Table of contents

• Introduction
• Statement of Objectives
• APPA Secondment Framework
• Statement of Common Administrative Practice: Case Note Citation
• Statement of Common Administrative Practice: Case Note Dissemination
• APPA members list
• When meetings are held
• Privacy Awareness Week
• APPA TWG correspondence to Google February 2012
• Communiqués

Introduction

Asia Pacific Privacy Authorities (APPA) is the principal forum for privacy authorities in the Asia Pacific Region to form partnerships and exchange ideas about privacy regulation, new technologies and the management of privacy enquiries and complaints.

APPA convenes twice a year, discussing permanent agenda items like jurisdictional reports from each delegation and an initiative-sharing roundtable. Topical issues canvassed by forums have included privacy and security, a World Anti-Doping Code, cross-jurisdictional law enforcement in the Pacific Rim, privacy legislation amendments, cryptography and personal data privacy.

Background

Asia Pacific Privacy Authorities (APPA) was formerly known as PANZA and PANZA+ (Privacy Agencies of New Zealand and Australia plus Hong Kong and Korea).

Following an internal review of PANZA+ during 2005, the participants agreed to update the Forum. A title more accurately reflecting the composition of the group was adopted and a formal structure was put in place to assist the Forum to engage strongly on privacy matters in the region. The first outcomes of this enhanced and directed focus is the APPA Statement of Objectives and the Statement of Common Administrative Practice outlined below.

Statement of Objectives

Meeting in Auckland, on 6 December 2010, the Asia Pacific Privacy Authorities Forum resolved as follows:

Recognising that:

• Privacy is a matter of growing international concern;
• Information networks closely connect people and organisations in our various economies regardless of physical borders and differing laws;
• Governments and business expect regulators to strive for efficient and effective solutions and that best practice requires privacy authorities to be aware of what similar regulators are doing;
• Privacy issues can emerge in one jurisdiction before others and that privacy authorities can benefit from an advanced warning system;
• Privacy authorities are increasingly being called upon to contribute to solutions to privacy breaches or policy challenges, that cross borders;
• There is limited specialised privacy resource in any one jurisdiction and that privacy authorities benefit from reaching abroad for information, inspiration and assistance;
• Participants in the forum will benefit from cooperation in information privacy knowledge sharing and technical resources;
• Endorsement of the APEC Privacy Framework in 2004 has provided a regional restatement of the importance of privacy and maintaining information flows;
• Adoption of the OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy in 2007 and the commencement of the APEC Cooperation Arrangement for Cross-border Privacy Enforcement (CPEA) in 2010 have re-emphasised the need for regional cooperative arrangements:

Therefore we resolve to:

• Continue the cooperative arrangements established in 1992 and encourage further participation from within the region;
• maintain constructive relations with complementary networks including the International Conference of Data Protection and Privacy Commissioners, the APEC CPEA and the Global Privacy Enforcement Network:

And further resolve through the Forum to:

• Facilitate sharing knowledge and resources between privacy authorities in the region;
• Foster cooperation in privacy and data protection;
• Jointly promote privacy awareness activities
• Promote best practice amongst privacy authorities;
• Work to continuously improve our regulatory performance;
• Support efforts to improve cross-border cooperation in privacy enforcement.

Office of the Australian Information Commissioner
Privacy Commissioner of New Zealand
Privacy Commissioner for Personal Data, Hong Kong SAR, China
Privacy Commissioner of New South Wales, Australia
Privacy Commissioner of Victoria, Australia
Information Commissioner of Northern Territory, Australia
Korea Internet & Security Agency
Information and Privacy Commissioner of British Columbia, Canada
Privacy Commissioner of Canada
Federal Trade Commission, United States of America
Federal Institute for Access to Information and Data Protection, Mexico

APPA Secondment Framework

Secondments offer an excellent opportunity to foster collaboration between APPA members and promote best practice in the field of privacy and data protection. They can also help to improve the performance of individual staff members and of the privacy authorities they work for.

For this reason, APPA has adopted the APPA Secondment Framework (pdf 275 KB). This framework provides advice on how to set up a successful secondment.

Statement of Common Administrative Practice

Case Note Citation

Adopted: 24th APPA meeting, Melbourne, Australia, 17 November 2005

Abstract: This statement outlines agreed elements of a system for citing reports of complaints handled by privacy authorities. The citation system seeks to maximise the collective regional benefits of individual report series published by particular privacy authorities by making it easier to clearly identify and refer to reported cases.

Special terms used: "Case note" is intended to encompass any report outlining the outcome of an investigation, conciliation or determination of a complaint that is contained in a series of reports released by a privacy authority.

Background information: Graham Greenleaf, "Reporting Privacy Complaints Part 1: A Proposal for Systematic Reporting of Complaints in Asia-Pacific Jurisdictions" 9/3 Privacy Law & Policy Reporter 41-48, available online at http://www.austlii.edu.au/au/journals/PLPR/2002/30.html.

Statement on citation of case notes

Many privacy authorities issue instructive case notes on a selection of complaints that have been handled. It is desirable that all those who wish to refer to a case note can do so by an official citation that unambiguously refers to the same note and has an accepted designator for the privacy authority or other body publishing the report.

APPA particularly wishes to encourage good citation systems given the clear benefit to privacy authorities in the region in the ability to cite reports from other offices. Others engaged in interpreting and applying privacy law will similarly benefit.

It is agreed that all case notes should be issued with a citation including the following elements:

• A descriptor of the case
• The year of publication
• A standard abbreviation for the privacy authority
• A sequential number.

Some variety exists in case descriptors currently used by privacy authorities in the region. This diversity is compatible with this statement of common administrative practice. Current approaches include:

• Australia and Victoria: reference to complainant by letter of the alphabet and respondent through a general description (e.g. J v Superannuation Provider [2005] PrivCmrA 7)
• New South Wales: reference to complainant by letters followed by respondent department's name (e.g. KJ v Wentworth Area Health Service [2004] NSWPrivCmr 7)
• New Zealand, Korea and Hong Kong: a short generalised characterisation of the complaint (e.g. Mobile telecom company provided the details of telephone conversation of a customer to a third party without her consent [2004] KRPIDMC 4); New Zealand and Hong Kong citations add an internal reference number e.g. Man upset that employer disclosed epilepsy to other employees (Case Note 16723) [2003] NZPrivCmr 11).

The year of the note appears in brackets, followed by the abbreviation of the issuing authority and the sequential case note number.

The following abbreviations have been adopted for APPA participants:

• HKPrivCmr - Hong Kong Privacy Commissioner for Personal Data
• KRPIDMC - Korean Personal Information Dispute Mediation Committee
• NSWPrivCmr - New South Wales Privacy Commissioner
• NTICmr - Northern Territory Information Commissioner
• NZPrivCmr - New Zealand Privacy Commissioner
• PrivCmrA - Privacy Commissioner of Australia (changed on 1 November 2010 to AICmrCN - Office of the Australian Information Commissioner)
• VPrivCmr - Victorian Privacy Commissioner

Statement of Common Administrative Practice

Case Note Dissemination

Adopted: 26th APPA meeting, Hong Kong, 9 November 2006

Abstract: This statement outlines recommended steps for disseminating privacy case notes. These steps seek to maximise the collective regional benefits of individual case note series published by particular privacy authorities by making it easy to obtain case notes on-line and by facilitating re-publication.

Special terms used: 'Case note' encompasses any report outlining the outcome of an investigation, conciliation or determination of a complaint that is contained in a series of reports released by a privacy authority.

Related statement: APPA Statement of Common Administrative Practice on Case Note Citation adopted at the 24th Meeting, Melbourne, Australia, 17 May 2005.

Statement on dissemination of case notes

Many privacy authorities issue instructive case notes on a selection of complaints that have been handled in their jurisdiction.

Privacy authorities disseminate their case notes domestically in a variety of ways depending upon their priorities, budget and target audiences. For instance, some:

• maintain a distribution list to which printed copies of case notes are mailed
• reprint the text of case notes in annual reports
• publicise summaries in newsletters
• post case notes on their own website
• distribute electronic copies through RSS feeds or email subscription lists
• cooperate in re-publication by local legal publishers
• periodically publish indexed compilations.

APPA actively encourages privacy authorities to make their case notes widely available to increase comparative knowledge and stimulate research and debate.

This statement is focused upon steps that facilitate the dissemination or availability of case notes throughout the region.

APPA encourages privacy authorities:

• to cooperate with third party publishers who wish to re-publish their case notes, and
• to make their case notes available, in an electronic form suitable for re-publication, to a recognised regional consolidated point of access.

Third party publishers

APPA recognises that third party publishers can enable case notes to be made more widely available to the public, specialist bodies, professional advisers and researchers.

Privacy authorities should facilitate re-publication of case notes by third party publishers. This should be done by giving a general licence for re-publication of their case notes with proper acknowledgement.

The general licence can be made subject to revocation if inappropriate (e.g. salacious) use is made.

The general licence should be included within the usual copyright notice posted on each privacy authority's website.

Consolidated point of access

APPA sees considerable value in having a consolidated point of access for case notes. An access point now exists in the World Legal Information Institute's Privacy Law Library (www.WorldLII.org/int/special/privacy). The single point of access brings a variety of benefits including the ability to search across a range of case note series from within and beyond the region.

Privacy authorities should supply electronic case notes to WorldLII at the same time as they distribute the case notes in the ordinary way or as soon as reasonably practicable after that.

APPA Members List

Below is a list of the current APPA members. Authorities from other countries are eligible for membership if the authority (or agency) has been accredited through the international meetings of Data Protection and Privacy Commissioners.

APPA generally meets over two or two and a half days, one to one and half days being reserved for Privacy Commissioners (APPA's formal members) and their staff and the remaining day including invited representatives of government agencies/departments involved in privacy administration or privacy-related issues.

Current APPA members include:

When meetings are held?

There are two APPA forums every year, with hosting duties rotating between APPA members.

The next meeting will be held in Hong Kong in June 2012.

Privacy Awareness Week

Privacy Awareness Week was first jointly promoted internationally by APPA members in 2007.

In 2011 APPA members jointly ran a survey to learn more about your concerns about privacy and social networking. A media release announcing the survey results appears here.

Privacy Awareness Week 2012 will be held from 29 April–5 May 2012.

Communiqués