official citation that unambiguously refers to the same note and has an accepted designator for the privacy authority or other body publishing the report.

APPA particularly wishes to encourage good citation systems given the clear benefit to privacy authorities in the region in the ability to cite reports from other offices. Others engaged in interpreting and applying privacy law will similarly benefit.

It is agreed that all case notes should be issued with a citation including the following elements:

A descriptor of the case
The year of publication
A standard abbreviation for the privacy authority
A sequential number.

Some variety exists in case descriptors currently used by privacy authorities in the region. This diversity is compatible with this statement of common administrative practice. Current approaches include:

Australia and Victoria: reference to complainant by letter of the alphabet and respondent through a general description (e.g. J v Superannuation Provider [2005] PrivCmrA 7)
New South Wales: reference to complainant by letters followed by respondent department's name (e.g. KJ v Wentworth Area Health Service [2004] NSWPrivCmr 7)
New Zealand, Korea and Hong Kong: a short generalised characterisation of the complaint (e.g. Mobile telecom company provided the details of telephone conversation of a customer to a third party without her consent [2004] KRPIDMC 4); New Zealand and Hong Kong citations add an internal reference number e.g. Man upset that employer disclosed epilepsy to other employees (Case Note 16723) [2003] NZPrivCmr 11).

The year of the note appears in brackets, followed by the abbreviation of the issuing authority and the sequential case note number.

The following abbreviations have been adopted for APPA participants:

HKPrivCmr - Hong Kong Privacy Commissioner for Personal Data
KRPIDMC - Korean Personal Information Dispute Mediation Committee
NSWPrivCmr - New South Wales Privacy Commissioner
NTICmr - Northern Territory Information Commissioner
NZPrivCmr - New Zealand Privacy Commissioner
PrivCmrA - Privacy Commissioner of Australia
VPrivCmr - Victorian Privacy Commissioner

Statement of Common Administrative Practice

Case Note Dissemination

PDF

Adopted: 26th APPA meeting, Hong Kong, 9 November 2006

Abstract: This statement outlines recommended steps for disseminating privacy case notes. These steps seek to maximise the collective regional benefits of individual case note series published by particular privacy authorities by making it easy to obtain case notes on-line and by facilitating re-publication.

Special terms used: "Case note" encompasses any report outlining the outcome of an investigation, conciliation or determination of a complaint that is contained in a series of reports released by a privacy authority.

Related statement: APPA Statement of Common Administrative Practice on Case Note Citation adopted at the 24th Meeting, Melbourne, Australia, 17 May 2005.

Statement on dissemination of case notes

Many privacy authorities issue instructive case notes on a selection of complaints that have been handled in their jurisdiction.

Privacy authorities disseminate their case notes domestically in a variety of ways depending upon their priorities, budget and target audiences. For instance, some:

maintain a distribution list to which printed copies of case notes are mailed
reprint the text of case notes in annual reports
publicise summaries in newsletters
post case notes on their own website
distribute electronic copies through RSS feeds or email subscription lists
cooperate in re-publication by local legal publishers
periodically publish indexed compilations.

APPA actively encourages privacy authorities to make their case notes widely available to increase comparative knowledge and stimulate research and debate.

This statement is focused upon steps that facilitate the dissemination or availability of case notes throughout the region.

APPA encourages privacy authorities:

to cooperate with third party publishers who wish to re-publish their case notes, and
to make their case notes available, in an electronic form suitable for re-publication, to a recognised regional consolidated point of access.

Third party publishers

APPA recognises that third party publishers can enable case notes to be made more widely available to the public, specialist bodies, professional advisers and researchers.

Privacy authorities should facilitate re-publication of case notes by third party publishers. This should be done by giving a general licence for re-publication of their case notes with proper acknowledgement.

The general licence can be made subject to revocation if inappropriate (e.g. salacious) use is made.

The general licence should be included within the usual copyright notice posted on each privacy authority's website.

Consolidated point of access

APPA sees considerable value in having a consolidated point of access for case notes. An access point now exists in the World Legal Information Institute's Privacy Law Library (www.WorldLII.org/int/special/privacy). The single point of access brings a variety of benefits including the ability to search across a range of case note series from within and beyond the region.

Privacy authorities should supply electronic case notes to WorldLII at the same time as they distribute the case notes in the ordinary way or as soon as reasonably practicable after that.

APPA Members List

Below is a list of the current APPA members. Authorities from other countries are eligible for membership if the authority (or agency) has been accredited through the international meetings of Data Protection and Privacy Commissioners.

APPA generally meets over two or two and a half days, one to one and half days being reserved for Privacy Commissioners (APPA's formal members) and their staff and the remaining day including invited representatives of government agencies/departments involved in privacy administration or privacy-related issues.

Current APPA members include:

Members	Commissioners
Office of the Privacy Commissioner for Personal Data, Hong Kong www.pcpd.org.hk	Mr Roderick B Woo, Privacy Commissioner for Personal Data, Hong Kong
Office of the Privacy Commissioner, Australia www.privacy.gov.au	Ms Karen Curtis, Privacy Commissioner (Australia)
Office of the New South Wales Privacy Commissioner www.lawlink.nsw.gov.au/lawlink /privacynsw/ll_pnsw.nsf/pages/PNSW_index	Judge K V Taylor, AM, RFD, NSW Privacy Commissioner Ms Maureen Tangney, Assistant Director General, Department of Justice and Attorney General has been appointed Acting Privacy Commissioner until 31st of March 2010
Office of the Victorian Privacy Commissioner www.privacy.vic.gov.au	Ms Helen Versey, Privacy Commissioner Victoria
Office of the Information Commissioner Northern Territory www.privacy.nt.gov.au	Ms Zoe Marcham, Information Commissioner
Korea Internet & Security Agency www.kisa.or.kr	Dr. Won, Yoojae - Vice President
Office of the Privacy Commissioner, New Zealand www.privacy.org.nz	Ms Marie Shroff, Privacy Commissioner (New Zealand)
Office of the Privacy Commissioner, Canada www.privcom.gc.ca/index_e.asp	Ms Jennifer Stoddart, Privacy Commissioner (Canada)
Office of the Information and Privacy Commissioner, British Columbia www.oipcbc.org	Mr Paul Fraser, Acting Information and Privacy Commissioner (British Colombia)