Discussion:
Arbitration case a20150823.1 - ruling: dismiss - ABC for Stefan T
Stefan Thode
2016-06-26 12:56:03 UTC
Stefan Thode
2016-06-27 17:33:12 UTC
vv01f
2016-06-27 17:42:42 UTC
Hi Stefan,

how can
> Following your ruling, I stated that there is no ABC request following
> anymore.
fulfill
> a) if it becomes known that the respondent will never be able
> to do an ABC any more or
? I do not see that this is inevitably true. How have you been disabled
to do so?

If not so, your 2nd request would be void AFAIK.
--
PGP-Key 4096 RSA as of 2014-10-02
Fingerprint: 4B12 EFA6 9166 CA8C 23FC 47E4 9CD3 A462 48B6 60CA
Stefan Thode
2016-06-29 17:20:30 UTC
Hubert Daubmeier
2016-06-29 22:03:51 UTC
I cannot speak to the internal workings of CACert. I can only speak to the German legislation.

§34 is our right for information

§35 is our right for correction, deletion or blocking

Those rights and the law are unquestionable. However, a couple of things need to be checked by whoever receives such a request:

a) Is the requesting person indeed the person they claim to be? The certificate provided could suffice here.

b) What was the legal basis under which the data were provided?

   a. Were they given voluntarily? Then the permission to use can be withdrawn at any time. Could apply here (not sure)

   b. Were they given to enable a business transaction? Could be true (there is no necessity for money/cash to be in play)

   c. Under which legal regime were the data given - German or Australian? I do not know the answer to this question. The assumption that German law applies would not automatically apply. However, if German law did apply then another check needs to be conducted: is there a need to retain the data for other than privacy reasons? Trade laws, archiving laws, etc.

c) If deletion did not work for technical reasons (e.g. impact on database integrity) then the data should be blocked from further use, and the requestor be informed about the fact.

d) Finally, the requestor should be informed that his/her data will need to be stored (securely of course) about the deletion request, so that a future deletion request could be checked for reasonability. E.g. one request for information per year is considered reasonable.

In short, several complex checks need to be completed. I would argue, for simplicity's sake, do what can be realistically done and skip the legal complexities. But a two weeks' notice is outrageous for any fully operational, for-profit business. For an organisation of volunteers even more so.
--
With warm regards
Hubert Daubmeier
datenschutz Daubmeier

CIPP/E, GDDCert

Zur Au 14
86633 Neuburg Do

Tel: 08431 90 78 171
Mobile: 0176 92 67 79 12
mailto: ***@daubmeier.de
http://daubmeier.de/

From: cacert-***@lists.cacert.org [mailto:cacert-***@lists.cacert.org] On Behalf Of Stefan Thode
Sent: Wednesday, June 29, 2016 7:21 PM
To: Eva Stöwe <***@cacert.org>
Cc: dirk astrath <***@cacert.org>; Philipp Dunkel <***@cacert.org>; arbitration archives <arbitration-***@cacert.org>; cacert-***@lists.cacert.org; ***@lists.cacert.org
Subject: Re: Fwd: Re: Arbitration case a20150823.1 - ruling: dismiss - ABC for Stefan T



Dear Eva,
you don't need a 2nd Arbitrator for the deletion of personal data.
I gave the data to you. You are responsible that all copies are deleted, and not other Arbitrators.
Your ruling never reached juristic validity, as it stays directly against §35 "Bundesdatenschutzgesetz"
https://www.gesetze-im-internet.de/bdsg_1990/__35.html
Personal data can be deleted at every time.

In conjunction with your personal matters and your journey, I extend the time I expect your
confirmation of deletion to Sunday 2016-07-10.
That should be enough time to comply with the law.

Regards
Stefan

On 28.06.2016 at 01:08, Eva Stöwe wrote:

Dear Stefan,

please read my "ruling" carefully. It says:

"will never be able to do an ABC"

or alternatively:

"a decision in another ABC case"

none of this is fulfilled at the moment.

But the CM and me finally were able to discuss the situation. He is of
the opinion that as you are requesting something in direct relation of
this case, I/we could open the case again, so that I could do an
additional ruling, even as the DRP does not speak about this option.
This evening, I also spoke to the claimant of that case and he also
would not have an issue with this approach.


Two comments:
I hope you are aware that you were demanding(!) that two arbitrators
violate a ruling and confirm this with a CARS. I do not think that you
have any reason to expect that we do so. And even less reason to expect,
that we do so within an extremely short time.

But even if I/we would have had that intention: I did not get an answer
from the CM before yesterday, even as I have addressed him directly
after I saw your first mail. Well, he has one of the two copies and you
request that I confirm its deletion. I myself was not at home since
shortly after your first mail and will not be at home until end of this
week. Do you expect/want me to travel around with my copy, so that I can
access/destroy it at any possible time, everywhere?


As this is a case about private issues (I believe we agree in this
point), I ask everybody else to excuse that I do not have any intention
to further answer on case specific details, publicly. For everybody
interested, please use the case file (but allow us the time we need to
update it).

Kind regards,
Eva


On 27.06.2016 19:33, Stefan Thode wrote:

Dear Eva,
my request is not more than the content of your ruling.
You ruled:
   4. The CV should be destroyed when it becomes clear that it is not
   needed any more, which would be the case
   a) if it becomes known that the respondent will never be able to do an
   ABC any more or
   b) if there is a decision in another ABC case over the respondent, that
   the CV of this case is not needed, any more.

Following your ruling, I stated that there is no ABC request following
anymore.
So follow your own ruling and delete all personal relevant data
according to
the case a20150823.1, please.
I see your refusal to follow your own ruling as a breach of the DRP!

I repeat my request for the confirmation of deleting of my personal data
according to your ruling at the case a20150823.1.

Regards
Stefan


On 26.06.2016 at 15:09, Eva Stöwe wrote:

Dear Stefan,

there was a ruling. It is based on the SP where the requirements of
keeping or deleting that kind of information is stated. That ruling also
provided the reasons when the data should be removed. It is not unlikely
that one of those situations will occur, soon.

Please keep in mind that "escalation" in this situation is an appeal to
re-open the case and nothing else.

Btw: IF you would have answered in that case while it was open, you
could have asked for this and I would have considered it. But you
refused to answer even when asked, twice. I am sure that we would have
found a solution that works for all.

But regrettably you addressed me with this after the case was closed.
And I am not sure how to deal with that.

What I can assure you is that nobody will access that data as long as
there is no arbitration decision that it is necessary.

Just a minor detail: A CARS is not exactly the same as an
"Eidesstattliche Versicherung".

Kind regards,
Eva


On 26.06.2016 14:56, Stefan Thode wrote:

Dear Eva,
one week ago, I requested the confirmation, that you deleted my
personal data in accordance with the case a20150823.1.
At this time, I did not receive ANYTHING from you.
I am waiting for your confirmation of the deleted data.
I will accept a CARS statement as (in German) "Eidesstattliche
Versicherung".

Reasons why you don't have to store this information:
1. The German law for (in German) "Informationelle Selbstbestimmung"
2. There is no reason for the storing of my CV for an ABC for me
anymore as this is additional data that is not relevant
as the ABC never really started. If there should be a request for a
new ABC, there will be the need for an up to date CV anyway.

I will wait a maximum of ONE other week, before I will escalate the
situation.

Regards
Stefan


-------- Forwarded Message --------
Subject: Re: Arbitration case a20150823.1 - ruling: dismiss - ABC for
Stefan T
Date: Thu, 16 Jun 2016 20:07:24 +0200
From: Stefan Thode <***@web.de>
To: Eva Stöwe <***@cacert.org>, dirk astrath <***@cacert.org>
Copy (CC): Philipp Dunkel <***@cacert.org>, arbitration
archives <arbitration-***@cacert.org>



Dear Eva,
in accordance due to your ruling in paragraph 4:
There is NO reason to keep personal data linked to this case in the
area of the CAcert arbitration.
In the sense of data protection and my personal interest, delete my
cv, please!

In the sense of data protection, I wonder why your ruling doesn't hit
the target of data protection!

Confirm the deletion, and confirm that no copies were retained, please.

Regards
Stefan

On 15.06.2016 at 22:58, Eva Stöwe wrote:

Dear Dirk, dear Stefan,

As the Arbitrator of a20150823.1 I hereby dismiss this case with the
following provisions:
1. The case is dismissed because of no apparent interest of both parties.
2. There is no final decision made in this case.
3. The Security Policy requires to store the used material for
ABC-cases. Because of this the Arbitrator and Case Manager have to keep
the CV of R in a safe location. If this is done digitally it should be
done encrypted.
4. The CV should be destroyed when it becomes clear that it is not
needed any more, which would be the case
a) if it becomes known that the respondent will never be able to do an
ABC any more or
b) if there is a decision in another ABC case over the respondent, that
the CV of this case is not needed, any more.

2016-06-15
Eva Stöwe
Arbitrator of a20150823.1
Ben Short
2016-06-29 23:03:12 UTC
Dear Everyone

Does this somewhat private matter really need to be aired (or cc'd) on a
public mail list?

For whatever conceived notion of transparency that is trying to be
addressed in doing so, as a "Normal CACert User" there seems to be a lot of
people intent on generating drama in the community that I at least see as
being harmfully damaging to the CACert community and brand.

Could I please be as bold to suggest people think about who needs to be
involved with particular discussions before carpet bombing every mail list?

Thanks
Ben
--
Ben Short
The Practical Admin, Photographer and Geek
***@vk7ben.id.au | http://www.shortboy.net | Twitter: @bcshort
<http://www.twitter.com/bcshort>
gfa
2016-06-30 05:58:32 UTC
Post by Hubert Daubmeier
c. Under which legal regime were the data given - German or
Australian? I do not know the answer to this question. The assumption
that German law applies would not automatically apply. However, if German law
did apply then another check needs to be conducted: is there a need to
retain the data for other than privacy reasons? Trade laws, archiving
laws, etc.
I'm very surprised to hear that German law could apply in such a case.
Maybe I'm wrong? (For me, if French law could be applicable to my
private data for GAFA companies, etc., I'd become very rich ;) )

In Europe, for example, there is the "Roma ruling" 593/2008 [1] that
specifies the local law that should be used.

[1] http://data.europa.eu/eli/reg/2008/593/oj

My 2 cts,
--
gfa
Edward A Schober
2016-07-08 17:16:49 UTC
But Werner

CAcert transactions occur, at least for now, in New South Wales,
Australia. Why would German law apply?

I don't expect that anything I do with CAcert here in the USA would be
bound by US law.

best regards,

Ted
Hello Nico,
True, there are international treaties that are above local law in some
sense. But normally they are not directly applicable but mandate the
local legislative body to adhere to them. So finally the local laws rule.
But this doesn't change the fact that there are fields of law where
Arbitration is applicable and other fields of law where arbitration is
never ever applicable.
The main purpose of international arbitration regulations like UNCITRAL
is to facilitate international trade and to be uniform across different
legal systems. Arbitration always concerns civil law only, never criminal
law.
Kind regards, Werner
Edward A Schober
2016-07-29 14:40:21 UTC
Eva, you have such a clear mind! Principles, policy and the agreement
to arbitrate are what counts.

I am proud that you are willing to take on the role of arbitrator.
Thank you.

Sincerely,

Ted
Dear members,
First: thank you Ian for those words and your abundance of patience to
explain those points.
But as this discussion keeps running, I want to add to another point
which was mentioned by both Stefan and Werner. There was the comment
that arbitration would not be the right place [but that this lists or
board would be more sensible].
No. Board or this list are not the relevant authorities.
Further: Even IF "real" courts have jurisdiction and IF they would
address us, the relevant place would be Arbitration. Because Arbitration
is the authority we select to handle this. Not board, not this list, but
arbitration.
Please read DRP. Both will tell you, that if there is an "external" case
that it will be addressed internally as a disputed and handled by
arbitration.
Interestingly the SP confirms this, but even goes a step further. It
explicitly states, that board is not allowed to handle such cases (but
should be informed).
Internally something like this always has to be dealt with by
arbitration. Even if - no: especially if - courts are involved. As we
are discussing on a CAcert mailing list, I believe this to be the
relevant point.
For the time being I will not enter into the discussion if or which
"real" courts could possibly deal with this or not. There are two reasons
1. Currently there are no such courts involved, it would be absurd to
wait for them, before we deal with this.
2. A new ruling was given in the specific case which allows the direct
destruction of the CV. I personally regard the price for having that
ruling to be higher than the former situation.
I never had the intention to hurt or harm Stefan or his data. And I wish
him well, even now. In general it is his right to ask for deletion of
data and I care for such rights. But sometimes there are other
requirements to keep data, as well. However, for this specific case,
this question is answered.
One note about Werner's idea of suing the Case Manager and/or me
personally based on the question if we were acting personally or as
authorities within CAcert.
I have absolutely no idea how such a question could even be asked. I was
clearly and explicitly acting as the Arbitrator of an arbitration case
and the Case Manager was only addressed in that role. We clearly did not
act personally - and we even could not make a personal decision to
delete that data, as we are/were holding that data based on that roles
for CAcert [arbitration].
Further: The Dispute Resolution Policy states that arbitrators are
protected and that there are high barriers until the Arbitrator of a
case can be liable.
But even more, the current board established that CAcert will try to
protect arbitrators even from court decisions in any legal manner.
At least I heard the loud and clear message.
Kind regards,
Eva [writing as a member and not as the arbitrator of that case]
Hello Edward,
Post by Edward A Schober
CAcert transactions occur, at least for now, in New South Wales,
Australia.
This is the default. At least in Arbitration you can select the legal
system of another country if all concerned agree.
Obviously not an option in this case - because your opponents won't
agree.
Post by Edward A Schober
Why would German law apply?
It could apply, since Eva as well as Stefan are both German residents.
If Stefan would sue Eva directly for data protection violation, it would
be before a German court.
Wrong on both counts. Anyone can sue anywhere. This makes no odds,
it's life. The question of jurisdiction is the key here not the
question of residence of citizenship (although that might change in
GDPR).
In such a case, the court would be made aware of the clause to
arbitrate and the deep body of policy that covers data protection
within the system. Also how CAcert community has taken care not to
misalign with DPD, and how it is a reasonable authority to handle
these disputes.
Of course one cannot predict what any court decides, but it would be
*extraordinary* if the court were to strike down the agreement to
arbitrate without good reason. Just because two people have a
relationship to a local court isn't that good reason. If it were,
arbitration would not work at all.
And just because you're upset, isn't a good reason either.
If Stefan would sue CAcert for data protection
violation, it would be before a NSW court.
No - same as above, wrong on both counts, again. Stefan can sue
anywhere. Same defence - this is a CAcert arbitration matter, because
you agreed before to arbitrate. It's not a NSW court matter.
The question arises, is Eva regarded acting in her own name or is she
regarded acting as a CAcert officer, that is on behalf of CAcert.
Werner, you're in La La Land. In order to show anything like that you
would need to show the DRP, and show how an arbitrator can be
construed as operating in her own name. You would be presenting
evidence before the court as to how you had agreed to arbitrate,
evidence that you know full well that you agreed and were totally
capable of that decision, and would now add to your sorrows by trying
to wheedle out of it.
Almost certainly you would fail. And under UNCITRAL.
I'm not unsympathetic to the notion of discussing this issue. But you
have crossed that line - you are not discussing, you are harassing.
You and others are making up childish theories in order to spread fear
uncertainty and doubt.
It was for this reason the community faced you and tore down your
board. Because you don't understand the law, you don't understand the
community, and you don't understand when you've crossed the line and
start harassing people for no good.
The community stands behind its arbitrators. Because without that we
have nothing, we are nothing. Has the message been heard loud and clear?
Attack the arbitrators, attack us all.
iang
Benedikt Heintel
2016-06-30 10:37:09 UTC
Post by Hubert Daubmeier
I cannot speak to the internal workings of CACert. I can only speak to
the German legislation
CAcert Inc. is bound to NSW law. With the CCA (Section 3.1) [1], CAcert
Inc. binds the member to the law of New South Wales (NSW). NSW governs
on the Australian Privacy Act (1988) [2].

The CCA in consent with the European Regulation EC 593/2008 [3] Article
4:
"1. To the extent that the law applicable to the contract has not been
chosen in accordance with Article 3 and without prejudice to Articles 5
to 8, the law governing the contract shall be determined as follows:
[...]
(b) a contract for the provision of services shall be governed by the
law of the country where the service provider has his habitual
residence;"

Let's have a look in the Australian Privacy Act:
Schedule 1, Part 2, § 3.1 and § 3.6 of named Act outlines the principles
to collect personal information (PI).
"3.1 If an APP entity is an organisation, the entity must not collect
personal information (other than sensitive information) unless the
information is reasonably necessary for one or more of the entity’s
functions or activities."
"3.6 An APP entity must collect personal information about an
individual only from the individual unless: [...]
(b) it is unreasonable or impracticable to do so."

For the use of PI, the act says in Schedule 1, Part 3, § 6.1:
"6.1 If an APP entity holds personal information about an individual
that was collected for a particular purpose (the primary purpose), the
entity must not use or disclose the information for another purpose (the
secondary purpose) unless:
(a) the individual has consented to the use or disclosure of the
information; [...]"
As far as I read, there is no consent given by the respondent in
a20150823.1.

Schedule 1, Part 5, § 13.1 finally, deals with the correction of PI:
"13.1 If:
(a) an APP entity holds personal information about an individual; and
(b) either:
[...]
(ii) the individual requests the entity to correct the information;
the entity must take such steps (if any) as are reasonable in the
circumstances to correct that information to ensure that, having regard
to the purpose for which it is held, the information is accurate,
up‑to‑date, complete, relevant and not misleading."

There is no dedicated section for deletion of PI in the act. My research
on "PI deletion" led me to a proposal of the Australian Law Enforcement
Commission from May 2014, to introduce a dedicated PI deletion paragraph
on request of the individual [5]:
"Proposal 15–2 A new Australian Privacy Principle should be inserted
into the Privacy Act 1988 (Cth) that would:
(a) require an APP entity to provide a simple mechanism for an
individual to request destruction or de-identification of personal
information that was provided to the entity by the individual; and
(b) require an APP entity to take reasonable steps in a reasonable time,
to comply with such a request, subject to suitable exceptions, or
provide the individual with reasons for its non-compliance."

Nevertheless, the relevance must be assessed by the entity. This might
also lead to a deletion decision; especially in a privacy aware
organisation as CAcert claims to be.

In any case, a refusal of the respondent's request should be in
accordance with Schedule 1, Part 5, § 13.3:
"13.3 If the APP entity refuses to correct the personal information as
requested by the individual, the entity must give the individual a
written notice that sets out:
(a) the reasons for the refusal except to the extent that it would be
unreasonable to do so; and
(b) the mechanisms available to complain about the refusal; and
(c) any other matter prescribed by the regulations."

Best Regards
Benedikt

Disclaimer: This information is based on my own investigation and not a
legal advice. To get legal clarification on this topic, please consult a
lawyer.

[1] https://www.cacert.org/policy/CAcertCommunityAgreement.html
[2] https://www.legislation.gov.au/Details/C2014C00076
[3] http://eur-lex.europa.eu/eli/reg/2008/593/oj
[4]
http://www.alrc.gov.au/publications/15-new-regulatory-mechanisms/new-privacy-principle-deletion-personal-information
Stefan Thode
2016-07-03 15:58:46 UTC