Privacy Law and Policy Reporter
Periodically, the Privacy Commissioner issues case notes giving details of some of the matters dealt with by the Office. The case notes appear a few times per year. They are put up on the Commissioner’s own website at <www.privacy.org.nz> and are also now listed on the Austlii website at <www.austlii.edu.au/nz/cases/NZPrivCmr>. The Commissioner’s Office has also published a compilation of case notes from July 1993 to December 2001 in hard copy form. This volume is well indexed, which is very helpful in finding notes on particular topics ,or sections, or involving particular types of agency. The search functions on the websites also work reasonably well.
This means that the case notes are reasonably easily accessible. This is important. They represent a sample of work completed by the Office of the Privacy Commissioner which is not otherwise in the public domain, given the necessary confidentiality within which the Office works. While having no force of law, the case notes are useful indicators of the way in which certain matters have been dealt with. As the Commissioner says:
[Issuing a case note] can be useful to illustrate the Commissioner’s opinion about how an information privacy principle applied in an actual fact situation. It might also draw attention to the need to be aware of the privacy interest that can arise in an industry or activity.
In essence, publishing case notes ,is an important way in which the Commissioner can fulfil his educative function under s 13(1)(a) of the Privacy Act 1993 (NZ) (the Act). Given the volume of complaints before the Commissioner’s office, it is therefore somewhat surprising that there are so few case notes (150 published to date, in the decade since the Act came into force). There are various reasons for this. Some complaints of course will not raise particularly ‘legal’ issues which are capable of giving much guidance, some are repetitive of previously published material, some will not in any way fall within the jurisdiction of the legislation, and ,some would not be capable of being anonymised in the way necessary to protect the parties. Even leaving those aside, however, there must be a fair body of examples which might be of assistance in addition to the ones actually selected. Most probably the problem is a resourcing one; there is only so much time available to write ,up the material in the way necessary for publication. Perhaps there is also a desire to avoid information overload. I would suggest, however, that the more information is accessible, and easily searchable, the better the educative function of the Commissioner’s office will be fulfilled. I would therefore encourage the Commissioner to seriously consider publication of ,case notes in greater numbers and ,even more regularly. It may also ,be possible to draw attention to ,them more pro-actively (though ,others of us could also do more towards this goal!).
In line with the desire for greater accessibility of information, however, ,a method needs to be found to ensure that the information is better indexed. As mentioned, the hard copy version ,of the case notes works well in this respect. It is, however, just one volume of relevant information in interpreting the statute. The best way to improve public accessibility, perhaps, would be to have the text of the case notes and also, with permission, the decisions of the Complaints Review/Human Rights Review Tribunals and the courts hyperlinked in the appropriate ,sections in an electronic version of the legislation on the website. This might be fairly expensive (and relies on having electronic copies of the Tribunal cases available), but might well be justifiable in providing much greater access to the interpretive material. Non-lawyers would then more easily ,be able to draw conclusions about what the legislation means in any ,given instance without having to trawl through unfamiliar research materials. This is particularly important given that the Commissioner’s recommendations in the Review of the Privacy Act (especially those dealing with restructuring) have so far not been implemented by Parliament. Naturally, if Paul Roth’s commentary from ‘Privacy Law and Practice’ were available in the same way — though presumably only to paying licensees — this would be more useful still.
The case notes, of course, vary enormously in the scope of matters they cover. Probably the most famous, and certainly most influential case note to date, is 0632 from 1995. This was the case involving a dispute over video monitoring of a locker room by an employer. The brief but thorough note indicated some of the factors which are going to be most important in deciding whether video surveillance breaches the Act or not: whether there is an audio function on the equipment, whether the room is used for employees to change their clothes, whether the camera rotates, what the exact reason was for the surveillance, whether there were other viable methods of finding the information sought, the level to which the surveillance was targeted so innocent parties were protected and ,so on. In any situation involving surveillance, this case note provides ,a clear and useful springboard for comparison and discussion. It is therefore an illustration of how the case note system can work at its best.
It remains to be seen whether any of the more recent case notes will have the same level of importance. However, some of them raise interesting legal issues. Below, I give a few examples ,of the most recent cases. The first — which I discuss in depth — raises some problems with the application of the law, not of the Act itself but of the relationship between the Act and the Bill of Rights Act 1990 (BORA). This might lead to some undesirable confusion especially among those wishing to give complainants advice. ,It also raises some other interesting points, one of which indicates a divergence of opinion between the Commissioner and the Tribunal. The other cases (mentioned much more briefly) are more legally innocuous, ,but raise some interesting matters for future application.
Elders of a church who had been providing marriage counselling for the pastor read a statement at a public meeting of the church congregation. The statement gave considerable details about the couple’s difficulties (some of which were arguably inaccurate), and asked for the prayers of the congregation.
The Commissioner did not need to form an opinion in the finish, as the parties reached a settlement once he informed the elders that the church ,was an agency under the Act, that the BORA did not override the Act in this regard, and that disclosure to members of the congregation was still a disclosure in terms of Information Privacy Principle (IPP) 11.
The fact that the church as a formal entity is an agency is an uncont-roversial proposition to those who are familiar with the Act. However, the width of the ‘agency’ definition may still come as a surprise to groups of people who are not in business, are not corporate in structure, and are not involved in government agencies. It may never have crossed the mind of the elders of the church that they were required to comply with the Act at all. At first glance, a church seems to involve a very diverse group of people, tied together in a much more flexible way than would usually be contemplated by the term ‘agency’. However, the Act is not at all rigid in its interpretation of what body of persons can be an agency, and extends to groupings such as churches as well as other unincorporated bodies, such as, for example, sports clubs or choirs. At least the latter tend to have some form of legal identity, however, frequently as unincorporated societies. A church may look more legally akin to a support group and is even more open to confusion. The Commissioner’s interpretation is therefore important in indicating to less formalised groupings of people the need to take care when handling personal information.
Similar problems have arisen before, with church ministers unsure whether the Act allows them to mention to the congregation the fact that a person is in hospital, for example. Some ministers have chosen to be very risk averse. A certain amount of common sense seems in order here, though. In most instances, it is perfectly acceptable under the legislation to give information about a person’s general health condition, as long as the patient has not indicated that there is any particular difficulty with that. Gruesome medical details are, however, unnecessary for the purpose of encouraging prayers and support. Focusing on the purpose of imparting the information should in itself be an adequate indicator of how far one can go. Ministers, as with other responsible persons, should generally be able to make that call adequately. Thus, the Act and general sensitivities as to what is acceptable are completely in tune. Here, though, the elders appeared ,to go a long way beyond what would generally be thought of as acceptable ,in any case. Potentially very sensitive personal information was released, which the pastor could have reasonably expected would be kept entirely within the counselling relationship.
The Commissioner was also confident that, despite the information being released to the church attendees, therefore arguably released within the agency itself, there was a disclosure in terms of IPP 11 to which no exception applied. As the Commissioner mentioned, the Complaints ,Review Tribunal suggested in KEH and PH v Chief Executive Department of Work and Income that disclosure by an agency to another person within the agency was not a disclosure in terms of IPP 11. The Tribunal stated that:
We do not accept that IPP 11 applies to a disclosure made within the defendant organisation. A breach of this provision is dependent upon the disclosure of information by the agency to another agency or person. Officers of the defendant are part of the defendant agency and should not be regarded as separate from it for some purposes. Information to which the Act applies held by officers of the defendant in that capacity is deemed, pursuant to s 3(1) ,of the Act, to be held by the defendant. Agencies such as the defendant would not be able to operate effectively if staff members were unable to communicate personal information about other individuals (including clients and customers) to other staff members if their communications were caught by IPP 11.
The Commissioner said he did not consider himself bound by that statement as it was ‘obiter’. This is probably not the case — while there were other reasons for the decision in KEH that no information about the plaintiff son was disclosed, it was certainly material that his sister in law, a staff member of the agency, was given the information by other staff members of the agency. The Tribunal’s statement is therefore directly on ,point in that case.
There are, however, material fact differences between KEH and the church elders’ situation which mean that a Commissioner who disagrees with the finding is not obliged to follow it in this instance. Principally, members of the church congregation would usually not be seen as caught ,by s 3(1) if they held personal information. It is only if they were officers of the church — that is, in this case, elders of the church, or others holding management positions — that,s 3(1) would be appropriate. Section 3(1) does not therefore help here to establish that disclosing information ,to the congregation, oblivious to the purpose for which the information was collected, should be seen as exempt from IPP 11. The Tribunal’s reasoning may possibly serve to allow the elders to discuss the pastor’s difficulties among themselves freely and frankly, with a view to making decisions on behalf of the church. That type of communication would be justified by its ‘need to know’ basis. It is a far cry from that, however, to saying that officers involved with an organisation such as a church can divulge personal information to other members who do not have the same valid reason for knowing it. I therefore suggest that the Commissioner was correct to read down the Tribunal’s statement. If taken too widely, it would seriously impact on the focus of the Act on purpose of collection. I hope that the Human Rights Review Tribunal will at some stage soon get the opportunity to clarify the earlier Tribunal’s statement.
From an academic viewpoint, the most interesting aspect of the case ,note is the Commissioner’s use of the BORA. The church apparently quoted ,s 6 of the BORA, which states that ‘whenever an enactment can be given ,a meaning that is consistent with the rights and freedoms contained in this Bill of Rights, that meaning shall be preferred to any other meaning’. Instead of considering this, however, the Privacy Commissioner went straight to the override provision in s 4 of the BORA, which states that in cases where another enactment contains a provision inconsistent with the BORA, courts shall not decline to apply the provision by reason only that the provision is inconsistent with the BORA.
The Privacy Commissioner is not, ,of course, a ‘court’ as such. However, in the exercise of his powers under statute, he arguably must comply with the BORA as a body exercising public functions under s 3. Certainly, where ,a party complaining to his office may have recourse to a judicial body, in the form of the Human Rights Review Tribunal, which is certainly bound by the BORA, it is wise in any case to ensure that his practices comply. In ,this particular instance, however, the Commissioner appears to have taken ,a wrong interpretation of the BORA.
The substance of the argument is that the church was contending that the BORA gave it the freedom to do as it wanted vis a vis prayers within church meetings without interference from ,the Privacy Commissioner. The Commissioner, on the other hand, appeared to be arguing that there was an inconsistency between the Act and the freedom against discrimination provision in s 15. This was a battle which the Act would win, because of ,s 4 of the BORA and the Act would ,not allow the dissemination of this information in this way.
It is rather strange that the Commissioner did not address the issue as to whether giving information of this type in prayers to a wider church congregation is in fact an exercise of freedom of religion at all under s 15 ,of the BORA. There is no evidence ,that breaching the confidentiality of information given in some type of counselling relationship would normally come within the practices of the denomination in question. Perhaps the Commissioner did not want to buy into an argument on what was and was not a matter of religious practice. In addition, the church had also mentioned freedom of expression, which is a claim that would perhaps more naturally fit the statements in question.
Even if this situation were seen as an aspect of freedom of religion, which is possible when one leaves aside initially the rightness or wrongness of the particular content of the disclosures, the Commissioner has then not gone on to consider the issue in the way suggested to date by the courts and by scholars in the Bill of Rights area. The courts have consistently taken the view that s 4 of the BORA is not the first port of call, though of course it binds the hands ,of the courts in true cases of inconsistency. Fairly early cases such as the key ‘right to legal advice’ case ,of Ministry of Transport v Noort, ,and later cases including the seminal censorship decision in Moonen, have stressed the role of ss 5 and 6. The Commissioner’s approach is at odds with this. It is also highly surprising that the Commissioner assumed an inconsistency existed without any argument to support such a finding.
It is all the more surprising that the Commissioner should get it wrong given that there is a markedly similar provision in the Act itself, in the form of s 7 — a section which allows other enactments to override the Act in cases of inconsistency. The Commissioner has always appeared to construe this section liberally to give the maximum possible effect to the Act provisions while ,at the same time respecting clear Parliamentary intention as to information handling practices in particular legislative contexts. A similar exercise is required under s 6 of the BORA — if there is a reasonable interpretation of the legislation which accords with the right in question, together with any demonstrably justified limitations on that right, then the legislation bears that meaning.
It is evident that the anti-discrimination provisions of the BORA and the principles in the Act are not necessarily at odds. Nothing in the ,IPP are directly and unambiguously contrary to the rights of elders in a church congregation to pray for the sick or others in need, or otherwise to run services in accordance with the tenets of that particular religion. It would be very strange if this were seen as being the case — both the BORA and the Act ,are, after all, human rights documents and are stated in fairly general terms (particularly the former, but also the latter with its ‘principle’ format). They should be seen to complement one another rather than cutting across one another. Section 4 is therefore not in issue at all, and the Commissioner’s emphasis on it gives, I believe, an unhelpful indication that privacy might be seen as superior in some ways to other rights, rather than part of the same fabric of human rights.
Instead, the starting point — once one has analysed what the right of freedom of religion or freedom of expression entail — is to consider what necessary limitations must be placed upon those rights — that is, s 5 of the BORA needs to be considered. The rights should be limited to the least extent possible — limitations should be necessary in themselves and also proportionate to the interest being recognised. Privacy requirements, as reflected in the Act’s principles, provide justification for intruding upon freedom of religion to some extent. Churches should not be forbidden from praying for members of their congregations. A certain amount of basic information might be required to fulfil that task as indicated above. This would indicate an appropriate balance between the rights is perfectly achievable: a s 5 analysis enables that to be done most neatly. However, here the circumstances indicate that the elders went a great deal further than that, and seriously breached the trust of the pastor. It is highly likely, therefore, that on a correct application the law the Commissioner — or the Tribunal, had it gone that far — would still have been perfectly entitled to decide that the church was in breach of the Act. ,Such a decision would be completely ,in accordance with Bill of Rights concerns.
I would argue therefore that case note 18541 came to the correct conclusion, but in a way which could be confusing for later agencies and complainants wishing to know what the relationship between the BORA and the Act entails. A clear statement from the courts will undoubtedly be required at some stage, but in the meantime, any case notes raising the point need to be tackled rather differently to be helpful.
The other recently released case notes raise few eyebrows in contrast. Here is ,a brief selection.
A file summary about a man’s Accident Compensation Commission (ACC) claims was sent to two rehabilitation agencies. As well as details of his injuries and so on, the summary contained information about administrative and family matters, including financial details, which was not relevant to the rehabilitation process. Disclosure of the irrelevant information was therefore not one of the purposes for which the information was held and no other exceptions to Rule 11 of the Health Code applied. The ACC accepted this finding.
The Commissioner accepted the ,man’s claim that he had suffered embarrassment as a result, and that he had had to change his doctor after his doctor became aware of the irrelevant information. This was sufficient harm in terms of s 66 to mean that the ACC’s actions had been an interference with his privacy. The Commissioner did not accept, however, that the man’s arrest for trespass after an altercation at the ACC office (not solely related to the disclosure) nor stress suffered during an operation in hospital were sufficiently linked with the disclosure to amount ,to an interference with privacy.
The case illustrates how careful agencies have to be with their records management. It is essential to keep the purpose of what is to be achieved firmly in mind. Much of the ACC’s business is geared to a policy of rehabilitation. It should usually be fairly obvious what is and what is not required to fulfil that aim. An intelligent rather than mechanical approach to information collection, handling ,and dissemination based on a clear understanding of why it is being done ,is essential to building trust with applicants and ultimately achieving rehabilitative goals. This is especially necessary when the volume of information collected may well be enormous, as with agencies such as the ACC. A proper initial sorting system for information would seem to be vital.
A woman applied to a Legal Services Committee for a revision of her legal costs in relation to her legal aid claim. The Committee sent its decision to the firm of solicitors and to her barrister ,as well as to the woman herself. She claimed that this disclosure had breached her privacy.
The Commissioner again applied the exception in IPP 11 that information can be disclosed if that is one of the purposes for which it was given or is in connection with that purpose. He traced through the steps which barristers and solicitors take to apply for, and deal with, legal aid on behalf of their clients and concluded that, given their connection with the process throughout, disclosure to the lawyers involved was not a breach of IPP 11.
This conclusion is uncontroversial. Surely even someone unfamiliar with legal procedures would generally expect the cost revision committee to notify the applicant’s advisers of their findings. They had done all the paperwork to date on the matter, and, moreover, may well have been the subject of the complaint. The only strange thing about this complaint is that it got to the stage of requiring a provisional opinion at all. It is, however, another example ,of the key role which the concept of purpose plays in the Act, and the misunderstandings which can follow where people believe there is an overriding need for consent — presumably the core of the woman’s complaint here.
The complainant had at one stage written an article which led a Ministry to request a police investigation into whether there had been a misuse of official information. It also conducted its own complaint. The complainant requested access to all personal information which the Ministry held ,on her. The Ministry, however, stated that it did not hold any personal information, including information about the investigation.
Since investigations usually give rise to some form of information being held by an agency, the Commissioner was understandably sceptical about the Ministry’s claim, and decided to look into the matter further. There was indeed no documented information about the investigation. However, the staff involved were able to remember enough that the Ministry could give the Commissioner a summary of what had occurred.
The Commissioner reiterated his consistent view, which has been upheld by the Complaints Review Tribunal, that information held in someone’s memory is still personal information held by an agency in terms of the Act. As long as it is readily retrievable, and there are no other withholding grounds, the information must be written down and given to the person concerned upon request.
The decisions of the Commissioner and the Complaints Review Tribunal ,in this regard, supported by earlier indications from the Ombudsman about non-documentary information, are, one would have thought, so well known by now that it is slightly alarming that the Ministry would have withheld the information on these grounds.
The ‘defendant’ company had apparently had a series of misfortunes which required it to improve its security procedures. First, it received a bomb threat, which had led to a loss in production of about $100,000 and the hassle of site evacuation. The police ,had advised the company to improve its security measures as a result of this. It also had some problems with employees using drugs and alcohol in situations where heavy machinery was operated. There had been threats of violence, and the company wanted to ensure that no weapons were brought to work. Finally, there had been thefts of company property over some years. The company therefore decided to institute a search policy: a security guard was to inspect all bags coming into and out of the site, and also to check all vehicles entering and leaving. The union complained ,that this was contrary to employment contract provisions which stated that company personnel ‘shall not search cars, lockers, bags or any other items belonging to an employee without his or her consent and in his/her presence’. The union claimed breaches of IPPs 1 and 4.
The Commissioner agreed with the company that part of its function was to ensure the security of its property, its staff’s property and staff safety. All the problems listed above compromised that function. The company also had to show, however, that the searches — during which information could be collected — were necessary for that purpose. Since there had been no further serious threats to employees ,on site after introduction of the search policy, the company said it would discontinue the inspections of incoming bags and cars, and would only reintroduce them if it became necessary once again.
Searches of bags and cars leaving the site was still necessary, however, in order to secure company and staff property — a view supported by the Commissioner. The Commissioner’s view was that the policy should be modified so that handbags were not searched, since they were incapable of carrying the sort of property which was usually stolen (such as laptop computers or scales). The company accepted this. Other searches did not involve rummaging among a person’s private belongings — a cursory look was all that was needed. More detailed searches would be conducted on suspicion, and with the appropriate notification and consent as required by the contract. This factored into the finding that ,there was no breach of IPP 4.
There was no direct discussion — since this is outside the Commissioner’s jurisdiction — about whether the policy as modified still amounted to a breach of the employment contract. It is hard to conclude without knowing more, but from the part of the contract quoted, ,it does look as if this amounts to an attempt to unilaterally vary a material term. Notifying staff and visitors of ,the change of policy, in the way the company appeared to do, would be sufficient to change the house rules applying to a workplace. It is not enough, however, to change the terms of the contract itself. That was a matter which should have been negotiated with the union. If, as it appears, the search policy was actually reasonable, the parameters of the variation should have been able to be negotiated fairly easily.
A woman was placed on the unpublished electoral roll because she was concerned for her safety. She had ,a temporary protection order in her favour against the complainant. This man wrote to the Electoral Enrolment Centre (EEC) stating that she should ,not be on the unpublished roll as the protection order had expired. The EEC checked with the woman, who provided further information supporting her claim to remain on the unpublished roll. The man requested access to the information she used to support her claim. The ,EEC refused on the grounds that the information would be an unwarranted disclosure of another individual’s affairs. The man complained to the Commissioner, who stated that the ,EEC was justified in withholding most of the information on this ground.
In doing so, he referred back to the second Complaints Review Tribunal case of O v N, which discussed the meaning of s 29(1)(a). The section requires the balancing of the requester’s very strong rights of access to his or ,her own personal information with the privacy rights of other individuals. Fear of causing mere embarrassment, the Tribunal has said, is not enough to make the disclosure unwarranted.
The requester already had knowledge of some of the factual information held by the EEC. The Commissioner decided there was no reason for refusing access to this information, and that the EEC should give it to him in summary form. This was done. It is worth bearing in mind, however, that confirmation of information held might in some circumstances actually lead to harm ,to the information subject.
The Commissioner did not spell out exactly why s 29(1)(a) applied to the rest of the information. However, on the facts as given, it clearly does so. It was reasonable of the EEC to conclude that there was a risk disclosure would be unwarranted. There had been a protection order in the woman’s favour, and ongoing circumstances were obviously sufficient to satisfy the EEC that staying on the unpublished roll was advisable. There might even have been a threat to the woman’s safety, though s 27(1)(d) was not apparently pleaded. This might be because that section requires there to be a likelihood of physical harm. Likelihood of emotional harm, for example by harassment, is insufficient for this withholding ground. This seems a surprisingly narrow definition of ‘safety’, especially given common law and statute’s recent moves to proper recognition of psychological harm, not just physical harm. However, in many instances (including perhaps in this case) s 29(1)(a) can actually serve ,to close this loophole. Likelihood of harassment is something which can obviously be taken into account when considering whether granting access ,will involve an unwarranted disclosure of another’s affairs.
A husband and wife had a credit card account with a bank. There was a dispute between them and the bank about the account and it was closed. The bank referred the outstanding amount to a credit reporting agency, citing both husband and wife as liable for the debt. The debt was cleared, and the bank notified the credit reporter. However, the credit reporter only deleted the record of the husband’s default. The wife was therefore still listed as a debtor. This caused considerable problems when the couple applied for a loan to another bank. ,The application was declined.
The Commissioner decided that the bank itself was not in breach of any privacy principles. The information passed to the credit reporter was allowed to be disclosed, in that the couple were jointly and severally liable for the debt. Passing information in the case of default to a credit reporting agency was within the purposes of collecting the information and so IPP 11(a) applied. The bank took ,all steps reasonable to correct the information on file by notifying the credit reporter that the debt was paid. It had requested that the debt be removed from both names. IPP 7 does not require an agency to check that the request has actually been carried out.
This must be correct. Such a requirement would place considerable additional burdens on agencies, leading to very considerable compliance costs in many instances. Since Parliament did not specify directly in IPP 7 that this is a requirement, an interpreter should therefore be very slow to state that it can be implied from the wording. The Commissioner has certainly not been prepared to do so. This seems wise in light of the provisions of s 14(a) which require him to bear in mind the legitimate interests of business.
The Commissioner also said there was no breach of IPP 8 as the bank had not used ‘the information in question’ and did not hold ‘the default information’. This looks slightly confusing on its face. The bank did hold the default information. Moreover, it had used it in order to contact the credit agency and then to correct the record once the debt was paid. The main point under IPP 8 is surely that the bank at all stages took such steps ,as were reasonable to ensure that the information was accurate before it ,used it. What the Commissioner was obviously meaning to refer to is that ,it was not the bank that actually used the inaccurate information.
This case illustrates the difficulty that some complainants face in isolating exactly where a fault has occurred. It is unsurprising that the couple here chose to complain against the bank. However, the bank had in fact done everything right and the problem lay elsewhere. If, as it appears, the Commissioner had got to the stage of issuing an opinion on the matter, however, this indicates that a considerable amount of time had elapsed — given the queue for full investigation of matters in the Commissioner’s office — before the couple were made aware they were pursuing the wrong person. This would be extremely frustrating for them. ,This example might indicate a need to further support the Office’s initiative to manage complaints at an early stage to enable reasonably straightforward complaints to be dealt with more swiftly. In this particular case, though, ,it is entirely conceivable that a full investigation was required in order to find out exactly who was responsible for the mistakes made. If this is so, ,only significant boosting of the Commissioner’s resources, to reduce the queue for consideration of complaints, will actually serve to give complainants the information they need at the time when they need it.
Katrine Evans, Faculty of Law, ,Victoria University of Wellington.
 This is also the case for the Commissioner’s opinions: see the standard statement by the Privacy Commissioner at the front of the compilation volume of case notes: ,‘The Commissioner can investigate a complaint and form an opinion about whether there has been an interference with the privacy of an individual. He does not give a decision. Nor does his opinion bind anyone.’
 No casenotes were published ,at all in 2000, for example.
 Case Notes: July 1993 to December 2001 Office of the Privacy Commissioner Auckland 2002 13-14.
 Also famous and useful, but much more controversial, is the case note dealing with a charge nurse (Neil Pugmire) who disclosed information about an arguably highly dangerous patient to an opposition MP (Phil Goff) in an attempt to get a legislative loophole closed. The appropriate governmental authorities had done nothing about the perceived threat. The MP released the patient’s information into the public domain: Case note 2049 (1996), Case Notes p 20-29.
 The settlement took the form of an apology, read out to the church, and payment of the pastor’s legal costs.
 See s 2 of the Privacy Act 1993: ‘Agency’. It covers individuals ,or bodies, public or private sector, corporate or unincorporate, and has only 13 quite narrowly defined exceptions.
 This is indicated within the Health Information Privacy Code itself, Rule 11(1)(e).
 KEH and PH v Chief Executive Department of Work and Income (19 December 2000) Decision No 40/2000, CRT 36/00 and 37/00, 8.
 As above.
 Freedom of expression is protected by s 14 of the BORA, not ,s 13 as the case note states.
 Quilter v Attorney-General  NZFLR 481 (CA).
  3 NZLR 260 (CA).
 Moonen v Film and Literature Board of Review  2 NZLR 9 (CA).
 It is worth noting that, in the Moonen case, Tipping J indicated ,that it is first necessary to decide ,on all possible interpretations of the legislation and that the court should then select the one which placed fewest restrictions (apparently whether demonstrably justifiable or not) upon the right in question. If applied here, this could have the effect of ousting privacy considerations altogether. The point was obiter in Moonen however, and it is also highly dubious whether that was exactly what his Honour meant. It remains to be decided ,by the Court of Appeal exactly ,what s 6 means. One hopes that a straightforward reading of the BORA will ensue that avoids the confusions created by Moonen.
 The width of the consent forms which claimants have to sign allowing the ACC access to doctors’ records is another major concern. Much of this information collected by this method may be entirely irrelevant to the claim. Requiring production of all of it on demand can very seriously undermine the doctor/patient relationship, to the extent that a patient will feel unable to trust any doctor, can cause immense suffering, and can undermine the relationship which the ACC seeks ,to build with the claimant.
 The Commissioner’s provisional opinion was confirmed as final when the complainant failed to respond to it.
 Re application by L: information stored in a person’s memory (1997) 3 HRNZ 716.
 Section 29(1)(a) of the Privacy Act 1993.
 (1996) 3 HRNZ 636 650-651.
 There have been others since, such as Adams v New Zealand Police (12 June 1997) CRT Decision No 16/97 which are arguably rather less confusing than O v N in their reasoning. Be that as it may, however, the main ‘balancing’ test is still probably best stated in that case.
 O v N above note 19 at 651.