Privacy Law and Policy Reporter
From time to time over the past five years since the Privacy Act 1993 (the Act) came into force, the Privacy Commissioner has observed that the Information Privacy Principles have proved in practice to be very satisfactory. It comes as no surprise, therefore, that the formal report prepared by the Commissioner on his review of the operation of the Act finds no substantial faults with the NZ set of 12 information privacy principles.
The section of the review which deals specifically with the information privacy principles runs to over 60 pages of text, and contains 19 separate recommendations for specific change or at least consideration of specific change, but it would be fair to say that the recommendations are in the nature of ‘tweaking’ or ‘fine-tuning’. That the original set of principles has largely stood up to five years of experience, in a myriad different sets of circumstances, and still looks pretty good even when compared with the latest privacy legislation in Europe, Canada and Hong Kong, must be seen as a solid endorsement of the decision to follow some other jurisdictions by enacting principles as such rather than attempt to reduce them to a set of precise and prescriptive rules. This is, of course, a credit to the good sense and scope of the original OECD principles, and perhaps especially the 1988 Australian embodiment of them, upon which the NZ set was closely based. It is also a credit to Bruce Slane, who devoted the better part of the 1992/93 year to trying to get the NZ Act right.
In view of this, one could have forgiven this review report if it exhibited a certain air of self-satisfaction, but it does not come across that way. For instance, at the outset of this part of the report it blithely quotes the Law Society submission that the principles exhibit ‘complexity, repetitiveness and illogical ordering [which are] ... major barriers to the understanding of the Act’.
This chapter of the report is a principle-by-principle consideration of any changes which might be desirable in their content, and some canvassing of any needs for any further principles. In the event, the recommendations it makes do not amount to major changes, and no new principles are advocated.
One recommendation which would have real practical significance, however, is to extend the present information privacy principle 7 (the right to request correction) to allow an individual to demand that their details be removed or blocked from a direct marketing list, so that the agency is prohibited from using or disclosing that information for direct marketing. This suggestion was canvassed in a discussion paper, and received considerable support and no opposition. Of course direct marketing agencies, when asked, always say that they have no wish to waste their efforts and materials on persons who do not want to receive them. On the other hand, it is noticeable that such agencies when soliciting information which they plan to use for direct marketing do not like to use large print to advise of their intentions, nor do they make a feature out of any option of avoiding the direct marketing pitches.
Placing this recommended new right in principle 7 seems to follow a neat logic that, as direct marketers do not want to make approaches to those who do not wish to receive their overtures, a direct marketing list is of persons who are happy to be approached in this way; if an individual doesn’t want to receive direct marketing approaches, they can ask for the list’s incorrect assumption to be corrected.
In NZ, at least, the Direct Marketing Association (DMA) has for a long time advocated — and has asked its member organisations to ensure — that the wishes of individuals to be removed from direct marketing lists should be respected. If the Privacy Commissioner’s proposal is accepted, this will add a legal force to the DMA’s policy. Indeed, there is a quite common misunderstanding that such a measure is already in the Act. Although it has always been difficult for an individual to show that an unwanted direct marketing letter or telephone call has caused the degree and type of harm required for there to be an ‘interference with privacy’ in terms of the Act complaints jurisdiction, including such an opt-off right in the information privacy principles will probably be a welcome move for many.
Speaking of the need to show harm for a complaint to have substance brings me to another interesting recommendation in this review, and that relates to information privacy principle 12. This principle is concerned with the use of ‘unique identifiers’. It is the least understood and least used of the 12 principles. It breaks down into four sub-principles, and this recommendation is for changes to principle 12(2) — the prohibition of an agency assigning to an individual a unique identifier which it knows to have already been assigned to that individual by another agency.
As with the other parts of information privacy principle 12, one has to think for a while about 12(2) in order to work out what is actually prohibited, and what evil is thus averted. The review includes some helpful rumination on the meaning of ‘assign’ in this principle, and concludes that it has something to do with the way in which an agency might structure its records; thus the bank which collects and records an individual customer’s tax number is not ‘assigning’ that tax number, but if it was to organise its customer records by tax numbers it probably would be seen to have assigned it. I would comment that this view, like Public Register privacy principles 1 and 2, is based upon a mental model of a database as a collection of record cards which can only be accessed by one index and sorted by one field. Modern computer databases are not like that, and attempts to regulate such activity on the basis of outmoded metaphors will tend to hit the wrong targets even if they do not miss completely.
But I digress. The recommendation for information privacy principle 12(2) is that it be limited to prohibiting an agency from assigning a unique identifier which has already been assigned to that same individual by a public sector agency. With this modification, the bank will still not be able to keep its customer records by their tax file number, because that was originally assigned in the public sector, but the credit reference agency will be allowed to arrange its records and look up people by their bank account number because that identifier was originally assigned in the private sector. I would observe that the line between public and private sectors is increasingly blurred in NZ, and it seems to be swimming against the tide to base legal distinctions upon what is now almost an organisational and historical accident as to whether an agency is (or is termed) public or private.
There are some further recommendations for 12(2): that a complaint may be found to have substance if this sub-principle is breached without having to show harm to the individual concerned, and that a code of practice should have the power to prohibit the re-assigning of certain private sector unique identifiers. I can’t help feeling that principle 12 suffers from misunderstanding by not identifying the harm it is intended to avoid; it appears as a somewhat indirect and crude tool to fend off something indistinct but wicked which might otherwise attack us. These recommendations for modifying 12(2) do nothing to dispel that rather unsatisfying image.
The only other discussion and set of recommendations in this part of the review report upon which I would comment concerns s 7 of the Act. This is the ‘savings’ section, dealing with any cases where some other Act or regulation allows or requires something to be done which might be thought to breach the Privacy Act. Section 7 means in practice that the other legislation always prevails over the Act — a simple enough message but one which gets (perhaps unavoidably) bogged down in detailed categorisations and sub-clauses in the legislation, just as the equivalent section does in the Official Information Act. The recommendations here are that s 7 be effectively disbanded, and its components distributed among the separate information privacy principles. This has the virtue of making each of the information privacy principles more self-contained, but I’d suggest that at the same time it will make each of the principles that much harder for the non-lawyer to comprehend.
Section 7 is just the sort of provision to make even the most dogged and intelligent layperson go glassy-eyed and walk away from their attempts to follow it. I’d have thought that unless the formulation of the intent of this provision can be made far simpler to comprehend, distributing it (and inevitably repeating it a number of times) among the individual information privacy principles will make the principles themselves that much less accessible. And if s 7 can be simplified significantly, let’s do that; but leave it where it is. One is still going to have to go elsewhere in the Act to establish conclusively whether a particular set of facts is actually covered by a certain information privacy principle, even if that is just a check on the definitions in s 2 and the exemptions in s 55 and 56. So why not make the principles themselves as readable as we can, rather than load them up with dry and repetitive exceptions that are common to a number of different principles?
Given that the Law Society thinks that the existing set of information privacy principles exhibit complexity and repetitiveness which present major barriers to understanding of the Act, the recommendations for redistributing most of the provisions of s 7 do not, to my mind, exhibit the Privacy Commissioner’s usual empathy for the non-lawyer.
But really this is a very good report. Its evidently open-minded approach should quickly and painlessly disarm those who feared that a review of the Act by the very man who has been operating it for the last five years would be a self-serving exercise just going through the motions. It is thorough, well written, and worth reading. If I have carped at minor points, that just goes to show how sensible and well-reasoned the bulk of this worthy tome really is.
Bob Stevens is a freelance lawyer and consultant based in Auckland. From 1993 to 1997 he was the Auckland Manager for the Privacy Commissioner.
Telephone: (09) 446 0710