Privacy Law and Policy Reporter
Privacy Act 1988 (Cth) — NPP 2.1 — disclosure
Information relating to B’s medical status (which was therefore ‘sensitive information’) was collected from B by his health insurer. A ‘Membership Arrear Payment Notice’ which included his personal details was mistakenly attached to a large number of letters to employers instead of a sample notice containing dummy information.
The apparent breach of NPP 2.1 involved in this disclosure was addressed by the insurance company taking three steps: (1) strengthening checking procedures; (2) advising recipient companies to destroy the information; and (3) taking disciplinary action against the responsible staff member and reminding other staff that privacy breaches may result in disciplinary action. B was satisfied with this. The investigation was closed under s 41(2)(a). l
A v INSURER  PrivCmrA 1
Privacy Act 1988 (Cth) — NPP 1.3 — time of ‘making aware’ of required matters — generality of description of third party recipients
NPP 1.3 requires an organisation to take reasonable steps to ensure an individual is aware of a number of matters ‘at or before’ the time that the organisation collects information from the individual. Here, A was only made aware of some of the required matters when making a claim and reading the insurers’ privacy statement on the claim form. A was not made aware at the time of applying for insurance when the personal information was provided. A complained about this, and about two aspects of the content of the privacy statement on the claim form.
The insurer took steps to address A’s complaints, on the basis of which the Commissioner closed the complaint under s 41(2)(a) on the grounds that the insurer had adequately dealt with the matter.
1. The insurance product in question was bundled with credit card products, so that the individual only dealt with the credit card providers unless and until a claim was made. The insurer agreed to contact the credit card providers to have new terms included in the credit contracts which would give applicants the required advice.
2. The privacy statement said that person information would be disclosed inter alia to ‘other consultants’. The Commissioner’s Office recommended a more specific description be provided. The insurer agreed to provide a list of named consultants on its website, obtainable on request.
3. The privacy statement also stated that by signing the claim form, A consented to the named recipients (including ‘other consultants’) ‘disclosing sensitive information about you’, but did not state to whom they would disclose the information. The form was altered so that it only obtained consent for the insurer to disclose personal information, not for third parties to do so. l
Graham Greeenleaf, General Editor.
(Dec No 4/2002, CRT 50/2001)
Privacy Act 1993 (NZ) — IPP 11(e)(iv)
The plaintiff alleged that the police had disclosed personal information about him to the Family Court, namely information contained in an affidavit from a police officer, a letter written by the plaintiff to his probation officer, details of his criminal history, a summary of facts in relation to charges laid against the plaintiff and the police’s notice of opposition to bail in relation to those charges. This was said to be in breach of IPP 11. The Family Court was due to hear an application from the plaintiff for discharge of the protection order granted under the Domestic Violence Act 1995 against him. In the plaintiff’s view the material supplied by the police was prejudicial to his application, which he understood to be a de novo hearing.
The plaintiff sought to bring proceedings against the NZ Police and the officer who had sworn the affidavit. The proceedings therefore raised an initial question of jurisdiction, as the Privacy Commissioner had not investigated a complaint against the officer. It also raised the question of whether all of the information which had been appended to the affidavit had been ‘disclosed’, given the Court’s ability to access such information directly from its own records.
The defendant accepted that there had been a prima facie disclosure of information but argued that the exception provided at IPP 11(e)(iv) (disclosure necessary to avoid prejudice to the maintenance of the law) applied.
The Tribunal found that only some of the information at issue had been ‘disclosed’ and that the exception under IPP 11(e)(iv) applied to that disclosure. l
YOUNG v DEPARTMENT OF CORRECTIONS NZ COMPLAINTS REVIEW TRIBUNAL
((Dec No 6/2002, CRT 49/2001)
Privacy Act 1993 (NZ) — IPP 11(e)(i), 11(e)(iv), and 11(f)
The proceeding arose out of the disclosure by the defendant to the NZ Police of a letter written by the plaintiff to one of the defendant’s employees, a probation officer. The background to the writing of the letter, and the reasons for that release, are common to this matter and to Young v Police, above.
The defendant accepted that a prima facie disclosure of personal information had occurred but argued that the exceptions provided at IPP 11(e)(i) (disclosure necessary to avoid prejudice to the maintenance of the law), and 11(f) (disclosure necessary to prevent serious/imminent threat to safety of an individual) applied.
There were a number of preliminary jurisdictional issues as a result of the plaintiff having sought to include in his notice matters raising IPP in respect of which no investigation had been conducted by the Privacy Commissioner, and the naming as defendants individuals (including the Privacy Commissioner) who had not been the subject of the Commissioner’s investigation. These matters were able to be resolved in the pre-hearing process by the withdrawal of the additional IPPs and the plaintiff’s acceptance that the proceeding could not include the other persons named as defendants.
The Tribunal found that both exceptions advanced by the defendant applied in the circumstances of the case. l
(Dec No 9/02, HRRT 46/01)
Privacy Act 1993 (NZ) — s 88, IPP 11
The plaintiff alleged that the defendant had disclosed personal information about her to a third party in breach of its own policy to maintain as confidential the names of those who acted as informants regarding animal welfare. The disclosure alleged was said to have been done by means of a confirmation to an inquiry as to the source of information used by the defendant’s officers in conducting an inspection of the third party’s premises and other animal welfare matters.
The defendant accepted that there had been a breach to which no exception applied. The central issue before the Tribunal was therefore whether the plaintiff had suffered any adverse consequences and, if so, whether all the adverse consequences advanced by the plaintiff as grounds for seeking damages were as a result of that disclosure.
The Tribunal found that although the plaintiff had suffered adverse consequences sufficient to meet the requirements of s 66(1)(b), only some of the matters advanced were connected to the disclosure so that in making an award under s 88(1) only certain losses could be compensated.
In awarding a modest amount of damages ($4000) the Tribunal also took into account the defendant’s behaviour, including its early acknowledgement of the breach and the steps it had already taken (by way of personal apologies to the plaintiff from the employees involved) to resolve the matter.
No suppression order was sought by the plaintiff and none was ordered by the Tribunal, despite the underlying issue in the case, namely that disclosure of the plaintiff’s name had the potential to put her at risk should it become generally known in the district that she acted as an informant for this agency and others. l
(Dec No 10/02, HRRT 29/01)
Privacy Act 1993 (NZ) — ss 66, 88, IPPs 6 and 7
The plaintiff alleged that the defendant had failed to comply with its obligations under IPPs 6 and 7 of the Act, in that it had withheld personal information about him which it held, namely personnel and medical records relating to his military service during the Vietnam War, and that it had failed to correct those records (in particular certain medical records) when asked to do so by him.
The defendant denied that it had breached either of these principles but argued that even if it had the plaintiff could not point to any adverse consequences to him as a result of that failure. It argued that the plaintiff, in order to show that there had been an interference with his privacy as a result of any action on its part, would need to satisfy the matters set out in s 66(1)(b)(i)-(iii) of the Act, rather than s 66(2).
The proceedings therefore raised the issue of what an agency’s obligations were in respect of these principles, and what was required to find an interference with an individual’s privacy in respect of an information privacy request (see s 33 definition).
The Tribunal found that the defendant had breached its obligations under IPP 6 in that it had failed to comply with the procedural obligations under Pt V (which attach to IPP 6) and had failed to provide him with access to all the information about him which it held.
In respect of IPP 7 the Tribunal found that the defendant had not caused an interference with the plaintiff’s privacy. Although it was satisfied there had been a general request for correction of certain records, as the defendant was, at the time of the request, unaware that it held the information (which would have enabled it to make the correction sought), it had had no basis to believe the information it acknowledged it held was incorrect and was therefore not obliged to correct its records: IPP 7(2).
The Tribunal also confirmed that the defendant had no obligation under IPP 7(3) to advise the plaintiff of his right to have a statement of the correction sought but not made attached to his record, even though doing so would have been prudent in all the circumstances.
Without resolving the issue under s 66 the Tribunal considered it was able to make an award of damages ($3000) for the interference with the plaintiff’s privacy arising from the improper withholding because it was satisfied that there was evidence of adverse consequences to the plaintiff as a result of that withholding. l
Privacy Act 1993 (NZ) — s 29(1)(b) and 29(3), IPP 6
The plaintiff alleged that the defendant had withheld personal information about him without having had a proper basis under the Act to do so. The information at issue was a reference about the plaintiff supplied to one of the defendant’s operatives, and on which it had based its recommendation that the plaintiff should not be appointed to a position with one of its clients.
The proceedings were initially instituted against the director of the defendant company. During the course of the hearing the plaintiff confirmed that he did not wish to proceed against the director personally but against the company.
The defendant argued that s 29(1)(b) was applicable (information supplied solely for evaluation of individual for employment on the basis of a promise of confidentiality as to the information and the supplier).
The information at issue was supplied in a sealed envelope to the Tribunal and was not opened until after all argument had been heard. An expurgated copy was supplied to the plaintiff in order that argument could be received on the issue of the existence of the promise.
The hearing was obliged to extend into a second day in consequence of the failure of the defendant to call the operative who could speak to the question of whether the elements required to prove the withholding ground existed.
The Tribunal found that the defendant had a proper basis to withhold the information and the name of the supplier. It was satisfied that the information fell within the requirements of s 29(3) (that it be compiled solely for the purposes of determining the suitability of an individual for employment and that it be evaluative or opinion material) and that there was sufficient evidence of a promise of confidentiality in respect of the name of the supplier and the information supplied to find that the ground had been made out.
The decision has been taken on appeal by the plaintiff. l
(Dec No 12/02, HRRT 04/02)
Privacy Act 1993 (NZ) — ss 70, 71 and 82, IPP 11
The plaintiff alleged that an employee of the defendant had disclosed personal information about him to a third party during the course of a social function held in his immediate neighbourhood. The third party to whom the information was allegedly disclosed was his next door neighbour. The social function was at the home of the employee’s baby sitter, and only two houses away from the plaintiff’s (then) residence. The employee was the plaintiff’s case manager.
The defendant accepted that there had been a discussion between its employee and the neighbour but denied that personal information had been disclosed. It argued that the information used had been anonymised (on the basis that as no names were used the client involved could not be identified) but that in any event the neighbour had already been aware of the matters discussed, so there had been no ‘disclosure’. It further argued that, even if there had been a disclosure, the plaintiff had not suffered any adverse consequences as a result, or if he had that this was as a result of the neighbour’s subsequent actions in discussing the information disclosed to her with others.
There was also a preliminary issue for the Tribunal to decide: whether, as a result of the Privacy Commissioner having discontinued his investigation under s 71, the defendant was a person to whom s 82(1) applied (that is, he was a person in respect of whom an investigation had been conducted).
On the jurisdictional issue the Tribunal found that where an investigation has been discontinued (whether under s 71(1) or 71(2)) the agency or person who had been named as the respondent in the Commissioner’s investigation will be a person to whom s 82(1) applies so as to found the Tribunal’s jurisdiction to hear the matter. In reaching this decision the Tribunal confirmed its earlier position (in Cable) that it does not have jurisdiction to review the conduct of the Privacy Commissioner’s investigation.
On the substantive issue the Tribunal found that there had been a disclosure of personal information about the plaintiff by the defendant’s employee, and that this disclosure had caused the plaintiff adverse consequences sufficient to meet the requirements under s 66(1)(b) of the Act.
The Tribunal accordingly awarded the plaintiff $10,000 in damages. l
Michelle Donovan, Office of the NZ Privacy Commissioner.