Category: MIL-OSI

Source:

We get it. As a lawyer, one of the least fun things about your job is chasing the money. Sometimes people just don’t cough up for the service you provide.

But this does not mean you can refuse to cough up personal information if it is requested by a client (or ex-client) under principle 6 of the Privacy Act (even if they owe you money for their legal bill). By way of case law on point, see CBN v McKenzie Associates.

The old idea of the “solicitor’s lien” – the right of a lawyer to retain a client’s property deposited with them, including crucial and original documents until the bill was paid – does not override principle 6 of the Privacy Act. Under principle 6, an individual is entitled to request a copy of their personal information held by an agency.   

If you hold personal information about an individual, and that individual requests it, you have obligations under the Privacy Act to respond to that request. Check out this handy flow chart.

You can charge them for the provision of information … BUT … that charge has to be reasonable (it can’t just be the amount of their outstanding bill – sorry – the Privacy Act says so).

Section 35(2) says what a private sector agency can’t charge for:

•           providing assistance to a requester;

•           the making of the request for information; or

•           processing the request, including deciding if the request is to be granted and, if so, in what manner.

Section 35(3) says what a private sector agency can charge for:

•           making the information available (copying/collating/sending) in compliance with the request.

We think this is a really helpful guideline on charging.

One of the best ways to ensure you are making a reasonable charge is to get a quote from a copy shop for a job. It’s likely that a quote from a copy shop will be a reasonable charge for making information available, as it will be a fair reflection of the amount of paper and time involved in the job.

And don’t worry. You don’t have to provide the information until you have, at least, received payment for the job of copying and sending the file.

IPP6 – access

Back

Source:

A recent Human Rights Review Tribunal case has attracted some attention as a result of its colourful facts – bad feelings between previously friendly neighbours, allegations about vandalism, and a compensation bill of $7000. Read the NZ Herald article about this case.

It isn’t just a human interest story, though. This is the first Tribunal decision to consider CCTV, and the effect of privacy enhancing technologies, and it has set some clear legal boundaries.

Armfield v Naughton [2014] NZHRRT 48 contains some straight-shooting advice from the Tribunal about how businesses need to set up and manage CCTV systems.

Briefly, a bed and breakfast owner had been having problems with property damage and set up eight CCTV cameras around his house. Three cameras overlooked his neighbour’s property. One camera was angled over the front garden with a children’s swing, the second pointed towards the neighbour’s side door, and the third covered an area of the backyard.

The relationship between the two men had become confrontational and the installation of the CCTV made it worse. The neighbour objected to what he saw as a significant intrusion into his family’s personal space. The bed and breakfast owner refused to talk to the neighbour about the camera system, and failed to respond to lawyers’ letters asking him to change the camera angles.

The Tribunal found the first camera breached the Act. The second and third were saved by the use of masking technology. There was also a breach of principle 3 (failure to notify) and principle 6 (failure to respond to a request for information). The Tribunal awarded $7000 after noting the neighbour’s request that the award should be moderate – but commented it would usually have been $15,000 or more.

Collecting or not collecting, that is the question

First, the Tribunal decided the Privacy Act applies to CCTV. It’s certainly the line that we have always taken – read our CCTV guidance. But at least one expert commentator has queried whether information gathered by CCTV is “collected” in terms of the Privacy Act because the camera system automatically captures everything within its range and does not solicit information from each individual.

The reason for the confusion is that the Privacy Act slightly unhelpfully defines “collect” in the negative – it “does not include the receipt of unsolicited information”. But the Tribunal has confirmed this doesn’t mean an agency has to ask for, or actively “solicit” information. Instead, “collection” is the “gathering together, the seeking of or acquisition of personal information.” [44.3]

So CCTV is clearly covered. The whole purpose of setting up a CCTV system is to gather together information within the range of the cameras. The Tribunal has firmly laid the ambiguity in the Act to rest.

Failed attempts to collect may now be covered

The Tribunal goes on to say that collection refers to the “framework or process for collection which must be in place before information is received”. [47] In other words, the agency has obligations before the cameras are switched on: in particular, the obligation to have a legitimate reason for setting up the camera system, which is necessary for some business purpose; the obligation to tell people the cameras are there and why; and the obligation to be fair and not unreasonably intrusive with how information is collected. Collection encompasses the actions that precede actually getting the information in one’s hand.

The logical upshot of this is that failed attempts to collect personal information might also breach the Act. This is a new angle for the Tribunal, though it had indicated there should be liability for attempts in an earlier case. The Law Commission has recommended that attempted collections should be covered, and the government has supported that recommendation. The stars are therefore lining up. Agencies need to be careful to set up their systems correctly from the start and not trust to luck.

Adopting PETs

The Tribunal acknowledged that CCTV can be a legitimate and valuable way to protect people and property. But it also has the capacity to cause significant intrusions into personal life. Complying with the privacy principles provides the right balance between the two. As part of this analysis, the Tribunal has usefully said that “leveraging technology to enhance privacy is a valuable approach and is to be encouraged.” [53] This is the role of “privacy enhancing technologies”, affectionately known to the profession as “PETs”.

The camera system here had a facility for cropping the field of vision, which was used on two of the cameras. Despite the apparent camera angle, the neighbour’s backyard and side door were not in fact visible to anyone watching the footage live and nothing in those areas was recorded to disc. Use of the masking technology saved those cameras from being in breach of the Act.  

What we’ve got here is failure to communicate…

The problem for the neighbour, of course, was that it was not obvious whether the cameras were recording and, if so, what they were recording. All he could see was that they were pointed at his house. The Tribunal said this highlighted the importance of communication. Agencies need to give clear statements about what the cameras are there to do (and other matters listed in principle 3). This is a continuing obligation. If the field of vision, or other aspects of the system are changed, they need to notify affected people again. They also have to respond to reasonable requests by affected people to see the system and know what information it was recording, so that those people can be confident the system is working lawfully.

Human Rights Review Tribunal, CCTV

Back

Source:

As a general rule in New Zealand, if you go to Court and you lose, you’re going to have to foot the bill – and not just your own legal bill but a chunk of the other party’s costs too. 

But this week, the Human Rights Review Tribunal released a decision saying Shannon Richard Andrews, the unsuccessful plaintiff, should not have to pay the costs of the New Zealand Police.

The reason behind this decision is that people should not be deterred from bringing a case in the human rights jurisdiction just in case it costs them later.

Mr Andrews claimed the Police had improperly disclosed personal information about him, contrary to principle 11 of the Privacy Act 1993.

In March 2014, the Tribunal dismissed Mr Andrews’ complaint. Subsequently, the Police sought a contribution to the costs they had incurred in the course of defending this complaint. The Police said the case had cost them approximately $21,000 and were seeking an order that Mr Andrews pay them an amount between $7,500 and $10,000. 

Mr Andrews is currently serving a custodial sentence and does not presently have the means (nor is he likely to on his release) to pay such costs – but the Police said this should not be a consideration.

The Police said there were no features in Mr Andrews’ case that should disrupt the “presumption” of a costs award.

The Tribunal disagreed, saying the fair and reasonable outcome would be for each party bear their own costs. “The State must expect and tolerate individuals to challenge the exercise of state power. Such challenge should not be inhibited by the fear of potentially ruinous financial consequences,” it said in its decision.

Another feature of the case was that it involved an issue that the Tribunal hadn’t considered before – it was a test case. This too suggested Mr Andrews shouldn’t have to pay costs.

Basically if you think your rights have been breached, including your rights to privacy, it shouldn’t cost you an arm and a leg to have the Tribunal take a look at it. 

This is probably a bitter pill to swallow for the agencies that are being taken to the Tribunal.  But might it be better than telling individuals (who may only just have the means to fund their own case) they have to pay for the other side too – if the decision doesn’t go in their favour?

But while Mr Andrews seems to indicate costs awards of thousands of dollars will no longer be the norm, there are circumstances in which it will still make sense to order costs, as illustrated by Rafiq v Commissioner of Police. 

Razdan Rafiq complained about the Police refusing to disclose information in response to a principle 6 access request. The Tribunal dismissed his complaint. Following this decision, the Police sought costs and in the end were awarded $13,632.32.

The difference in this case and the reason for the Tribunal making a high cost order against Mr Rafiq was because the Court said this was not a “finely balanced” case. In other words, it did not have the potential to go one way or the other. In fact, the Tribunal said the decision the Police made to withhold information from Mr Rafiq was justified “by a wide margin”.

The Tribunal also said Mr Rafiq conducted the proceedings “without regard to his obligation to participate in them meaningfully and in good faith”. He refused to participate in telephone conferences, declined to file meaningful evidence or submissions and subsequently declined to attend the hearing itself, even though he was warned about the costs implications by the Police and the Tribunal.

Because of the way Mr Rafiq conducted himself and his case, this created significant extra work for the Police in defending the complaint. Following Mr Rafiq’s rejection of a reasonable and responsible settlement offer and what the Tribunal said was a “characteristically incoherent and abusive reply”, the Tribunal decided this was a clear case in which increased costs were justified.

The moral of the story of the story is if you act in good faith when seeking a determination on your privacy rights, things will be good for you. If you act in bad faith, you get bad things (like a bill for $13,632.23). 

Human Rights Review Tribunal, IPP6 – access, IPP11 – disclosure, law enforcement

Back

Source:

A man applied for a pawnbroker’s licence. On his application he gave his work address. The rejection letter from the Ministry of Justice referred to historical criminal convictions which he hadn’t disclosed to his employer.

Even though the letter was addressed to him, the letter was opened by a staff member and read by four company employees. The information contained in the letter then prompted his employer to sack him. The employer said the decision to sack the man was based on the information about his criminal history.

The man’s complaint to us raised issues under principle 11 of the Privacy Act which says an agency that holds personal information should not disclose the information. The purpose of principle 11 is to place limits on disclosure of personal information by one agency to another person or agency.

In this case, we were told that at no point was the letter disclosed to any person or agency outside a small number of relevant staff members.

We also found out that the man, when giving his employer’s PO Box as his address, had used a different first name. The man’s employer had hundreds of employees and it was company practice to open all mail unless it was specifically marked “addressee only” or “confidential”. Neither of these labels appeared on the envelope.

When the mail clerk did not recognise the name on the letter, it was given to a senior manager who opened the envelope. The letter was then passed to two other senior managers. The company said the decision to dismiss the man was based on the fact that he had completed his application dishonestly when he applied for the job. He had not been truthful about his criminal convictions.

We concluded the disclosure of the man’s personal information within the agency, and the use of that information to sack him, was not a breach of the Privacy Act. The information had been received unsolicited by the employer, and then used appropriately, and not disclosed more widely than necessary.

IPP11 – disclosure, complaints

Back

Source:

As a parent or guardian of a child under 16, you are entitled to request health information about your child as if it were your own information. For other personal information, the Privacy Act does not provide a right of access by a parent, but a parent or guardian can request information if the child is either too young to act on their own behalf, or where the child has consented.

This information will often be necessary to help parents raise and look after their children. But the parent or guardian’s right to access information is not absolute.

There will be some cases where information should be withheld from parents. Sometimes information is requested in situations of family breakdown and violence. Sometimes children will have suffered abuse and may be caught in the middle of bitter custody disputes.

An example is where a child undergoes counselling, and whether a parent should see the disclosures a child may make in those counselling sessions. In these situations, the child will be free discuss sensitive personal information, and needs to feel safe while doing this. This can be intensely sensitive and personal, and the improper release of such information could be detrimental to a child’s wellbeing.  Trust in the counsellor will be diminished, and the child will be less likely to share sensitive information in the future.

In some cases a child may disclose abuse by a parent or a close family member. Releasing this information would very often be dangerous and unsafe.

The Privacy Act gives some protections around this. Information can be withheld under sections 27-29 of the Act. In particular under section 29(1)(d), an agency may refuse to disclose any information requested, if this is contrary to the interests of a child under the age of 16. 

Sometimes it is not clear cut. When an agency is asked for information from a parent or guardian, there may be competing interests to consider and these can be hard to judge. Parents should be able to access information about their children, but ultimately the welfare of the child must come first. If you work in an agency, and you are asked for information and you have concerns or something raises alarm bells, you should ask for advice. If you are in doubt as to whether release is in the best interests of the child, do not release the information. If parents make a complaint to the Privacy Commissioner, we will look into it The outcome of that may be that further information is released. This is not a big deal if you’re acting with good intentions.  

Whether requesting, withholding or releasing information, the welfare of the child must always be paramount and be at the forefront of any decision.

complaints, children, health, Health Information Privacy Code

Back

Source:

The case for government agencies identifying opportunities to work together to provide public services is compelling. We expect government to be efficient, to deliver services based on sound reasoning and in ways that bring the most benefit to the people they are trying to help.

Public programmes can be designed in ways that allow sensible service delivery and a collaborative approach, without intruding on individuals’ rights, or exposing the agencies involved to legal risk.

The Privacy Act is, at its core, a flexible and enabling piece of legislation. However, sometimes it has been perceived as getting in the way of agencies working together. Sometimes those perceptions have been true, particularly when personal information gathered for a narrowly defined purpose is to be used in a new way, and by other agencies, as part of a proposed service delivery innovation.

The Approved Information Sharing Agreement (AISA) mechanism, proposed by the Law Commission and brought into law in February 2013, is designed to provide an answer to the “Because of the Privacy Act” objection to innovation in service delivery.

To support public sector understanding of how to design an AISA and make it work, we’ve published a guidance document that explains what an AISA can do and how to make it comply with the Privacy Act’s requirements.

Our AISA guidance includes checkpoints, scenarios and tips to help you.

Consider this hypothetical scenario. There is high youth unemployment in Northland and the government wants to improve outcomes for this group. An AISA could enable a wraparound service to be developed for school leavers. This might involve Work and Income, CYFS, Police, local schools, iwi organisations, the local employers’ association and other youth focused community groups. These parties could regularly meet to discuss individual cases. The AISA would describe the personal information that each party may share with each other.

If an agency can describe which parties are to be involved in delivering a public service, what information they need to do it, and what they are going to do with that information, they can begin to draft an AISA that will remove any questions about whether the Privacy Act will get in the way.

From our perspective as a watchdog, the AISA model means agencies can build in protections that allow the public to have confidence that the proposal is reasonable, proportionate and subject to adequate safeguards.

AISAs can enable efficient and responsive public services in ways that do not sacrifice important rights, and without adding unnecessary risk of privacy breaches. One additional safeguard is that I have the power to review an AISA 12 months after it becomes operational.

An A to Z of Approved Information Sharing Agreements is designed to be a practical user friendly guide. We depend on your feedback. If you have ideas on how to improve it, please get in touch.

information sharing

Back

Source:

Late last year, one of my senior investigating officers came to me with a file she’d been working on for quite a while. She was convinced the facts supported a finding of an “interference with privacy”, that is, a breach of the privacy principles, that had caused harm to the complainant. She’d tried to reach a settlement, but the parties were too far apart.

When we get to an end point like that, we have to decide whether or not to refer the matter to the Director of Human Rights Proceedings, an independent statutory officer who decides whether to litigate the matter in the Human Rights Review Tribunal. That can take a long time, and be quite stressful for the parties. It is also expensive.

What had happened was that a social worker out on her rounds had her car broken into. Her notebook was in the car. In the notebook were jotted details of some 90 clients she had seen in recent years. This is an important point – it was not just her current clients.

Her employer, a DHB, did the right thing, and got in touch with all the clients, to let them know what had happened. Some of them were understanding, some were a bit upset, but the one who complained to us was devastated. It had been some years since she had seen the social worker and she could not understand why she would still be carrying around her extremely sensitive personal information, which revealed details of mental ill health following the birth of a child.

Often, when a third party like a thief intervenes maliciously to release personal information, it would not be fair to hold the agency responsible. However in this case, we had to consider whether the agency had taken reasonable steps to ensure the information was protected from loss. While we acknowledged that there would be cases where it was necessary to take patient information ‘offsite’ when treating patients in the community, we were not satisfied it was reasonable to expose this type of historic information to the additional risks inherent in taking patient information out of the DHB.

As a last effort to resolve the complaint I arranged to meet with the chief executive of the DHB. We had a very productive conversation and were able to agree to terms on which the complaint would be settled without referral to the Director of Proceedings. It was helpful for me to learn that the DHB’s biggest concern was the perception that we were requiring a significant change of professional practice (namely that we were saying patient information should never be taken offsite). That would have had quite significant implications given the change in clinical service delivery to community care. This means that more health and support staff will be out and about, which means the ability of health care workers to access patient information when they are outside traditional facilities (think clinics and hospitals) will become increasingly important.

Part of the settlement was that my Office agreed to provide some guidance to help health workers and others who are increasingly mobile, to reduce the risks of things going wrong. We will be beginning that work soon, and will hope to canvas the views of a range of community workers to see how they practically manage their information securely without compromising their ability to deliver top quality care.

And here’s a final tip. One of the things that the complainant was very pleased about was that it had reached the highest level of the organisation. She felt that if it had come to the attention of the chief executive, she knew it had been taken seriously and that something would be done. Don’t underestimate the power of a personal approach from the top level in appropriate circumstances!

(Image courtesy of the National Library: Complaint to the editor in Clutha Leader 1907)

complaints, breach

Back