Privacy Law and Policy Reporter
Complaints Review Tribunal (NZ), Decision No 21/97, 24 July 1997
Privacy Act 1993 (NZ) s 2 — Definition of personal information — information about a corporate entity outside the scope of the Privacy Act even where it pertains to the personal affairs of an individual.
The plaintiff, C, had alleged that the defendant, the ASB Bank, had breached IPPs 5 and 11 in that it had disclosed copies of the bank statements of the company operated by the plaintiff to his former wife without his consent. He claimed that the disclosure, by a number of suburban branches on at least 16 occasions after he and his wife had separated and were in dispute, had led to the liquidation of the company.
Both parties agreed that the threshold issue was whether the information which was disclosed was personal information within the meaning of the Privacy Act.
The Tribunal found that while the plaintiff had operated his company bank account as it were a personal account, and that transactions of a personal nature were recorded on the statements which were disclosed, this did not mean that any of the information contained in the statement could be considered ‘about’ the plaintiff. The Tribunal accepted the proposition:
that all transactions on a company’s bank statements are the transactions of the company, not of any individual, no matter how identified with the company the individual may be.
The Tribunal rejected arguments that both the purpose of the request for disclosure, and the subsequent use of the information by the requester, including combining it with other information, can have an effect on the question of whether the information concerned is ‘personal’. It said that to accept that:
the conclusions that may be drawn ... by the combination of different categories of information can affect the status of information ... would render the issue of what is personal information a completely subjective exercise and the definition in the Act meaningless.
The Tribunal upheld the earlier decision of the Privacy Commissioner (NZ) not to accept the complaint, and recommended referral of the matter back to the Banking Industry Ombudsman, where it had originated.
The plaintiff did not appeal.
This decision should re-assure businesses in Australia that a privacy law applying to them would not affect their handling of information about legal entities, including their own business records. While the Tribunal accepted that this can have the effect of depriving individuals of rights in circumstances where information about a legal entity is also information about an individual, it did not accept the ingenious arguments by the plaintiff’s counsel [Tim McBride, former NZ editor of PLPR — Ed] for a ‘purposive’ interpretation.
While the definition of personal information in the New Zealand Act is simpler than that in the Australian Privacy Act 1988, it does not differ in any respect material to the issue decided in this case. In order to be subject to either Act, information must be ‘about’ an ‘identifiable individual’ (NZ) or ‘an individual whose identity is apparent, or can be ascertained, from the information or opinion’ (Aus).
If the Australian Act with an unchanged definition of personal information applied to the private sector, it could be expected that the Privacy Commissioner, and the courts, would take a similar approach to their counterparts in NZ to any suggestion that the Act impinged on the operation of records about legal entities.
To do otherwise, in the words of the defendants counsel in this case [Elizabeth Longworth — another member of the PLPR Editorial Panel — Ed]:
[would be to] disregard a hundred years of company law and jurisprudence.
It is doubtful if Australian businesses even in their worst nightmares could envisage a privacy regulator or courts so radical as to uphold an interpretation of a privacy law at variance with this NZ decision.
Nigel Waters, Associate Editor.