Privacy Law and Policy Reporter

Roth, Paul --- "Recent developments in New Zealand privacy law" [2002] PrivLawPRpr 51; (2002) 9(7) Privacy Law and Policy Reporter 121

Recent developments in New Zealand privacy law

Paul Roth

This article discusses several important issues raised by two recent cases dealing with the New Zealand Privacy Act 1993. The cases are the High Court appeal case L v L[1] and Case No 19740 of the Privacy Commissioner’s case notes.[2] The issues concern ‘implied’ authorisation, the proper role of the Privacy Commissioner in legal proceedings, and whether personal information can be ‘passively’ collected. Although these issues arose from the interpretation and application of particular provisions of New Zealand’s Privacy Act, they nevertheless can provide an interesting comparison and contrast to the Privacy Act 1988 (Cth) as amended.

Can ‘authorisation’ be implied?

Several information privacy principles in s 6 of the Privacy Act (NZ) provide for exemptions from compliance where the collection, use, or disclosure of personal information has been ‘authorised’ by the individual concerned.[3] The New Zealand legislation does not define the concept of ‘authorisation’. The Australian Privacy Act uses the term ‘consent’, which is defined as meaning ‘express consent or implied consent’.[4] It is not clear, however, whether there can be ‘implied’ authorisation under the New Zealand legislation.

The concept of authorisation is arguably stronger than that of consent. The verb ‘authorise’ denotes more clearly a positive and conscious act by the individual, whereas ‘consent’ tends to be used in contexts where an act is being performed by another in relation to the individual concerned, who is in a passive position. In the legal (particularly medico-legal) context, the expressions ‘implied consent’ and ‘informed consent’ are well established, but the same cannot be said of ‘implied authorisation’. The idea of authorisation is free of any such associations, and thus more clearly denotes a deliberate act.

This was the approach taken in Case No 2976 of the Privacy Commissioner’s case notes.[5] A bank carried out a credit check on a couple who were applying to open a joint savings account. The customer services officer had merely informed the couple that she would get the application ‘checked’. The credit check proved unfavourable and the couple were informed that they could not open the account. As a result of the bank’s disclosure of information to the credit reference agency, both the husband and the wife were contacted at their workplaces by a debt collection agency regarding a dispute they were having about an account. The Privacy Commissioner found that ‘the bank did not appear to have obtained any authorisation to carry out the credit check (Information Privacy Principle 2(2)(b)) and I did not consider that a failure to object amounted to an authorisation’. He was of the view that ‘authorisation requires a positive act’.

The Privacy Commissioner has publicly addressed the idea of implied authorisation at least twice. The Privacy Commissioner mooted the possibility of there being implicit authority in some circumstances for Ministers to respond to public criticism by aggrieved individuals by referring to personal details as appropriate.[6] He stated:

Whether there are grounds to infer such authorisation would depend on the circumstances of the case and I have not had to consider such a case. One could imagine public criticism by an individual setting out her alleged personal circumstances, coupled with a demand for the Minister to ‘explain his actions’ might be interpreted as implicit authority to respond to each of the points made even where that involves release of limited personal details. On the other hand, an individual who feels badly treated by a Department and who simply says that could not be considered to have given such a broad authorisation.[7]

The subject of implicit authorisation was also briefly addressed by the Office of the Privacy Commissioner in an article on collecting personal information through job references.[8] The article suggested that when a job applicant supplies a list of referees in a curriculum vitae, that may be implicit authorisation that information about the applicant can be collected from those referees. However, the article cautioned that ‘it is still safer to check with the applicant beforehand’.

Such caution was well advised in view of Case No 19740 of the Privacy Commissioner’s case notes,[9] in which the Privacy Commissioner did not accept that the sending of a written reference with a curriculum vitae constituted implied authorisation to contact the author of the reference. This was on the basis that the prospective employer departed from the procedure it had advised applicants it would follow in respect of contacting referees.

The complainant in that case unsuccessfully applied for a position in a government department, and her complaint concerned its disclosure of information to her former employer. The complainant had completed the application form, which asked for the nomination of referees. The complainant was under the impression from this request that only these nominated referees (or persons nominated in turn by them) would be contacted. She also attached to the application a reference from a former employer. The department contacted this person, informing him that the woman had applied for a job. The job applicant did not expect that the department would contact her former employer. The complaint involved consideration of breaches of principles 3 (Collection of information from subject), 10 (Limits on use of personal information), and 11 (Limits on disclosure of personal information), but in the result, the Privacy Commissioner formed the view that only principle 3 had been breached, as the department did not advise her that any written references provided might be followed up.

The department unsuccessfully tried to argue, inter alia, that by sending the former employer’s reference, the applicant impliedly authorised the department to contact it. The Privacy Commissioner did not accept this argument, and noted:

It appears that the Department had a policy of following up all references, whether or not the applicant had nominated those people as referees in the relevant section of the form. However, the application form was silent about the Department’s policy and the steps it would take if those referees suggested other sources of information about the applicant.

As the Department had not advised applicants that they might use the form alone when applying for the position and in fact had instructed applicants to submit a curriculum vitae in addition to the form, I took the view that it was obliged to advise applicants how all the information included in their application would be dealt with, not merely how nominated referees and people they nominated would be handled. The fact that an applicant supplies additional references cannot constitute an implied authority for those referees to be contacted by the Department when the applicant had been given no indication that such an action would be taken. I could not accept the argument that merely by submitting extra written references the woman had in any way authorised the Department to contact those people.

The Privacy Commissioner formed the view that in order to comply with principle 3, the department should have notified applicants that any references supplied might be followed up.

The Complaints Review Tribunal[10] and the High Court, however, have tended to take a somewhat liberal approach in the two cases where the issue of implied authorisation has arisen.

In L v J,[11] which dealt with Rule 11 (Limits on disclosure of health information) of the Health Information Privacy Code 1994, the Tribunal took a relaxed view of what could constitute an authorisation to disclose information. The plaintiff alleged that the defendant general medical practitioner disclosed information in the plaintiff’s medical notes to a psychiatrist to whom the plaintiff had been referred, without the plaintiff’s authorisation. The defendant accepted that she had not first obtained the plaintiff’s specific authorisation. The Tribunal, however, found that the defendant had implied authorisation to disclose this information as the plaintiff had provided the psychiatrist with the name of her general practitioner, and ‘[t]here must have been the clear implication that by asking for this information the psychiatrist would access her medical file, or those parts of it which were relevant to his treatment of her’.[12]

That the plaintiff’s provision of a seemingly innocuous piece of information as to the identity of her physician could be taken as implied authorisation to the disclosure by the defendant physician of highly personal medical details is surprising. In any case, the psychiatrist would have been required to disclose to the plaintiff beforehand the purpose of asking for the identity of her physician, whether that was under Principle 3(1)(b) of the Privacy Act or Rule 3(1)(b) of the Code.[13] Even if the psychiatrist had not been required to inform the plaintiff of his specific purpose in collecting the information, one would have thought that at least from a clinical perspective he ought to have done so, given that there were grounds for suspecting that the plaintiff had psychiatric difficulties (the eventual diagnosis was that the plaintiff was suffering from a chronic paranoid and delusional disorder).

In L v L,[14] which dealt with another complaint concerning the disclosure of health information in breach of rule 11 of the Health Information Privacy Code, the Tribunal found that the defendant surgeon had implied authorisation to disclose information to the patient’s husband after an operation. This was on the basis of the previous conduct of the parties.

The plaintiff had had a doctor/patient relationship with the defendant over some eight years, during which time she underwent a number of procedures and operations. In relation to the circumstances in question, the plaintiff completed the hospital admission form in the defendant’s rooms, filling out the next-of-kin details, but omitting the part of the form which requested details of the person to be contacted after the operation. The plaintiff maintained that this omission was deliberate, as she did not want her husband to be contacted with details of the operation. After admission to the hospital, details of the person to be contacted were completed on the hospital admission forms and post surgery contact list, but the plaintiff maintained that this was not on her instructions. In the event, the contact details for the plaintiff (her husband’s name and home telephone number) were contained on a contact list of patients that was taped on the wall next to a telephone in the operating theatre. In accordance with usual practice, the defendant, who performed the operation on the plaintiff, telephoned the plaintiff’s husband to confirm that the operation had been completed and to advise on the plaintiff’s condition. Later in the day, further emergency surgery was necessary on the plaintiff, and the defendant once again telephoned the husband. The defendant maintained that the plaintiff was aware of this, but did not protest at the time.

In the result, the Tribunal found that the defendant’s usual practice was to contact the plaintiff’s husband after surgery; the plaintiff was aware of this practice; the plaintiff was normally forthright about her instructions; and that if an instruction countermanding the usual practice had been given, the defendant would have complied with it. Moreover, the documentation completed by hospital staff in respect of the plaintiff on the day in question did not record that no contact was to be made with the plaintiff’s husband.

Although on appeal the High Court quashed the Tribunal’s decision in L v L on the grounds of error of law and breach of the principles of natural justice, on rehearing the matter the Court came to the same conclusion on the facts.[15] The High Court found that the respondent surgeon reasonably believed that she was authorised by the appellant to advise her husband that an urgent problem developed following the operation. The Court found that this belief had a reasonable basis for the following reasons.

The respondent had performed a number of operations on the appellant previously, and the invariable practice was to telephone the appellant’s husband after the operation. The appellant was aware of this practice and had never objected to it. The Court commented that ‘[t]he appellant’s acquiescence in this practice is illustrated by her acceptance of the propriety of the respondent’s first telephone call’ to inform the husband that the operation had gone well.[16]

The evidence indicated that the appellant had instructed the respondent’s nurse not to discuss the surgery with the appellant’s husband only before the operation, so that he would not attempt to stop the operation. Once the operation took place, this instruction was ‘spent’.

The evidence indicated that there was no unequivocal direct instruction to the respondent not to communicate with the appellant’s husband after the operation was completed.

The respondent was informed that the husband had been nominated on the appellant’s admission form as a contact person in respect of the operation. For present purposes, it was immaterial whether it was the appellant or a hospital staff member who indicated this. The issue here was whether the respondent had a reasonable belief that the husband was a contact person, and this was indicated on the contact list given to her by hospital staff. The nomination of the husband as a contact person was consistent with previous occasions when the appellant had undergone surgery.

The case law, therefore, indicates that ‘authorisation’ can indeed be implied or inferred. Were the position otherwise, it is likely that there would be many technical breaches of the information privacy principles.

What is the proper role of the Privacy Commissioner in Tribunal proceedings?

In L v L, the High Court noted that ‘remarkably’, counsel for the Privacy Commissioner apparently bore the burden of cross-examining the respondent in the Tribunal hearing.[17] The Court commented that ‘[h]e might have been expected to play a neutral role’.

In New Zealand, once the Privacy Commissioner has investigated a complaint, or where conciliation has not resulted in a settlement, the matter may be referred to the Director of Human Rights Proceedings to decide whether the matter should be pursued in Tribunal.[18] Alternatively, the aggrieved individual may bring proceedings himself or herself if the Privacy Commissioner or the Director of Human Rights Proceedings is of the opinion that the complaint does not have substance or the matter ought not to be proceeded with, or the Director of Human Rights Proceedings declines to take proceedings.[19]

The Director of Human Rights Proceedings (called the ‘Proceedings Commissioner’ before 1 January 2002) has taken on a mere handful of Privacy Act cases since the enactment of the Act in 1993; only five cases have proceeded to a hearing. The cases taken by aggrieved individuals themselves therefore tend not to be the strongest cases,[20] or else generally deal with relatively minor complaints. Nevertheless, the Privacy Commissioner is invariably represented in these hearings and takes an active role in the proceedings, although, strictly speaking, he is not a party to them. Where the complainant is not legally represented (as is often the case), the role played by the Privacy Commissioner’s representative may appear to be greater than thought appropriate by other actors in the proceedings.

Although one can merely speculate on the matter, there is some anecdotal indication that the Privacy Commissioner’s role in proceedings can be galling for the parties. The plaintiff may feel that if the Privacy Commissioner or Director of Human Rights Proceedings did not think the matter sufficiently worthy to be proceeded with, placing the burden of running the case on the complainant, why is the Privacy Commissioner continuing to be actively involved in the matter? On the other side, the respondent may feel it unfair that the Privacy Commissioner is taking a position against them after having already decided not to refer the case to the Director of Human Rights Proceedings. In short, having abandoned the plaintiff to his or her own devices, and having left the respondent feeling that they were now in the clear, the parties are now faced with the active involvement of the Privacy Commissioner in the proceedings, and with an extra set of submissions with which to deal. While the contribution of the Privacy Commissioner is undoubtedly valuable and important from a legal point of view to the quality of argument in the proceedings, this will be of little comfort to the party whose case is not assisted by the Privacy Commissioner’s participation.

The nature of the role to be played by the Privacy Commissioner in Tribunal proceedings is thus contentious. The point had already been indirectly raised by the Tribunal in its costs decision in W v Christchurch Casinos Ltd,[21] where the Tribunal noted that the defendant objected to the Privacy Commissioner’s submissions on costs in the matter. Those submissions were said to have actively opposed the defendant’s application for costs ‘in a manner that might be expected of an advocate for the plaintiff’. The defendant in that case contended that this was ‘inconsistent with the neutral role’ it thought the Commissioner should play in such proceedings. The Tribunal did not comment on this submission, though by singling it out for mention in an otherwise brief decision the Tribunal implied that there was some force to it.

Against Tribunal and Court disapproval of the Privacy Commissioner’s active or partisan role in proceedings must be balanced the relevant provisions in the Privacy Act itself. Section 86(2) (which applies to the Privacy Commissioner via s 86(5))[22] provides that in any Privacy Act proceedings, whether or not he is a party to those proceedings,[23] the Director of Human Rights Proceedings has the right:

(a) To call evidence on any matter (including evidence in rebuttal) that should be taken into account in the proceedings:

(b) To examine, cross-examine, and re-examine witnesses, —

but shall have no greater rights than parties to the proceedings in respect of the calling of evidence or evidence in rebuttal, or in respect of the examination, cross-examination, and re-examination of witnesses.

The Privacy Commissioner thus has the express right to cross-examine witnesses, which should at least answer the High Court’s remarks in L v L.

In relation to the making of submissions, the Privacy Commissioner is undoubtedly entitled to do so on matters of privacy law. Accordingly, it will be inevitable that the office will not be ‘neutral’ if such submissions happen to favour the case of one party over the other.

The comments on lack of neutrality in both the Christchurch Casinos case and L v L concerned situations where the Privacy Commissioner’s role was perceived to be more akin to that of a legal advocate than that of an amicus curiae. Section 86(2), however, indicates that the Privacy Commissioner can assume a role that is somewhat more active than that of a conventional amicus curiae, and perhaps this is the source of misunderstanding.

Can the ‘collection’ of personal information be a passive activity?

The term ‘collect’ is a key concept in information privacy principles 1 to 4, which deal with the collection of personal information. Section 2 of the Act provides that the term ‘does not include the receipt of unsolicited information’. In the drafting instructions for the original Bill,[24] the term ‘collect’ was defined as including ‘solicit, and the taking of any other action by the agency to get personal information into its possession from outside the agency’. This definition, however, was not finally carried over into the legislation.

The term ‘collect’ implies an active as opposed to a passive activity. There may, however, be grey areas. For example, where the existence of a customer service or complaints department is brought to the general notice of customers, is information obtained through this means ‘collected’, or is it unsolicited, and therefore not subject to principles 1 to 4?

Case No 19740,[25] discussed above in relation to the issue of implied authorisation, is arguably an example of such a ‘passive’ collection of personal information. The complainant had completed a job application form that asked for the nomination of referees. The complainant completed the form, and understood from it that only these nominated referees (or persons nominated in turn by them) would be contacted. However, she also attached to the application a reference from a former employer, and the department contacted this person as well.

The Privacy Commissioner formed the view that principle 3 had been breached, as the complainant had not authorised the contact with her former employer. The department unsuccessfully contended that the material sent by the complainant was unsolicited information, and therefore was not subject to the requirements of principle 3 as it was not ‘collected’ in terms of the s 2 definition. The Privacy Commissioner, however, did not accept this argument:

The woman did not speculatively submit the application form and her curriculum vitae. She supplied it in accordance with the advertisement, which indicated that applicants should use the Department’s form. It did not advise applicants that they must only use that form, merely that the minimum method of application was completion of the form. It does not follow that any additional information supplied constituted ‘unsolicited material’. The application form itself indicated in the ‘Notes for Applicant’ that a curriculum vitae containing additional information should be attached.

Accordingly, the information sent of the complainant’s own volition was ‘collected’ in the circumstances, and did not comprise unsolicited material. It follows that if the department’s advertisement had not been so open-ended, but specified precisely what was to be sent with an application, the material would have been ‘unsolicited information’. To apply the reasoning of this case to the hypothetical customer service/complaints department example posited above, any information obtained from a customer that related to customer service or a complaint would be ‘collected’, but any additional information that was not relevant to that purpose (for example, mere gossip about an employee) would be ‘unsolicited information’.

Paul Roth is Associate Professor in the Faculty of Law at the University of Otago, New Zealand, and a member of the PLPR Editorial Board. He is currently on sabbatical at the University of Melbourne.

[1] High Court, Auckland, AP95-SW01, 31 May 2002, Harrison J.

[2] May 2002.

[3] Principle 2(2)(b) (Source of personal information); principle 3(4)(a) (Collection of information from subject); principle 10(b) (Limits on use of personal information); and principle 11(d) (Limits on disclosure of personal information).

[4] Section 6.

[5] November 1996.

[6] ‘Legal Framework surrounding Ministerial Release of Personal Details in Matters of Public Controversy’ Report by the Privacy Commissioner to the Minister of Justice, 2 November 1995 (reprinted in Privacy: New Zealand: A Compilation of Materials on the Privacy Act 1993 and the Office of the Privacy Commissioner, vol 5 (September 1995-April 1996), pp 38-44).

[7] As above, para 2.2.

[8] ‘Hints on job references’ Private Word No 10 October 1996, p 2.

[9] May 2002.

[10] Known as the ‘Human Rights Review Tribunal’ since 1 January 2002.

[11] [1999] NZCRT 9; (1999) 5 HRNZ 616.

[12] At 623.

[13] The identity of the plaintiff’s physician may not have been ‘health information’ in terms of cl 4(1)(a) of the Code, as the information was not information about the plaintiff’s health or medical history per se, unless it could be classed as information about health services that had been provided to her (cl 4(1)(c)).

[14] Decision No 15/2001, 26 July 2001.

[15] L v L High Court, Auckland, AP95-SW01, 31 May 2002.

[16] At para 76(a).

[17] At para 64.

[18] See s 77(2) and s 82(2).

[19] Section 83.

[20] This does not necessarily mean that they invariably lose. Indeed, the highest award of damages under the Privacy Act ($20,000) was made in a case that had to be brought by the aggrieved individual himself: L v N (1997) 3 HRNZ 721 (Decision No 11/97).

[21] Decision No 2/2002, 28 February 2002.

[22] Section 86(5) provides that:

The Privacy Commissioner may appear and be heard in any proceedings in which the Director of Human Rights Proceedings would be entitled to appear and be heard under this section but declines to do so, and, where the Privacy Commissioner so appears, the provisions of this section shall apply accordingly with all necessary modifications.

[23] Section 86(1).

[24] Privacy of Information Bill: Directions Report to the Minister of Justice, 23 October 1992.

[25] May 2002.
