Two recent high-profile cases, relating to Winston Peters' superannuation overpayment and the cyber-attack on the Waikato District Health Board, emphasise the importance that New Zealand courts attach to protecting private information, even though one of them rejected a claim for breach of privacy. The latter also recognised the necessity of preventing media (and others) from benefitting from making use of stolen health information.
Court of Appeal releases privacy tort judgment
In Peters v Attorney-General on behalf of Ministry of Social Development  NZCA 355, the Court of Appeal has provided guidance in respect of the tort of invasion of privacy. The case is notable for signalling developments in the tort, such as affirming the removal of the requirement for there to be widespread disclosure and the potential for the removal of the requirement that disclosure be highly offensive.
In 2017, the Ministry of Social Development (MSD) realised that Mr Peters, who, at the time, was a Member of Parliament and leader of the New Zealand First party, had mistakenly been overpaid New Zealand Superannuation (NZS). Due to errors, found not to be attributable to Mr Peters, NZS had been paid at the single rate when it should have been paid at the partner rate. Mr Peters immediately arranged for the overpaid amount to be repaid.
In late August 2017, several reporters received anonymous calls in respect of the overpayment. To pre-empt any publicity, Mr Peters released a press statement addressing the incident.
Mr Peters alleged that the tort of invasion of privacy had been committed by MSD, the Chief Executive of MSD, the State Services Commissioner and two Ministers. The High Court claim was dismissed because those parties were proper recipients of the information and Mr Peters could not establish that any of the defendants were responsible for the disclosure of his personal information to the media.
Court of Appeal judgment
The Court dismissed Mr Peters' appeal. For an invasion of privacy claim to succeed, it is necessary to prove:
- the existence of facts in respect of which there was a reasonable expectation of privacy; and
- that the publicity given to those private facts would be considered highly offensive to an objective reasonable person.
The Court accepted that Mr Peters had a reasonable expectation that the overpayment would be protected from disclosure to the public generally. However, the Court found that Mr Peters did not have a reasonable expectation of protection from disclosure of this information within MSD and from MSD to the relevant Ministers and select staff. Those disclosures were made in good faith and in accordance with their proper functions.
As none of the defendants released the information to the media, the appeal was dismissed.
Key takeaways from the Court of Appeal judgment
The Court confirmed that there are two distinct privacy torts ("giving publicity to private facts" and "intrusion into solitude and seclusion").
The Privacy Act is distinct from the tort of invasion of privacy. The Court confirmed that the tort was never intended to be co-extensive with liability under the Privacy Act (which has distinct obligations, procedures and remedies).
The intention of the person disclosing private information may be critical. The Court commented that the tort is not intended to regulate what Chief Executives can disclose to their Minister in good faith. In contrast, the Court noted that there "could well" be liability if an employee had provided private, personal information to a political adviser, in bad faith, in order to enable that information to be passed on to the media.
The Court upheld the statutory immunity of the two Chief Executives under the State Sector Act 1988 (now the Public Service Act 2020).
The Court was invited to remove the requirement that disclosure be "highly offensive". The Court declined to do so (as it was not necessary on the facts) but acknowledged that the test was adopted from a UK authority that has since been reversed. These comments are likely to promote further judicial discussion in the future.
The Court rejected the argument that the tort only applies to "widespread publication to the public". Instead, the Court affirmed that the tort may be committed where disclosure is made to a small class, and disclosure to just one person may be enough. It also noted that the existing defence – that there is a legitimate public concern in the information – will need to be adapted to continue to provide a defence to these cases of limited disclosure.
The decision suggests a significant shift in the core element of the tort, particularly by confirming that there need not be widespread dissemination of the information and by indicating that the requirement for highly offensive disclosure may be reconsidered in the future.
High Court grants orders to protect stolen information
The High Court has granted an interim injunction in Waikato District Health Board v Radio New Zealand  NZHC 2002, to prevent Radio New Zealand (RNZ) and others from using confidential information that was illegally obtained.
In May 2021, the Waikato District Health Board (WDHB) was subject to a widespread cyber-attack by unknown criminals. As a result of this attack, personal patient health information, employee information and commercially sensitive information were obtained and later released on the dark web (the Stolen Dataset).
Two months after the cyber-attack, RNZ published an article that contained confidential patient information from the Stolen Dataset. While RNZ contacted the WDHB in advance of publishing the article, it did not provide sufficient time for the WDHB to contact the affected individual, or their whānau, prior to publication. RNZ also refused to delay publication by a day to ensure appropriate protection could be provided to the affected individual. However, RNZ consented to the orders made.
High Court judgment
Orders were made restraining RNZ and the "unknown defendants" (being both those who were responsible for the illegally obtained data and those who have obtained information from the Stolen Dataset) from using or disclosing any information from the Stolen Dataset without consent from the WDHB, and requiring the permanent deletion of all copies of the Stolen Dataset.
The judgment is notable for:
- providing another example of the courts' willingness to issue injunctions against unknown parties to protect confidential or private information that has been stolen;
- emphasising that it is not in the public interest to allow the confidentiality of private information to be breached; and
- recognising strong public policy arguments against permitting the "unknown defendants" to profit from stolen information, noting that the extortionists should not, when issuing ransom demands, be able to demonstrate the willingness of media organisations to publicise such information.