Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Roth, Paul --- "Remedies under New Zealand privacy law - Part 1" [2004] PrivLawPRpr 4; (2004) 10(8) Privacy Law and Policy Reporter 153

Remedies under New Zealand privacy law — Part 1

Paul Roth UNIVERSITY OF OTAGO

his is Part 1 of a series of articles by Paul Roth which will systematically examine each remedial power of the New Zealand Privacy Commissioner and the remedies that have been granted to date — General Editor.

General considerations underpinning remedies

There are a number of important considerations that are relevant to determining how to structure a remedial jurisdiction and what remedies should be made available for privacy infringements in a particular jurisdiction.

The most obvious is the type of possible harm or loss that an individual data subject might suffer. There should be some sort of relation between the remedy and the infringement to which it relates.

A related consideration is the ratio of the effort involved in seeking a remedy to the result where a complaint has been substantiated. If remedies are inadequate in comparison to the cost and trouble involved in pursuing a complaint about a privacy infringement, individuals will not feel it worthwhile to pursue them and the law will not be enforced, which in turn will have a likely negative effect on compliance with the law.

The overall aim of the jurisdiction and the purpose for instituting sanctions are, of course, key considerations. Remedies for privacy infringements can take different forms, depending on what it is desired to achieve. If the purpose is to promote a broad awareness of the need to respect privacy and discourage practices that affect large sections of the public, then an inquiry or investigative remedy, invoked upon or without a complaint from an individual or section of the public, might be all that is required. A focus more on individual issues might not require sanctions more serious than declarations or orders for compliance if one wanted to take a light handed approach. The purpose of achieving justice in individual cases, on the other hand, might require a full panoply of remedies.

Other matters that may relevant to the choice of what remedies to make available are the particular sensitivities or vulnerabilities of the agencies or types of agency whose behaviour is sought to be regulated. For example, if the regulation is limited to public sector agencies, sufficient government accountability mechanisms may already be in place so that only a declaratory remedy may be necessary.^[1] In relation to agencies with a public face, however, the importance of good public relations and the fear of public embarrassment or adverse commercial repercussions may in many contexts be sufficient.

The number and type of remedies available will have a bearing on the cost of supporting the jurisdiction. The more serious the sanctions, the more elaborate the institutional framework and processes will need to be in the interests of justice. There is thus an inseparable relationship between remedies and process. Indeed, a process itself can function as a remedy, whether it is ‘having one’s day in court’, or even the very processes of investigation and conciliation.

This point naturally leads to a further consideration. This is the availability or allocation of resources in relation to the mischief that is sought to be regulated, which in turn brings one back to the overall purpose of the jurisdiction. Just because a data subject might suffer detriment does not necessarily mean that the law ought to make provision for remedies in respect of every possible harm or loss. Similarly, if the awards likely to be made in a jurisdiction are of little monetary value, or if the effect of orders likely to be made tends not to seriously affect a party’s overall position, the cost of maintaining elaborate institutions would seem to be misplaced. The remedies or particular types of remedies that are established for privacy infringements should be weighed against the cost of maintaining the appropriate processes and institutions.

A privacy regime should also aim to avoid overlap with other jurisdictions and causes of action (for example, defamation, nuisance, negligence, breach of confidence) and contain an effective means of filtering complaints that are of a minor or misconceived nature. Any regime that enables individuals to complain about information related matters — in particular, what people say about them and how information about them is used, whether true or false — encompasses an astonishing breadth of grievances. A privacy regime can provide a low risk avenue for ventilating many of these grievances. Since all social intercourse will involve the collection, use and disclosure of personal information, many privacy issues have their origin simply in relationships gone wrong. In the NZ experience, these are most commonly family, medical, financial, employment, and individual/government relationships. Privacy concerns per se are not necessarily always at the core of all problems pursued through a privacy complaints process. A privacy regime should therefore strive to target matters that raise serious privacy issues.

Process and remedies under the Privacy Act 1993

The general object of the Privacy Act 1993 (NZ) (the Act) is to promote and protect individual privacy with respect to information about individuals in accordance with the OECD Guidelines.^[2] The centrepiece of the legislation is the set of 12 Information Privacy Principles in s 6 relating to the collection, holding and use of personal information. The Principles are modelled on both the OECD Guidelines and the Information Privacy Principles in Australia’s Privacy Act 1988 (Cth). In addition to the Information Privacy Principles, the legislation contains Principles relating to information held on public registers;^[3] it sets out guidelines and procedures in respect to information matching programs run by government agencies;^[4] and it makes special provision for the sharing of law enforcement information among specialised agencies.^[5]

Although NZ’s privacy jurisdiction differs in several fundamental respects from the European Union (EU) model (particularly by not requiring notification of data processing to a supervisory authority), it conforms to European standards by making judicial remedies available for privacy infringements, including compensation where a person has suffered loss.^[6] The Privacy Commissioner oversees compliance with the Act, but does not function as a central data registration or notification authority, and with one small exception (in relation to charging for information), does not have the power to determine legal rights and liabilities under the Act.

The many and varied functions of the Privacy Commissioner are set out in s 13 of the Act. In relation to remedial jurisdictions, the Privacy Commissioner’s role can be seen to be threefold. First, the Privacy Commissioner investigates and conciliates complaints made to him or her by aggrieved individuals, and this function is of major importance in relation to the Act.^[7] It constitutes one of the chief activities, if not the chief activity, of the role.^[8]

Second, the Privacy Commissioner can undertake investigations into interferences with the privacy of individuals on his or her own initiative,^[9] though this is much less common. This was done in relation to the high profile disclosures made by Neil Pugmire, a psychiatric nurse who disclosed health information about a dangerous patient released into the community.^[10]

Third, the Privacy Commissioner can inquire into privacy matters and comment on them on his own initiative, or upon a representation from the public.^[11] This constitutes a wider and more directly public good oriented form of remedy. Again, there are not many examples of such inquiries. In 1999, there was an inquiry into unauthorised information matching between the Department for Courts and the Motor Vehicle Register the previous year. This exercise generated a mailout to some 4000 people who were wrongly warned that they had 48 hours to pay fines or face penalties.^[12] In 2003, the Privacy Commissioner conducted inquiries into two incidents where patient information was discovered at disused hospital premises.^[13] The Privacy Commissioner has noted that formal inquiries or own motion investigations ‘may lead to wider systemic investigations’, but he observed that:

Such inquiries take considerable time and resources and are not lightly undertaken. If they appear to be leading nowhere the inquiry is stopped. Where, however, they produce some information of general use, the results can be made public and lessons can be learned.^[14]

He noted that this approach ought to have an effect on the number of subsequent individual complaints.

With one exception, all of the rights provided for in the Act must be enforced through the processes provided for in the legislation itself. The exception relates to the right of access by individuals to personal information held by public sector agencies. This particular right can be directly enforced, at the individual’s option, in a court of law instead of through the specialist complaints process provided for under the Act.^[15] Direct recourse to the courts was carried over to the Privacy Act from NZ’s freedom of information legislation^[16] on the grounds that this preserved existing legal rights, the principle being ‘that a right once conferred by statute should not lightly be taken away’.^[17] This right was not extended to personal information held by private sector agencies, however, as it was thought to be more cost effective to leave enforcement in the hands of a public official specialising in information privacy.^[18]

Although individuals have a legal right of direct access to the courts (and the courts’ remedies) where their personal information is held by public sector agencies, in practice they have always taken the alternative route of pursuing their rights through the specialised processes provided under the Privacy Act. This is despite the current waiting period of up to one year before the Privacy Commissioner can undertake an investigation. The principal reason for not using the courts of ordinary jurisdiction seems to be that the review processes of the Privacy Commissioner are undertaken without charge, and there are no filing or hearing fees in the Human Rights Review Tribunal.

The Act has been in operation for just over 10 years, and, after an initial phasing in period, has made provision for a full panoply of legally enforceable remedies for over six years.^[19]

An actionable complaint under the Act crystallises with the breach of an Information Privacy Principle, a code of practice, or the provisions relating to information matching, together with some loss or detriment to the individual.^[20] In cases involving complaints about denied, delayed, or qualified access to personal information, however, no loss or detriment is necessary.^[21] The procedure in Pt VIII of the Act must be followed. Complaints are first lodged with the Privacy Commissioner, and if the matter is not then voluntarily resolved, the matter may proceed to the Human Rights Review Tribunal.^[22]

The resolution process is as follows.

• The Privacy Commissioner attempts to settle the complaint where possible.^[23]

• The Privacy Commissioner investigates and reports to the parties, and tries to settle the it where complaint has substance.^[24]

• If settlement is not reached, the Privacy Commissioner may refer the matter to the Director of Human Rights Proceedings.^[25]

• The Director of Human Rights Proceedings decides whether or not to institute proceedings on behalf of the complainant before the Human Rights Review Tribunal.

• Alternatively, the complainant may bring proceedings personally before the Human Rights Review Tribunal if the Privacy Commissioner or the Director of Human Rights Proceedings has found the complaint to be without substance or that it should not be proceeded with, or the Director of Human Rights Proceedings declines to take proceedings.^[26]

• Where the complaint concerns an unreasonable charge for access to personal information (private sector only),^[27] the Privacy Commissioner makes a final and binding determination.^[28]

• The Human Rights Review Tribunal determines matter and may award any of the following remedies:

— a declaration;

— an order restraining the continuance or repetition of the interference;

— general and special damages;

— an order that the defendant remedy the interference or redress any loss or damage; or

— any other relief as the Tribunal thinks fit.^[29]

• There is an appeal right from the Human Rights Review Tribunal to the High Court,^[30] with an appeal right on issues of law to the Court of Appeal.^[31]

The number of complaints lodged under the Act each year since its enactment has been as follows: 513 in the year ended 30 June 1994; 877 in 1995; 993 in 1996; 1200 in 1997; 1088 in 1998; 1003 in 1999; 798 in 2000; 881 in 2001; and 1044 in 2002.

A queue has had to be established by the Office of the Privacy Commissioner because of the large number of complaints in relation to available resources. It can now take up to a year before an investigation is allocated. The queue itself may be functioning as an effective, if awkward, sifting mechanism, though cases substantiated as urgent may be brought forward in the queue.

Process and remedies under FOI legislation

It is important to appreciate the relationship between the Privacy Act and NZ’s two other freedom of information statutes, the Official Information Act 1982 (NZ) (the OI Act) and the Local Government Official Information and Meetings Act 1987 (NZ) (the LGOIM Act). When the Privacy Act was enacted in 1993, it was given jurisdiction over data subject access and correction rights in respect of personal information held by the public sector. The Office of the Ombudsman, which has jurisdiction over freedom of information complaints, continues to deal with complaints relating to requests for reasons concerning decisions about individuals,^[32] and requests for information held by public sector agencies about individuals who are not themselves the requester (that is, requests for information about third parties). Where an issue arises in relation to the withholding of information by a public sector agency about a third party on the grounds of privacy, the Ombudsman must consult with the Privacy Commissioner before forming an opinion.^[33] The Privacy Commissioner and Ombudsman are also required to consult with one another when either receives a complaint that relates to an area under the other’s jurisdiction.^[34]

Thus, although NZ has a well developed stand-alone privacy regime, its information access regime (the most commonly invoked right) consists of two separate regimes operating side by side. One, under the Privacy Act, covers personal information relating to the data subject. The other, a freedom of information regime, covers access to personal information by a person who is not the person to whom the information relates. In respect to wrongful denial of access to information under the Privacy Act, all of the remedies that are provided for under the legislation (mentioned above) are available, but wrongful withholding of information under the freedom of information legislation is remedied merely by a recommendation, which can convert into a public duty, that the information at issue be disclosed.

The processes and remedy under the freedom of information legislation are markedly different to those in the Privacy Act.

• The Ombudsman investigates and reviews the decision to withhold information.^[35]

• The Ombudsman reports and may make a recommendation.^[36]

• Where the Ombudsman makes a recommendation, the agency has a public duty to comply with it 21 working days later unless it is overridden by the executive branch of government (that is, the Governor-General by Order in Council).^[37]

• The requester has the right to judicial review in the High Court of such Orders in Council.^[38]

• The requester has the right to judicial review of the original decision after the Ombudsman has investigated it (that is, if the Ombudsman has made no recommendation).^[39]

• There is an appeal right in either case to the Court of Appeal.^[40]

Requests for personal information by persons to whom the information relates (where ‘persons’ are limited to bodies corporate) are treated differently. Requests for ‘personal information’^[41] and for the reasons for decisions about persons (natural as well as corporate persons)^[42] are subject to legal rights enforceable in a court of law.

Thus, in the case of access to personal information (by bodies corporate only) there are directly enforceable legal rights of access and correction. Alternatively, and this is the usual course, recourse can be had to the Ombudsman’s review process.

• The Ombudsman investigates, reports, and may make a recommendation.^[43]

• If a recommendation is not complied with, in OI Act cases the Ombudsman may report to the Prime Minister and House of Representatives;^[44] in LGOIMA cases, the Ombudsman informs the complainant of the non-compliance with the recommendation,^[45] and may require a summary of the report to be publicly notified and made available.^[46]

• Where there is non-compliance with the Ombudsman’s recommendation, the complainant must enforce his or her rights in a court of law.

This jurisdiction has functioned since 1982 in relation to central government agencies, and since 1987 in relation to local government authorities.^[47] Damages have never been awarded in this jurisdiction (though in theory they may be available under tort law in appropriate cases), in contrast to their availability now in respect of denied access requests under the Privacy Act.48 l

Paul Roth, University of Otago, <paul.roth@stonebow.otago.ac.nz>.

Endnotes

[1]. Compare the remedies under New Zealand’s freedom of information legislation: see the following article in this series.

[2]. Recommendation of the Council of the Organisation for Economic __ Co-operation and Development Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, 23 September 1980.

[3]. Part VII of the Act.

[4]. Part X of the Act.

[5]. Part XI of the Act.

[6]. Compare arts 22 and 23 of Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 24 October 1995.

[7]. This jurisdiction is discussed in more detail below.

[8]. Interestingly enough, this function is not specifically set out in s 13, but falls under the omnibus s 13(1)(u), which provides that the Privacy Commissioner’s functions include ‘[t]o exercise and perform such other functions, powers, and duties as are conferred or imposed on the Commissioner by or under this Act or any other enactment’. In the case of the Commissioner’s role in investigating and conciliating complaints, the relevant provisions are in Pts 8 and 9 of the Act.

[9]. Section 69(2).

[10]. Case No 2049 December 1996. The information concerned was sent to an Opposition MP after no action was taken by the Minister of Health, the Minister of Police, and the National Director of Mental Health.

[11]. The relevant provisions setting out these functions are s 13(h) (To make public statements in relation to any matter affecting the privacy of the individual or of any class of individuals); s 13(i) (To receive and invite representations from members of the public on any matter affecting the privacy of the individual); and s 13(m) (To inquire generally into any matter, including any enactment or law, or any practice, or procedure, whether governmental or non-governmental, or any technical development, if it appears to the Commissioner that the privacy of the individual is being, or may be, infringed thereby).

[12]. See Privacy Commissioner Unauthorised information matching between Department for Courts and Motor Vehicle Register: Report to the Minister of Justice, Courts and Transport in relation to an inquiry into events surrounding unauthorised information matching programme operated in mid-1996 25 August 2000; this report was based on the commissioned Report by Robert Stevens as to Inquiries into Information Matching by Department for Courts with the Motor Vehicle Register in June/July 1998 21 March 2000.

[13]. One inquiry looked at the circumstances in which patient health information was left at the former premises of Hillmorton Hospital in Christchurch, and the second inquiry looked at the discovery of patient health information and staff personal information at the former premises of Rawhiti Trust Hospital in Auckland. At the conclusion of his investigations, the Privacy Commissioner was satisfied that they were isolated events that arose as a result of ‘one-off’ human errors. See Canterbury District Health Board: Discovery of Patient Notes in an Abandoned Hospital Building Final Report, July 2003, and Rawhiti Trust Hospital Board: Discovery of Patient Notes in a Former Private Hospital Building Final Report, July 2003.

[14]. Report of the Privacy Commissioner for the year ended 30 June 2000 (AJHR A 11), at pp 11-12.

[15]. Section 11.

[16]. The Official Information Act 1982 (NZ) and the Local Government Official Information and Meetings Act 1987 (NZ).

[17]. Report of the Department of Justice on the Privacy of Information Bill, 22 January 1993, to the Privacy of Information Bill Sub-Committee of the Justice and Law Reform Committee, p 13.

[18].Above note 17.

[19]. Under s 79 of the Act, only remedies for breaches of Principles 5, 6, 7 and 12 were initially available from the Complaints Review Tribunal (as the Human Rights Review Tribunal was then called); after 1 July 1996, however, the Tribunal had jurisdiction to hear matters concerning breaches of the other Privacy Principles as well.

[20]. Section 66(1). The technical term for an actionable complaint is ‘an interference with the privacy of an individual’.

[21]. Section 66(2).

[22]. Formerly known as the ‘Complaints Review Tribunal’ until 1 January 2002, it is constituted under the Human Rights Act 1993 (NZ). It also deals with complaints about discrimination under the Human Rights Act and with complaints about health consumers’ rights under the Health and Disability Commissioner Act 1994 (NZ).

[23]. Section 74.

[24]. Section 77(1).

[25]. Section 77(2). Prior to 1 January 2002, the Director of Human Rights Proceedings was known as the Proceedings Commissioner.

[26]. Section 83.

[27]. Personal information held by public sector agencies is available free of charge, which continues the position that existed under the freedom of information legislation prior to the enactment of the Privacy Act in 1993.

[28]. Section 78. In a submission addressed to the New Zealand Law Commission on 15 May 2002, the Assistant Privacy Commissioner noted that of approximately 8200 complaints that have been handled by the Privacy Commissioner’s Office, only three or four have concerned complaints concerning charges imposed by private sector agencies.

[29]. Section 85(1).

[30]. Section 123 Human Rights Act applies by virtue of s 89 of the Privacy Act.

[31]. Section 124 Human Rights Act applies by virtue of s 89 Privacy Act.

[32]. Section 23 of the OI Act; s 22 of the LGOIM Act.

[33]. Section 29B of the OI Act and s 29A of the LGOIM Act.

[34]. Section 72 of the Privacy Act, s 17A of the Ombudsmen Act 1975.

[35]. Section 28 OIA; s 27 LGOIMA. The investigation procedure is governed by the Ombudsmen Act: s 29 OI Act; s 28 LGOIMA.

[36]. Section 30 OI Act; s 30 LGOIMA.

[37]. Section 32 OI Act; s 32 LGOIMA.

[38]. Section 32B OI Act; s 34 LGOIMA.

[39]. Section 34 OI Act; s 37 LGOIMA.

[40]. Section 32C OI Act; s 35 LGOIMA.

[41]. Section 24 OI Act; s 23 LGOIMA. Prior to the enactment of the Privacy Act, these provisions also covered natural persons. The Privacy Act, however, took jurisdiction over access and correction rights in respect of personal information about natural persons.

[42]. Section 23 OI Act; s 22 LGOIMA.

[43]. Sections 35(1)-(2) OI Act; ss 38(1)-(3) LGOIMA.

[44]. Section 35(4) OI Act.

[45]. Section 38(5) LGOIMA.

[46]. Section 39 LGOIMA.

[47]. The relevant local government authorities are listed in the First Schedule to the LGOIMA.

[48]. This point is discussed below in the section on damages for breaches of Principle 6 access rights.