
Q&A with the Privacy Commissioner

Michael Webster*

In November, the Employment Law & Privacy Committee chair, Rachel Burt, and Committee member Juliet Philpott coordinated and hosted a successful webinar for the Bar Association with the Privacy Commissioner, Michael Webster, and his General Counsel, Joanna Hayward. There was so much to cover on the topic that the one-hour webinar could not address all the questions raised, so we are pleased to bring you this follow-up article.

Almost two years in, are you able to comment on how the OPC is using the new tools in the Privacy Act (access directions, compliance notices, breach reporting) and how these are affecting general privacy compliance and agencies’ willingness to comply with their Privacy Act obligations?

The Office’s Compliance and Regulatory Action Framework is the guide we use to prioritise our compliance actions.

We are seeing positive responses to compliance actions such as requests for information, explanation or assurance; letters of concern or investigation; and draft compliance notices. We also see agencies engaging independent experts to carry out investigations and working through implementation of their recommendations.

We are now able to look routinely into systemic issues; however, we are finding that levels of privacy compliance are lower than should be reasonably expected for 30-year-old legislation. This will likely result in future regulatory action.

What themes are you noticing in privacy complaints that the Office is dealing with?

Access complaints continue to be the largest type of privacy complaint, and we are starting to see more complaints following cyber-security incidents that have led to financial losses.

To what extent does the OPC perceive that agencies focus on their “external” (public-facing) privacy obligations to the detriment of their internal obligations (for instance to employees or contractors)?

We sometimes observe employers overlooking their Privacy Act obligations in routine day-to-day work, for example over-collecting or sharing personal information within the workplace.

Employers should build privacy into their policies and procedures and be comfortable advising and explaining what personal information is being shared with whom, for what purpose, and on what basis.

The Ministry of Justice has recently closed engagement on changes it is proposing to the Privacy Act to broaden the requirements for an individual to be notified when an agency collects their personal information from a third party. Are you able to give us a sense of your views or the views of your office on these proposed changes?

The proposal is to strengthen transparency by extending the notification obligation, so it applies to the collection of personal information, regardless of its source.

The Office made a submission to indicate support for the proposed amendment, noting that it is important to consider transparency in the context of online and digital privacy given the information and power asymmetries in the online environment.

Are you able to comment on how IPP12 is operating and whether it is achieving its purpose?

IPP12 addresses the risk that personal information being disclosed offshore may not be subject to data protection safeguards.

New Zealand agencies have various means to comply, and we have not seen particular issues since we provided FAQs about the model clauses option, even though not all the compliance options are operational as yet.

We have had positive feedback about the model clauses from other jurisdictions, to inform their own standard clauses.

Withholding personal information on the basis that it was not “readily retrievable” was previously an exception listed under the old Act. Now, it is not listed as an exception in ss 49-53 of the Act, but is listed as a possible response that is given when responding to an IPP 6 request (s44). What’s the practical impact of removing this as an exception? Commentary still seems to discuss it as an “exception.”

This appears to be a drafting rationalisation. Because a response on this basis can be reviewed on complaint under section 69(3)(c) as a decision under Part 4 of the Act, this type of response can still be treated in the same way as when it was framed as an exception.

When an individual makes a complaint to the Privacy Commissioner regarding an interference with privacy, the Commissioner can decide not to investigate the matter by response email. There does not appear to be any recourse for an individual to have this decision reviewed under the Act. How does this sit with access to justice? Commentary suggests that an HRC complaint can only be made once a) the Commissioner has investigated the matter, or b) when the matter has been referred to mediation without investigation, but the matter did not resolve. It suggests there is a gap when the Commissioner decides not to take either of these steps.

There are review mechanisms to ensure the Privacy Commissioner’s gatekeeper role is being exercised in accordance with the statutory scheme under the Privacy Act. There is a right to complain to the Ombudsman if the Privacy Commissioner decides not to investigate a complaint. The Privacy Commissioner is listed in Part 2 of Schedule 1 to the Ombudsman Act. There is also the potential for judicial review in the courts: see Mitchell v Privacy Commissioner [2017] NZHC 569.

Is there any recent privacy case law you want to highlight for our members?

In the webinar, we talked about two important decisions in relation to privacy breaches and the vulnerability of compromised data, in the context of last year’s Waikato District Health Board cyber-attack. See Waikato District Health Board v Radio NZ and unknown defendants [2021] NZHC 2002 (injunction decision to protect the stolen dataset) and Seven Complainants and Radio New Zealand BSA 2021-090, 14 September 2022 (the BSA upholding aspects of the complaints made by the Privacy Commissioner and others about RNZ’s broadcast under the privacy and fairness standards).

These developments illustrate the increasing need to actively consider court orders to protect compromised data and prevent further harm to individuals, with the injunction decision providing guidance about the relevant public interest assessment.

From the Human Rights Review Tribunal, the most substantive decision of 2022 has been the Netsafe decision – Director of Human Rights Proceedings v Netsafe [2022] NZHRRT 15.

The Tribunal found Netsafe interfered with the privacy of three women when it refused to provide them with personal information held as a result of a complaint made under the Harmful Digital Communications Act 2015 (HDCA). The complaint to Netsafe was made by a person known as Mr Z about certain digital communications made by one of the women. Following Netsafe’s processing of the complaint, Mr Z obtained interim District Court orders that were served on the women constraining any posting of information about Mr Z.

Two of the women explained they had each previously been in a relationship with Mr Z, had been subjected to online and other harassment, and had been granted protection orders against Mr Z in the Family Court. The third woman had supported the others through the civil court processes in relation to the protection orders, and then in criminal proceedings arising from Mr Z’s breaches of those orders (Mr Z was convicted). The women believed Mr Z’s use of the HDCA processes was another form of harassment by Mr Z. They were concerned Mr Z was continuing to access their private communications in continuation of the cyber stalking activity that resulted in the previous protection orders against him.

The Privacy Act became relevant as the women each requested their personal information from Netsafe in April 2017, which Netsafe refused. Netsafe released some information in January 2018, but argued its withholding of the remaining information was justified under section 27(1)(a) (avoid prejudice to the maintenance of the law), and section 29(1)(a) (unwarranted disclosure of the affairs of another) of the Privacy Act 1993.

The Tribunal disagreed, finding the refusal to release the information was based on an overriding, but misguided, concern that releasing the information to the women would undermine the confidentiality of Netsafe’s processes, and impact its ability to carry out its functions.

Among other things, the Tribunal confirmed the Privacy Act requires agencies to undertake a case-by-case assessment of the individual circumstances and found Netsafe failed to take into account a number of relevant factors.

The Tribunal did not accept there was a real and substantial risk to the maintenance of law if the requested information was released to the women or releasing the information to the women would involve the unwarranted disclosure of the complainant’s affairs.

The Tribunal made the formal declaration Netsafe had interfered with the privacy of the three women and ordered Netsafe to provide the women with access to their respective personal information within 20 working days. The Tribunal ordered Netsafe to pay $5,000 each to two of the women for loss of benefits, and $30,000 to each of the three women for humiliation and injury to feelings.

The key reminders from this decision are the need to make a specific assessment of the access request, and the need to sift the relevant considerations from the irrelevant ones.

As we near the end of the year, what are the current areas of focus for the Office? What challenges do you see on the horizon? Are you predicting any themes for 2023?

We had a very good response to our consultation about possible regulation of biometrics. This will help us with decisions about the future regulatory approach to this type of sensitive personal information.

We are scoping up other important areas of work across the office, including supporting agencies to make privacy a real priority through the design of privacy risk management systems, and to address pressing issues such as children’s privacy.

Other big challenges will come through the intersection of privacy and other important contexts. That includes the work to build our understanding of the intersection between privacy and tikanga Māori. The opportunity to appear as intervener in the 2021 Te Pou Matakana judicial review of access to Māori vaccination data was a good example where issues of access to personal data in a public health emergency intersected with te Tiriti, tikanga and iwi data sovereignty.

Personal information is also increasingly being monetized as people access the benefits of free online applications without understanding that their information is being collected and on-sold.

Technology is continuing to bring privacy challenges as government and businesses are increasingly driven by data collection, analytics, and reuse of data.

* Michael Webster took up the role of Privacy Commissioner on 5 July 2022. Prior to Michael’s appointment, he worked in the Cabinet Office, Department of the Prime Minister and Cabinet for 14 years and held the position of Secretary of the Cabinet and Clerk of the Executive Council from March 2014.

* Joanna Hayward joined the Office in July 2014, and assumed the role of General Counsel in August 2019. She was previously an advisor to the New Zealand Law Commission and is an experienced lawyer with particular expertise in privacy and law reform. As General Counsel, she is responsible for providing legal assurance and compliance advice to the Commissioner, and legal representation on behalf of the Commissioner.

Members of the Bar Association can access the free recorded webinar with Michael Webster, and Joanna Hayward, along with other recorded webinars, in the "On Demand" section of the Bar Association website. https://www.nzbar.org.nz/resources/qa-privacycommissioner-michael-webster-cpd-10-hr
