Privacy Law and Policy Reporter
The New Zealand Privacy Act 1993 (the Act) is currently one of the most extensive data protection statutes in the world. It covers the public and private sectors equally, and applies to both manually and electronically recorded information. Privacy advocates, though perhaps not some agencies, will be happy with the Review’s recommendations and say that not only should this coverage be maintained, but that some of the current exemptions from the Act should possibly be removed.
Of particular interest to debates within Australia is that there is no suggestion in the Review that the Act’s application to the private sector is not workable. The banking industry and some other organisations have consistently resisted subjection to the Act, principally on grounds of compliance costs and current trends to deregulation, and there were some strong submissions on this. However, few organisations have found it necessary to compile a code of practice to date, which is an indication that compliance issues are not as much of a barrier as they are said to be. The Review clearly favours continuation of the wide scope of the Act. As it says:
Broad coverage is a prime feature of the New Zealand Privacy Act. Its seamless application to both public and private sectors means that most privacy issues are able to be reached by the Privacy Act. It also means that the legislation is little affected by demarcation disputes, which accompany the more narrowly based laws.
This approach seems to be wise. One would have expected the Review submissions to reflect widespread difficulties with the scope of the legislation. In the absence of any evidence of severe practical difficulties, there seems little reason to distinguish (increasingly artificially) between public and private sector agencies. Personal information practices within the private sector affect individuals just as extensively as those within the public sector. This includes effective compulsory provision of information for certain necessary services. For these reasons, and others, failure to cover the private sector would inevitably fall foul of the ‘adequacy’ requirements in the EU Data Protection Directive. Maintaining the wide scope of the Act is therefore not only beneficial for individual privacy, but also enhances commercial activity, especially perhaps for agencies such as the banking industry with its significant offshore interests.
However, this is not to say that the individual provisions defining the scope of the Act are perfect. Indeed, the Review has recommended that some smaller-scale adjustments are required. Various recommendations suggest clarification of particular terms, such as ‘public sector agency’ (and adding ‘private sector agency’), ‘tribunal’ (limiting the term to statutory tribunals), ‘document’, and ‘personal information’. The changes are relatively minor, but may help with general understanding of these important terms.
Probably the most controversial recommendation is that the Ombudsman should no longer be exempt from being an agency. The Commissioner explains, convincingly, that the Ombudsman’s exemption is a complete anomaly among the state-funded complaints agencies. Admittedly, the Ombudsman is an Officer of Parliament, but so is the Parliamentary Commissioner for the Environment, who is not exempt. It seems unlikely that the mana of the Ombudsman would be undermined by the operation of the Privacy Act. The current failure to provide employees of the Ombudsman’s office, at least, with the same privacy protections as the rest of the population seems unjustifiable. If it were likely that the operation of the Privacy Act could interfere with the complaints jurisdiction of the Ombudsman’s office, the obvious answer would be to provide an exemption in the same way as has been done for other bodies such as the courts and the news media. The Ombudsman could be exempt ‘in relation to its complaints function’.
Other constitutional actors currently exempt from the definition of agency include the legislature and Members of Parliament. The Review suggests that complete exemptions may not be necessary here. For example, members of Parliament do collect, hold and use personal information of constituents and others, and, in some instances, it may be appropriate for MPs to handle that information in accordance with the privacy principles. How this should be enforced is, however, a subject which requires care. There are constitutional difficulties with having an outside agency such as the Privacy Commissioner apparently regulating the legislature in any way. Although not all handling of information by MPs will relate to their legislative duties, the Review concludes that the best way of dealing with such concerns is to regulate them under Standing Orders (which already to some extent control privacy issues). The recommendations are therefore phrased largely in terms of suggesting that consideration be given to incorporating any appropriate parts of the information privacy principles in Standing Orders.
Recommendation 16 states that it may be desirable to enact a definition of ‘use’ which will encompass ‘browsing’ activities. ‘Browsing’ can be generally defined as retrieval or consultation of personal information for non-legitimate purposes, for example looking up the records of people one knows. The problem generally arises in the context of employees who need to have access to certain types of personal information as part of their job. Where the information is not disclosed to others, or otherwise strictly ‘used’, it is difficult to regulate the behaviour using the current provisions of the Act. The negative impact on personal privacy is, however, obvious. Recommendation 16 would be a useful way of bringing such objectionable behaviour within the scope of the Act’s enforcement mechanisms. Another approach is that suggested by recommendation 23, which would amend principle 5 so as to place the onus on the agency to prevent browsing. It would be best for these recommendations to operate in tandem, to place as many barriers as possible in the way of browsing activities.
Section 6 of the Act sets out 12 information privacy principles, which regulate handling and collection practices for personal information. The use of principles, rather than more strictly formulated rules, has been the subject of some criticism, particularly by lawyers. There is a range of approaches in overseas data protection statutes, but in practice in NZ, the principle approach seems to work successfully. The Review concludes that those who work with the Act on a daily basis find the flexibility of the principles helpful.
This seems correct. Read together, the information privacy principles provide a common sense guideline to information handling practices, which can be readily understood by most people, provided they are not applying a strictly legalistic viewpoint. Also, as the Review points out, it is an unattractive proposition to change to rules, which would perform the same task in a different form, after five years of experience with the Act. As with the scope of the Act, therefore, the Commissioner’s recommendations are restricted to smaller scale adjustments, some of which are discussed below.
The Commissioner has made only a few recommendations regarding principles 1 to 4, which deal with collection of information. Principle 1 restricts information collection to lawful purposes connected with an agency’s business, where the collection is necessary for the purpose. This seems to cause little confusion in practice. However, various submissions suggested amendments to principle 2, which requires that information be collected directly from the individual concerned except in certain listed circumstances. The problem here is that when information is collected legitimately from a third party, there is no requirement that the individual ever be told that the information has been collected, who holds it and so on. This would seem to undermine the ability of the Act to ensure that people can exercise control over their own personal information, if only to the extent of knowing who has it and why. The Commissioner does not currently make any recommendation in that regard, but the Australian experience under the new Fair Handling principles will be informative, and, if successful there, NZ may decide to move to a similar framework.
Several amendments are suggested to principle 3, which provides a list of matters about which the information subject has to be informed when the information is collected. The basis of the principle is to provide for transparency of policies and procedures and to enable informed consent. One suggestion which was made in submissions was that the agency should have a duty to ensure that a person from whom information is collected is able to ascertain the agency’s policies and practices in relation to personal information. This suggestion would seem to support the rationale for the principle, without imposing any great hardship on agencies. It is perhaps surprising, therefore, that recommendation 18 suggests the matter be dealt with in codes of practice rather than more generally. Very few agencies have seen the need to produce codes of practice to date, and there is little reason to suppose that the number will increase significantly. In practice, therefore, the gap will remain.
Recommendations 20 and 21, which suggest that two exceptions to principle 3 be repealed, seem more straightforward. Principle 3(4)(a), which allows an agency to avoid the checklist if the individual concerned authorises it, seems peculiar. As the Commissioner points out, informed authorisation is unlikely if, for example, the person has not been informed of the purpose for which the information is being collected. It also seems strange that material collected for statistical purposes should not be subject to the same notification requirements, as stated in principle 3(4)(f)(ii). The proposed repeal of these exceptions therefore seems sensible.
Principle 4, regulating methods of information collection, seems to work successfully. One outstanding problem, however, is the current legal lacuna in relation to covert video surveillance, principally by the police. It may be that principle 4 covers this to some extent, but the Commissioner’s recommendation that a judicial warrant process should be established for such procedures is absolutely correct, especially in the light of the Court of Appeal’s recent refusals to fill the gap using s 21 of the New Zealand Bill of Rights Act 1990.
The other main recommendations of the Review centre on access to information. Principle 6 works well in its general application. It is very frequently used, and the rights it gives are well understood, although alleged breaches of it are still the subject of a significant proportion of complaints to the Privacy Commissioner’s office. This appears to be more as a result of the use of the withholding grounds than confusion with the principle itself, and most submissions to the Review discussed access rights in these terms.
The Review recommends that the withholding grounds would be more clearly understood if each were put in a separate section. This would require alphanumerical numbering, which is slightly clumsy, and it would take some time for frequent users of the Act to get used to the new system, especially those who also use the Official Information Act from which the current order is directly drawn. However, the Commissioner believes that the overall additional clarity would make this worthwhile. He suggests that the most commonly used provisions be put first, such as ‘prejudice to the maintenance of the law’. While, to legal practitioners, this recommendation may appear to be mere window-dressing, it will probably in practice make the Act significantly easier for lay people to use. Creating a separate section for each withholding ground is also much better than either alternative; to put all of them into a single, very long section would be clumsy and confusing, and to put them into a schedule would be inappropriate and make the statute more difficult to use, not less.
The Commissioner has suggested at various points that the meaning of the withholding grounds could be more clearly spelt out in the Act itself. Again, this should benefit lay people, who may not have access to case notes or legal precedents from the Tribunal on the interpretation of various points. So, for example, it could be beneficial to spell out more exactly what is meant by ‘maintenance of the law’ or ‘legal professional privilege’ and to give guidance on withholding in instances where mixed information is involved. It could also be directly stated that information generated within an agency by a person as part of his or her job cannot be withheld under the evaluative material exception. An important additional suggestion is that the Act could enable the withholding of information where there is a significant likelihood of harassment of an individual as a result of disclosure. This is currently often not covered by s 27(1)(d), which the Tribunal has interpreted to refer only to endangering physical safety, and has proved a problem in some areas of practice, particularly for the police.
As a final point, the Review indicates the need to revise s 7. The savings provisions in s 7 were enacted in their current form in a search for simplicity, but their effect, in practice, has been to complicate the operation of the Act quite considerably. Many who use the Act, particularly those who are not legally qualified, are unaware of the section (sometimes because they only use a set of the information privacy principles and withholding grounds), or are confused by its content. The Review suggests largely transferring the content of s 7 to the appropriate privacy principles, or into the withholding grounds under Pt IV.
It will be particularly useful in practice if recommendation 30 is adopted. This suggests that a new exception be created within principle 11 to the effect that disclosure is permitted where it is mandated or permitted by other legislation. This will make it plain to anyone reading the principle itself that other statutes also need to be considered. Particular difficulties have been encountered with the interface between the Official Information Act and the Privacy Act. Incorporating the recommendation in the terms suggested, which specifically refer to the Official Information Act, should remove a considerable amount of the current confusion.
The scope, application and principles of the Act have generally worked well to date. However, adoption of many of these recommendations will considerably simplify the operation of the Act for its users. This is particularly important as the Act needs to be comprehensible to all data handlers and information subjects, not just those with legal training. Some of the recommendations will be highly contentious and political, but serious consideration should be given to incorporating them into the legislation.
Katrine Evans is a Lecturer in Law at Victoria University of Wellington, where she teaches a Privacy Law undergraduate course and is completing an LLM thesis on privacy and the news media.
Telephone 04-4953290 (x 6312) Email: firstname.lastname@example.org