AustLII Home | Databases | WorldLII | Search | Feedback

Privacy Law and Policy Reporter

Privacy Law and Policy Reporter (PLPR)
You are here:  AustLII >> Databases >> Privacy Law and Policy Reporter >> 2002 >> [2002] PrivLawPRpr 21

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

Roth, Paul --- "New Zealand twins: Access review processes for personal and third party requests" [2002] PrivLawPRpr 21; (2002) 9(1) Privacy Law and Policy Reporter 9

New Zealand twins: Access review processes for personal and third party requests

Paul Roth

This paper was given at an International Symposium on Freedom of Information and Privacy, Auckland, 28 March 2002, organised by New Zealand Privacy Commissioner Bruce Slane, and is reproduced here by kind permission of the Commissioner and the author — Associate Editor.

Access rights to personal information developed in a piecemeal fashion in New Zealand. The processes for reviewing decisions on access requests reflect this history. The present institutional arrangements for access review are the product of legislative accretion rather than original design. The result is probably not a model to be emulated elsewhere, as it is not as rationalised as it might be. Nevertheless, the variety of review processes that are in place in New Zealand provides a useful indication of the pros and cons of one mode over another.

Review processes under the Official Information Act 1982 and Local Government Official Information and Meetings Act 1987

The review processes under the Official Information Act 1982 (OIA) and the Local Government Official Information and Meetings Act 1987 (LGOIMA) apply to denied access and/or correction requests in respect to information held by public sector agencies.

Requests for personal information by persons to whom the information relates (where ‘persons’ are limited to bodies corporate) are treated differently. Requests for ‘personal information’ (s 24 OIA; s 23 LGOIMA)[2] and for the reasons for decisions about ‘persons’ (natural as well as corporate persons — s 23 OIA; s 22 LGOIMA) are subject to legal rights enforceable in a court of law.

Thus, in the case of access to personal information (by bodies corporate only), there are directly enforceable legal rights of access and correction. Alternatively, and this is the usual course, recourse can be had to the Ombudsman’s review process as follows.

Review process under the Privacy Act 1993

Where a ‘person’ is a natural person, access and correction rights in respect of ‘personal information’ fall under the Privacy Act rather than the OIA or LGOIMA. The Privacy Act covers personal information held by both public and private sector agencies.

The review process is as follows.

(a) a declaration that the action of the defendant is an interference with the privacy of an individual;

(b) an order restraining the defendant from continuing or repeating the interference, or from engaging in, or causing or permitting others to engage in, conduct of the same kind as that constituting the interference, or conduct of any similar kind specified in the order;

(c) damages for:

(i) pecuniary loss suffered as a result of, and expenses reasonably incurred by the aggrieved individual for the purpose of, the transaction or activity out of which the interference arose;

(ii) loss of any benefit, whether or not of a monetary kind, which the aggrieved individual might reasonably have been expected to obtain but for the interference; and

(iii) humiliation, loss of dignity, and injury to the feelings of the aggrieved individual (s 88(1));

(d) an order that the defendant perform any acts specified in the order with a view to remedying the interference, or redressing any loss or damage suffered by the aggrieved individual as a result of the interference, or both; and

(e) such other relief as the Tribunal thinks fit.

Alternatively, where the information concerned is held by a public sector agency, there is a legal right to access and correction directly enforceable in a court of law (s 11(1)). This right was carried over from the OIA and LGOIMA.

Overlapping jurisdictions

Double-handling in the course of review processes occurs in relation to information held by public sector agencies, where the legislation makes provision for consultation between the Ombudsmen and the Privacy Commissioner. The Privacy Commissioner is consulted on the Ombudsman’s application of s 9(2)(a) OIA and s 7(2)(a) LGOIMA,[6] which deal with the withholding of official information to ‘protect the privacy of natural persons, including that of deceased natural persons’. Over the past few years, there have been between 50 and 80 such consultations per year.

‘Mixed information’

‘Mixed information’ is information about the requester as well as another individual. This is quite common, as much personal information tends to be about individuals in relation to other individuals. Even when the information is ostensibly limited to information about one individual, it may really be another’s opinion or belief about the individual concerned.

The concept of ‘personal information’ is a key one for determining the appropriate jurisdiction, since individuals must use the Privacy Act to obtain information about themselves, whereas third parties must use the OIA and LGOIMA to obtain information about others if the information is held by a public sector agency. In addition, ‘personal information’ held by a public sector agency, to which there is a right of access, is always available free of charge, whereas a reasonable charge may be made for information about a third party.

This approach, first instituted under the OIA and the LGOIMA, arguably has influenced the definition of what constitutes ‘personal information’, so that the concept has been interpreted liberally to ensure that individuals enjoy the full measure of their legal rights. Thus, ‘personal information’ has been interpreted to include comparisons of the requester with the successful job applicant for a position both had applied for;[7] the identity of informers in relation to the person being informed upon;[8] the identity of complainants;[9] and the identity of a requester’s assailants.[10]

Limited direct access to courts

Under the OIA, LGOIMA and the Privacy Act (where the holder of the information is a public sector agency), requesters of personal information may enforce their rights directly in a court of law, bypassing the specialist review procedures.[11] Direct recourse to the courts was carried over from the OIA and LGOIMA to the Privacy Act on the grounds that this preserved existing legal rights, the principle being ‘that a right once conferred by statute should not lightly be taken away’.[12] This right was not extended in respect to personal information held by private sector agencies, however, as it was thought to be more cost effective to leave enforce-ment in the hands of a public official specialising in information privacy.

Although people (both natural and corporate) have a legal right of direct access to the courts where their personal information is held by public sector agencies, they normally take the alternative route of pursuing their rights through the specialised processes provided under the OIA, LGOIMA, or Privacy Act. The principal reason for this seems to be that the review processes of the Ombudsman or Privacy Commissioner are undertaken without charge, and, in relation to the Privacy Act, there are no filing or hearing fees in the Human Rights Review Tribunal. Accordingly, recourse directly to courts of law tends not to be made, despite a lengthy queue before the Privacy Commissioner is able to investigate a matter.[13] As was remarked in relation to practice under the freedom of information legislation prior to the Privacy Act:

The courts, like the Ritz Hotel, may be open to all but only a few can afford the rooms. It is not surprising that no individual requester of personal information has taken the matter to court.[14]


Under the OIA and LGOIMA, the remedy is simply a recommendation that the information concerned be disclosed in one form or another. The Ombudsmen’s recommendations, even when they do not automatically convert into public duties, are normally adopted because of the great esteem in which the office of Ombudsman is held. No compensation or other remedies are available under the Ombudsman’s review processes. Under the Privacy Act regime, however, compensatory damages are available as a remedy.

The majority of Tribunal cases where breaches of access rights have been found under the Privacy Act concern public sector agencies that would have been covered under the official information regime prior to 1993. Therefore, requesters under the Privacy Act regime now have available to them a remedy in damages which was unavailable under the official information regime.

A requester who has been denied access to personal information will have the evidential burden of proving whether or not there should be a remedy in damages, as well as the issue of quantum. It might be thought that cases involving breaches of access rights would be unlikely to give rise to compensatable loss, but this has not proved to be the case. Indeed, several cases have attracted substantial awards.

Nominal damages were awarded in two cases brought against the police. The amounts awarded were $500[15] and $200.[16] In one case, the police professed to have been unable to find the originals of several documents. The complainant was urgently seeking these for use in a private prosecution against a constable for failing to answer a summons served on him in the original hearing of several criminal charges against her. On the day of the hearing of her private prosecution, however, some of the documents sought were produced in evidence by the constable. Nominal damages were awarded on the basis that the evidence had no impact on the outcome of the hearing, and the original of the document the complainant particularly sought was identical to a copy she had already seen. In the other case, the police refused to disclose the identities and addresses of the complainant’s assailants on the ground that the request was frivolous or vexatious. The complainant was otherwise known to the police for having lodged a number of complaints and requests for information over the years, often in relation to matters in which he was not personally involved. The Tribunal found that the complainant suffered humiliation, loss of dignity and injury to feelings.

The highest award ever awarded by the Tribunal in an access case was $20,000 for humiliation, loss of dignity, and injury to feelings.[17] The complainant had supervised disabled children for the defendant organisation. He was suspended because a complaint had been made concerning an indecent assault by him on a child in his care. The complainant, however, had never been informed of the reason for his suspension, nor was he aware that the complaint had been taken to the police. He made a number of requests for his personal information, but was never given full information behind an internal inquiry into the matter, his suspension, or the complaint to the police. The Tribunal found that ‘the defendant embarked on a course of conduct which exacerbated the effect of the failure to confirm the existence of the information sought by the plaintiff’. Among aspects of the defendant’s conduct that were criticised by the Tribunal were the deliberate concealment of highly sensitive personal information from the plaintiff, even though it was obvious to the plaintiff at the time that this information was being made available to others; the defendant’s concealment of the fact that it had destroyed the plaintiff’s file and reconstructed another after the request for information had been made; the fact that the defendant had similarly misled the Privacy Commissioner during his investigation; and the obstacles which the defendant forced the plaintiff to overcome in his quest for his personal information, which caused an increasing number of people to learn of the damaging but unanswered allegation against him.

In another case, the High Court, on an appeal from the Tribunal, awarded $2000 to a complainant because several documents had been withheld from him in the course of protracted employment litigation, apparently as the result of an oversight.[18] The Court found that the information would have been useful to the complainant’s case — at the very least, the complainant would have been able to feel that he had presented his best possible case. The Court also accepted that the complainant ‘would have felt “ambushed” and stressed’ in the original hearing of his employment case when he became aware of the information that had been withheld from him, and he would have suffered further stress and disadvantage in having to decide whether or not to apply to have the newly acquired evidence introduced on appeal, where the respondent was contesting its introduction. The Court therefore awarded damages for injury to the complainant’s feelings both at the time that he discovered that the information existed and on an ongoing basis. The Court commented that the damages award would have been higher had the complainant not delayed nearly a year in applying to have the new evidence admitted on appeal.

In a case against the Department of Child Youth and Family Services,[19] the Tribunal awarded damages of $2500 because the Department had failed to make information available to the plaintiff in a timely fashion. The plaintiff had requested the information in connection with legal action he was undertaking against the Department for abuse while he was in its care as a child. The Tribunal accepted that the Department’s treatment of a second request for information by the complainant caused him some humiliation. The defendant’s staff had wrongly assumed that the plaintiff had already received the information concerned. The defendant’s staff did not realise how important obtaining the information was for the complainant, and their conduct led him to believe that there was a conspiracy to withhold the information. The Tribunal, however, accepted the Department’s explanation that there had been a series of errors and administrative changes that contributed to the problem. In another case against the same Department that also concerned a failure to grant timely access to personal information, the Tribunal awarded damages of $7000 for humiliation, loss of dignity and injury to feelings.[20] The complainant, a secondary school teacher who taught students with special needs, had been accused by a pupil of sexual abuse, and there was undue delay by the Department in disclosing the information relating to the allegation. l

Paul Roth, Associate Professor, Faculty of Law, University of Otago.

[1] The investigation procedure is governed by the Ombudsmen Act 1975: s 29 OIA; s 28 LGOIMA.

[2] Prior to the enactment of the Privacy Act, these provisions also covered natural persons. The Privacy Act, however, took jurisdiction over access and correction rights in respect of personal information about natural persons.

[3] This Tribunal was known as the Complaints Review Tribunal prior to 1 January 2002.

[4] Section 123 Human Rights Act 1993 applies by virtue of s 89 Privacy Act.

[5] Section 124 Human Rights Act 1993 applies by virtue of s 89 Privacy Act.

[6] See s 29B OIA and s 29A LGOIMA. In addition, where the Privacy Commissioner receives a complaint that more properly relates to an area under the Ombudsmen’s jurisdiction (see the discussion of ‘mixed information’), s 72 of the Privacy Act requires the Privacy Commissioner to consult the Chief Ombudsman with a view to possible referral.

[7] Ombudsman’s Case No 737 (1987) 7 CCNO 59 (J Robertson); see also Case Nos 194, 202, and 226 (1985) 6 CCNO 111 (G R Laking); and Case No 794 (1987) 8 CCNO 66 (J Robertson).

[8] Ombudsman’s Case No 327 (1985) 6 CCNO 127 (G R Laking); Case No 210 (1985) 6 CCNO 115 at 118-119 (G R Laking); Case Nos 010W, 011W, 030W, and 075W of the Privacy Commissioner’s casenotes (April 1994); Hadfield v Police [1996] NZCRT 15; (1996) 3 HRNZ 115; Adams v New Zealand Police, unreported, Decision No 16/97, CRT 3/97; Cornelius v Commissioner of Police [1998] 3 NZLR 373.

[9] Report of the Ombudsmen for the year ended 30 June 1997 (AJHR A.3) 35-36; (1997) 3(2) Ombudsmen Quarterly Review (June). This case was handled under the LGOIMA because the requester was a corporate, as opposed to a natural, person, and the information was held by the local council.

[10] Proceedings Commissioner v Commissioner of Police, unreported, Complaints Review Tribunal, Decision No 18/2000, CRT 10/00, 10 July 2000.

[11] The Human Rights Review Tribunal is not a ‘court of law’.

[12] Report of the Department of Justice on the Privacy of Information Bill (22 January 1993) to the Privacy of Information Bill Sub-Committee of the Justice and Law Reform Committee, p 13.

[13] In his report to Parliament for the year ended 30 June 2001, the Privacy Commissioner notes that the time between receipt of a complaint and its assignment to an investigating officer dropped on average from 18 months to about 12 months.

[14] Eagles I, Taggart M and Liddell G Freedom of Information in New Zealand Auckland, 1992, pp 572-573.

[15] Mitchell v Police Commissioner [1994] NZCRT 3; [1995] NZAR 274; [1995] 1 HRNZ 403.

[16] Proceedings Commissioner v Commissioner of Police, unreported, Complaints Review Tribunal, Decision No 18/2000, CRT 10/00, 10 July 2000.

[17] L v N (1997) 3 HRNZ 721.

[18] Proceedings Commissioner v Health Waikato Ltd (2000) 6 HRNZ 274.

[19] S v Department of Child Youth and Family Services, unreported, Complaints Review Tribunal, Decision No 12/2000, CRT 13/00, 30 June 2000.

[20] DAS v Department of Child, Youth and Family Services, unreported, Complaints Review Tribunal, Decision No 24/00, CRT 26/00, 13 September 2000.

AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback