How do I complain about the Privacy Commissioner?


Complaints are valuable assets for every organisation. There is no better way to highlight and fix problems in an organisation’s systems and processes. This is what we tell the agencies we investigate, and many of them take the opportunity to learn from complaints to improve their practices. It’s also a view that was echoed in an excellent Auditor-General report about ACC’s complaints processes.

But how do we practise what we preach? How do you give us the opportunity to fix inadequacies in the way we do things? In other words, how do you complain about the Privacy Commissioner?

Give us a chance

If you’re unhappy with any stage of your privacy complaint, you should let us know first. We will almost always escalate your concerns to a more senior staff member for a second look. While you don’t necessarily have to do this, it is faster and involves less paperwork than going through formal oversight channels – and it certainly doesn’t stop you from using those channels in the future!

If you do this, the decision may be changed in your favour; and if not, you’ll at least get a more detailed explanation of our decision.

We appreciate complainants who do this because it gives our investigators the opportunity to learn in a hands-on way.

The Ombudsman and the assessment

When you make a Privacy Act complaint, our first move is to assess your complaint and determine whether or not to launch a full investigation. There are a number of reasons we may decline to investigate. For example, the case may not be covered under the Privacy Act, the breach may have been a long time ago or the issue may be too minor to merit an investigation.

Sometimes we will suggest that complainants take up another avenue for their concerns, such as in the courts, or an industry specific dispute resolution scheme.

If we decide not to investigate, we are exercising a discretion. We are answerable to the Ombudsman for the way we exercise that discretion. So if you disagree with our decision not to investigate, you can ask the Ombudsman to investigate our decision. If the Ombudsman thinks we have not taken into account all relevant factors, or have otherwise acted unreasonably, they can suggest we reconsider our decision. In most cases we would accept an Ombudsman’s recommendation.

You can file your complaint to the Office of the Ombudsman online:

Complain to the Ombudsman.

Settling your case

If, after beginning an investigation, it seems as though there is some basis for the complaint, we will try to identify opportunities to help the parties resolve the problem. When the parties agree to a settlement, that is the end of the story. Each party gives up their right to pursue a full legal determination, for the sake of an early settlement.

The Investigation and the Tribunal

If the case doesn’t settle, there are three different possible outcomes:

1) We may find an interference with your privacy and refer your case to the Director of Human Rights Proceedings, who may choose to represent your case before the Human Rights Review Tribunal.

We don’t exercise this right very often. We reserve it for ‘edge cases,’ such as cases where a privacy breach has caused significant harm, where new legal precedents need to be set, or where we suspect there are other people suffering from the same privacy breach. Further, a referral to the Director doesn’t guarantee that you’ll be heard in front of the Human Rights Review Tribunal, as the Director may choose not to take your case.

2) We may find that your privacy has been breached, but choose not to refer the case to the Director of Human Rights Proceedings.

3) We may find that there has been no interference with your privacy, and close the case.

All three of these circumstances have the same recourse if you are dissatisfied: take the case to the Human Rights Review Tribunal yourself. The Tribunal will hear evidence afresh, and make up its own mind, independent of any finding we might have made.

A recent example of this practice in action was Taylor v Orcon. Mr Taylor complained to our office about telecommunications company Orcon disclosing inaccurate information about his credit history. We concluded our investigation on the basis that the breach by Orcon did not cause all the harm Mr Taylor claimed to have suffered.

Mr Taylor, dissatisfied with this outcome, took Orcon to the Tribunal and won $25,000. The Tribunal disagreed with the way we had applied the legal tests, and not only did he get the outcome he wanted, he also provided us with valuable guidance for the future (although he’s probably happier with the $25,000).

So, the Privacy Commissioner, like all public sector organisations, functions in a world of checks, balances and oversight. If you think we’ve made the wrong call, we encourage you to avail yourself of these mechanisms. Otherwise, how will we get it right next time?

Image credit: Upset Lion by Toby Oxborrow via Flickr


Making government better at resolving disputes


Our office is proud of the work we do in the area of dispute resolution. Where it is appropriate, we try to bring complainants and respondents together, in person or by phone, to resolve privacy disputes. Last year, we closed 827 complaint files and, of these, nearly half were closed with a settlement between the parties involved.

We’re therefore pleased to have been included in a pilot project aimed at leading and strengthening the use of dispute resolution by government services and agencies.

Dispute resolution works!

Dispute resolution is about trying to resolve disputes between parties so that they don’t end up in court. We’ve found that a resolution might include an apology or an acknowledgement, a promise of confidentiality, a change in an agency’s processes, staff retraining, or a compensatory payment.

Many New Zealanders have learned the hard way about the time, cost and emotional drain of litigation, and the substantial delays inherent in the court process.

And for some time now, the government has recognised the benefits of dispute resolution, and that it should be doing more of it.

As a result, the Ministry of Business, Innovation and Employment has established the Government Centre for Dispute Resolution (GCDR), a two-year project to support the further development of dispute resolution.

Making better policy

Last year, our investigations and dispute resolution team leaders were selected to participate as members of the centre’s Officials’ Advisory Group – a panel made up of representatives of government agencies with dispute resolution expertise.

Before it established the advisory panel, the GCDR reviewed all of the statutes in New Zealand that allow for the use of dispute resolution, in some form or other. It discovered that at least 60 statutes provide for dispute resolution services, and up to 200 contain some kind of reference to it.

It also found a wide variability in the way these provisions were interpreted and applied by government agencies (if they were even being used at all). The GCDR is now focused on helping New Zealand agencies achieve a level of consistency in this area.

Our input

Our participation in the advisory panel was concentrated largely on the development of the best dispute resolution principles. These are a set of key criteria that any good dispute resolution service should take into account.

The principles are based on common sense (such as being objective and fair, being client focused and ensuring you are accountable for what you do), and come with guidance about how to achieve these objectives at policy, service design, service delivery and practitioner levels.

We support the work being done by the GCDR and look forward to seeing what comes next for New Zealand and its dispute resolution services.

Image credit: Created by Ruth Suehle for opensource.com.


Code change to help emergency services locate mobile callers


Pieter, a visitor from Belgium, witnessed a car accident in a remote area. The accident left a young woman unconscious and seriously injured. Pieter acted quickly and phoned the emergency line from his mobile phone to get help to the woman as soon as possible.

However, Pieter was in shock and was unfamiliar with his surroundings, so he was unable to tell the 111 call taker exactly where he was. Pieter was able to describe a few of the landmarks around him – a small bridge and an interesting grove of Kauri trees – but he couldn’t recall the road name or the nearest town. With only vague descriptions to help them, the Police and ambulance experienced significant delays locating the scene of the accident. As a result, they were delayed in reaching the young woman who remained in pain for some time.

This is an alarming story, but one which has been repeated a number of times in New Zealand, due to the unavailability of timely and accurate information about the location of mobile emergency callers.

New system

In response to these concerns, the Ministry of Business, Innovation and Employment, after researching various options, has developed a system suitable to NZ conditions that will generate location information on mobile callers and make this available to the emergency services on 111 calls. The Privacy Commissioner proposes to amend the Telecommunications Information Privacy Code to create a clear and lawful basis for this system.

The new system enabled by the amendment will involve the gathering and sharing of automated location information – either directly from a caller’s mobile phone if they have an enabled device, or in the form of a report generated by the network operator showing the nearest cell tower to the caller. Access to this information, in real time, will help the emergency services to locate a caller and thereby an incident.

In Pieter’s case, his mobile phone could have sent location information to the system which would have provided the 111 call taker with his coordinates. With this system in place, it would have mattered less that Pieter could not recall the road name or nearest town. The emergency services may have reached the accident sooner.

Submissions invited on amendment

The proposed code amendment recognises that this information sharing serves a very important public good. Systems similar to this operate in other countries, and there is a general consensus among telecommunications and privacy regulators overseas that this is beneficial to individuals and the public more generally. Public confidence that location information is properly protected is important, and so the amendment sets boundaries on the use and retention of the location information and requires the agencies involved to be as open and transparent as possible about the system.

We’re seeking the views of the wider public on this proposal, to make sure we’ve got the balance right. View the proposal and email your submission to submissions@privacy.org.nz by 23 December 2016.

Image credit: In case of emergency sign.


Woman says Police unfairly disclosed information to her employer


As a result of a complaint, Police began an investigation into a woman who worked at a district health board. The complaint alleged that she may have accessed DHB health records in order to locate children who had been the victims of crimes committed by her brother.

In the investigation, Police disclosed sensitive personal information about the woman’s brother to the woman’s employer. The woman complained to our Office, and subsequently took her case to the Human Rights Review Tribunal, claiming there had been an interference to her privacy.

The matter had become a Police investigation after someone claiming to be the woman in a letter attempted to contact the children through the school they attended. The family were living at a secret address because they were fearful for their safety. Police suspected the woman might have tried to contact the children on behalf of her brother.

The police officer assigned to the investigation contacted the woman’s manager at the DHB where she worked. He disclosed detailed background information to the manager, including information about the woman’s brother and his convictions for child sexual and physical abuse, and earlier convictions for possession of child pornography.

The police officer suspected the woman may have committed an offence under the Crimes Act 1961 – if she had inappropriately accessed the National Health Index (NHI) database through her role at the DHB to try and locate the family members.

The woman complained to our Office because the information disclosed by Police to her employer about her brother’s convictions had caused her hurt and humiliation. She said she should have been told first, and Police should have had a search warrant or production order to get her employer to look for evidence against her.

The DHB’s internal investigation showed the woman had not accessed the NHI or DHB databases.

Our investigation

The woman complained to us under principles 1-4 and 11 of the Privacy Act.

We found no breach of the collection principles (1-4). Neither did we find a breach of principle 11 which says an agency that holds personal information is able to disclose it in order “to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences”.

After we found the woman had suffered no interference with her privacy, she took the case to the Tribunal.

Tribunal case

The woman claimed after the police officer had contacted her manager, she was subjected to further audits and was harassed by the manager. She withdrew from her friends and her drinking increased. She also gained weight, slept badly and suffered anxiety attacks at work. She later resigned from the DHB.

But the Tribunal noted the woman “did not impress as a witness. Unfortunately, she has become blind to any point of view other than her own. She hears only what she wants to hear and sees only that which she wants to see.” The Tribunal said it preferred the evidence given by the police officer and the woman’s manager.

Search warrant

The police officer testified that Police did not have enough information to obtain a search warrant or a production order, and this was why Police used the Privacy Act’s principle 11 to request evidence from the DHB.

The Tribunal agreed with the view of Police. It said if there was insufficient evidence to obtain a compulsory order, it would be absurd if Police were not able to rely on using the Privacy Act. The Act’s privacy principles were flexible enough for this kind of request to be made by law enforcement agencies.

Meaning of ‘necessary’

The Tribunal found Police was able to satisfy the criteria needed to rely on the maintenance of the law exceptions and it considered the collection of the information was necessary for the purpose of maintaining the law. Like our Office, the Tribunal found no breach of the collection principles.

The Tribunal found Police had reasonable grounds to believe that disclosure of the brother’s offending, conviction and sentence was necessary because it gave the DHB the basis for agreeing to their request.

If the information was not provided, the DHB could justifiably have declined the request and this would also be in accordance with the Privacy Act. The disclosure of the woman’s connection to her brother, along with her brother’s offending, was necessary – and was not merely desirable or expedient.

The Tribunal dismissed the woman’s claim and upheld the original decision by our Office.

Image credit: Michael Kumm via Flickr

Read the full text of the decision.



Choose your referees wisely


Applying for a job can be a nerve-wracking ordeal and, more likely than not, it ends in disappointment. It can be devastating to miss out on that dream job and not knowing why you missed out can be incredibly frustrating.

One common part of applying for a job is nominating your referees. Confusion about this process can raise privacy concerns, which sometimes end up in our Office. There are specific parts of the Privacy Act which address these matters, and it is important both parties are aware of them.

Firstly, among other important obligations, a potential employer must only contact the referees the applicant has listed. Please see our blog post on recruitment for more advice.

When you don’t get the job

What if you don’t get the job, and you are worried your referees let you down? What are your rights if you want to know what they said about you? Or, what if you want to protect a referee from a disgruntled applicant who might be threatening to sue?

Principle 6

Under principle 6 of the Privacy Act, you are entitled to access personal information an agency holds about you – but not always.

A potential employer may be able to withhold this information. Section 29(1)(b) says an agency may refuse to disclose personal information that is evaluative material, if disclosing it or information identifying its source (or both) would breach a promise to keep the information or the identity of the source confidential.

Evaluative material

Evaluative material is described in section 29(3) as information “compiled solely” for a range of purposes, and where there is a common purpose in the supply and receipt of that information. In other words, the information needs to be gathered solely for that purpose.

There needs to have been a promise made to the referee about withholding their identity or the information in confidence, and that promise must have been clear to the referee when they made the decision whether or not to supply the information. This typically applies where an employer requests a letter of reference from a referee nominated by a job applicant.

It is important to be aware that this does not apply to unsolicited information. For example, unsolicited complaints about an employee by a disgruntled client cannot be withheld under this provision.

Section 29 of the Privacy Act allows people to give free and frank references about others. It also means potential employers are more likely to value the information they hear. This protects referees from possible repercussions and awkwardness, and protects current and future relationships. Many people would also refuse to give references if they did not have confidentiality, or the ability to speak honestly.

Disappointed applicants

But some disappointed applicants will speculate on the potential reasons they were denied a job, and unfortunately this feeling of frustration can be reinforced when information about them is withheld. Sometimes this sense of grievance arises from the way they are treated or how the application was handled. In these cases, it may be beneficial to get the referee’s permission to release the information or to give summary feedback on why an applicant was declined.

Here are a couple of tips:

  • If you are applying for a job, be careful who you use as a reference, and pick someone who is professional (and who hopefully likes you!).
  • It’s also good to advise the recruiters that you would like to be contacted before the referees are contacted, just in case circumstances have changed in the meantime.

Here’s another thing to think about. If you really want a job somewhere, is lodging a complaint about how your application was handled going to bring you any benefit? There may be a variety of reasons why you didn’t get a job, and often references are only a minor factor.

If you have further questions about privacy and recruitment, try using our AskUs tool to get the answers.

Image credit: Massimo Busacca, referee, Switzerland via Wikimedia Commons



Why you won’t get a legal “opinion” from Enquiries


Callers to our Enquiries service often start with “I need some legal advice”. If the caller means guidance on his or her Privacy Act rights or the obligations of an agency, then we can help. But if by “legal advice” he or she means a legal “opinion” about how the Privacy Act might apply, then this is something our Enquiries service can’t do.

Guidance on the Privacy Act

Distinguishing between guidance on the law and legal opinion might seem like hair-splitting, but it is an important difference. Take access, for example. Our Enquiries service can tell you that you have the right, under principle 6 of the Privacy Act, to ask for any personal information that an agency holds about you.

We can advise you how an agency must respond to your request, and that the law allows for information to be withheld in certain circumstances. We can discuss the circumstances for withholding information and tell you that you have the right to complain to us and have that agency’s decision reviewed.

What we can’t tell you is whether you have the right to see particular information, because the agency may have a legitimate reason to withhold it. The reasons to withhold depend on the specific circumstances of a case.

Legal opinion

To provide a legal opinion, our Office would need to gather all the relevant information. We might, for instance, need our investigators to obtain the information that has been withheld from you. We could then weigh it up against the Privacy Act’s withholding grounds.

Only then would we be able to give you and the agency a legal opinion on whether you should have access to the information or not.

Is it a breach of my privacy?

We are also often asked “has my privacy been breached?” What if, for instance, your employer has put a GPS device in the work car and is collecting information about where you’ve been going outside work hours? Or what if personal information has been disclosed against your wishes?

Agencies must have legitimate reasons for collecting, storing, and disclosing information. They must advise people of certain things when they collect information, like what they are collecting, why they are collecting it, how they intend to use it, and if there are any possible consequences to you for not giving it.

Agencies must also take reasonable steps to ensure the information is accurate before they use it, and they must keep it safe. They can only use or disclose it in certain circumstances.

This is set out in the Privacy Act’s 12 information privacy principles. If you think an agency is not complying with the Act, and it is unable to resolve your concerns when you ask them about it, you can complain to us.

Complaints

In most cases, we will be able to tell you if your complaint is outside our jurisdiction. There are a few no-go areas.

For example, we are unlikely to be able to investigate if your ex-boyfriend is saying stupid – but not highly-offensive – things about you on Facebook. This is because personal or domestic affairs are outside our jurisdiction under section 56 of the Privacy Act. The exception is if the information could be considered highly offensive to an ordinary person.

We are also not able to investigate if the information you are concerned about is the subject of court proceedings. The courts in their judicial function are outside the Privacy Act.

If you believe an agency has breached your privacy, and that you have suffered harm as a result, you can lodge a complaint and our investigators will look into it. But until then, our Enquiries service can give you guidance, but not a legal opinion.

Advisory opinions for agencies

Note that we do have a separate advisory service for agencies. Our Office offers advisory opinions to help agencies understand how the Privacy Act might apply in a situation they are exploring or considering. The process is intended to promote understanding of the information privacy principles and give greater certainty to agencies in relation to the Act’s operation. You can find out more about our advisory opinions here.

Image credit: Creative Commons via smlp.co.uk



ACC withheld information from chiropractor about investigation


A chiropractor being investigated by ACC made numerous requests for information about the investigation. When ACC withheld some of the information, he complained to the Privacy Commissioner, and then took his case to the Human Rights Review Tribunal.

Dr L is a chiropractor and acupuncturist from the United States who moved to New Zealand in 2009. He opened a clinic in Tauranga in 2010. After closing that business, he opened another clinic in Wellington in 2013.

In 2011, ACC began an investigation into Dr L’s business to determine whether a number of ACC claims submitted by him were genuine. ACC had concerns over the possible duplication of claims and other issues.

Requests to ACC

To find out more about the allegations against him, Dr L made a large number of requests to ACC for information under both the Privacy Act and the Official Information Act. He hoped that if he found out what was behind the investigation, he would be able to correct what he believed was misinformation held by ACC.

However, after ACC discontinued its investigation in 2014, it decided to give Dr L almost all the information previously withheld from him. But it withheld information about:

  • ACC’s investigative techniques and the names of the informants; and
  • information that would involve the unwarranted disclosure of the affairs of other people.

The Tribunal

The Human Rights Review Tribunal recently published its decision on Dr L’s Privacy Act complaints. The complaint centred on information privacy principle 6 of the Privacy Act, which gives individuals the right to request their personal information from an agency.

When the case went before the Tribunal, both parties initially could not agree on what the Tribunal was there to decide. Dr L wanted any and every one of ACC’s withholding decisions leading up to the eventual release of his information reviewed by the Tribunal. He also wanted the Tribunal to review whether ACC acted properly during its entire investigation.

On the other hand, ACC said the only issue the Tribunal needed to decide was whether ACC was right to withhold a list of clients spoken to by the agency during its investigation, because it had already released almost all the previously withheld information.

The Tribunal decided that the core of the case lay in whether ACC had properly continued to withhold the two restricted types of information. The issue was whether, when releasing the information it had previously withheld, ACC was right to hold on to some information. That information related to its investigative techniques, and information which would involve the affairs of other persons.

Duty to investigate

In its decision, the Tribunal said ACC, like other agencies that spend public money, had a duty to prevent, investigate and detect offences concerning its payments. To be able to carry out this duty, ACC must encourage members of the public to provide relevant information. The detection and investigation of fraud is particularly reliant on public information.

The Tribunal said the Privacy Act’s maintenance of the law reasons for withholding information specifically concerning the “prevention, investigation and detection of offences” were justified when related to its investigative techniques.

The Tribunal said ACC’s use of section 27(1)(c) of the Act in this case was proper – “that is, the information relates to ACC’s investigative techniques and methodologies and includes the names of confidential informants”.

Affairs of another

On the second withholding ground – the unwarranted disclosure of the affairs of another individual – the Tribunal said it was clear the information did indeed contain the names and contact details of people who provided information to the ACC investigators, including employees and patients.

“The salient point is that information about Dr L was provided to ACC by a range of persons, but particularly by those working with him and by patients. It is clear from what we have seen and heard the information was provided in expectation the identity of the informants would be withheld from Dr L.”

The Tribunal concluded the disclosure of the information about the identities of informants and others would have been unwarranted. The information had little direct relevance to the issue between Dr L and ACC. It added there was a real risk the information would be misused, including being published on the internet.

The Tribunal said ACC had properly withheld the information and dismissed Dr L’s claim.

Image credit: Creative Commons via Pixabay.



Petdirect Expands From Digital To Physical Retail

Source: Tairāwhiti Graduates Celebrate Success – Press Release/Statement:


In a bold move against prevailing economic trends, New Zealand’s leading online pet retailer, Petdirect, announces plans for major retail expansion with new stores opening in Mt Roskill, Auckland and Tower Junction, Christchurch in the coming months. Following the tremendous success of its first brick-and-mortar location in Takapuna, which opened in October 2024, this strategic expansion solidifies the company’s position as a dominant force in New Zealand’s pet retail sector. The 100% Kiwi-owned and operated company, which just celebrated its 5th birthday, has rapidly evolved from an online startup during the pandemic to capturing a majority share of the online pet supply market.


Hager and Westpac – A bit more context, information and clarification


There has been a significant amount of media coverage about our investigation into Westpac bank disclosing journalist Nicky Hager’s bank account information to Police in 2014. In the course of that reporting, some misconceptions have emerged. Because of the interest in the case, and the potential implications for future practice, we have noted some points of clarification and context below.

Coverage of the story has focussed on our final opinion letter to Mr Hager that he chose to make public. The final opinion is the tail end of a long process that involved submissions, meetings and careful consideration of the facts of the case.

Key background facts

  1. Westpac disclosed Mr Hager’s account information during a Police investigation that followed the publication of Mr Hager’s book Dirty Politics. In the course of investigating how Mr Hager got the information he used to write the book, Police asked Westpac for information about Mr Hager. Westpac provided Police with several months of Mr Hager’s transaction information.

Privacy Commissioner’s legal opinion

The Privacy Commissioner’s opinion is just that – it is not a ‘ruling’ and it is not legally binding. The Human Rights Review Tribunal – where Mr Hager has taken his case now – issues rulings. It hears evidence and argument afresh and comes to its own conclusion.

  1. We form a view of each case based on its specific facts. The law describes a range of circumstances where organisations like banks can disclose customer information, but they have to be able to justify why they did so.
  2. The views expressed in our correspondence are not changing or reforming the law. The Police sought Mr Hager’s information without seeking a production order from a court. That in itself is unremarkable; there is nothing in the Privacy Act that requires a production order before information may be released.

Westpac’s decision to disclose the information

  1. Westpac told us its authority to disclose Mr Hager’s banking details came from its terms and conditions, which Mr Hager had accepted. Principle 11(d) of the Privacy Act allows agencies to disclose personal information if the agency believes on reasonable grounds that the disclosure is authorised by the individual concerned. For example, a home insurer may share information with a mortgage holder, with customer consent.
  2. The relevant clause said that Westpac would disclose information to Police whenever it “reasonably believes that the disclosure will assist it to comply with any law, rules and regulations in New Zealand or overseas or will assist in the investigation, detection and/or prevention of fraud, money laundering or other criminal offences.”

Privacy Commissioner’s view of Westpac’s reasoning

  1. We found that a reasonable Westpac customer would think the phrase “fraud, money laundering or other criminal offences” suggests “other criminal offences” would be similar sorts of financial crimes. Police asked for Mr Hager’s information as part of an investigation involving section 249 of the Crimes Act (accessing a computer for a dishonest purpose), and fraud. Mr Hager himself was not a suspect in this investigation. Westpac has noted that this latter fact was not clear at the time the information was requested. We therefore formed our view that Westpac could not reasonably believe Mr Hager had given his consent for his account information to be disclosed to the Police, given that set of specific facts.
  2. When an agency sets its terms and conditions, it needs to abide by them. Our view was that Westpac’s interpretation of its terms and conditions was too broad, particularly in its definition of “other criminal offences”.
  3. Westpac also argued that the disclosure was allowed under principle 11(e)(i), which allows agencies to disclose information “to avoid prejudice to the maintenance of the law.” We thought this argument was difficult to sustain. If Westpac thought that Mr Hager had authorised it to disclose his information to Police, then “maintenance of the law” didn’t need to enter consideration. It is not consistent to disclose information based on both criteria because they address different circumstances, and one of the two should be enough to authorise disclosure.

Why do production orders and search warrants exist?

  1. Production orders oblige agencies to provide information. The Privacy Act exceptions do not oblige an agency to disclose information – they enable an agency to disclose information.

How does the “maintenance of the law” exception work?

  1. The Privacy Act maintenance of the law exception (principle 11(e)(i)) allows an agency to give information to the Police, provided certain criteria are met.
  2. This exception does not give Police the right to see any information they would like in order to maintain the law. Rather, it only applies to situations where not seeing the information would prejudice, or do some harm to, maintaining the law. Fraud is a good example. If banks suspect fraud, they are absolutely within their rights to disclose information to the authorities. Police cannot investigate without good information from the bank. Similarly, in missing persons’ cases, bank transactions could indicate where someone is. Under these circumstances, if the agency refused to provide the information to Police, it could be hindering an investigation or, in other words, prejudicing the maintenance of the law, and they could therefore provide the information without breaching the individual’s privacy.
  3. A good way to think of the maintenance of the law exception is that it functions as “a shield, not a sword.” Rather than a government agency saying “you must give this information so we can maintain the law”, the exception enables an agency receiving the request to say “explain to me why not giving this information would stop you from maintaining the law.”
  4. The case law in this area underlines that when government agencies ask for information under this exception, they need to provide reasons why they think the exception applies. In the Westpac-Hager complaint, Police did not provide any reasons, so Westpac had no way to assess whether the “maintenance of the law” exception applied.

Role of the Human Rights Review Tribunal

  1. Mr Hager’s legal counsel has indicated that he will be taking the case to the Human Rights Review Tribunal. The Tribunal will hear the case “afresh” (i.e. without taking the Privacy Commissioner’s view into consideration), and then issue a judgment. Tribunal judgments, unlike findings from this office, are enforceable rulings. We will be keeping a keen eye on the outcome in order to inform our approach to future cases.


What to do in a phishing attack


A recent data breach involved a deliberate email phishing attack on an organisation. The email looked like it came from the chief executive and requested a copy of the membership list (names and email addresses).

At the time, the CEO was away from the office. This fact could have been known by the person who sent the phish, as a high-profile person’s travel for work is often publicly known. Because this attack was targeted, it was not easy to spot. One of the reply addresses was unfamiliar, but the other was the CEO’s work email address so the unfamiliar one could have been assumed to be their personal email address.

The request was also plausible, particularly since the information asked for was limited to names and email addresses.

Preventing these attacks

The most effective way for an organisation to protect against this form of attack would be to have a policy of independently verifying requests for sensitive information. Since this might involve junior staff having to contact senior management to verify a request, employees need to be confident that they are expected to do so.

Take time to investigate before you act

A basic phish can usually be spotted by moving your mouse cursor over the link without clicking. The destination address that pops up when you do that will usually look different from the text of the link itself. This difference might be just one character. Moving the mouse cursor over the reply email address can also be helpful when in doubt.

The basic phishing email below is an example. It shouldn’t have been addressed to “undisclosed-recipients” as your bank can address an email just to you. And you can see the box that popped up when the mouse cursor was held over the link. An address of “alex-parus.ru/” does not seem likely for a New Zealand company to use.
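The same three checks described above (a message addressed to “undisclosed-recipients”, a reply address on a different domain from the sender, and a link whose visible text does not match where it actually points) can be automated for a mail team that wants to triage forwarded suspicious emails. The script below is an added example, not code from the Privacy Commissioner; the sample message, its addresses and hostnames are all constructed placeholders. It also includes the “convert the link to plain text” step from the reporting checklist further down, written here as a small defanging function so the address can be shared without being clickable.

```python
"""Heuristic checks for a forwarded suspicious email, plus URL defanging.

Added example (not from the original page). The message below is constructed;
every address and hostname in it is a placeholder, not a real sender or site.
"""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: looks like a bank alert, but shows the three tell-tale signs.
SAMPLE_EMAIL = """\
From: "Example Bank" <alerts@example-bank.co.nz>
Reply-To: Example Bank <support@mail-example.invalid>
To: undisclosed-recipients:;
Subject: Action required on your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your details at
<a href="http://login-verify.example/login">https://www.example-bank.co.nz/login</a></p>
</body></html>
"""


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, tolerating a missing scheme (e.g. 'www.example.com/x')."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def looks_like_url(text):
    """True when the visible link text itself reads as a web address."""
    return text.strip().lower().startswith(("http://", "https://", "www."))


def address_domain(header_value):
    """Domain part of the first address in a From/Reply-To header ('' if absent)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def check_message(raw):
    """Return a list of human-readable findings for a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. A genuine bank can address mail to you by name, not to a hidden list.
    if "undisclosed-recipients" in str(msg.get("To", "")).lower():
        findings.append("addressed to undisclosed-recipients rather than to you")

    # 2. Replies silently going to another domain than the claimed sender.
    from_dom = address_domain(msg.get("From"))
    reply_dom = address_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Link text that shows one host while the href points somewhere else.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        parser = _LinkParser()
        parser.feed(html_part.get_content())
        for href, text in parser.links:
            if looks_like_url(text) and host_of(text) != host_of(href):
                findings.append(f"link text shows {host_of(text)} but points to {host_of(href)}")
    return findings


def defang(url):
    """Rewrite a URL so mail clients will not turn it into a clickable link."""
    return url.replace("http://", "hxxp://").replace("https://", "hxxps://").replace(".", "[.]")


if __name__ == "__main__":
    for finding in check_message(SAMPLE_EMAIL):
        print("-", finding)
    print(defang("http://login-verify.example/login"))
```

The checks are deliberately simple heuristics for a human to read, not a spam filter: a message that trips none of them can still be a targeted phish like the one described at the top of this post, which is why the independent-verification policy matters more than any automated check.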

Three things to do when you get a phishing message

1. Report it!

  • Let others in your organisation know. If you have IT support people, forward the email with a warning that it’s a phishing email. They should handle the rest. In a small organisation, let everyone know – but do not forward the message. People have been known to click on the links in such situations “to see what happens”! You can convert the link to plain text so people can see it, without it being so dangerous.
  • Report the phish to the Electronic Messaging Compliance Unit at the Department of Internal Affairs (DIA) by forwarding the email to scam@reportspam.co.nz or by forwarding the TXT for free to the shortcode 7726 (SPAM).
  • Let the other organisation know. If the message pretended to come from an organisation, then it’s helpful to let them know. It can take a little time looking on the organisation’s website (type the real web address in yourself – don’t click on that link in the phishing email!) to find where to report the spam.

2. Delete it!

3. Get help!

  • If you responded to the phishing email with personal information, contact us using this form or phone us on 0800 803 909 (Monday-Friday between 10am-3pm).
  • You may want to seek help in handling enquiries by affected people. IDCARE is a sponsored support service. Contact them on 0800 201 415 or contact@idcare.org.
  • You should still report it as above. DIA may pass on your report to the Police, Netsafe or MBIE (Consumer Affairs) for further help.
