Privacy Law and Policy Reporter
This is the text of an address by Bruce Slane, NZ Privacy Commissioner to the Fourteenth Annual Banking Law And Practice Conference, Sydney, 22 May 1997, presented as ‘Privacy Laws Issues – Reform Proposals and their Impact on the Financial Industry’. Some sub-headings have been added to the original text.
I am pleased to speak to you on the NZ experience of reform of privacy law. My experience is of NZ and it is for you to draw from what I say what is appropriate for Australia.
There were a number of reasons why the coverage of the NZ Act was not confined to the public sector, or to highest risk business sectors. They can be summarised as follows (and I do not put them in order of importance):
The privacy principles in the Act do not derogate from existing laws governing collection and disclosure of personal information. Furthermore, the Privacy Commissioner has a duty to have regard not only to the information privacy principles but also to competing social interests such as the need for a free flow of information and the rights of government and business to achieve their objectives in an efficient way.
Most of the criticisms of the Act have arisen from overuse of the Act to deny people information, particularly journalists. In many cases this information has never in the past been made available but it was easier to attribute the reason to a law — the Privacy Act — than to explain it was part of company policy or the refusal related to a duty of confidentiality. This has led to a lot of silly stories in the press which I have had to deal with. When people express concern about the way the Act is working, it nearly always relates to being refused in an arbitrary fashion some request for information or a company has adopted overly conservative advice on the effect of the Act. Others have believed some of the fallacies propounded almost to the level of urban myths.
Newspaper proprietors were opposed to the Bill and editors have generally not lost an opportunity to criticise the Act. Despite a press exemption many of them feel it may be extended to cover the media. But they have also been sorely tried by agencies refusing reporters information and wrongly attributing the reason as ‘the Privacy Act’.
The NZ Act made provision for codes of practice. This was partly to meet the need for particular functions or activities or particular industries. I found that a number of business people were attracted to the idea of a code which they could have a part in fashioning. It would align more with their information practices and provide better and direct guidance in the fact situations frequently encountered by them.
When the Bill was introduced, the Bankers Association was vigorously opposed to it applying to banks and the private sector generally. In relation to banks they cited the number of statutory obligations they had that required confidentiality and the long tradition of bankers’ confidence.
They were sure that they would find it difficult to deal with the privacy principles as enunciated in the Bill (and indeed in the final version of the Bill they were considerably changed) and that a code of practice to provide exemptions would be essential. They were not alone in this view. Law firms had a field day alarming their clients as to the effects of the Act would have on their businesses. One or two of the urban myths originated in law firm newsletters and were taken as fact rather than conjecture.
In practice banks have not attracted a large number of complaints. They have not sought a code of practice. When asked for spontaneous comments as part of a statutory review of the Act the Bankers Association did not cite any great difficulties of complying with the law as it stands in the NZ statute.
Issues raised by banks that would not apply anyway in a voluntary regime were:
One or two banks have cited difficulties strangely in the Australian rather than the NZ press. Some banks seem to have less trouble complying than others.
The banks have had to get used to the idea that individuals might access information about themselves but the world has not come to an end and banks have not failed yet as a result! In my observation the banking/customer relationship usually causes the bank to want to keep a good trusting confidential relationship and staff training is directed to maintaining that trust. The position does tend to change once the customer is in default and the tendency of bank officers to take such matters personally on occasion and to ‘spread the word’, now risks a practical and effective means of redress.
However, most of the complaints I have had to deal with have concerned fairly basic and practical matters such as inadvertent disclosures or careless security.
In a recent analysis, only 3 per cent of complaints received were categorised as concerned with banking. Credit reporting drew a similar number of complaints and debt collection somewhat fewer. Education nearly twice as many and health four times as many. The level of complaints in the insurance industry was about the same as for banking.
The largest category of breaches alleged is allegations of improper disclosure and when combined with alleged breaches of the storage provisions, these categories accounted for nearly half the complaints. The next highest group was those who had been denied access or some information had been withheld.
I think the low level of complaints has been due to a number of factors:
To begin with there was an over-reliance on consent but as lawyers got there heads around the idea of purpose there has been a more sensible approach to interpretation.
Banks have had to revise forms and to do some staff training. Most of that training would have had to be carried out in view of the duty to maintain customer confidentiality. There would be some extra work in dealing with access requests but no bank has so far claimed this to be a burden except where it seemed to be a precursor to litigation principally about foreign exchange management.
During the consideration of the Bill by the select committee many put forward schemes for voluntary compliance as being more satisfactory for the private sector.
However it was not long in direct discussions with them that I found that this was only the first stage of thinking. The next stage was to consider what would be the position of the ‘good’ companies who would take efforts to comply with a voluntary code of conduct compared with those who didn’t care about their reputation. So they rapidly came to the conclusion that it was better to have a law which required everyone to comply than to have one where only the responsible companies comply and the rest ruin the reputation of the good ones in that sector because of their undisciplined conduct.
As to the compliance costs, it is difficult to see how a voluntary regime, is going to be less costly for business. First of all, if it is going to be meaningful the compliance costs will be roughly the same. There would have to be a complaint mechanism that delivers remedies or the voluntary system would be laughable. Secondly, the cost of maintaining the complaint mechanism will fall on business.
Such systems also have a difficulty over sanctions. Few companies want to subject themselves to compensatory payments although notably banks and insurance companies through Ombudsmen schemes in NZ have been prepared to do so. These schemes work better where there are a discrete number of players in the industry or activity.
The ultimate sanction is usually to be expelled from the organisation. If compensation is not offered what remedies will be given? A toothless scheme would do more harm than good.
So they came to the conclusion that it was better to have a statutory regime that was pragmatic and flexible and that is what they got.
In dealing with nearly 2,500 complaints I have referred only half a dozen to the Proceedings Commissioner for civil proceedings to be issued before the Complaints Review Tribunal. About 20 dissatisfied complainants have commenced proceedings for themselves with mixed results.
The sums paid out have not been high. The Tribunal has awarded $20,000 but that is subject to appeal. The highest settlement has been in the health sector at $15,000, The amounts paid out by any one activity or industry have been minuscule. Most settlements involving money are at under $2,000. Most settlements involve simply an apology and an assurance that it won’t happen again.
What has been important about the complaint mechanism is that it changes the culture. Once there is a liability to pay something the accountants ensure that some real notice is taken of information privacy
One of the NZ banks is very quick to make a small and sensible offer at the very beginning and their complaints seem to be settled quite easily. I doubt if the total cost to them in a year has been $10,000.
The Banking Ombudsman scheme has attracted some privacy complaints. Because, until recently, there were no general damages available and claims could only be considered for direct loss most people were sent on by the Ombudsman to me.
One of the advantages of the NZ development has been that we have avoided a multiplicity of codes. So far we have a health code and a couple of minor codes. Awaiting action are codes for credit reporting, and telecommunications. Neither banks nor insurance companies have sought a code.
The idea of codes or industry standards as an alternative to an overarching law seemed quite attractive to start with. But you strike problems around the margins. Jurisdictional issues arise. Trying to confine the codes to functional activities rather than for parties who consider themselves a coherent group such as bankers causes problems. Some sub groups will want a special code perhaps with higher standards to gain a competitive edge or in order to be seen as special.
In NZ there are few demarcation issues arising in relation to the Health Information Privacy Code. The overall law ensures that there are no dark holes down which jurisdiction can disappear.
The existence of an overarching law ensures that the codes are all expressed in using similar language and ideas.
Inevitably other legislation will attempt privacy solutions. The risk of this sectoral approach is that inevitably there will be different language used, new principles invented. So that the privacy compliance costs will rise in trying to deal in, say, the telecommunications industry with privacy issues expressed to apply there, while employment privacy issues are expressed differently in another code and direct marketing issues are using different language again.
One of features which assisted acceptance of the NZ Act was to have a deferral of the commencement of remedies. This meant that in respect of breaches of most of the principles it was not possible for the first three years to take the matter to the Tribunal. Despite this a large number of cases were settled voluntarily as companies bowed to the opinions I expressed on investigation.
The benefit of this deferral was that the pressure was not on the companies immediately to get rid of their stationery and reprint to have urgent retraining and so forth. The change was significant but gradual and most companies did not feel under a pressure at the introduction of the Bill at comparatively short notice.
Compliance was also aided by the fact that the existence of an independent complaints system meant that my investigating officers were able to discuss on a private and positive basis how a similar complaint might be avoided in the future. Thus they were able to help people to comply who had a sudden interest in doing so because of a complaint. Getting the companies to become conscious of the need to address privacy issues would not have occurred if there had been no independent complaints body. So I was pleased that the NZ Parliament decided to provide the complaint mechanism from day one but to limit the remedies for a period of three years.
The independence of the complaint process and the independence of my office have also aided the situation. Voluntary systems are always suspect with the consumer who doubts that the big players in the field are really going to be disciplined adequately by a voluntary scheme. Certainly that poses difficulties of expulsion in the end as the only method of enforcing the code.
Despite the tendency of lawyers to suggest over compliance with the Act or to adopt overly cautious interpretations of the law, I believe there has been a gradual change to the understanding of the importance of the purpose principle. This has led to the idea of openness about information policies, frankness in dealing with customers and added administrative efficiency by ensuring that information that is to be used is checked for its relevance and whether it is up to date, accurate and not misleading.
So many of the principles are based on common sense and good administrative practice that it is difficult to see that there is in the end a long term compliance cost. I believe the costs are compensated for by the administrative practices, the enhancement to software and other changes which the Act encourages. Privacy issues are not going to go away because there is no legislation. Firms still have to deal with them and there will always be a cost.
Finally, there was concern in NZ that the small business would have difficulty in complying. The small business in NZ has generally been unaffected by the Privacy Act. To begin with if they are sensible and considerate they don’t usually do things which would cause breaches of the principles. Most companies, other than those engaged in information rich activities, generally only have some retail customer information and employee information to protect. They might have an occasional request to access a personnel file, and their customer records are usually made available to the customers as before. Credit reporting has not proved to be a problem area for them.
Apart from the tendency to blacken the name of past employees to possible future employers, or to disclose personal information about the employee, most businesses do not do much which would attract complaints.
I would say the compliance costs for most small businesses in NZ have been almost nil.
It is different for those who deal with personal information as part of their business activity. The Privacy Act has made a difference to them and quite rightly so.
No doubt my current review of the operation of the Act will bring some changes. The soundings so far have not revealed any fundamental problems or excessive costs of compliance. NZ business has now had nearly four years lead in adapting to the future norms for international data flows and has a competitive advantage over its near neighbour in a principled approach to privacy for the private sector.
Bruce Slane, NZ Privacy Commissioner.