Privacy Law and Policy Reporter
Blair Stewart is Manager, Codes & Legislation, in the NZ Office of the Privacy Commissioner. This article was originally delivered as an address to Privacy Managers, Te Puni Kokiri, Wellington,
10 November 1994.
The Privacy Commissioner was appointed in 1992 initially with quite a limited jurisdiction involving information matching (often known as 'data-matching') and a general watching brief in terms of privacy issues. At first the Commissioner had no complaints jurisdiction. Later, with the enactment of the 1993 Act a much larger range of functions and powers were conferred on the Commissioner including, most importantly, responsibilities to receive and investigate complaints in order to obtain remedies for individuals whose privacy had been infringed.
However, in this talk I wish to look at some of the Commissioner's lesser known functions in relation to what I have termed 'legislative monitoring'. Legislative monitoring is not a term used in the Act but I have chosen it to refer to the activities involved in keeping track of policy and legislative proposals, providing some input into the process and noting the resultant changes and the general state of the law. In fact, the activities that the Privacy Commissioner is involved in is not quite as passive as the term 'monitoring' might suggest and he clearly seeks to influence the process for the improvement of individual privacy wherever appropriate.
The Commissioner has been granted a wide range of powers - noticeably wider than a number of overseas Privacy or Data Protection Commissioners, Privacy Committees and Commissions. This is reflected in the full range of the Commissioner's powers some of which I will refer to below. It is also reflected in some of the descriptions that have been applied to the Commissioner such as 'privacy watchdog' or 'statutory guardian for privacy interests'.
It seems clear that to effectively protect the privacy of individuals more is needed than simply a right to sue for breach of privacy. The Americans, for instance, have long had a tort of privacy and, since their first Privacy Act 1974, certain statutory rights. However, the absence in the US of an agency with a 'watchdog' role has been criticised. In 1987, at a stage were the Minister of Justice was considering what sort of privacy law we should have, one option suggested was to establish a statutory guardian for privacy interests. Among some of the roles noted for a statutory guardian were:
... educating the public about the importance of privacy; developing codes of practice or guidelines for the implementation of data privacy in various contexts; urging their introduction and monitoring their observance, receiving complaints, investigating complaints, aggregating experience of complaints and investigations, and making recommendations for changes in the law [in the area of privacy] ... act as auditor for any public or private sector proposals which might have potentially significant impacts on the privacy of individuals...
A leading Canadian privacy advocate, David Flaherty, argued persuasively as to the need for data protection agencies with a wide remit. He wrote in 1989:
Perhaps the most important conclusion of this volume is that it is not enough simply to pass a data protection law in order to control surveillance; an agency charged with implementation is essential to make the law work in practice. A statute by itself is an insufficient countervailing force to the ideological and political pressures for efficiency and monitoring of the population that are at work in western society.
The need for a Privacy Commissioner with a relatively wide 'watchdog' role might be easily accepted. However, I now want to speak specifically about the matter of 'legislative monitoring'.
David Flaherty in his book 'Protecting Privacy in Surveillance Societies' expressed the view that one of the fundamental tasks of a Privacy Commissioner would be to protect citizens from excessive governmental surveillance (which was the particular privacy issue he was writing about). He noted that this need had often been recognised in countries by the legislature and not the executive branch of government - the latter often being the instrument of intrusion into people's lives in this context. However, he adds:
Legislatures have at least occasionally acknowledged that they too cannot be trusted to act in favour of personal interests. Yet such insights are often fleeting - a 'window of opportunity' - in the continuing process of law-making. Thereafter, legislators have had much less reason to support data protection or to monitor implementation, especially when it appears to interfere with other priorities.
Section 13 of the Privacy Act 1993 sets out a wide range of functions placed on the Commissioner. A number of these relate to what I am referring to as legislative monitoring. One of the key functions is s 13(1)(f) of the Privacy Act which empowers the Commissioner:
to examine any proposed legislation that makes provision for (i) the collection of personal information by any public sector agency; or (ii) the disclosure of personal information by one public sector agency to any other public sector agency; or both ...
The Commissioner also has the express function under s 13(1)(o):
to examine any proposed legislation (including subordinate legislation) or proposed policy of the government that the Commissioner considers may affect the privacy of individuals, and report to the responsible Minister the results of that examination.
The Commissioner has a number of other functions which directly or indirectly affect the legislative and government policy-making process including to promote understanding and acceptance of the information privacy principles, to monitor the use of unique identifiers, to provide advice to ministers on any matter relevant to the operation of the Privacy Act, to inquire generally into any enactment or law if it appears that the privacy of the individual is being or may be infringed thereby, and to report to the Prime Minister from time-to-time on any matter affecting the privacy of the individual including the need for, or desirability of, taking legislative, administrative or other action to give better protection to the privacy of the individual. 
It will be seen that the Privacy Commissioner is empowered to:
(a) raise matters which he thinks should be addressed by law;
(b) highlight concerns about privacy issues in laws being proposed by other people; and
(c) to provide advice to those promoting legislation to help them come to grips with how privacy issues should be addressed.
So far the Privacy Commissioner has been slow to call for new laws. As appropriate cases arise he will no doubt do so. However, the enactment of a comprehensive Privacy Act is intended to limit the need for new protective laws on an ad hoc or fragmented basis. Furthermore, the Commissioner has powers to issue codes of practice thereby allowing the Commissioner himself to sometimes address privacy issues without the need for special legislation. However, undoubtedly from time-to-time the Commissioner will suggest the need for new legislation. This might occur, for instance where a government department has an existing statutory, power which is able to override some privacy interest and the department makes an unexpected use of that power which the Commissioner believes should be limited.
Another example might be where a government agency might have power to do something but that a clear policy lead by the government ought to be given before taking such a step.
The Commissioner has already taken the opportunity to comment on a number of proposed bills having privacy implications even where those proposed new laws have not specifically been brought to his attention. His normal approach is to prepare a report for the responsible minister but he does sometimes ask specifically to be heard by a select committee.
A significant proportion of the legislative monitoring and advice role is at the request of the particular department proposing the legislation. Sometimes this is the pro-active choice of the department because it has identified privacy issues which it wishes to resolve at an early or appropriate stage if at all possible. Sometimes the reference to the Commissioner is by reason of the Cabinet consultation process or because another agency, such as the Justice Department or a Minister has specifically asked that the matter be remitted to the Commissioner for comment.
A memo that the Commissioner recently circulated to all chief executives of government departments has resulted in a number of existing projects being brought to the Commissioner's attention notwithstanding that the proposals often of long standing.
It is not possible to list all the matters that the Commissioner has been consulted on in this address since a number of the matters are on-going and remain confidential. However, it is possible to indicate some matters, not all of which indicate a current bill or regulation working through the system: sports drug testing, archives, whistleblowers protection, data-matching, domestic violence, medical confidentiality, retention of health records, money-laundering, reporting of child abuse, immigration and customs formalities, dog registration, DNA testing.
To understand the importance to the scheme of the Privacy Act in monitoring legislation it is necessary to consider s 7 of the Act. Section 7 is quite a long section and I will not quote it in full but essentially it provides that an action is not a breach of any of the information privacy principles if that action is authorised or required by or under any law. Accordingly, for instance, it will not be a breach of the disclosure principle if a statute expressly provides that information may or must be given out.
Section 7 can be viewed in several ways. One view would be that this is a case of simply letting the government create its own exceptions to privacy law that would otherwise apply. This view might either be seen as cynically permitting the continuance of old intrusions and the authorisation of new ones, or it might, on a more principled basis, be seen as recognising the competing public interests democratically enacted through the accountable mechanism of legislation. The first view would see the exception as protecting the bureaucracy. Perhaps the second view would see it as protecting the public.
To my mind this explanation of s 7 does not make sense. If Parliament had wanted to exempt the government from the principles of the Privacy Act it could have done so in a much more straightforward, convenient and effective way. Clearly Parliament wished to make the government and the public sector subject to the Privacy Act together with the private sector.
However, there is another view which relates to the practicalities of implementation. As I will explain this view may also be consistent with ultimate repeal of s 7.
This view acknowledges that the Privacy Act heralded a new and, in many respects, radical regime for the handling of personal information. Since the Act sought significant changes in attitude and improvements in standards of information privacy it would have to be recognised that what went before the Act would be significantly different to what should follow after 1 July 1993.
Obviously there had been significant amounts of personal data already held even before the notion of information privacy principles had been dreamt of. This is held and may need to be used by all sorts of organisations. This basic point was expressly recognised in s 8(1) of the Act which provided that the collection principles and the use principle (principles 1 to 4 and 10) would only apply to information collected from 1 July 1993 onwards. Arguably, s 7 could be seen in the same light. In other words, Parliament had enacted a huge body of laws prior to the Privacy Act and there was no guarantee that they would all conform with the information privacy principles. Each of those enactments represented a reflection of public policy and the will of the legislature in respect of the matter it dealt with. Accordingly, that body of statutes and regulations needed to be saved pending reconsideration in due course as laws came to be re-enacted, repealed or reviewed. The obligation on public agencies to comply with the information privacy principles and other aspects of the Privacy Act combined with the Privacy Commissioner's functions in relation to the review of policy and legislation meant that as time went by more laws would be brought into conformity with the information privacy principles.
That rationalisation makes sense with respect to laws that were passed prior to the Privacy Act but how does it relation to new laws which are also saved by s 7? To an extent the same argument applies although the circumstances are slightly different. Basically the view would be that the bureaucracy and Parliament would be alive to the information privacy principles when proposing and enacting legislation and if they were not the Privacy Commissioner would draw the matter to their attention. Hopefully, new laws enacted would actually comply with the information privacy principles as far as possible. Where it was necessary to depart this could be said to be an expression of the will of Parliament or recognition of some other public policy and accordingly appropriately saved by s 7.
A savings provision such as s 7 was an appropriate provision to include in a statute as revolutionary as the Privacy Act at the time of enactment. However, at some future time the continuing existence of s 7 might usefully be re-examined or else it may cease to be a means for protecting the existing laws while matters of policy are re-examined and simply end up permitting practices which would be considered unreasonable or unlawful if not expressly saved by s 7.
At some stage in the future it would be possible for Parliament to repeal s 7. This would mean that normal rules of statutory interpretation would apply and all those statutes passed after the Privacy Act would prevail in the case of inconsistency with the Privacy Act. Statutes passed before l July 1993 would be overridden by the Privacy Act. Regulations and other delegated legislation whether passed before, or after, 1 July 1993 would be overridden by the principles in the Privacy Act.
This is essentially what will happen from 1999 with respect to our Human Rights Act. When the Race Relations and Human Rights Commission Act were enacted in 1972 and 1977 they too saved the effect of other statutes. It was perhaps unfortunate that these laws which reflected important society values and international obligations became a lesser form of statute which did not even have the effect that ordinary statutes have under normal rules of statutory interpretation. However, with the passing of the years, the opportunity to review old statutes and gain experience in the new law, the new consolidated Human Rights Act is placed on a much stronger footing.
An alternative and more radical option than the simple repeal of s 7 would be to provide that the information privacy principles will prevail over enactments, whether passed before or after the Privacy Act, unless in the other Act it is provided that it is to prevail. This would be a significant constitutional step and is similar to that adopted with the Canadian Charter of Rights for instance. However, there are direct analogies in Canadian provincial law.
I will use Quebec as an example since their privacy law is most similar to ours, covering both the public and private sectors. Section 168 of the Act respecting access to documents held by public bodies and the protection of personal information states:
The provisions of this Act prevail over any contrary provision of a subsequent general law or special Act unless the latter Act expressly states that it applies notwithstanding this Act.
Section 86 of the Act respecting the protection of personal information in the private sector is very similar.
Section 169 of the Act concerning the public sector further provides that:
Subject to s 170 [which sets out in a schedule enactments continuing to have effect] every provision of every general law or special Act which is inconsistent with provisions of Chapter II respecting access to documents held by public bodies or the provisions of Chapter III respecting the protection of personal information ceases to have effect on 31 December 1987... The same applies to every provision of a regulation that is inconsistent with the provision of this Act or of a government regulation passed under this Act.
Accordingly, privacy interests are not overwhelmed by the policy interests of other legislation except where that other legislation addresses the issue and the National Assembly expressly includes a 'notwithstanding' clause. The debate about the inclusion or non-inclusion of a 'notwithstanding' clause clearly heightens and focuses debate. Furthermore, the hierarchy of laws provides a significant incentive for early consultation with the Quebec privacy agency, CAIQ.
Finally, I wish to turn to some of the practical everyday issues that I look at in examining policy proposals or draft legislation to identify and address privacy issues.
The first step is to identify whether there is a potential privacy issue before any thought can be given to a possible solution. This is not always straightforward. An information privacy issue, or indeed a physical privacy issue, does not necessarily make itself plain from the outset. Most of the bills that I have to look at are not entitled the 'Invasion of Privacy Act' or an 'Act to Introduce New Unreasonable Powers to Ask Intrusive Questions'. Privacy issues can buried in some apparently innocuous clause such as one which may simply carry over a provision from a 1908 statute.
I will list the sort of questions I ask myself when I read a new bill to see whether there might be a privacy issue. Once I have done that I will then set out a few of the questions that I might pose to the government department in trying to seek a solution for a particular privacy problem. Basically, in reviewing a piece of proposed legislation the Commissioner's office will try to identify whether the proposed legislation conflicts with any of the following questions:
However, these broad questions are difficult to answer in the abstract. Accordingly, I might pose more specific questions:
Assuming that any one of these questions was asked positively then the Commissioner would look more closely at the Bill and try to get a feeling whether the provision was reasonable or consistent with the information privacy principles, etc. By way of illustration I will take the first question posed 'does the bill establish or continue a public register?' and take the matter a little further.
Public registers raise challenging privacy issues. It can be difficult to treat information on public registers in quite the same way as other personal information held by a public body. It seems difficult, at first glance, to understand how there could be any privacy in relation to information held on a register that anybody can search during office hours. It certainly is a challenge but there are mechanisms to better protect privacy. However, the very existence of public registers raises special problems, for example:
It should be possible in many cases to provide solutions in relation to registers to address the privacy issues. The same solution may not be appropriate to all registers. Before settling on a solution (if one can be devised) some questions should be addressed for each register open to search:
(a) does it actually collect more details about the applicant than is really needed?
(b) does the registrar need to make available for public search, all the details that are required to be collected for administrative purposes?
If it is necessary to have the register open for search, and the details include personal information about individuals (such as name, address, etc), then is it possible to have a mechanism so that:
I trust that I have made clear that the Privacy Commissioner has an important 'watchdog' function which includes monitoring new laws which may have an impact on the privacy of individuals. By examining legislation, and posing questions to policy-makers, it is possible to identify the privacy issues and quite often address issues in a way that the principles of individual autonomy and privacy can be adequately given effect to.
 Pursuant to the Privacy Commissioner Act 1991.
 The powers are set out in s 13 of the Privacy Act.
 The term 'statutory guardian for privacy interests' was used in McBride, Data Privacy: an options paper, 1987 at 158.
 Flaherty, Protecting Privacy in Surveillance Societies, 1989.
 McBride op cit, 7.85.
 Flaherty, op cit, 381.
 Flaherty, op cit, 381.
 Special reference is made in s 13(1)(f) to the information matching guidelines in s 98.
 Section 2(1) Privacy Act 1993 deems the Minister of Justice to be the 'responsible minister'.
 See also s 13(1)(a), (c), (m) and (p).
 See ss 46 and 63 of the Privacy Act 1993.
 The privatisation of GCS Limited (formerly known as Government Computing Services) is an illustration of an event that might have required special legislation to deal with privacy issues had there not been a general privacy law. Very briefly, GCS operated a number of sensitive databases for government departments including the Justice Department database of criminal convictions. There was formerly special legislation, the Wanganui Computer Centre Act 1976, governing this database which tried to deal with privacy issues. The 1976 Act was completely unsuited to modern conditions (both computer technology and the reformed public sector). The Privacy Act which applied general principles to the public and private sectors was consistent with a prevailing philosophy.
 For example, the Canadian Privacy Commissioner has recommended that any power that the Federal Government exercises for mandatory HIV testing should be grounded in an express statutory authorisation. The NSW Privacy Committee has made a similar recommendation.
 And, following the expiry of certain transitional provisions, the later date of 1 July 1996.
 Some attempts to address this issue can be seen in s 62A Electoral Act 1956, s 19(5) Transport (Vehicle and Driver Registration and Licensing) Act 1986. Section 28(2) of the Radiocommunications Act 1986 addresses one aspect of the issue relating to security and defence
 The Privacy Act creates legal impediments in the public register privacy principles and information privacy principles.