In this edition of InfoRM:
New Zealand developments
New Government Chief Privacy Officer
The new role of Government Chief Privacy Officer (GCPO) has been established within the Department of Internal Affairs (DIA) to lead an all-of-government approach to privacy protection. The position operates alongside a team at DIA to support the Government Chief Information Officer in setting the policy, direction and standards for government Information Communications Technology. The role is intended to provide a clear signal that privacy is central to government information management practices.
The GCPO's key responsibilities include providing leadership and advice on privacy issues and ensuring that government maintains a co-ordinated engagement with the Privacy Commissioner. The GCPO will develop privacy standards and issue best practice guidance that government agencies will be expected to implement.
The GCPO has already issued “core expectations”, including:
- implementing a privacy strategy that promotes a privacy culture and is “owned” by a member of the executive team;
- establishing a programme of improvement to deliver on the privacy strategy, and ensuring the organisation has sufficient resources to deliver that improvement;
- understanding and monitoring what personal information the organisation holds; and
- establishing policies and procedures to address the full information life cycle from collection to retention and/or destruction.
Those core expectations are discussed further in the Privacy Maturity Assessment Framework developed in 2013. The Framework consists of nine elements that provide criteria against which an agency can assess its privacy maturity (more information is available here).
Cases of interest
High Court sets aside ruling on discovery of confidential and private documents
In Alpine Energy Limited v Human Rights Review Tribunal  NZHC 2792 the High Court set aside a ruling by the Human Rights Review Tribunal (HRRT) requiring Alpine Energy to disclose job application documents that it said were confidential and contained personal information. The High Court ordered that the matter be remitted to the HRRT to be considered afresh.
The action arose from a claim by Mr Waters that his lack of success for two positions advertised by Alpine Energy in 2012 was due to his age (62 years old). In the HRRT, Mr Waters applied for disclosure of CVs of applicants for the two positions, the applications themselves and notes of job interviews. The HRRT ordered discovery of those documents.
Alpine Energy brought judicial review, claiming the orders were inconsistent with the Human Rights Act 1993 (HRA), the Privacy Act 1993 and that the HRRT had not properly considered the contractual relationship between the parties.
Justice Gendall in the High Court held that that the legislative framework (sections 104(5) to 106 of the HRA, regulation 16(1) of the HRRT Regulations 2002, and section 69 of the Evidence Act 2006), when taken together, endowed the HRRT with very broad powers to do justice, in particular:
- The HRRT has a very broad discretion in respect of evidential matters. The practical effect of section 106(1)(d) of the HRA was (at the very least) to “significantly dilute” section 69 of the Evidence Act.
- Contractual arrangements creating “confidentiality” should not be allowed to defeat the protections of the HRA.
- However, his Honour held that confidentiality should not be abrogated simply because of concerns that some right has potentially been breached - a more “secure footing” is required. The HRRT decision lacked “secure footing” because it had not apprised itself of the precise nature and content of the documents.
Timeframes and delays in releasing requested personal information
The Human Rights Review Tribunal held that Immigration New Zealand (INZ) did not act with “undue delay” when processing personal information access requests under the Privacy Act 1993: Koso v Chief Executive of Ministry of Business, Innovation and Employment  NZHRRT 39.
The Privacy Act imposes two timeframes on requests for personal information:
- the decision whether to grant a request (release decision) must be made “as soon as reasonably practicable” and in any event no later than 20 working days after receipt of the request; and
- information must be released without “undue delay”.
In Koso, the plaintiff requested access to all personal information held by INZ. INZ decided to release electronic and hard copy files simultaneously, then encountered delays in obtaining some of the plaintiff’s files (which were held offshore in Nuku’alofa, Tonga). Accordingly, INZ failed to make its release decision within the 20 day timeframe.
The plaintiff alleged that INZ failed to treat the request as urgent (avoiding INZ’s internal queue system), failed to make its decision “as soon as reasonably practicable”, and failed to release the information without undue delay. The HRRT found that:
- Urgency was not required as the request provided no reasons for requesting urgency.
- INZ was not required to release the electronic file before obtaining the paper file in order to comply with its obligation to make the decision as soon as reasonably practicable.
- Queuing was an inevitable and practical necessity.
The information was released 28 days after request. That was a breach of the Privacy Act, but was not “undue delay”. Agencies dealing with large volumes of requests are entitled to prefer single decision-points, and a single process for providing the information, to avoid doubling the workload, and a degree of latitude should be given to agencies in discharging their obligations.
A declaration of breach of the 20 day limit was made, but no damages were awarded and the HRRT recognised INZ’s efforts to comply. The case demonstrates the HRRT’s pragmatic approach to remedies, at least where good faith efforts can be demonstrated.
Surveillance cameras breach neighbour’s privacy
The HRRT has decided a case under the Privacy Act 1993 (Armfield v Naughton  NZHRRT 48) that has implications for those using monitoring devices. The HRRT awarded damages of $7,000 for breach of Information Privacy Principles (IPPs) 1, 3, 4, and 6 by operating surveillance cameras with a view over part of the plaintiff’s property. The decision is also notable for its endorsement of digital masking and cropping technologies to reduce intrusion.
The parties were neighbours. After a falling out, the defendant, who owned a Bed and Breakfast business, installed an eight camera surveillance system. Three of the cameras pointed in the direction of the plaintiff’s home.
The plaintiff, who had three young children, believed that the cameras were recording his family’s activities. His request to the defendant for access to that personal information was refused.
The HRRT held that information recorded on a CCTV system is “collected” in terms of the Privacy Act. That collection was for a lawful purpose (IPP 1), ie to protect the defendant’s property, but surveillance of the plaintiff’s yard was not reasonably necessary for that purpose, thus breaching IPP 1 and IPP 4.
Further, in refusing the plaintiff’s request to see the footage being collected, and without giving reasons, the defendant also breached IPP 6. The HRRT noted that a refusal of a request for access to personal information must be accompanied by reasons to qualify as a “decision”. Therefore, IPP 6 was breached, even though the cameras had not been connected (and there was no information) at the time the request was made.
IPP 3 was also breached by failing to inform the plaintiff that personal information was being collected, the purpose for which the information was being collected, the intended recipients of the information, and of his right of access to this personal information.
The HRRT made a declaration as to the defendant’s breaches under section 85(1) of the Privacy Act, awarded $7,000 in damages to the plaintiff (noting that damages of $15,000 or more would have been appropriate if sought), and ordered the defendant reset the surveillance system and destroy any personal information collected in breach of the IPPs.
The decision demonstrates the importance of considering the effects of surveillance systems. Guidance is available from the Privacy Commissioner here.
“Collection” does not require “receipt” of information
In Holmes v Housing New Zealand Corporation  NZHRRT 54, the HRRT has found that Housing New Zealand Corporation (HNZC) breached the collection principles of Information Privacy Principle 1 (IPP 1) by using information collected for the purpose of allocating state housing for the separate purpose of determining the level of income-related rent subsidies. The HRRT awarded damages of $10,804 for loss of benefit, and $10,000 for humiliation, loss of dignity, and injury to feelings.
From 2000 to 2006, Mr Holmes submitted income statements issued by the Ministry of Social Development (MSD) to HNZC, in support of his applications for income-related rent (IRR). In 2006, Mr Holmes noticed that the personal information included on income statements was more extensive than in previous years, and included information that was not relevant to the assessment of IRR. He submitted a redacted form. However, in 2007 he was told that he could not alter the income statement to remove the additional information to which he objected. He chose not to submit applications for IRR from 2007 to 2010, and was charged market rent.
In 2011, Mr Holmes re-applied for IRR. He obtained an income statement from MSD which omitted the personal information to which he objected in 2006. However, in processing the application, HNZC obtained a statement directly from MSD which contained the additional information.
The central issue was whether IPP 1 was engaged where no personal information about Mr Holmes was obtained from 2007 to 2010. Mr Holmes did not apply for IRR during that time, and HNZC did not receive any information from him. The HRRT concluded that “collect” does not require “receipt”. Such a requirement would unduly narrow the protection given by the Principles, and be inconsistent with the purpose of the Act. The HRRT also noted that the highly developed system for collating information meant that HNZC was “collecting” personal information in the sense of gathering together, seeking and acquiring income statements, and operating a process by which that information was to be gathered. Moreover, by sending out IRR forms, HNZC was soliciting applications; itself a form of collection.
The HRRT concluded that HNZC collected information that was not reasonably necessary for the purpose of assessing IRR, and was therefore in breach of IPP 1. Consequential damages were awarded for the increased rent Mr Holmes was required to pay during the years he chose not to apply for IRR. The “voluntariness” of that loss was not addressed in the decision, but the HRRT would seem unlikely to regard such a decision as truly voluntary.
The case potentially has broader implications. The state sector / social services context is an important factor in this case, so it does not necessarily follow that other entities will be liable for consequential losses where they request personal information in order to provide a service. However, the decision suggests that the HRRT may look closely at cases where information is requested that is clearly extraneous to the services to be provided.
Privacy Commissioner's “Naming Policy”
In August 2014 the Privacy Commissioner announced his intention to introduce a new “Naming Policy” to guide the practice of the Commissioner’s Office in naming agencies, in order to give effect to the purposes of the Privacy Act 1993. The Commissioner subsequently provided guidance on how the proposed policy would work by releasing a proposed policy accompanied by a discussion document. The new policy has now been released and is available here.
The Commissioner has identified the general growing concern for privacy, which has made breaching individuals’ or customers’ rights more harmful to a business’ brand. The Commissioner anticipates that the threat of reputational harm in the Office’s approach will lead to more compliant behaviour, and reduce the number of complaints in the long term.
The new policy is intended to motivate agencies to be more attentive to privacy regulations and to promptly and genuinely engage in a process of resolving privacy disputes. By publicly naming agencies in appropriate cases, it is envisaged the Office will be a more effective regulator and consumers will be further educated regarding the extent of their privacy rights.
In practice, once the Office determines that a breach has occurred, it will consider whether to publish the identity of the agency which was responsible for the breach. There have already been well publicised examples of this. In accordance with natural justice principles commonly adopted in the regulatory space, the Office will give the agency in question the opportunity to comment on being named publicly before this takes place. In addition, the Office will consider a set of criteria to help it determine whether to publish the agency’s name. These criteria include:
- whether the agency’s breach might have affected persons other than the complainant (or others who have come forward already);
- whether the agency has been responsible for breaching privacy in the past, such as repeated (lesser) breaches;
- whether the agency has previously been involved in a single or multiple very serious breaches of privacy law (eg by causing significant harm or where many people have been affected);
- whether the agency has acted in a way that demonstrates it is unwilling to comply with privacy laws; and
- whether it is in the public interest to publish the name of the agency, due to the deterrent or educational effect.
The policy applies from 1 December 2014.
Office of the Privacy Commissioner - Briefing for the Incoming Minister of Justice
The Office of the Privacy Commissioner has released its Briefing for the Incoming Minister of Justice (BIM). The BIM outlines the functions of the Privacy Commissioner, the Privacy Commissioner’s current work plan and areas of priority, and the progress of the privacy law reform programme.
The BIM notes that the Government has accepted the majority of the Law Commission’s recommendations in respect of privacy law reform, except for two. The rejected recommendations are that:
- the functions of the Director of Human Rights Proceedings be brought within the Office of the Privacy Commissioner; and
- the Privacy Commissioner be given the ability to review information systems in situ rather than just an ability to require the production of information.
The BIM states that these two recommendations would significantly enhance the efficacy of the Privacy Commissioner and the administration of justice in the privacy area by reducing delays associated with processes in the HRRT. The Office expressed its concern that the two recommendations will not be included in the Government’s privacy reform programme.
More from the Privacy Commissioner
Shared Care Record Systems Report
A report by the Privacy Commissioner reviewing the use of electronic shared care record systems (SCRs) by three regional health agency projects has found that the privacy risks associated with SCRs are well managed and appropriately mitigated.
SCRs help reduce waiting times for patients and costs for health providers, but must provide for adequately protected information-gathering processes. All three projects were found to have met their clinical objectives and complied with the Health Information Privacy Code, but the report emphasised the importance of healthcare providers continuing to maintain high standards with regards to privacy in the healthcare sector.
The Privacy Commissioner intends for the report to be used to develop clear recommendations for appropriate minimum privacy standards for SCRs.
Agency disclosure on how collected information is used
The Privacy Commissioner has recently reiterated the need for agencies to pay continued attention to the Information Privacy Principles (IPPs), particularly in relation to disclosure of what an agency plans to do with the information it collects. The Commissioner has advised that this is an area where there is scope for many agencies to improve their privacy practices.
Compulsory conferences between parties to a complaint
The Privacy Commissioner has also indicated that he intends to make greater use of the power to convene compulsory conferences between parties to a privacy complaint in order to facilitate agreement on the identified issues. The primary purpose of compulsory conferences would be to facilitate more efficient resolution of complaints. The Commissioner has likened the use of the conferences for privacy complaints to the use of mediation by the Employment Relations Authority and the Family Court.
Privacy guidance on developing mobile apps
As a result of growing trends in mobile app usage, and the tendency of apps to seek access to information beyond that necessary for their functionality, the Privacy Commissioner has released a guide for app developers and businesses that provide apps to customers.
The guidance, Need to Know or Nice to Have – Making App Privacy Your Competitive Advantage, is intended to help businesses and app developers become more aware of privacy obligations when collecting and using personal information. It is intended to motivate compliance by highlighting the commercial gains of selling privacy-strong apps. The guidance seeks to incorporate privacy practices into the app design process, to build user trust and loyalty.
The guidance summarises how the Privacy Act 1993 relates to businesses’ use of personal information in the apps they use and sell. It explains that that any information which relates to an identifiable person (even if the person is not named) is covered by the Privacy Act.
The Commissioner refers in the guidance to a ‘life-cycle’ of personal information, which business must adhere to. They must:
- decide what information they need and where and how they will source it;
- ensure they hold that information securely and provide access to it when their ‘owner’ seeks it;
- comply with correction requests as to the information held; and
- only use or disclose that information in accordance with the purposes for which the information was collected.
The guidance offers five broad privacy considerations for app developers and businesses using apps:
- identify the privacy risks from the outset;
- be open and transparent with users about the business’s privacy practices;
- collect and keep only that information that the app needs to function, and secure that information;
- make privacy understandable and relatable to the tools the app uses, and ensure the user has given proper consent to all of the app’s operations; and
- provide users with real-time information as to privacy implications and consent requested.
The guidance can be found here.
Weak data security arrangements amongst NZ businesses
Two recent reports on information security arrangements suggest that this country’s businesses may not be well enough prepared for data and privacy breaches.
The Insurance Council of New Zealand undertook a study this year, interviewing about 750 people from throughout the country about whether they believed businesses were well prepared for hacking and keeping data secure. It found that only 21 percent of respondents were confident that businesses were prepared.
The Council’s Chief Executive has estimated the cost of cyber-related breaches in New Zealand was over $625 million per year. The Council receives reports on a monthly and sometimes weekly basis, that something has gone wrong. However, it is aware that many more incidents occur, which go unreported because of the fear of reputational harm. The Council says that many businesses do not undertake necessary checks and implement protective measures. Addressing that could be as simple as changing passwords more frequently, or as complex as a firm-wide systematic breach response mechanism.
PWC’s Global State of Information Security 2015 found the incidence of security breaches is rising in New Zealand and overseas, and is causing significant (and increasing) losses. The survey found that, while only 29 percent of respondents globally said their employee records had been compromised, in New Zealand this figure was 43 percent. The report recommends a risk-based approach to security, prioritising the most valuable assets and proactively addressing the most relevant threats. The report can be accessed here.
In light of this heightened public awareness, and increased vigilance from the regulator, investment in assessing and, if necessary, strengthening, information security systems may be worthwhile, especially if consumers can be confident that their information is safe. Those wishing to gain a better understanding of cyber security may wish to start with Connect Smart, a partnership led by the National Cyber Policy Office. Its purpose is to raise the profile of cyber security issues and provide easy-to-understand and trusted advice for individuals, SMEs, large enterprises, and education audiences in New Zealand. Further information on Connect Smart can be found here.
Around the World of Privacy:
Tort of intrusion upon seclusion
Ontario’s Supreme Court has found a Legal Aid Toronto employee liable for the tort of intrusion upon seclusion in McIntosh v Legal Aid Ontario  ONSC 6136.
In McIntosh, a woman (who worked at Legal Aid Ontario) accessed the legal aid file of her partner’s former girlfriend, and threatened to call the Children’s Aid Society in an attempt to have the plaintiff’s children removed.
The plaintiff alleged that the defendant’s access of her file breached her privacy rights, and that, as a result, she experienced substantial anxiety, depression, significant stress, embarrassment, weight loss, insomnia, an inability to concentrate at work and, ultimately, the loss of her job. She sought general, as well as aggravated and pecuniary damages.
Justice Cornell applied the elements of the Canadian tort of intrusion upon seclusion, ie:
- the defendant’s conduct was intentional (including recklessness);
- the defendant invaded the plaintiff’s private affairs or concerns without lawful justification; and
- a reasonable person would regard the invasion as highly offensive, causing distress, humiliation, or anguish.
Liability was not contested and the Court, unsurprisingly, held that the defendant accessed the plaintiff’s file for an improper purpose. However, the plaintiff had not established substantial anxiety and a connection between the privacy breach and termination of her employment. For that reason, the Court did not award compensation for loss of earnings, or aggravated or pecuniary damages. General damages of $7,500 were awarded.
The risk of employees accessing files for improper purposes is a familiar one, and there have been several prominent examples in New Zealand in recent times. A similar result could be expected in New Zealand under Information Privacy Principles 5 and 10 (these address the storage and security of personal information and the limits on an agency’s use of personal information).
In what can be seen as a rejection of judicial developments overseas (including in New Zealand), the Australian Commonwealth Government has decided that enacting a statutory privacy tort, which would apply only to intentional or reckless conduct, would encroach too far on established freedoms.
The Australian Law Reform Commission (ALRC) recommended the tort in May 2014, after reviewing international developments. The report can be accessed here.
The rejection of the ALRC’s report comes at a time when some, especially in the UK, are calling for greater and more direct legal protection for privacy in a world of new-age information technology.
Lord Neuberger, President of the UK Supreme Court, stated at a conference in late August 2014 that the internet revolution demands an urgent ‘rethink’ of privacy laws.
Likewise, British computer scientist and inventor of the world-wide web, Tim Berners-Lee, has recently called for an ‘internet bill of rights’ to protect individuals’ privacy on the internet, and guarantee the independence of the internet from governments and corporations. Mr Berners-Lee voiced concerns at September’s Web We Want festival in London that governments and private firms are increasingly interested in the controlling the web, highlighting the reality that once an entity can control a person’s internet access, it can control access to web sites and therefore have tremendous control over that person’s life.
This publication is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.