Author: MIL-OSI Publisher

Source:

A complainant seeking $100,000 in damages for Westpac’s disclosure of a debit card statement to his employer has had his case dismissed by the Human Rights Review Tribunal.

The complainant was a chartered accountant employed by an accounting firm. He explained that a debit card issued by the firm was registered in his name and the statements were sent to his home address. He said the statements recorded personal transactions as well as work-related transactions and that the information should not have been disclosed to his employer.

The accountant said Westpac had breached principles 5 and 11 of the Privacy Act. Principle 5 says an agency shall take the necessary safeguards to protect personal information against loss and access, use, modification, or disclosure. Principle 11 says an agency shall not disclose personal information unless the agency believes the disclosure is for one of the purposes in connection with which the information was obtained.

Debit card dispute

In its decision, the Tribunal said the outcome of the case depended on whether the debit card was in effect the accountant’s personal card or whether it was for the purposes of his employment at the accounting firm.

Under the accounting firm’s instructions, Westpac issued debit cards to four of its team leaders, including the complainant. The firm said the cards were intended to be used from time to time to pay for work-related expenses such as coffees for team members. At the time the cards were issued, the firm credited $820 to each card.

The complainant said the card he was issued was not linked to his employer and the firm was not provided with, or did not seek any authority to obtain, information about it from Westpac.

But the accounting firm’s business manager said the requirement to account for expenses reconciliation purposes had been verbally communicated to the four team leaders, including the complainant, on a number of occasions. With the exception of the complainant, the other team leaders complied with the requirement and provided the firm with their expenditure information.

Cash advance

A month later, Westpac sent the complainant an account statement of the card’s transactions. This included details of a cash advance of $700 and a cash deposit for the same amount some days later.

The firm’s business manager who set up the four pre-paid debit cards with Westpac said she asked the bank to provide a copy of the complainant’s debit card statement for accounting reconciliation purposes and to ensure that the transactions recorded on it complied with the firm’s rules for the use of cash loaded onto the card.

She did this because, despite numerous requests, the complainant did not provide the information requested. The bank complied with the request.

The complainant then complained to Westpac that the disclosure of the debit card statement to the firm was a breach of the Privacy Act. In its initial response, Westpac said the release of the statement had happened in error. Westpac then contacted the firm and asked it to destroy or return the statement. The bank also apologised to the complainant.

After further consideration, the bank concluded the disclosure of the debit card statement to the complainant’s employer was justified because the card had been authorised by the employer. In other words, the accounting firm that employed the complainant had made it clear that it needed to maintain proper oversight of the transactions carried out using the debit card.

Sum for damages

The accountant took his complaint to the Tribunal. He nominated $100,000 as the sum for damages for emotional harm suffered and damage to his career and employment relationships, plus $4,000 for legal fees.

The Tribunal said in its decision the outcome of the case depended on whether the debit card was the complainant’s personal card, or whether it was for business purposes. The Tribunal overwhelming established it was for business purposes. It noted that in Westpac’s records, the transactions were recorded under the firm’s profile.

The Tribunal’s decision described the accountant as an opportunist. It noted what it called the “noticeably self-serving tone to (the complainant’s) evidence and his shutting of the eyes to the overwhelming evidence” that the card was provided to him for work purposes only.

The Tribunal members assessed the complainant as a person whose career aspirations at the firm had been thwarted by circumstances of his own making. The ‘error’ initially admitted by Westpac for sending a copy of the debit card statement to the employer had encouraged the complainant to seek a windfall financial gain.

It observed that it would be astonishing if a firm did not put in place conditions that required documentation to ensure oversight of spending and an audit trail to help with the calculation of expenses for tax purposes. The Tribunal found there had been no breach of an information privacy principle and dismissed the complainant’s case.

Image: “Prosperity” metal elephant coin bank, ca. 1900, USA (Creative Commons licence).

complaints, Human Rights Review Tribunal, IPP5 – storage & security, IPP11 – disclosure

Back

Source:

What happens when an agency’s record of your identity conflicts with who you actually are? This is the question we grappled with in an Immigration New Zealand (INZ) case that we recently referred to the Director of Human Rights Proceedings.

Update: INZ and the Director of Human Rights Proceedings have since settled this case on a confidential basis that will avoid the need to take the case to the Human Rights Review Tribunal. INZ has acknowledged it breached principle 7 of the Privacy Act (which deals with the requirement that agencies correct personal information upon request). Read the media release here.

Estimating a birth date

Here’s what happened: in 2011, a young Ethiopian man immigrated to New Zealand, sponsored by his aunt. He did not know how old he was, as his parents had died when he was very young and there was no record of his birth – birth registration is not compulsory in Ethiopia. In order to obtain a birth certificate to support his refugee application, his aunt consulted with locals and estimated his birthday to be in early 2000. Immigration NZ used this birth date on his refugee visa.

When he arrived, a paediatrician commented that he looked big for an 11 year old boy. These comments were echoed the next year by his teacher and another doctor, so he had a bone density scan and dental examination to double-check his birth date. Both indicated  he was at least 16 years old at the time and could be as old as 18.

Based on this information, the young man asked Immigration NZ to correct his birth date on two occasions: once in 2013 based on the medical and dental examinations, and once in 2014 after getting an amended birth certificate from Ethiopia with a 1996 birth date. On both occasions, the agency said no. 

What’s in a date?

When he made his privacy complaint late last year, the young man was physically, mentally and emotionally in late teens, but his visa said he was 14. The discrepancy between the young man’s actual age and the age on his visa prevented him: 

• Earning the adult minimum wage
• Accessing financial assistance from  Studylink and WINZ
• Getting a driver’s licence

These were entitlements that he should have received as a New Zealand resident. He was prevented from receiving them because Immigration NZ’s version of his identity did not match his actual identity.  

Correcting vs annotating

Immigration NZ offered to add a note, in line with principle 7 of the Privacy Act, indicating that he had requested a correction, but that the change had not been made. Immigration NZ declined to go as far as to correct his birth date because the medical records, dental records and amended birth certificate could not verify that the young man was born on a specific date. All that evidence did was show  that the date they were using was wrong.

We do not agree with this view. While the tests do not prove that the date on his new birth certificate is correct, they do prove that it is significantly more accurate than the date on his current visa. In a perfect world, the correct date would be available and verifiable, but in this imperfect situation, we believe that Immigration NZ should adopt the position supported by evidence rather than stick to a position based purely on supposition.

Case law gives us a steer  

Case law provides more guidance by saying that while agencies can choose to correct or annotate incorrect information, they need to consider the potential ramifications of their actions when deciding which path to take.  

As a hypothetical example, consider a medical file incorrectly indicating that someone is not allergic to penicillin. Failure to correct this information could result in the person’s death, so a note indicating that they had asked to correct the information would be insufficient.

This case is in a similar category to the penicillin example. The incorrect birth date caused significant harm on an ongoing basis by cutting off the young man’s access to services that he should have been entitled to. Correcting his birth date was the only way to stop this harm, so an annotation was not sufficient in this instance.   

Referring it on

We disagreed with Immigration NZ’s view that a note on the complainant’s file was sufficient and we referred the case to the Director of Human Rights Proceedings to consider bringing before the Human Rights Review Tribunal. We’ll keep you posted on the outcome.

A few more resources

For more information, you can look at:

The case note with more detail on the case and case law

The media release about the case

IPP7 – correction, IPP8 – accuracy, Human Rights Review Tribunal, customs & immigration

Back

Source:

Privacy authorities typically perform regulatory and enforcement functions on their own – or occasionally with another public body – within their domestic jurisdiction. They know the domestic law they enforce. The law will clearly lay out the authority’s role and provide a clear pathway to the intended outcomes.

By contrast, cross-border cases offer none of these certainties.

We were recently asked the question: “What international privacy enforcement cooperation initiatives are in operation and what practical tools are available to facilitate cooperation?”

There are several difficulties:

• It may not be clear what authorities might or should be involved.
• The applicable law may be uncertain or unknown to authorities contemplating involvement in a case.
• The roles may not be clear or may be contested.
• The possible outcomes may not be known and the pathway to any outcome may not be clear.

For the past 10 years, much effort has been expended at an international level to create conditions whereby the chances of successful cross-border cooperation amongst regulators are improved. Here are some of those efforts and examples of the practical tools that now exist.

Building the right environment

Before turning to precise enforcement cooperation tools, it may be helpful first to canvas cooperation more widely.

It is probably unrealistic to expect instant success in cross-border enforcement, if an authority remains entirely domestically focused until it encounters its first case with a cross-border element.

Where would such a domestically focused authority turn? How would they know who to approach for assistance in a foreign jurisdiction? What would they know of the other jurisdictions law and how would they find out? What would an authority in another jurisdiction think of a request for assistance arriving ‘out of the blue’ from an authority it had never heard of?

Three approaches to creating cooperation might briefly be mentioned:

1. Networking with peers.
2. Connecting with stakeholders.
3. Access to law.

1. Networking with peers

The likelihood of successful cooperation across borders may be enhanced if you know your counterpart before that first case arises.Privacy authorities have networked with their peers for four decades through the International Conference of Data Protection and Privacy Commissioners.

Privacy authorities also network at a regional level. In our region this happens through the Asia Pacific Privacy Authorities Forum. Our French and Spanish speaking counterparts also have networks of their fellow-linguistic colleagues. 

There are also two specialised enforcement cooperation networks set up in 2010:

• APEC has established the Cross-border Privacy Enforcement Arrangement (CPEA), with 25 participating authorities.
• Global Privacy Enforcement Network (GPEN) was set up with the assistance of OECD, and now has participating authorities from 46 countries.

More information on these networks is available at the ICDPPC website.  

2. Connecting with stakeholders

Regulators and privacy enforcement bodies should engage with stakeholders such as global business, privacy professionals and civil society to build an environment for successful cooperation. Efforts by groups such as IAPP and iappANZ to build compliance capacity are positive steps that create an environment for cooperation.

3. Access to law

While no regulator has the time or inclination to become an expert in every other economy’s law, there are clearly benefits in some general information sharing about laws and legal interpretations. There is also benefit in being able freely to access legal information in greater detail as needed. In the area of privacy law, many of the key interpretations are issued by regulators rather than in court decisions, and may not be available through mainstream law reports.

There have been various efforts to address these deficits in legal information. Three examples from our own region are:

• APEC has each economy describe its privacy laws in a structured standardised way called an Individual Action Plan or Data Privacy IAP.
• The APPA Forum has issued standards for privacy authorities on citation and dissemination of case reports.
• The World Legal Information Institute (maintained in Australia) operates a huge free access repository of case reports and laws known as the International Privacy Law Library.

Tools for cooperation

The following are a selection of the practical tools developed in the last 10 years to promote enforcement cooperation:

• Policy guidance for updating existing privacy laws
• Cooperation networks
• Templates for requesting cross-border assistance
• Directories of enforcement contact points
• Standard statements of enforcement cooperation practices
• Discussion networks
• Templates for information sharing agreements
• Secure information exchange platforms
• Published guides

Updating existing laws

The OECD Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy (2007) provides a blueprint for upgrading privacy laws more effectively to deal with cross-border cooperation.

Cooperation networks

The OECD Recommendation on Cross-border Cooperation suggested a need for cooperation networks of privacy authorities. Several networks have accordingly been established since 2007:

Templates for cross-border assistance

Both the OECD and APEC have released Request for Assistance templates for seeking assistance from authorities in other member economies.

Directories of enforcement contacts

The OECD, APEC and Council of Europe have each established processes for nominating and listing national or economy contact points. These three international organisations have cooperated in maintaining a combined directory which is maintained for access by authorities through the GPEN website.

Standard statements

APEC has established a requirement for authorities that participate in the CPEA to publish standard statements of enforcement cooperation practices. This is published both on the authority’s own website and centrally on APEC’s system.

Discussion networks

GPEN has a facility for general discussions amongst enforcement staff on its password-protected forum pages. It also hosts 20 discussion teleconferences each year. These are split into two regions – Pacific and Atlantic.

Information sharing agreements

GPEN has a standard information sharing agreements applicable to the GPEN Alerts System. ICDPPC’s Enforcement Cooperation Arrangement also features an optional template for an information sharing agreement.

Information exchange platforms

GPEN has established the secure GPEN Alerts System.

Published guides

The EU’s PHAEDRA Project produced several reports useful to enforcement cooperation. The ICDPPC has produced an enforcement cooperation handbook. In 2016, an Enforcing Privacy textbook was published.

Conclusion

In the past 10 years, and particularly since the publication of the OECD’s 2007 Recommendation, considerable progress has been made in creating conditions conducive to cross-border cooperation and to provide privacy authorities with the tools they need.

Cross-border cooperation remains difficult and the greatest progress will probably only been made when all privacy laws are upgraded, as recommended by the OECD, with cross-border action in mind.

Image credit: Wagah border ceremony – Wikipedia

Asia Pacific Privacy Authorities (APPA), Global Privacy Assembly (GPA), International Association of Privacy Professionals (IAPP), OECD, International, Europe, legal, Asia Pacific

Back

Source:

Reviewed for relevance April 2025.

As parents, we expect to be told everything about our infants when we take them to the doctor. The same with our toddlers. By the time they get to their teens, it gets a little more complicated. Should parents have the right to know about all about their under 16-year-old’s healthcare?

That issue was the subject of a recent petition to Parliament. It asked:

That the Parliament pass legislation providing that a parent of a woman under the age of 16 years has the right to know if that woman has a pregnancy confirmed before she is referred for any resulting medical procedure, and that any consent sought for the medical procedure be fully informed as to procedure, possible repercussions, and after-effects.

The Select Committee that considered that petition has just made its report. Read the report, ‘Petition 2014/11 of Hillary Kieft and six others‘. We were asked to make a contribution to the debate and we made a submission to the Select Committee. You can read our submission where we set out how the law currently works and how the Privacy Act applies.

Medical information is universally understood to be sensitive information. Reproductive health information is generally accepted as being particularly so.

The Privacy Act’s Health Information Privacy Code says a health agency is entitled to disclose information to a parent or representative if a patient is unable to consent. If a young person objects or specifically requests privacy, it is open to the health agency to make an assessment of the young person’s ability to make that request. A test called ‘Gillick competence’ is used by doctors to evaluate a patient’s competency in this regard.

If a young person, a minor, wants to keep her request for reproductive health advice or services secret from her parents, a health agency is not automatically required to tell her parents. Under the Privacy Act, anyone has the right to protect the privacy of their personal information.

Other laws also need to be considered. In general, doctors cannot treat any person without obtaining their informed consent. Anyone over the age of 16 can refuse or consent to medical treatment but legislation is silent on the consent of minors. Section 22F of the Health Act permits a parent or representative of a child to request information about that child. But section 22F also says a doctor must still consider whether it could be contrary to a minor’s interests to disclose the information.

Our submission to the Justice and Electoral Committee says if a girl, who has been found to be mentally competent, is able to give or refuse consent for a termination, she also has the right to keep their personal medical information private from her parents. Current privacy laws protect a minor’s right to privacy while also giving an appropriate level of discretion to doctors when faced with whether or not to disclose their personal information.

Such an approach is consistent with the United Nations Convention on the Rights of the Child which recognises that children and young people have legal and social rights when seeking consent to healthcare. 

children, health, Health Information Privacy Code

Back

Source:

Mrs Patel was outraged. She’d visited her GP for a follow-up check after her hand surgery, and he’d asked her about her history of depression. She didn’t think she’d had anything of the sort, and decided to ask the receptionist for a copy of all her medical notes to see what else was in there. The young receptionist assured her that the doctor owned the notes so she couldn’t have them. 

“But they are about me and I have never seen them!” Mrs Patel protested. 

The receptionist paused for a moment. “Well,” she said, “put your request in writing and your doctor might let you see some of the notes. Our administrative charge for dealing with your request is $50. Now, shall we make an appointment to see your doctor about this?” Mrs Patel looked at her writing hand, which was still feeling tender, and decided to call the Privacy Commissioner.

The above (fabricated) scenario is an example of the sort of enquiries I receive. Just in March this year we had 145 enquiries from individuals and agencies for guidance about access requests. Medical centres in particular are often keen to understand their obligations around access requests.

Access to personal information

Individuals have a fundamental right to ask for access to any health information held about them. This right also extends to a “representative”: a parent or guardian of a child under the age of 16 years, an executor or administrator of a deceased individual’s estate or the person who has an activated enduring power of attorney for the individual concerned or someone acting in the individual’s best interests. 

We encourage individuals to put their request in writing – this way there is a record of the request and the health agency knows exactly what information is required – but there is no prescribed way to make an access request. Many health agencies have their own forms to make sure all the necessary details are collected. However, since Mrs Patel has an injured hand, she could make a verbal access request and the health agency should give her any assistance she needs to do that. Mrs Patel definitely doesn’t need to pay for an appointment with the doctor to make her request.

From the day after the health agency receives an access request, it has 20 working days to decide if it will release the information. Once it’s decided to release the information, it should do so without undue delay, and if it wants to withhold anything, it should specify the withholding grounds set out in the Privacy Act it is relying upon to do so.

What about information ownership?

Who owns the information is irrelevant. A health agency can’t refuse an access request because it owns the information. Nor can it refuse an access request because the requester owes a debt.

Information should be made available to individuals in the way they prefer. If Mrs Patel has asked for a copy of her health information that’s what she should get unless it would impair the efficient administration of the health agency. 

Charging

Because this is the first time that Mrs Patel has asked for her notes it’s not permissible to charge. But if copying her medical file requires copying an x-ray, video recording, MRI, PET or CAT scan photograph, the medical centre can levy a reasonable charge. 

Verifying identity

But a word of caution: before handing over the information to the requester, the health agency must be satisfied concerning the identity of the requester. Don’t hand sensitive health information over to the wrong person.

Sometimes requesters confuse making an access request for their information with wanting their physical file instead. What matters is the information itself – ownership of the health information is irrelevant. That said, a health provider can release the physical copy of the information to the individual the information relates to even though they don’t have to. Sometimes a doctor will hand over her notes to the patient, say, when the patient is moving permanently overseas or to a different region in New Zealand. This means the patient has possession of their health information and can immediately give their medical file to their new health provider. 

It can be difficult remembering all the procedural aspects, both for the busy health agency and the mystified requester. The Privacy Commissioner recognises this and is determined to make privacy easy. 

New tool: AboutMe

To this end, we have developed an online tool to help called “AboutMe”. This online tool helps you make an access request. The request is then emailed to the agency you choose. We never see what is being requested, we just provide the mechanism. The request includes a standard note from us about what the agency needs to do to respond to the request and by when. 

Returning to Mrs Patel – she made a verbal request to the medical centre which was noted down by the privacy officer (every agency should have one). Mrs Patel received the information promptly and immediately saw the inaccuracy. Her doctor agreed with her and made an appropriate correction in her medical file. Furthermore, Mrs Patel is thrilled that she has full use of her hand again, her trust in her doctor is restored, and she is back playing tennis and tending her roses!

First published in NZ Doctor on 25 May 2016

Image credit: Artist Paul Holmes via Vincents Art Workshop.

IPP6 – access, health, Health Information Privacy Code

Back

Source:

Complaints are valuable assets for every organisation. There is no better way to highlight and fix problems in an organisation’s systems and processes. This is what we tell the agencies we investigate, and many of them take the opportunity to learn from complaints to improve their practices. It’s also a view that was echoed in an excellent Auditor-General report about ACC’s complaint’s processes.   

But how do we practice what we preach? How do you give us the opportunity to fix inadequacies in the way we do things? In other words, how do you complain about the Privacy Commissioner?

Give us a chance

If you’re unhappy with any stage of your privacy complaint, you should let us know first. We will almost always escalate your concerns to a more-senior staff member for a second look. While you don’t necessarily have to do this, it is faster and involves less paperwork than going through formal oversight channels – and it certainly doesn’t stop you from using those channels in the future!  

If you do this, the decision may be changed in your favour; and if not, you’ll at least get a more detailed explanation of our decision.

We appreciate complainants who do this because it gives our investigators the opportunity to learn in a hands-on way.

The Ombudsman and the assessment

When you make a Privacy Act complaint, our first move is to assess your complaint and determine whether or not to launch a full investigation. There are a number of reasons we may decline to investigate. For example, the case may not be covered under the Privacy Act, the breach may have been a long time ago or the issue may be too minor to merit an investigation.

Sometimes we will suggest that complainants take up another avenue for their concerns, such as in the courts, or an industry specific dispute resolution scheme.

If we decide not to investigate, we are exercising a discretion. We are answerable in the way we exercise that discretion to the Ombudsman. So if you disagree with our decision not to investigate, you can ask the Ombudsman to investigate our decision. If the Ombudsman thinks we have not taken into account all relevant factors, or have otherwise acted unreasonably, they can suggest we reconsider our decision. In most cases we would accept a Ombudsman’s recommendation.

You can file your complaint to the Office of the Ombudsman online:

Complain to the Ombudsman.

Settling your case

If, after beginning an investigation it seems as though there is some basis for the complaint, we will try and identify opportunities to help the parties resolve the problem. When the parties agree to a settlement, that is the end of the story. Each party gives up their right to pursue a full legal determination, for the sake of an early settlement.  

The Investigation and the Tribunal

If the case doesn’t settle, there are three different possible outcomes:

1) We may find an interference with your privacy and refer your case to the Director of Human Rights Proceedings, who may choose to represent your case before the Human Rights Review Tribunal.  

We don’t exercise this right very often. We reserve it for ‘edge cases,’ such as cases where a privacy breach has caused significant harm, where new legal precedents need to be set, or where we suspect there are other people suffering from the same privacy breach.  Further, a referral to the Director doesn’t guarantee that you’ll be heard in front of the Human Rights Review Tribunal, as the Director may choose not to take your case.

2) We may find that your privacy has been breached, but choose not to refer the case to the Director of Human Rights Proceedings.  

3) We may find that there has been no interference with your privacy, and close the case.

All three of these circumstances have the same recourse if you are dissatisfied: take the case to the Human Rights Review Tribunal yourself. The Tribunal will hear evidence afresh, and make up its own mind, independent of any finding we might have made.

A recent example of this practice in action was Taylor v Orcon. Mr Taylor complained to our office about telecommunications company Orcon disclosing inaccurate information about his credit history. We concluded our investigation on the basis that the breach by Orcon did not cause all the harm Mr Taylor claimed to have suffered.

Mr Taylor, dissatisfied with this outcome, took Orcon to the Tribunal and won $25,000. The Tribunal disagreed with the way we had applied the legal tests, and not only did he get the outcome he wanted, he also provided us with valuable guidance for the future (although he’s probably happier with the $25,000).

So, the Privacy Commissioner, like all public sector organisations, functions in a world of checks, balances and oversight. If you think we’ve made the wrong call, we encourage you to avail yourself of these mechanisms. Otherwise, how will we get it right next time?  

Image credit: Upset Lion by Toby Oxborrow via Flickr

Back

Source:

Our office is proud of the work we do in the area of dispute resolution. Where it is appropriate, we try and bring complainants and respondents together, in person or by phone, to resolve privacy disputes. Last year, we closed 827 complaint files and of these, nearly half were achieved with a settlement between the parties involved.

We’re therefore pleased to have been included in a pilot project aimed at leading and strengthening the use of dispute resolution by government services and agencies.

Dispute resolution works!

Dispute resolution is about trying to resolve disputes between parties so that they don’t end up in court. We’ve found that a resolution might include an apology or an acknowledgement, a promise of confidentiality, a change in an agency’s processes, staff retraining, or a compensatory payment. 

Many New Zealanders have learned the hard way of the time, cost and emotional drain of litigation, and the substantial delays inherent in the court process.

And for some time now, the government has recognised the benefits of dispute resolution, and that it should be doing more of it.

As a result, the Ministry of Business, Innovation and Employment has established the Government Centre for Dispute Resolution (GCDR), a two year project to support the further development of dispute resolution.

Making better policy

Last year, our investigations and dispute resolution team leaders were selected to participate as members of the centre’s Officials’ Advisory Group – a panel made up of representatives of government agencies with dispute resolution expertise.

Before it established the advisory panel, the GCDR reviewed all of the statutes in New Zealand that allow for the use of dispute resolution, in some form or other. It discovered at least 60 statutes provide for dispute resolution services, and up to 200 contain some kind of reference to it.

It also found a wide variability in the way these provisions were interpreted and applied by government agencies (if they were even being used at all). The GCDR is now focused on helping New Zealand agencies achieve a level of consistency in this area.

Our input

Our participation in the advisory panel was concentrated largely on the development of the best dispute resolution principles. These are a set of key criteria that any good dispute resolution service should take into account.

The principles are based on common sense (such as being objective and fair, being client focused and ensuring you are accountable for what you do), and come with guidance about how to achieve these objectives at policy, service design, service delivery and practitioner levels.

We support the work being done by the GDCR and look forward to seeing what comes next for New Zealand and its dispute resolution services.

Image credit: Created by Ruth Suehle for opensource.com.

Back

Source:

Pieter, a visitor from Belgium, witnessed a car accident in a remote area. The accident left a young woman unconscious and seriously injured. Pieter acted quickly and phoned the emergency line from his mobile phone to get help to the woman as soon as possible.

However, Pieter was in shock and was unfamiliar with his surroundings, so he was unable to tell the 111 call taker exactly where he was. Pieter was able to describe a few of the landmarks around him – a small bridge and an interesting grove of Kauri trees – but he couldn’t recall the road name or the nearest town. With only vague descriptions to help them, the Police and ambulance experienced significant delays locating the scene of the accident. As a result, they were delayed in reaching the young woman who remained in pain for some time.

This is an alarming story but one which has repeated a number of times in New Zealand, due to the unavailability of timely and accurate information about the location of mobile emergency callers.

New system

In response to these concerns, the Ministry of Business, Innovation and Employment, after researching various options, has developed a system suitable to NZ conditions that will generate location information on mobile callers and make this available to the emergency services on 111 calls. The Privacy Commissioner proposes to amend the Telecommunications Information Privacy Code to create a clear and lawful basis for this system.

The new system enabled by the amendment will involve the gathering and sharing of automated location information – either directly from a caller’s mobile phone if they have an enabled device, or in the form of a report generated by the network operator showing the nearest cell tower to the caller. Access to this information, in real time, will help the emergency services to locate a caller and thereby an incident.

In Pieter’s case, his mobile phone could have sent location information to the system which would have provided the 111 call taker with his coordinates. With this system in place, it would have mattered less that Pieter could not recall the road name or nearest town. The emergency services may have reached the accident sooner.

Submissions invited on amendment

The proposed code amendment recognises that this information sharing serves a very important public good. Systems similar to this operate in other countries, and there is a general consensus among telecommunications and privacy regulators overseas that this is beneficial to individuals and the public more generally. Public confidence that location information is properly protected is important, and so the amendment sets boundaries on the use and retention of the location information and requires the agencies involved to be as open and transparent as possible about the system.

We’re seeking the views of the wider public on this proposal, to make sure we’ve got the balance right. Click here to view the proposal and email your submission to submissions@privacy.org.nz by 23 December 2016. 

Image credit: In case of emergency sign.

Telecommunications Information Privacy Code (TIPC)

Back

Source:

As a result of a complaint, Police began an investigation into a woman who worked at a district health board. The complaint alleged that she may have accessed DHB health records in order to locate children who had been the victims of crimes committed by her brother.

In the investigation, Police disclosed sensitive personal information about the woman’s brother to the woman’s employer. The woman complained to our Office, and subsequently took her case to the Human Rights Review Tribunal, claiming there had been an interference to her privacy.

The matter had become a Police investigation after someone claiming to be the woman in a letter attempted to contact the children through the school they attended. The family were living at a secret address because they were fearful for their safety. Police suspected the woman might have tried to contact the children on behalf of her brother.

The police officer assigned to the investigation contacted the woman’s manager at the DHB where she worked. He disclosed detailed background information to the manager including information of the woman’s brother and his convictions for child sexual and physical abuse, and earlier convictions for possession of child pornography.

The police officer suspected the woman may have committed an offence under the Crimes Act 1961 – if she had inappropriately accessed the National Health Index (NHI) database through her role at the DHB to try and locate the family members.

The woman complained to our Office because the information disclosed by Police to her employer about her brother’s convictions had caused her hurt and humiliation. She said she should have been told first, and Police should have had a search warrant or production order to get her employer to look for evidence against her.

The DHB’s internal investigation showed the woman had not accessed the NHI or DHB databases.

Our investigation

The woman complained to us under principles 1-4 and 11 of the Privacy Act.

We found no breach of the collection principles (1-4). Neither did we find a breach of principle 11 which says an agency that holds personal information is able to disclose it in order “to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences”.

After we found the woman had suffered no interference with her privacy, she took the case to the Tribunal.

Tribunal case

The woman claimed after the police officer had contacted her manager, she was subjected to further audits and was harassed by the manager. She withdrew from her friends and her drinking increased. She also gained weight, slept badly and suffered anxiety attacks at work. She later resigned from the DHB.

But the Tribunal noted the woman “did not impress as a witness. Unfortunately, she has become blind to any point of view other than her own. She hears only what she wants to hear and sees only that which she wants to see.” The Tribunal said it preferred the evidence given by the police officer and the woman’s manager.

Search warrant

The police officer testified that Police did not have enough information to obtain a search warrant or a production order, and this was why Police used the Privacy Act’s principle 11 to request evidence from the DHB.

The Tribunal agreed with the view of Police. It said if there was insufficient evidence to obtain a compulsory order, it would be absurd if Police were not able to rely on using the Privacy Act. The Act’s privacy principles were flexible enough for this kind of request to be made by law enforcement agencies.

Meaning of ‘necessary’

The Tribunal found Police was able to satisfy the criteria needed to rely on the maintenance of the law exceptions and it considered the collection of the information was necessary for the purpose of maintaining the law. Like our Office, the Tribunal found no breach of the collection principles.

The Tribunal found Police had reasonable grounds to believe that disclosure of the brother’s offending, conviction and sentence was necessary because it gave the DHB the basis for agreeing to their request.

If the information was not provided, the DHB could justifiably have declined the request and this would also be in accordance with the Privacy Act. The disclosure of the woman’s connection to her brother, along with her brother’s offending, was necessary – and was not merely desirable or expedient.

The Tribunal dismissed the woman’s claim and upheld the original decision by our Office.

Image credit: Michael Kumm via Flickr

Read the full text of the decision.

Human Rights Review Tribunal, health, law enforcement

Back