AustLII Home | Databases | WorldLII | Search | Feedback

Privacy Law and Policy Reporter

Privacy Law and Policy Reporter (PLPR)
You are here:  AustLII >> Databases >> Privacy Law and Policy Reporter >> 2003 >> [2003] PrivLawPRpr 53

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

Roth, Paul --- "Remedies under New Zealand privacy law: recent cases" [2003] PrivLawPRpr 53; (2003) 10(6) Privacy Law and Policy Reporter 116


Remedies under New Zealand privacy law: recent cases

Paul Roth

New Zealand has the most substantial body of privacy case law in the Asia-Pacific region. In this article Paul Roth surveys recent developments concerning remedies that may also be of relevance in other jurisdictions — General Editor.

Over the past year, there have been a number of noteworthy Privacy Act cases concerning remedies decided in New Zealand. These include several cases that resulted in substantial damages awards, and two cases that dealt with important issues relating to other remedies under the Privacy Act 1993 (NZ), both of which reached some questionable conclusions. Indeed, one of these cases arrived at an unexpected result that seriously undermines access rights under the Privacy Act.

It should be noted that the Human Rights Review Tribunal, which deals judicially with privacy complaints at first instance if they cannot be conciliated by the Privacy Commissioner, has been ‘under new management’ for the past year with the appointment of a new tribunal chairperson. In practical terms, this has meant a quite different approach from the Tribunal as formerly constituted. Fewer claims are being struck out before being heard, and the facts and legal issues in each case are now considered in much greater detail, with the result that decisions now tend to be somewhat more lengthy, in some instances unnecessarily so. The Tribunal as presently constituted also has not proved to be reluctant to revisit earlier tribunal decisions.

Rising damages awards in the tribunal

The Human Rights Review Tribunal has the jurisdiction to award damages against a defendant for an interference with the privacy of an individual.[1] Such damages may be awarded in respect of pecuniary loss, loss of any benefit, and humiliation, loss of dignity or injury to feelings. The amount of damages is limited to $200,000.[2]

The levels of damages awarded over the past year, particularly for non-economic loss, has been quite high by New Zealand standards. In the specialist employment law jurisdiction, which is comparable because of its similar ‘equity and good conscience’ jurisdiction[3] and its ability to make awards for non-economic loss,[4] awards tend to fall largely within the $3000 to $7000 range. Over the past year, however, there have been awards of $10,000 and as high as $40,000 in the Privacy Act jurisdiction. It is therefore very likely that if such a case were ever to be appealed to the High Court or Court of Appeal, the amount of damages would be reduced for being out of kilter with awards in analogous jurisdictions.

In Parker v Ministry of Agriculture and Forestry,[5] the Tribunal awarded $4000 damages for injury to feelings where an officer of the defendant effectively disclosed the identity of the plaintiff informant to the person in respect of whom an animal welfare claim was laid. The defendant did not deny liability for the breach of principle 11 (Limits on disclosure of personal information), but was disputing the amount of compensation that the plaintiff was claiming. The Tribunal acknowledged that the defendant acted responsibly in the circumstances, and the damages award was intended to reflect this.

In Plumtree v Attorney-General on behalf of the New Zealand Defence Force,[6] the Tribunal ordered the defendant to pay the plaintiff $3000 for humiliation, stress and injury to feelings. In 1998 the plaintiff, a Vietnam war veteran, requested documents that the army claimed had already been disclosed to the plaintiff in response to previous requests for information. The Tribunal accepted that the army had breached principle 6 (Access to personal information) in a number of respects. In particular, the Tribunal found that the army failed to make a decision on the plaintiff’s information privacy request in compliance with the Privacy Act because the previous provision of copies of documents was not a good reason for refusing a request, and the army failed to disclose information that was readily retrievable in terms of principle 6 (the defendant failed to notice the plaintiff’s vaccination certificate contained in a pouch on his file). The Tribunal found that the plaintiff suffered as a result of the way the defendant dealt with his requests for information. The Tribunal acknowledged that it was difficult to disentangle the plaintiff’s privacy complaint from his unhappy experiences while in the army some years earlier,[7] and accordingly made the ‘modest award’ that it did in this case.

In Steele v Department of Work and Income,[8] the Tribunal awarded $10,000 for humiliation to a person whose application for a social welfare benefit was discussed at a neighbour’s party, in breach of principle 11 (Limits on disclosure of personal information). The person who disclosed the information was an employee of the Department of Work and Income.

In Jans v Winter,[9] the Tribunal ordered the defendant real estate agent to pay the plaintiffs $20,000 damages. Some $15,000 of this amount was awarded to compensate the plaintiffs ‘for the loss of the benefit of the certainty that the plaintiffs would have had’ if they had been given access to the information which they had requested, and which was later lost.[10] The remainder of the award was for humiliation, loss of dignity and injury to feelings. The plaintiffs owned a property that was sold at a mortgagee sale in 1997 on the instructions of the ANZ Bank. The defendant was the managing director of the real estate agency instructed to sell the house. The plaintiffs had had a number of concerns about the way the sale was conducted. In particular, they believed that the property was sold at a significant undervalue. The plaintiffs were contemplating taking legal proceedings to recover their losses and accordingly requested their file from the defendant. The defendant first refused the request on the basis that he could not provide the file without the bank’s authorisation. After the plaintiffs replied that they were entitled to the information under the Privacy Act, the defendant responded, without taking any legal advice, that the plaintiffs were not entitled to the information on the ground that the Privacy Act applied only to official information and not private files. By the time the proceedings were filed, the defendant had lost the file when he moved offices. The Tribunal found fault with the defendant’s high-handed manner and failure to deal properly with the plaintiffs’ information privacy request.

The highest amount of compensation ever awarded in the Privacy Act jurisdiction was for humiliation, loss of dignity and injury to feelings in the amount of $40,000. This award was made in Hamilton v The Deanery 2000 Ltd,[11] where the defendant, an alcohol treatment clinic, disclosed sensitive health information about the plaintiff. The director of the clinic had told immigration authorities that the plaintiff, a well known public figure in Britain, was an active drug user. He also told a newspaper of the plaintiff’s length of stay at the clinic, and that she had failed the program. Moreover, he told an English tabloid that the plaintiff had been expelled from the clinic for illegal drug use, and he told lawyers for the tabloid that he had a urine test from the plaintiff that confirmed his drug allegations.

Damages in the Privacy Act jurisdiction are compensatory only. The issue whether exemplary damages could be awarded was discussed in Jans v Winter,[12] but the matter was left open. Nevertheless, the Tribunal cast doubt on whether it had the jurisdiction to award exemplary damages, and compared the provisions in the Privacy Act to s 57(1)(d) of the Health and Disability Commissioner Act 1994 (NZ), which expressly provides the Tribunal with the power to award damages in respect of ‘[a]ny action by the defendant that was in flagrant disregard of the rights of the aggrieved person’. The Tribunal remarked that ‘the absence of such a provision in the Privacy Act seems to indicate that no similar jurisdiction was intended to exist in privacy cases’.[13] The Tribunal was no doubt correct that it lacks the power to award exemplary damages to punish breaches of the Privacy Act.[14] Such damages might be available, however, in a common law tort action for the breach of a statutory duty, which could conceivably be based on a prior finding of breach of the Privacy Act.[15]

Harm requirement extended to access and correction rights

Probably the Tribunal decision decided in the past year with the most far-reaching effect was Jans v Winter.[16] That decision determined that in cases dealing with access to or correction of personal information, the plaintiff is required to prove some loss or harm before the Tribunal will find an interference with the individual’s privacy. Moreover, where non-economic loss is claimed, the agency’s action or omission must have caused ‘significant humiliation, significant loss of dignity, or significant injury to feelings’.[17] As this interpretation of the law was not necessary for the particular decision in the case (the Tribunal did in fact find there to have been both economic and significant non-economic loss), it is strictly obiter dictum (non-binding), but it nevertheless indicates the approach that the Tribunal will take to access and correction cases in subsequent cases.

The point of interpretation dealt with the relationship between ss 66(1) and 66(2) of the Privacy Act, and in particular, whether the requirement of loss or other detriment in s 66(1) was necessary to any finding of an ‘interference with the privacy of an individual’ where there is a claim of a breach of principles 6 (Access to personal information) or 7 (Correction of personal information). Sections 66(1) and (2) are materially as follows:

66 Interference with privacy

(1) For the purposes of this Part of this Act, an action is an interference with the privacy of an individual if, and only if, —

(a) In relation to that individual, —

(i) The action breaches an information privacy principle; or ...

(ii) ...

(iii) ... and

(b) In the opinion of the [Privacy] Commissioner or, as the case may be, the Tribunal, the action —

(i) Has caused, or may cause, loss, detriment, damage, or injury to that individual; or

(ii) Has adversely affected, or may adversely affect, the rights, benefits, privileges, obligations, or interests of that individual; or

(iii) Has resulted in, or may result in, significant humiliation, significant loss of dignity, or significant injury to the feelings of that individual.

(2) Without limiting subsection (1) of this section, an action is an interference with the privacy of an individual if, in relation to an information privacy request made by the individual, —

(a) The action consists of a decision made under Part IV or Part V of this Act in relation to the request, including —

(i) A refusal to make information available in response to the request; or ...

(vi) A refusal to correct personal information; and

(b) The Commissioner or, as the case may be, the Tribunal is of the opinion that there is no proper basis for that decision.

The position of the Privacy Commissioner was that s 66(2) should be read as being independent of s 66(1). Accordingly, ‘if there is a breach falling under s 66(2) then there is no need for the plaintiff to prove any harm before the Tribunal has the jurisdiction to award a remedy’.[18]

The Tribunal, however, rejected this position and found that ss 66(1) and 66(2) ‘are not independent’. Accordingly, ‘the Tribunal must be satisfied that there has been some harm (that is, adverse consequences of a kind specified in ss 66(1)(b)(i) to (iii) in every privacy case before there is any power to grant a remedy under s 85(1) of the Act’.[19] The Tribunal arrived at this conclusion after considering the wording of the provision, relevant authorities, the policy of the Act, and the Privacy Commissioner’s submissions.

In particular, the Tribunal found that an important policy objective of the Act was to filter out complaints where there was no or little real harm:

It must be obvious from s 66(1) alone that there is a legislative concern to prevent cases where any breach is of no real consequence. The whole purpose of s 66(1)(b) is to ensure that even where there is a breach of the Act, it is still necessary to show that there is some harm that has flowed from the breach which warrants an award of damages or some other relief. If that were not so then claims could be brought to the Tribunal in cases where no real harm had been done. We see s 66(1)(b) as the legislative expression of a concern to prevent that sort of situation arising.[20]

The Tribunal noted that it was not apparent that this rationale should not also have been intended to apply to s 66(2). The Tribunal observed that ‘The threshold for proof of harm set out in s 66(1)(b) is not high’,[21] and remarked that this ‘provides support for our view that the real purpose behind s 66 is to prevent the Tribunal from making awards in any privacy cases where no real harm has been established.’[2]

The Tribunal’s interpretation of the relationship between ss 66(1) and 66(2) was, it is submitted, mistaken. After two early cases holding otherwise,[23] the point that no harm or loss was required in order to be held liable for breaches of principles 6 and 7 was clearly established by the Tribunal in M v Ministry of Health [1997] NZCRT 12; (1997) 4 HRNZ 79, M v Police (1997) 4 HRNZ 91, and Adams v New Zealand Police (Decision No 16/97, 12 June 1997), and it was implicitly accepted by the High Court in L v T (1999) 5 HRNZ 30 and Proceedings Commissioner v Health Waikato Ltd (2000) 6 HRNZ 274. An individual’s rights of access to and correction of personal information held by public sector agencies, without having to prove detriment, had previously been conferred under the Official Information Act 1982 (NZ) and the Local Government Official Information and Meetings Act 1987 (NZ), before these rights were transferred to the Privacy Act 1993. The enactment of the Privacy Act was not intended to downgrade this position, and it is quite surprising that the Tribunal should find that this was indeed Parliament’s intention. In the ordinary course of events, most people will not suffer loss or significant humiliation and so on if denied access to their personal information or the right to correct it. The Tribunal’s decision therefore renders these rights nugatory.

In the Privacy Commissioner’s 1998 report on the first periodic review of the Privacy Act, it was recommended that the relationship of s 66(2) to s 66(1) could benefit from clarification.[24] The Privacy Commissioner nevertheless commented:

I am confident that s 66(2) was intended to ensure that substantiated access complaints could be considered an ‘interference with privacy’ without any harm or detriment of the type referred to in section 66(1)(b) so long as the various criteria in ss 66(2)(a) and (b) are present.[25]

He went on to remark:

It is extremely important to ensure that there are enforceable remedies for the access entitlements in principle 6 without any proof of harm or detriment. Quite frequently, such harm or detriment will be absent. The absence of proof of harm must not exist as a barrier to enforceable rights of access. Were that to happen, it would significantly undermine the entitlement and be quite out of keeping with what was intended by the Privacy Act and what is expected by the OECD Guidelines and other international norms governing access laws. It would reduce rights formerly existing under the Official Information Act, and this was surely never intended.[26]

The Tribunal appeared to have fallen into error in this case by failing to appreciate the legislative context of the Privacy Act, and by taking ambiguous statutory wording at apparent face value when its intent should have been clear.

Section 66(2)(a) deals with specific types of actions in addition to those enumerated in s 66(1)(a)(i), (ii) and (iii). Section 66(2)(b) essentially functions as a counterpart to s 66(1)(b) in relation to information privacy requests. The apparent drafting purpose here was to differentiate s 66(2) from s 66(1) by requiring the Commissioner or Tribunal to be of the opinion that there was no proper basis for the agency’s decision in respect of an information privacy request (by way of contrast with what the Commissioner or Tribunal’s opinion is to be in respect to the matters covered under s 66(1)(a)). Put another way, s 66(2)(a) functions as a ‘ghost’ s 66(1)(a)(iv), and s 66(2)(b) functions as a ‘ghost’ s 66(1)(b)(iv), but only in relation to information privacy requests. Hence, this matter has been placed in a separate subsection. While the requirements of harm or loss referred to in s 66(1)(b)(i), (ii) and (iii) for making out an ‘interference with the privacy of an individual’ do not apply to actions falling under s 66(2), this does not by any means preclude an award of damages under s 88 where that is appropriate.

The immediate consequence of this decision is that the Tribunal has surrendered a significant part of its jurisdiction. This means that from a practical point of view, complainants in respect of breaches of principle 6 by public sector agencies, who would be likely to have difficulty proving harm in terms of s 66(1)(b), would be best advised to take their complaints directly to a court of general jurisdiction as they are entitled to do under s 11 of the Privacy Act.[27] There they may seek the declaratory and such other relief to which they might be entitled, now denied them by the Tribunal. This avenue of redress will be somewhat more expensive to pursue than resort to the Tribunal, but presumably some or most of the expense may be recovered by applying for costs.

Order to correct personal information

In Plumtree v Attorney-General on behalf of the New Zealand Defence Force,28 which involved a complaint involving principle 7 (Correction of personal information) as well as principle 6 (see above), the Tribunal ordered the defendant to correct the plaintiff’s personal information. It is questionable, however, whether the Tribunal actually has the jurisdiction to make such an order. Moreover, the order was made even though the Tribunal found that all of the information at issue in this case did not have any particular use except as an historical record of the plaintiff’s army service some 40 years previously. The accuracy or otherwise of the information did not affect any entitlement or benefit of the plaintiff.

The Tribunal had found that the plaintiff’s army vaccination certificate was incorrect in referring to the administration of vaccinations in 1963 rather than in 1964. In addition, the list of vaccinations in the plaintiff’s unit personal record card was incomplete. The full list was contained on his vaccination certificate. The Tribunal ordered the defendant to (1) correct the plaintiff’s unit personnel record card by including a complete list of vaccinations, and (2) alter the plaintiff’s vaccination certificate by changing the date of the entry for vaccinations from 1963 to 1964.

The Tribunal’s jurisdiction to make such an order, however, was dubious. Principle 7(3) confers the discretion to correct (or else attach a statement of correction sought but not made) on the agency concerned, not the Tribunal. The relevant statutory wording is as follows:

Where an agency that holds personal information is not willing to correct that information in accordance with a request by the individual concerned, the agency shall, if so requested by the individual concerned, take such steps (if any) as are reasonable in the circumstances to attach to the information, in such a manner that it will always be read with the information, any statement provided by that individual of the correction sought.

Principle 7 recognises that agencies have a right not to correct information, but at the same time it provides that if an agency does exercise this right, then it must attach a statement of a correction sought but not made. It would therefore seem inconsistent with this statutory arrangement if the Tribunal could override this right by using its power under s 85(1)(d) (Powers of Human Rights Review Tribunal) to order an agency to correct information.[29] In effect, the Tribunal in this case was ordering the physical alteration of original documents that were historical records.

It was unclear why the Tribunal held that ‘the army has an obligation under principle 7(2) to ensure that the information in the [plaintiff’s vaccination] certificate is accurate’,[30] and it was surprising that the Tribunal even bothered to order the army to correct the plaintiff’s vaccination records.

Under principle 7(2), an agency is obliged ‘to take such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purposes for which the information may lawfully be used, the information is accurate, up to date, complete and not misleading’. In the present case, the circumstances were certainly not such that it would have been reasonable to hold the agency concerned liable to maintain accurate records since it was evidently not holding the information for any particular further use or purpose at all. While principle 8 (Accuracy, etc, of personal information to be checked before use) deals directly with the accuracy of information, that principle could not be brought into play in this case because a complaint concerning non-compliance with this principle had not been raised. Moreover, principle 8 only applies where the agency concerned proposes to use the information in question (‘An agency that holds personal information shall not use that information’). In the present case, there was no indication that the army proposed to use the information concerned, and the Tribunal had found that nothing turned on the accuracy or otherwise of the information. l

Dr Paul Roth, Associate Professor, Faculty of Law, University of Otago.

Endnotes

[1]. Section 88 of the Privacy Act 1993 (NZ).

[2]. Section 89 of the Privacy Act. This is the same maximum that applies in the District Court (the lowest court of general jurisdiction), and to breaches of the Human Rights Act 1993, which deals mainly with complaints about discrimination. Higher awards may be sought, but in such cases the Tribunal must refer the matter to the High Court.

[3]. Compare s 105 of the Human Rights Act 1993 (NZ) (which applies to privacy matters by virtue of s 89 of the Privacy Act) with s 157(3) and s 189 of the Employment Relations Act 2000 (NZ).

[4]. See s 123(c) of the Employment Relations Act.

[5]. Decision No 9/02, 23 September 2002.

[6]. Decision No 10/02, 2 October 2002.

[7]. At [157].

[8]. Decision No 12/02, 21 October 2002.

[9]. Decision No 21/03, 27 June 2003.

[10]. At [162].

[11]. Decision No 28/03, 29 August 2003

[12]. Decision No 21/03, 27 June 2003.

[13]. At [153].

[14]. Section 127 of the Privacy Act makes provision for fines for offences against the Act, but this relates to obstruction or interference with the Privacy Commissioner’s performance of his functions. It should be noted, however, that Tribunal has no jurisdiction to summarily convict persons for these offences.

[15]. Such an action would fall within the jurisdiction of the High Court rather than the Tribunal.

[16]. Decision No 21/03, 27 June 2003.

[17]. Section 66(1)(b)(iii) of the Privacy Act.

[18]. At [68].

[19]. At [136].

[20]. At [110].

[21]. At [112].

[22]. At [113].

[23]. Mitchell v Police Commissioner [1994] NZCRT 3; [1995] NZAR 274; (1995) 1 HRNZ 403 and O v N (No 2) (1996) 3 HRNZ 636.

[24]. Necessary and Desirable: Privacy Act 1993 Review, November 1998, para 8.2.7.

[25]. At [8.2.3].

[26]. At [8.2.4].

[27]. Section 11 provides that ‘[t]he entitlements conferred on an individual by subclause (1) of principle 6, in so far as that subclause relates to personal information held by a public sector agency, are legal rights, and are enforceable accordingly in a court of law’.

[28]. Decision No 10/02, 2 October 2002. The damages award in this case for breach of principle 6 (Access to personal information) was discussed earlier.

[29]. Section 85(1)(d) provides that the Tribunal may grant ‘[a]n order that the defendant perform any acts specified in the order with a view to remedying the interference, or redressing any loss or damage suffered by the aggrieved individual as a result of the interference, or both’.

[30]. At [67]; see also [92] and [133].


AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.austlii.edu.au/au/journals/PrivLawPRpr/2003/53.html