Privacy Law and Policy Reporter
In the mid-1970s a fierce public debate raged over the then government’s proposal to establish a national computerised Law Enforcement Information System (LEIS) at Wanganui. In an attempt to placate those hostile to the proposal, elaborate privacy protections were included in the Wanganui Computer Centre Act 1976 (the 1976 Act). For example, coerced access requests and coerced authorised disclosures of criminal history information were essentially outlawed (1976 Act, s 29(2)(c)).
When the Privacy Act 1993 (the Act) was enacted, the 1976 Act was repealed. At the time it was assumed that access rights by individuals to their criminal history information, available under the 1976 Act, would remain basically the same — albeit that they would be exercised under information privacy principle 6 (the access principle) of the Act.
Regrettably, since the enactment of the Act, there has been what can only be described as a dramatic increase in the number of coerced requests for criminal history information. For example, the Department of Courts has confirmed that only 25 per cent of requests to the Department for criminal history now come from individuals. The remaining 75 per cent come from third parties, for example, insurance companies and prospective employers.
The problem is highlighted in the Review of the Privacy Act. The Commissioner considers a coerced access request to be a situation where, for example, a prospective employer insists that an applicant make an access request to an agency and deliver the results to the employer. On the other hand, a coerced authorised disclosure is where, for example, a prospective employer requires an applicant to sign a form authorising the law enforcement agency to disclose directly to the prospective employer.
Interestingly, the Department of Courts’ figures — contained in a letter to the Privacy Commissioner — were apparently prepared to explain the Department’s ‘difficulties in processing so many access requests and the costs that it believed it had to absorb’ (para 12.18.10). However, as the Privacy Commissioner rightly notes, ‘the position is far more worrying from a privacy perspective’ (Ibid).
The Department’s figures offer ‘a dramatic illustration of the rapid escalation of coerced access requests and coerced authorised disclosures. It would appear plain that three-quarters of the public releases of criminal history information ... would not have been permitted under the 1976 Act. The change has not been positive for privacy ...’ (para 12.18.11). This is something of an understatement. Such coerced releases of criminal history information, if detected, would have constituted a criminal offence, for which a term of imprisonment was a sentencing option.
The Commissioner recommends that the Privacy Act be amended to ‘reinstate special controls on individual access rights to criminal history information’. The object would be to:
Ensure that information is only released directly to the individual concerned. Disclosure to third parties, such as insurance companies or prospective employers, (would) only be permitted where there is both —
• express legislative authorisation; and
• written authorisation from the individual concerned (para 12.18.14).
The fact that these two requirements would be cumulative is very important. In an increasingly tight job market, combined with a generally deteriorating economic environment, notions of freedom of choice for prospective employees and purchasers of goods and services may be largely illusory. The additional requirement of specific statutory authority is therefore necessary.
The Privacy Commissioner considers that the specific authority could be provided in an Act or in regulations pertaining to a specific law. The authority could permit ‘disclosure to a third party where the objectives of that legislation required’ (para 12.18.15). The example of the Financial Advisers Disclosure Act 1997 is given.
An additional concern at present is that criminal history information is available free of charge. To address this, the Privacy Commissioner recommends that any change should ensure ‘that the costs are borne by industry or the Government ... and not publicly subsidised by disguising the process as individuals seeking access to their information under information principle 6’ (para 12.18.16).
That approach would be consistent with recent ILO initiatives, in particular, the ILO code of practice, Protection of Workers’ Personal Data (1997). Finally, the Commissioner notes that the British Data Protection Bill 1998 attempts to outlaw coerced access requests (cl 56).
The issue of coerced access requests is an important one — which could easily be overlooked, given that the commentary on it is tucked away in the section of the Privacy Commissioner’s Review Report headed ‘Miscellaneous Provisions’. The Commissioner’s recommendations must be implemented as a matter of urgency, given that this is a situation where New Zealanders are demonstrably worse off, privacy-wise, than they were before the enactment of the Privacy Act 1993.
Tim McBride, Senior Lecturer in Law, University of Auckland.