Privacy Law and Policy Reporter
Complaints may be made by or on behalf of individuals alleging an interference with their privacy. An 'interference with privacy' occurs if there has been a breach of certain Information Privacy Principles (IPPs); a breach of a code of practice; or non-compliance with one of the controls on information matching (s66). In addition, this action must have caused loss, detriment, damage or injury to the particular individual or may do so; or have adversely affected their rights, benefits, privileges, obligations or interests, or may do so; or resulted in significant humiliation, loss of dignity or injury to the particular individual's feelings or may do so. The threshold which must be reached before there can be an interference with an individual's privacy is therefore a high one. An interference with an individual's privacy may also arise if an agency refuses an individual's request for access to personal information or, following access, for correction of that information.
The Privacy Commissioner has power to investigate, act as conciliator and take such further action (s69). The emphasis is on the settlement of complaints where possible (s74). That is, the Commissioner is to use his or her best endeavours to secure a settlement and, if appropriate, a satisfactory assurance against any repetition of the action that is a subject matter of the complaint. If necessary, the Privacy Commissioner has the power to call a compulsory conference of the parties to a complaint (s76). If during an investigation the Commissioner considers that there has been a significant breach of duty or misconduct on the part of any agency, the Commissioner is required to refer the matter to the appropriate authority (s80). This could include, for example, the appropriate disciplinary authority in relation to that agency.
If the complaint is not settled, proceedings may be taken before the Complaints Review Tribunal (s80). These take the form of civil proceedings and are commenced by the Proceedings Commissioner, a Commissioner appointed under the Human Rights Act 1993 (NZ) s82. If the Proceedings Commissioner declines to take proceedings, these proceedings may be commenced by the aggrieved individual (s83). The onus of proving any exception lies upon the defendant to the proceedings (s87). The Tribunal has wide powers to award various remedies. These include a declaration; an order restraining a defendant from continuing or repeating the conduct considered to constitute an interference with the particular individual's privacy; and an order that the defendant perform certain specified acts with a view to remedying the interference with the individual's privacy. The Tribunal may award damages of up to $200,000.
The Privacy Commissioner has emphasised that individuals should first contact the agency concerned and attempt to have the matter 'put right'. The Privacy Commissioner's preferred approach is that it is only if an individual is dissatisfied with the way in which an agency has dealt with his or her complaint that they should complain to the Commissioner. The Commissioner's concern is the need for the office to avoid being 'complaint driven'. Given the office's limited resources, this concern is understandable. While the investigation of complaints is one of the Commissioner's key functions, there are many other functions.
During the first six months that the Privacy Act 1993 was in operation (that is, 1 July to 31 December 1993), the Privacy Commissioner received approximately 250 complaints. Of these, 135 related to access to personal information issues, 15 related to correction issues and 66 related to complaints involving disclosure of personal information. Approximately 30 complaints related to the Health Information Privacy Code 1993 (Temporary). Of these, 20 related to access issues, two related to issues involving correction of personal information and the remainder to matters involving disclosure of personal information. During the same period the Commissioner's office received in excess of 1,500 inquiries of a specific or general nature. These figures indicate that despite the Commissioner's desire not to be 'complaint driven', the investigation of complaints will be, at least in the short term, perhaps the Commissioner's most important function.
It should be noted that under the Privacy Commissioner Act 1991, the Commissioner had no power to investigate individual complaints. This was one of the principal criticisms of that legislation.
Access to/correction of personal information
The rights and procedures contained in the Official Information Act 1982 have now been extended by the Privacy Act to cover personal information held by almost all private sector agencies. The exception, however, is the news media in relation to their 'news activities', other than TVNZ and Radio NZ. Any citizen, permanent resident, or person in New Zealand may apply for access to any personal information relating to them which is held by any agency (s35). The right is not an unqualified one. There may be 'good reasons' for refusing access (s27-32). These 'good reasons' are based largely on those contained in the Official Information Act 1982 (as amended).
As a result of the passage of the Privacy Act, the provisions covering access to personal information by natural persons in the Official Information Act have been repealed. One effect of this has been that the Office of Ombudsmen no longer has jurisdiction in these matters. The removal of this long-established jurisdiction was one of the more contentious aspects of the Privacy of Information Bill 1991. Despite opposition by the Office of Ombudsmen, the Privacy Act has confirmed the removal of the Ombudsman's jurisdiction in the area of access to personal information by natural persons. There are, however, a number of provisions in the Privacy Act which emphasise the close working relationship between the Office of Privacy Commissioner and the Office of Ombudsmen: for example, s72 which provides for the referral of a complaint to the Ombudsmen and s117 which provides for 'consultation' between the Privacy Commissioner and the Ombudsmen.
The Privacy Commissioner handles all complaints by natural persons relating to access to or correction of personal information held by public and private sector agencies. Undue delay in making information available in response to an information privacy request, or a refusal to make available or correct personal information, may amount to an interference with privacy giving rise to the Commissioner's complaint jurisdiction (s66).
Private sector agencies may impose 'reasonable' charges in relation to access or correction requests (s35). The imposition of any charge is subject to review by the Privacy Commissioner. It is interesting to note that under the Health Information Privacy Code 1993 (Temporary), as approved by the Commissioner, health agencies can charge only where a request for the same personal health information has been made in the previous 12 months.
The Commissioner may permit certain public sector agencies, for example, State-owned enterprises, to charge if satisfied that otherwise they may be commercially disadvantaged in comparison with any competitor in the private sector (s36).
Personal information held on public registers gives rise to important privacy issues. These registers contain personal information which in many situations has been supplied compulsorily; for example, personal information relating to births and deaths, land valuations, and motor vehicles. A major concern involves the privacy implications of material from these registers being re-processed for commercial purposes without the approval of the individuals concerned.
The Privacy of Information Bill 1991 (NZ) made no specific provision for personal information held on public registers. In fact, publicly available information was not subject to the provisions of the Bill. However, when the Bill resurfaced in 1993 as the Privacy Bill, one of the significant changes was the inclusion of a set of Public Register Privacy Principles (PRPP). These four principles, which are quite separate from the IPPs, cover such matters as the means by which public registers may be searched; the use of information from public registers; the electronic transmission of personal information from a public register; and issues relating to charging for access to a public register (s59).
Agencies administering any public register are required by the Privacy Act to comply, so far as is reasonably practicable, with the PRPPs (s60). However, the four principles do not override any existing statutory authorities for public registers. To the extent that another statute is inconsistent with one or more of the four PRPPs, the other statute prevails.
The Privacy Commissioner may issue a code of practice covering one or more public registers (s63). Such a code may modify one or more of the PRPPs, or the IPPs by prescribing standards that are more or less stringent than the principles themselves.
If it is considered that an agency has breached a PRPP or an IPP in respect of information held on a public register, a complaint may be made to the particular agency. If the response is unsatisfactory, a complaint may be made to the Privacy Commissioner.
The Privacy Commissioner has indicated that Codes of Practice are likely to be developed for the more important public registers. One of the Commissioner's specific functions is to review the PRPPs from time to time with particular regard to the Council of Europe Recommendations On Communication To Third Parties Of Personal Data Held By Public Bodies. This may result in the Commissioner recommending to the Minister of Justice that the PRPPs should be amended in some way (s13(e)).
One of the most contentious aspects of the Privacy of Information Bill 1991 was the provision for amendments to a number of statutes to permit, or in some cases to legitimise, information matching between certain major State agencies. This was seen by many critics of the Bill as the major reason for the introduction of the Bill, rather than any genuine commitment to an information privacy law. Those proposed amendments to existing laws were enacted, with minor amendment only, in late 1991. The Privacy Commissioner, established by the Privacy Commissioner Act 1991, was given the role of reviewing these information-matching programmes. Despite the powers given to the Commissioner, at least one legal academic was of the view that the Commissioner under the 1991 Act was essentially 'toothless' (Kelsey (1993)).
The Privacy Act 1993 specifies the public sector agencies which may engage in information matching. Major agencies include the Department of Social Welfare; the Inland Revenue Department; the Accident Rehabilitation and Compensation Insurance Corporation; and the Ministry of Education. Public sector agencies which are not listed in the Privacy Act may not participate in an information-matching programme without a specific amendment to the Privacy Act. The Privacy Act was in fact amended in June 1993 to permit State and private sector tertiary education institutions to participate in information-matching programmes. In this case, the purpose of the programme was to detect full-time students who were receiving unemployment or similar benefits.
The Privacy Act requires agencies authorised to engage in information matching to sign what are known as information-matching agreements. These agreements set out procedures to be followed; attempt to impose controls on the security of personal information involved; and provide safeguards to affected individuals. The information matching agreements must contain controls which are at least as strict as those contained in the Information Matching Rules in the Privacy Act 1993 (s99).
The Privacy Commissioner's Annual Report must include a description and assessment of each information programme which details the extent to which that programme complies with both the Privacy Act and the information matching rules (s105). During this year the Commissioner is expected to conduct a review of the various statutory authorities for information matching. After that, reviews are to be conducted at intervals of not more than five years.
Information matching by private sector agencies may be permissible, provided that it does not breach any of the IPPs. In addition, there is a specific exemption for the direct marketing industry from IPP 11 which limits disclosure of personal information (s9). The exemption applies until 1 July 1996 for personal information collected before 1 July 1993.
The Privacy Act 1993 has had a very high public profile since its enactment. Many private sector data users, after the apparent demise of the private sector provisions in the Privacy of Information Bill 1991, were caught largely unaware by the extensive private sector coverage in the Privacy Bill 1993. Privacy Act seminars have been a major growth industry as data users have struggled to come to grips with a complex new law. Privacy 'experts' have blossomed. Every second law firm now claims to have an information privacy expert on its staff. The Privacy Commissioner, Bruce Slane, who is a superb media communicator, has played a major role in giving the new Act a high public profile.
The Act has forced private sector data users to review their practices and procedures regarding the handling of personal information. Many have established internal task forces to undertake a review of these practices. One of the obligations in the Privacy Act is that agencies must appoint a privacy officer to handle the agency's responsibilities under the Privacy Act (s23). A number of major private sector groups have been considering possible codes of practice to cover their activities. Draft codes covering groups such as the credit reference industry are currently in preparation.
The Privacy Act requires major 'cultural shifts' by many private sector data users. Greater sensitivity is required now in handling personal information. Like other human rights legislation, the Privacy Act is intended to be educative, that is, to change both practices and perceptions regarding the handling of personal information. The Act requires agencies to review their security obligations. In many situations, additional staff training on compliance obligations is required. An important obligation is to ensure that personal information is accurate, up-to-date, complete, relevant and not misleading before using that information.
Compliance programmes include auditing the design of forms. Are the individual 'authorisation' provisions in conformity with the requirements of the Privacy Act? Do the notification provisions conform with the requirements of IPP 3?
The Act emphasises the need for collection procedures to conform with IPPs 1-4. What is the purpose for the collection of the information? Is the collection necessary for that purpose? The emphasis in IPPs 10 and 11 is on using or disclosing personal information only for a purpose which is directly related. What is the impact of this on corporate information sharing? In light of overseas experience it is likely that the obligations will be interpreted by the Privacy Commissioner more in terms of the individual's expectations, as opposed to agency expectation.
Commentators have emphasised the advantage of privacy impact studies. These may, for example, educate marketing departments on the need to ensure that all new services and products which involve the collection, use or disclosure of personal information must be in conformity with the obligations contained in the Privacy Act. Clearly to avoid embarrassment, any privacy impact study should be undertaken before any new product is released.
Privacy advocates have long seen information privacy laws as a means of resisting the development of the all-enveloping surveillance society. In New Zealand that optimism may be short-lived. The draconian powers given to the Department of Social Welfare to collect personal information in the innocuously-sounding Social Security Amendment Act (No 3) 1993 and the New Zealand Police Association's 1993 'wish list' (for example, greater interception powers/compulsory DNA testing), suggest that despite the enactment of the Privacy Act there are powerful forces in this society hell-bent on New Zealand becoming a true surveillance society in double-quick time.