Author: MIL-OSI Publisher

Source:

Cameron Slater, a well-known blogger, published a number of posts about business consultant Matthew Blomfield on the Whale Oil site. The posts were released between May–October 2012. There were additional publications containing personal information about Mr Blomfield on other blog sites.

The posts accused Mr Blomfield of dishonesty, theft, bribery, deceit, perjury and asserted, amongst other things, that Mr Blomfield was a psychopath, loved extortion and was a pathological liar.

The source of the information for the posts came from a hard drive that Mr Blomfield had used over a ten-year period to back up his business emails and documents. How the hard drive came into Mr Slater’s possession was not confirmed, although Mr Slater denied taking it unlawfully.

What was disclosed

Mr Blomfield claimed that at least 46 documents of his, containing personal information, were published by Mr Slater in 2012. These included business emails, correspondence with his lawyers; bank statements; photographs of Mr Blomfield, and a police adult diversion scheme form for Mr Blomfield.

The Director of Human Rights Proceedings (“the Director”) alleged that Mr Slater’s actions in disclosing personal information about Mr Blomfield had breached privacy principle 11 and had caused significant emotional harm.

Mr Slater’s defence was that in publishing this material in the blog posts, he was acting as a news medium, and was therefore exempt from the Privacy Act altogether. The news media exemption in the Privacy Act (section 2(1)(b)) provides that the news activities of any news medium are excluded from the Act’s coverage.

What counts as “news activity”

The Tribunal looked at a number of Whale Oil blog posts about Mr Blomfield and considered whether those posts could be considered to be a news activity. The Tribunal noted in its decision that the media exemption was not all-encompassing or open-ended [para 62.5].

Further, the Tribunal said it was “… not the purpose of the news medium exemption to shield a news medium from the Privacy Act where the agency fails to meet the standards of responsible news activity, including impartiality, accuracy and balance” [para 62.8].

In considering what constituted “news” the Tribunal noted “…the personal information must itself qualify as news, observations on news or current affairs before the news medium exemption applies” [para 78]. This test takes into account the fact that the Privacy Act’s primary purpose is to protect information about individuals.

There was a countervailing responsibility upon news media to act ethically and in a manner that was consistent with the public interest in fair and accurate reportage of news or current affairs [para 80].

Of the 40 or so documents published by Mr Slater, there were 12 posts in which Mr Blomfield’s personal information was accompanied by observations on news or current affairs. The Tribunal considered the application of the news media exemption in relation to only those 12 posts [para 95].

The Tribunal found that, with one exception, none of the blogs comprised news activity as defined in the Privacy Act [para 135].

Harm

Mr Blomfield submitted on the significant harm he had suffered as a result of the publication of the blog posts, including feelings of paranoia; difficulty sleeping; anxiety; concerns about personal and family safety; and a loss of confidence [para 141].

The Tribunal found that, on the balance of probabilities, Mr Blomfield had experienced significant humiliation, loss of dignity and injury to his feelings, and that Mr Slater’s actions were a material cause of the harm [para 142-3].

Remedies

The Tribunal awarded Mr Blomfield $70,000 for severe humiliation, severe loss of dignity and severe injury to feelings [para 173].

The Tribunal also made an order restraining Mr Slater from continuing or repeating the interferences with Mr Blomfield’s privacy, and an order that Mr Slater ‘erase, destroy, take down and disable’ any personal information about Mr Blomfield on the Whale Oil website or other websites within Mr Slater’s control [para 162].

A declaration was issued by the Tribunal that Mr Slater had interfered with Mr Blomfield’s privacy.

Image credit: Office of Human Rights Proceedings

Human Rights Review Tribunal, media

Back

Source:

Following the tragic events of Christchurch in March 2019, gun reform is a legislative priority. The Government recently introduced the Arms Legislation Bill to impose tighter controls on the use and possession of firearms.

Many doctors, particularly in rural areas where firearms are more common, may have found themselves in a situation where they have concerns about a patient’s access to a gun. The new Bill will provide some support to health practitioners who hold concerns about individual or public safety. It may also mean that health practitioners are asked for information by Police more often when Police are considering firearms licence applications.

Changes to the application process

The Bill will change the process for applying for a firearms licence. Under the process as proposed, applicants would be required to provide the name and contact details of their health practitioner. Police could then use this information to notify the relevant medical practitioner of the fact the individual holds a licence.

The Bill also clarifies what Police can consider as part of a “fit and proper person” test for a firearms licence. The Bill says Police can consider:

• the applicant having exhibited significant mental health issues, including attempted suicide or other self-harm;
• the applicant abusing alcohol, or having a dependence on alcohol, to an extent that detrimentally affects their judgment or behaviour;
• the applicant using legal or illegal drugs in a way that detrimentally affects their judgment or behaviour.

Health practitioners may find that they receive more frequent requests from Police, either to query an applicant’s mental or physical health, or to advise that a firearms licence has been granted. This will mean health practitioners will be more aware of their patients’ access to firearms.

Concerns about an individual who may be unfit to use a firearm

The new Bill will allow for health practitioners to disclose to Police information about an individual’s mental or physical health where the health practitioner is concerned that an individual is unfit to possess and use a firearm.

The new section 91 states that a health practitioner must consider notifying Police if they have reason to believe that their patient is a firearms licence holder and they consider that in the interests of public safety, that person should not be permitted to possess or use a firearm due to their mental or physical condition.

If a doctor decides to notify Police, they will need to tell Police:

• their opinion and the grounds on which they have come to that conclusion;
• whether the doctor believes the licence holder poses an immediate or imminent danger of self-harm or harm to others.

Police may then temporarily suspend the licence. Police may also require a firearms licence holder to undergo a further medical assessment in considering whether to revoke the licence.

Health practitioners may already be aware of their ability to disclose personal health information to Police if they have concerns about safety. The Health Information Privacy Code 1994 allows health practitioners to disclose health information if they believe it is necessary to avoid a prejudice to the maintenance of the law or there is a serious risk to an individual’s or the public’s safety. The new section in the Arms Legislation Bill provides further support for health practitioners to disclose information where they have serious concerns.

The new section does not impose any obligation on health practitioners to disclose patient information to Police. Health practitioners who disclose information in accordance with new section 91 will be protected from criminal, civil or disciplinary proceedings as long as they act in good faith.

Supporting health practitioners and protecting individual privacy

The Office of the Privacy Commissioner has engaged with Police to ensure that the new firearms legislation appropriately accounts for individuals’ right to privacy, while also addressing the important public safety concerns. The legislation is not perfect – and the Commissioner will be making a submission to the Select Committee considering the Bill on improvements that can be made.

During the development of the Bill, Police originally proposed that health practitioners should have direct access to the registry containing information about all firearms owners. The Commissioner raised concerns about this proposal because of the number of individuals who would have access to the registry, the potential for data breaches and the safety concerns. The Commissioner also noted concerns that the health sector had not been consulted in the development of the proposal. He was also concerned about the effect on the willingness of unwell people, particularly in rural communities, to seek support.

As a result of our feedback, the proposal was changed so that health practitioners would not have direct access to the registry.

If health practitioners have concerns about patient or public safety because of someone’s access to a firearm, they should feel confident and supported in their ability to share this information with appropriate agencies which can act before something goes wrong.

The Arms Legislation Bill is currently before Parliament’s Finance and Expenditure Committee. Submissions on the Bill closed on 23 October 2019. You can read the full content of the Bill here.

This article was first published in the November issue of NZ Doctor.

Image credit: Five bullets via Wikimedia Creative Commons.

Health Information Privacy Code, law enforcement

Back

Source:

Reviewed for relevance April 2025.

A fortnight ago, Europe’s top court, the European Court of Justice (ECJ) ruled that Google will not be required to apply the ‘right to be forgotten’ globally. This means that search results suppressed within Europe at the request of the individual, will still be available to searches outside Europe. Sometimes referred to as the “right to erasure”, the rule gives EU citizens the power to demand data, including search links, about them be deleted.

In 2015, French national privacy regulator – CNIL – ordered Google to remove search listings linking to pages that contained false or defamatory information about individuals.

Google implemented a geo-blocking feature that would prevent people searching from within the EU from being able to access search results that had been delisted. They did not impose the same restrictions on searches outside the EU. CNIL tried to fine Google 100,000 Euros for failing to delist the search results from Google sites worldwide. Google appealed against the fine to the European Court of Justice.

Google argued they wished to ensure the right to be forgotten was enforced in the EU while also balancing individuals’ rights to access information. The Court ruled that EU law did not require search engine operators to “carry out such a de-referencing on all the versions of its search engine.” In other words, Google would only be required to delist results from Google sites based within the EU.

History of right to be forgotten

Although it had been discussed and ruled upon in European jurisdictions to varying degrees throughout the early 2000s, the right to be forgotten from search engine results in EU law derives from the case in which Spanish man, Mario Costeja González, took Google to court in Spain in 2014. Mr González was concerned that a Google search of his name brought up a 1998 Spanish newspaper article detailing how he had been forced to sell his property to repay social security debts. In the European Court of Justice, Mr González contended that this record was no longer relevant to his life as he had paid his debts to society. He argued that having the record so readily accessible to someone who searched his name on Google put a stain on his reputation. 

The European Court of Justice declared that Google must remove the man’s data from their indexes.  The newspaper that originally published the article was allowed to keep the story of the forced sale on their site as it had been lawfully published.

In the five years since the 2014 ECJ ruling, Google has removed more than 800,000 URLs after receiving a request for erasure. It has retained more than a million others in its index.

In 2014, Privacy Commissioner John Edwards wrote this blog on the right to be forgotten. In the blog, the Commissioner wrote that that term “right to be forgotten” is inaccurate, imprecise and impossible.” It could mean removal of content from a public source, leaving a social network and taking your data with you but it could not mean an “enforced right to be forgotten.”

When the General Data Privacy Regulation (GDPR) was passed into law in the European Union in May 2018, Article 17 outlined circumstances in which someone can exercise the right to have their data erased.

The GDPR rule  

The GDPR provision sets out that data must be erased immediately in the following circumstances:

1. Where it is no longer required for processing purposes
2. The subject of the data has withdrawn their consent or objected and there is no other legal ground for processing
3. Erasure is required to fulfil a statutory obligation under the EU law or right of Member States

The goal of the provision is not internet censorship but rather, that it should be difficult for someone to discern personal data without substantial effort.

What does this mean for New Zealand?

Neither New Zealand’s current Privacy Act 1993 nor the Privacy Bill currently before Parliament contain an equivalent to the EU’s right to be forgotten. The Commissioner recommended the Bill offer the right to erasure, allowing people to require a company to delete all of their personal data and halt third-party processing of that data.

Our Office will continue to monitor judgments relating to the right to be forgotten with interest.

Google, IPP9 – retention, erasure, right to be forgotten

Back

Source:

Investigating complaints is an important function of our office and a considerable part of our workload. When we receive a complaint, we make an initial assessment about what steps we will take next. In some circumstances, we will investigate. In other instances, our office may decline to investigate.

There are also occasions when we cannot investigate, but we may decide that the complainant has raised legitimate concerns that should be brought to the attention of a respondent agency.

For instance, we may not have enough evidence of a breach of the Privacy Act or of a code of practice, but we have concerns about the conduct or practices of an agency. At this stage, we may offer a complainant the option of our Office contacting the agency with a compliance advice letter.

Compliance advice letter 

What our compliance advice letter contains will depend on the circumstances of the complaint. We may take the opportunity to:  

• relay a complainant’s concerns directly to an agency
• remind an agency of its obligations under the Privacy Act and codes
• identify what conduct and practices of the agency we think conflict with its obligations
• express any general concerns we have
• make recommendations to an agency – such as a change to a policy, or an action it may wish to take with the complainant, such as offering an apology or an assurance
• suggest the agency undertake our online privacy training to better understand its obligations.

How does it work?

But is a compliance advice letter from our office just a ‘slap on the wrist with a wet bus ticket’? Consider this:

• it gives the agency the opportunity to take proactive action and to rectify any practices which are not in line with the Act, codes, or guidelines
• it is a prompt outcome which is much faster than most other resolution options at our disposal.
• it tells an agency that it is ‘on our radar’. If we receive similar complaints about the same agency in future, we will weigh this factor up when deciding whether we need to take further action
• it is not a punishment or penalty. Our focus is on educating an agency and improving privacy practices.

Am I in trouble?

A compliance advice letter does not mean your agency is in trouble. It means:

• we are aware we have only heard one side of the story
• we are not making a finding about the factual correctness of the complaint or about if there has been a breach of your obligations
• unless we have said that we will, it’s unlikely we will be taking any further action.

While a compliance advice letter is not a full investigation, an agency that receives one should take our correspondence seriously because we keep a record of the complaint and our letters for future reference. If we were to use a traffic analogy, consider it a warning for speeding, and not an actual speeding ticket.

Image credit: Free letter via Clipart.

complaints

Back

Source:

One of the most pervasive and persistent problems of privacy and data protection in the digital age is how to move the burden from consumers to read terms and conditions for services they are using, to the service providers to ensure they are clearly explaining the choices that consumers have, and the consequences for them.

We all know the problem, and it has been presented in a number of very striking ways.  We’ve seen researchers print out and measure the length of the privacy policies and terms and conditions of popular services.  Others have calculated the time it would take to read them all, if you started from 1 January.

Our Chief Justice believes that privacy consents will prove to be a significant issue. In her lecture commemorating the first New Zealand Privacy Commissioner, Sir Bruce Slane, she said:

There is good reason for proceeding with caution when weighing the significance to be given to consent when assessing whether the individual expected privacy or had waived it. These are standard contracts people must agree to if they are to access services, sometimes essential services. Most do not read the full content of any such contract. That is especially so with online service providers. Although the privacy policy must be agreed to before services can be accessed, acceptance is easy — simply click on the accept button.

Often the consequential authorised collection of data will occur in the course of a very low to no value transaction. Few would spend time reading a privacy policy before using a search engine or purchasing food to go. And yet by clicking accept, we are agreeing to all of the terms and conditions, if expressed in suitably plain English, contained in the privacy policy of the service provider. Even if we do read the privacy policy, it is doubtful we will have a full understanding of the implications of what we have agreed to. There is a very substantial asymmetry in technical understanding between the customer and most who operate business in an online world.

As with many problems that the digital age has created as a by-product of the convenience and access to services these products represent, the solutions need to be found in a range of different areas.

Yes, we need to change behaviours, both of consumers, and service providers, to make the former more curious, diligent, and perhaps willing to defer their digital gratification before “click(ing) to accept”. Industry needs to be both more transparent with consumers about the nature of the transaction that “click” involves, and more innovative in the ways in which it conveys that transparency.

Privacy by design will play a part. Ensuring that the most privacy protective options are obvious, and the default setting should become the industry norm. 

And regulation will play a part. I and my international colleagues need to grasp the nettle and ensure our consumer protective data protection and privacy laws do exactly that.

Labelling laws are a staple of consumer protection. There is a reason there are easy to understand graphics, prominently displayed on hairdryers warning of the dangers of exposure of the device to water. Would our product safety regulator colleagues allow those warnings to be buried on page 23 of a 26 page “consumer information notice”? I think not.

Here’s the approach I’m taking to our law. It is important to set this out now to ensure agencies know their obligations. When the Privacy Bill comes into effect in 2020 it has clear and explicit application to all agencies doing business in New Zealand, whether they have a physical base here or not.

The digital giants are addressing this issue in other parts of the world, it is important that I give clear notice of the law they are expected to comply with here, and how I apply it.

Consent

Unlike other parts of the world, New Zealand’s law does not depend on consent as the primary authority for collecting, using and disclosing personal information. Consent certainly has a role, but the main driver is the legitimate business purpose of the holder of the information. Here’s what this means in practice for complicated privacy policies, terms and conditions, and “click to consent”.

Information privacy principles 10 and 11 say that an agency that collected personal information for one purpose, should not use or disclose that personal information for any other purpose unless an exception to that overarching principle applies.

The exceptions require an agency to have a justifiable basis for relying on them. They need to have a belief on reasonable grounds that one of a set of conditions exist. For example, a novel use or disclosure of personal information will not be a breach of the principle where the agency concerned “believes on reasonable grounds that the use/disclosure”:

• Is authorised by the individual concerned

This threshold belief is tested when we investigate complaints, and we examine the grounds on which an agency holds a particular belief. In the case of a “clicked consent” defence, we will enquire as to the basis on which the online agency believes that click actually conveys an authority to undertake the action complained of. What research have they done to establish the number of people who actually read the terms they are purportedly consenting to? How many times do their customers click the link to the terms and conditions or privacy policy before clicking the consent box? How long do those who do click spend on the privacy policy page long enough to actually read it?

We’ve already declined to accept an imputed authority for a disclosure, based on the continued use of services on the basis of broad and unexpected terms and conditions.

Purpose

Under New Zealand law, it’s the concept of purpose that plays a central role in authorising the collection, use and disclosure of personal information. The fact that your customer’s “consent” might not pass muster as an authority to use the information you’ve collected doesn’t necessarily mean you’re stuck. You need to look closely at the principles that prohibit novel uses or disclosures:

IPP 10

An agency that holds personal information that was obtained in connection with one purpose shall not use the information for any other purpose …

IPP 11

An agency that holds personal information shall not disclose the information to a person or body or agency unless the agency believes, on reasonable grounds –

that the disclosure of the information is one of the purposes in connection with which the information was obtained or is directly related to the purposes in connection with which the information was obtained.

Consent or no, if you always meant to do what you are proposing to do with the personal information, and you’re clear about that, then that’s your purpose, so you don’t need any individual authorisation.

So, you can do what you want, right? Not quite.

In order for consumers to make informed decisions about who gets to see and use their personal information, agencies must, by information privacy principle 3 to take “such steps (if any) as are, in the circumstances, reasonable to ensure that the individual concerned is aware of” a number of matters, including “the purpose for which the information is being collected, and the intended recipients of the information”.

If you are telling customers in the “click to consent” box that their information will be used to “enhance the services we can provide you”, and page 35 of the legalese-dense privacy policy says that all your transaction information will be available to US data brokers, I may well conclude that you have not discharged your obligation under information privacy principle 3 (and potentially IPP 4 for unfairness, in particular for children and other vulnerable consumers), and that you are therefore in breach of the Privacy Act.

So what, you say?

While it is true that neither the current law nor the Privacy Bill allows the Commissioner to issue the massive fines available to my colleagues under the GDPR or at the US Federal Trade Commission, you will be liable for damages for any harm caused by the deception or obfuscation of your purposes. 

In addition, when the Privacy Bill comes into force next year, I’ll have the ability to issue compliance notices to business to improve the digital environment for consumers, whether you are based here, or just doing business here.

It’s 2019, and time to raise your game.

Image credit: Free image by SugarandSkullDesigns via Pixabay

International

Back

Source:

In 2019, privacy policies are omnipresent. We’ve all seen them, we’ve all scrolled quickly to the bottom of the page, and we’ve all clicked “I accept,” granting us access to the wonders of the internet. But when you are presented with a privacy policy on a website, how often do you actually read it?

If your answer to the above question is somewhere in the realm of never, you are not alone. In fact, according to consumer advocates across the ditch, 94% of Australians do not read all the privacy policies that apply to them. As much as we might like to think we’re better readers than Australians, the figures in New Zealand are probably very similar.

The reality is most privacy policies are far too long and complex for any regular internet user to read and understand. As far back as 2008, researchers estimated it would take the average person 244 hours to read the privacy policies on all the websites they visit each year.

More recently, The Atlantic estimated it would take 76 work days to read the privacy policies of every website you visit in a year. That means you would have to read full-time from the first of January through to mid-April before you knew all the ways your information could be used by online companies. 

By 2014, the privacy policies of the 50 most popular American websites had collectively ballooned to 145,000 words, about as long as The Grapes of Wrath. When plotted on a graph alongside other works of classic literature, the privacy policies of many popular websites are considered more difficult to read than Charles Dickens’ Great Expectations, Stephen Hawking’s A Brief History of Time, and Immanuel Kant’s infamously dense Critique of Pure Reason.

For a visual representation of the problem, Dima Yarovinsky’s art project I agree makes it very clear. Yarovinsky printed out the terms of service for seven major tech companies to highlight their length and complexity. Instagram, Snapchat, and Facebook’s terms of service are so long they sprawl off the gallery walls onto the floor.

Despite their ubiquity, long and intricate privacy policies are inaccessible to the average internet user. Most people don’t read them, and many people wouldn’t understand them if they did. The internet is an increasingly complex place, particularly when it comes to individual privacy. As the online world continues to envelop every aspect of our lives, calls for privacy policies that people can realistically read and understand will only get stronger.

Back

Source:

The parents of a profoundly disabled boy took a case to the Human Rights Review Tribunal [2020 HRRT 13] on their son’s behalf in relation to the provision and accuracy of his health information while he was in the custody of IDEA Services.

IDEA Services is New Zealand’s largest provider of services to people with intellectual disabilities and their families. Eamon Marshall was first placed in the custody of IDEA Services when he was 18 months old and was cared for by foster families (under the supervision of IDEA Services) for 11 years.

The proceedings centred on two claims: a breach of rule 6 and rule 8 of the Health Information Privacy Code 1994.

The Marshalls sought $300,000 in damages and a declaration that IDEA Services had interfered with their son’s privacy, causing him to suffer a loss of dignity.

Eamon’s father Glenn Marshall represented his son before the Tribunal.

Facts of the case

In 2015, Eamon’s parents became concerned for their son’s welfare after they suspected he was not receiving the medication he needed in foster care. After the Marshalls complained, IDEA Services conducted an internal investigation into Eamon’s care arrangements and provided a report in December 2015. No summary of the investigation was sent to the parents.

In January 2016, the Marshalls requested the findings of the IDEA Services investigation. On 15 May 2016, the Marshalls made the first of several requests for information under the Health Information Privacy Code 1994.

The Marshalls received a summary of the investigation report. Sometime later, a four-page internal report was released to them stating they had been interviewed during the internal investigation. This had not occurred. When comparing the full report to the summary they had received, the Marshalls formed the view that IDEA Services had been involved in a “cover up”. They made a series of subsequent requests for information from IDEA Services.

Complaint to Privacy Commissioner

The Marshalls believed the response from IDEA Services had been inadequate and in June 2016, they lodged a complaint with the Privacy Commissioner. The Commissioner undertook an investigation and found that IDEA Services had withheld personal information about Eamon that should have been provided. This amounted to an interference with Eamon’s privacy.

There was significant correspondence between the Marshalls and IDEA Services about the information that the Privacy Commissioner had reviewed.

Rule 6 – Access to personal health information

Where health agencies hold health information that is readily retrievable, the individual concerned is entitled to know whether the agency holds the information and to have access to that information. Agencies must decide whether the request is to be granted and must communicate that decision to the requester within 20 working days of receipt of the request (Privacy Act, s 40(1)).

The Tribunal considered the timeline of requests for health information from the Marshalls and the responses from IDEA Services.

Section 22F(1) of the Health Act 1956, together with Rule 11(4) of the HIPC entitles a child’s representative (their parent or guardian) to request access to the child’s health information. Any such request is treated as an access request under Rule 6.

The Tribunal considered the extensive chronology of correspondence between IDEA Services and the Marshalls.

In their correspondence with the Marshalls in June 2016, IDEA Services said that some of the omissions from the files they had provided were inadvertent and not deliberate. They also raised the point that as their organisation’s record keeping was predominantly hard copy based, Eamon’s file was in hardcopy and not all information, such as email correspondence, was “readily retrievable”.

The Tribunal commented that “the matter for consideration is not whether the emails that were not printed and placed on the hard files, were retrievable, but whether they were readily retrievable” [para 85]. The cost and time and manner in which the information was stored were relevant factors. The Tribunal accepted that some of the documents were not readily retrievable, noting that “documents only discovered after a thorough forensic search cannot be said to be readily retrievable” [para 87].

Determination on Rule 6

The Tribunal concluded [para 78], in agreement with the findings of the Privacy Commissioner, that IDEA Services had interfered with the privacy of Eamon Marshall by failing to supply certain personal information without undue delay. Specifically, this was:

• an audit undertaken by its health advisor
• a file note dated 18 April 2016
• file notes made between 10 – 18 December 2015.

Rule 8 – Accuracy of information

Under rule 8 of the Health Code, a health agency must take reasonable steps to check that information is accurate, complete, relevant, up to date and not misleading before it uses or discloses health information. The Tribunal noted that rule 8 “focuses on the reasonableness of the steps taken to check information, having regard to how that information is to be used” [para 107].

Failure to interview

The Marshalls alleged that during the compiling of their internal investigation report, IDEA Services failed to interview or speak to them and that this amounted to a breach of rule 8 [para 111].

IDEA Services accepted that in conducting its investigation it did not interview or speak to the Marshalls. IDEA Services said however the investigator was in regular daily contact with Mr and Mrs Marshall and it was reasonable to assume the she was well acquainted with the Marshall’s concerns. The Tribunal said Mr Marshall had not shown why interviewing him or his wife was a reasonable step to ensure the information in the investigation report was accurate, complete and not misleading [para 112].

Determination on Rule 8

The Tribunal found the plaintiff had not proved a failure to interview Eamon’s parents gave rise to a breach of Rule 8, stating that Mr Marshall had failed to establish why any matters listed in his statement of claim gave rise to a breach of Rule 8. The Tribunal found the evidence on this point to be lacking. The claim of a breach of Rule 8 was therefore unsuccessful.

Apology given

The Tribunal gave significant weight to the apologies the Marshalls received [para 127]. IDEA Services said it had stressed to the Marshalls that they did not intend to withhold any information. They repeatedly apologised to the Marshalls regarding the handling of their request. The CEO also wrote a personal letter to the Marshalls on two occasions in which he offered to meet with them and to engage with an independent mediator.

Damages application dismissed

Although there had been an interference with Eamon’s privacy, the Tribunal noted: “Eamon’s dignity has not been diminished at all by the failure to provide information in a timelier fashion. No evidence has been shown establishing that Eamon suffered any loss of dignity by the delay in providing the documents…” [para 142].

The Tribunal went on to say they saw “no justification for Eamon’s rights to be further vindicated by any additional award of damages” [para 143]. The bid for $300,000 in damages was therefore dismissed.

Costs

Costs were reserved.

Back