Category: MIL-OSI

Source:

A recent decision by the Human Rights Review Tribunal (HRRT) illustrates how other legislation can interact with and override the Privacy Act.

When a man imported a 1982 Lancia Montecarlo car, he became unhappy about the repair work and certification necessary for it to be registered for use on New Zealand roads.

The man had requested advice and repair from an NZTA accredited repair certifier at a car repair company. After the car had been repaired and was certified as compliant by VTNZ, the man noticed a crack in the car’s chassis. He then complained to NZTA about the repairer. After an investigation, NZTA advised it would not be taking any further action on his complaint.

Disputes Tribunal

The man then filed a claim against NZTA and VTNZ with the Disputes Tribunal. The claim was also made against the car repairer and the repair company. In response, VTNZ used the Official Information Act (OIA) to request any information about previous complaints involving the man. NZTA responded to this request by providing a copy of a complaint the man had made in 2005 which also resulted in a Disputes Tribunal claim.

The circumstances of the 2005 claim had similarities to his recent claim. At that time, the Disputes Tribunal dismissed the man’s claim. This led NZTA to email the Disputes Tribunal, attaching the Tribunal’s 2005 decision and requesting that his second claim be dismissed for the same reasons. As required by the Dispute Tribunal’s procedures, NZTA’s correspondence to the Tribunal was copied to the man, VTNZ and other respondents.

The man then withdrew his claim against NZTA and was unsuccessful in his claim against VTNZ and the other parties. However, he requested under the OIA copies of emails between VTNZ and NZTA. He wanted to find out who had accessed his personal information and he subsequently complained to the Privacy Commissioner.

The Privacy Commissioner’s investigation found no breaches of principles 5, 8, 10 and 11 of the Privacy Act.

The man took his case to the HRRT claiming NZTA interfered with his privacy and seeking damages and compensation for expenses.

NZTA disputed there had been any interference with the man’s privacy under principles 5, 8, 10 and 11 of the Privacy Act and claimed immunity under the OIA and Disputes Tribunal Act.

Section 48 of the Official Information Act

NZTA said it was immune from HRRT proceedings in relation to its disclosure of the 2005 claim to VTNZ because of section 48 of the OIA.

Section 48 of the OIA says there can be no proceedings, civil or criminal, against a Crown agency which in good faith makes information available in accordance with the OIA.

The man claimed he was the victim of cronyism between NZTA and VTNZ and he had been racially discriminated against.

The HRRT found there was insufficient evidence to prove there was any cronyism, collusion, racism, or other form of bad faith in the NZTA’s OIA response. It decided the information was provided in good faith and the OIA immunity applied.

Section 58 of the Disputes Tribunal Act

Section 58(2) of the Disputes Tribunal Act confers the privileges and immunities available in judicial proceedings on all parties to Disputes Tribunal proceedings. This protects parties from civil actions relating to their conduct in Disputes Tribunal proceedings, including claims under the Privacy Act.

The HRRT agreed with NZTA’s argument that its Disputes Tribunal email to the parties with the 2005 decision attached was covered by the section 58 immunity provision.

NZTA also presented an alternative argument that, even if section 58 did not provide immunity, the disclosure was permitted by principal 11 of the Privacy Act because that disclosure was necessary for the conduct of proceedings before any court or tribunal.

The HRRT agreed that the disclosure was permitted by principle 11 as NZTA believed that it was necessary to send the information, the information was relevant to the Disputes Tribunal proceeding, and NZTA had considered whether it was necessary to send the decision to defend themselves against the claim.

Principle 5 of the Privacy Act

The man also claimed NZTA had breached principle 5. In response to his access request, he had been told that his 2005 complaint file had been accessed once but the access records showed it had been accessed more than once.

Principle 5 requires an organisation to maintain reasonable security safeguards over personal information.

NZTA clarified the man’s information was indeed accessed twice – once for the OIA request and once when the man himself requested a copy of it. The agency had told the man the information had been accessed once because it assumed his query did not include his own access to the information.

NZTA also provided significant detail to the Tribunal on the storage system it used, explaining how the audit system on its records database worked. The Tribunal was satisfied the system was robust and had clear audit trails.

Conclusion

The HRRT struck out the man’s claims against NZTA under principles 8,10 and 11 of the Privacy Act for providing his complaint file to VTNZ. It decided NZTA had acted on the VTNZ request in good faith. Section 48 of the OIA therefore prohibited this aspect of the man’s claim being pursued.

The HRRT struck out the man’s claims under principle 11 and 8 for the disclosure in the Disputes Tribunal because NZTA had immunity arising from its actions in such proceedings under section 58 of the Disputes Tribunal Act.

It said even without the immunity afforded by section 58 of the Disputes Tribunal Act, the email to the Disputes Tribunal and the other respondents did not breach principle 11 of the Privacy Act.

The HRRT found there was no breach of principle 5.

It noted that all the man’s claims against NZTA had been unsuccessful and made no orders in his favour.

Postscript

In addressing the issues raised by the case, the HRRT mentioned the transitional provisions of the Privacy Act 2020 which took effect on 1 December 2020.

It noted that the transitional provisions provide that HRRT proceedings must be continued and completed under the 2020 Act, but that does not alter the relevant legal rights and obligations in force at the time the actions subject to this claim were taken.

Accordingly, all references in this decision are to the 1993 Act. This aligns with our Office’s approach to the transitional provisions.

Image credit: Lancia Montecarlo via carfromuk.com

Human Rights Review Tribunal

Back

Source:

A woman worked as a receptionist for Manawatū Community Law Centre (the Centre) on a one-year contract. During her employment she alleged workplace bullying and harassment and filed personal grievance claims.

Against this backdrop, the Centre’s WINZ advocate (Ms A) made two requests to WINZ for the receptionist’s personal information:

• The first request was made in July 2016 immediately following an acrimonious performance review meeting with the manager of the Centre. The information request asked whether the receptionist was still receiving a benefit from WINZ or any WINZ assistance.
• The second request was made in March 2017, at which time the receptionist was on leave having filed two personal grievance claims against the Centre. This request asked for a wide range of personal information about the receptionist, including copies of WINZ file notes dating back to January 2012, and details of any outstanding debts.

On both occasions, Ms A attached a privacy waiver form that had been signed by the receptionist in May 2016.  That waiver had been given for the purpose of enabling WINZ assistance to be provided to the receptionist. The receptionist complained that the Centre’s actions in requesting information from WINZ and using that information in the context of an employment matter, breached her privacy.

The Centre denied breaching the receptionist’s privacy and argued it wasn’t unreasonable for it to re-use the privacy waiver.  It also argued that its employee, Ms A, had acted without its authority, had “gone rogue”, and that the Centre was therefore not responsible for her actions.

The Privacy Commissioner’s findings

The receptionist’s complaint was first investigated by our Office, which concluded that the Centre had breached privacy principles 1,2, and 4, but not principle 10.

We also concluded that the Centre’s actions caused harm to the receptionist, and that there was an interference with her privacy.

The Human Rights Review Tribunal decision [2021] NZHRRT 10

The Tribunal agreed with our assessment that it was unfair and unreasonably intrusive for Ms A to re-use the privacy waiver (and that this breached privacy principle 4).  The privacy waiver had been given for the narrow purpose of enabling WINZ assistance to be provided to her, and could not reasonably be relied on to authorise the collection of information within the

Further, the Tribunal found that the requests breached privacy principle 2 as there were no reasonable grounds to believe that the receptionist had authorised the disclosure or that any of the other exceptions applied, and that the second (but not the first) request breached privacy principle 1 due to the breadth of the information sought. 

The Tribunal also found that use of her social welfare number to obtain further information about her in the context of an employment dispute breached privacy principle 10. 

Harm

The receptionist gave evidence that she felt ‘disgusted and hurt’ that the Centre went behind her back twice to get information it was not entitled to, with the purpose of discrediting her in an ongoing investigation relating to her allegations of workplace bullying.

The receptionist said that when she found out about the privacy breach, she felt vulnerable and that her personal information had been exposed for the purpose of trying to belittle her.

The Tribunal was satisfied that the receptionist suffered significant humiliation and injury to her feelings as a result of the privacy breaches.

The Tribunal also found that the Centre was vicariously liable for the actions of Ms A in making the requests to WINZ, as she was acting in her capacity as an employee.

Damages awarded

While the receptionist had sought damages of between $98,000 – $200,000 (being the ‘category three’ band in Hammond v Credit Union Baywide), the Tribunal did not accept that the case was analogous.

The Tribunal made a declaration that the Centre had interfered with the receptionist’s privacy by breaching privacy principles 1, 2, 4 and 10, and awarded damages of $6,000. Costs have been reserved.

 

 

 

 

Back

Source:

The Human Rights Review Tribunal heard a case concerning a surgeon’s disclosure to ACC and other doctors that her patient’s mother had made a complaint to the Health and Disability Commissioner (HDC) about her.

The mother complained about this disclosure under the Privacy Act as she was anxious that the disclosure would prejudice her son’s care under his new physician. While the Tribunal found there was a breach of privacy principles 10 and 11, ultimately the Tribunal found this was not an interference with the mother’s privacy.

Corrective surgery had unexpected outcome

The mother’s son experienced pain and discomfort following surgery and his overall condition worsened.

During a follow up appointment, the mother asked for her son’s care to be transferred and made a complaint to the Health and Disability Commissioner (HDC).

When reviewing her file to respond to the HDC complaint, the surgeon wrote to his GP and the surgeon who was now treating him and completed the ACC form, referring to the fact that the mother had made an HDC complaint. The mother was unaware that ACC, the GP and the new surgeon had been informed about her HDC complaint and so made a complaint to OPC that this was an interference with her privacy and her son’s privacy.

Privacy Commissioner’s investigation

The Privacy Commissioner’s Office investigated the complaint but concluded this was not an interference with the mother’s privacy.

Tribunal finds privacy breach but no interference

The HRRT upheld the Privacy Commissioner’s finding, however notably the HRRT did find there had been a breach of principles 10 and 11. These principles require an agency not to use or disclose personal information unless it has reasonable grounds to believe that at least one of the exceptions applies. The Tribunal did not consider that the disclosure complied with the IPP 10 or 11 as the exceptions that the ADHB relied on, namely the authorisation exception (IPP 11) or the related purpose exception (IPP 10 and 11) did not apply.

The fact that the mother had made an HDC complaint was considered to be her personal information and her son’s health information (mixed information), and the privacy interests of both individuals needed to be considered before it could be used or disclosed. The surgeon subjectively believed that the mother had authorised the disclosure when signing patient registration forms, and that sharing the information was for one of the purposes it was collected for. However, the Tribunal did not have evidence that the disclosure was directly related to the purpose for which the information had been obtained, nor did the patient authorisation extend to the sharing of the mother’s personal information. The personal information relating to the HDC complaint was received by the surgeon for the purpose of responding to that complaint, it did not relate to ACC or another doctor, and there was no objective reason for sharing the existence of the HDC claim.

However, the Tribunal found this was not an interference with the mother’s privacy, despite the mother explaining the personal impact of the disclosure on her, which included stress, anxiety, despair and deep upset, and the Tribunal acknowledging that the realisation that the surgeon had told others about her HDC complaint had caused the mother stress.

While the Tribunal acknowledged that the consequences of the surgery had a profound impact on the mother and her son, the Tribunal had to be satisfied that the disclosure and use of the HDC complaint was a contributing or material cause, not just part of the overall background. The Tribunal did not have evidence that the son’s medical treatment was adversely affected by the ADHB disclosure and use of the mother’s personal information. While the Tribunal acknowledged that disclosure or use of the HDC complaint could amount to an interference with privacy under s 66(1)(b)(iii) (injury to feelings), evidence was required that this was significant and causally linked to the breaches of the privacy principles.

R v ADHB [2021] NZHRRT 5  

Note: This case was heard in December 2019 and decided under the Privacy Act 1993. The Privacy Act 2020 came into force on 1 December 2020.

Back

Source:

When caught out by her employer shopping online during working hours, a woman’s attempt to claim reparations for humiliation and distress was thrown out by the Human Right’s Review Tribunal when a series of light-hearted, emoji-filled messages between the woman and her employer revealed that there was no evidence of harm.

The online shopping incident

A woman bought shoes online from Betty’s Empire Limited during work time, using her workplace address for delivery.

On receipt of the woman’s order, a Betty’s Empire employee realised he knew someone at her place of work and thought the delivery address did not match the one he was personally familiar with. He sent a copy of the invoice to his contact and asked whether the delivery address was correct.

When the woman found out her employer knew about her shopping, she contacted the online customer service team at Betty’s Empire to cancel the order and complain about the sharing of her order with her employer. Betty’s Empire ordered a courier to uplift the shoes from her. She was provided with an apology, a full refund, and offered a $200 credit. Betty’s Empire issued a warning to the employee involved.

The woman contacted the Office of the Privacy Commissioner to complain. She said she felt violated and stressed following the incident and that it had caused animosity in her workplace.

The Privacy Commissioner’s findings – no significant humiliation

The Office of the Privacy Commissioner (OPC) found that the woman’s complaint raised issues under principle 11 of the Privacy Act 1993. Principle 11 says that agencies that hold personal information about an individual must not disclose that information, unless one of the exceptions listed in principle 11 applies.

In order to find an interference with the woman’s privacy OPC had to be satisfied that Betty’s Empire breached principle 11, and that the woman had been harmed, as defined in section 66(1)(b) of the Privacy Act 1993, by that breach.

OPC found that while the woman appeared to be annoyed and embarrassed by the actions of Betty’s Empire, she was not significantly humiliated. As Betty’s Empire acknowledged the breach, took steps to ensure the mistake did not happen again, apologised, and offered the woman a $200 credit, OPC closed the file.

Following this investigation, the woman took her case to the Human Rights Review Tribunal.

The Human Rights Review Tribunal decision [HRRT 009/2019] – no interference with privacy

The Human Rights Review Tribunal did not accept the woman’s evidence of harm, which included being paranoid to shop online and that retail therapy was no longer a “thing”.

The Tribunal noted that when her employer received the receipt from Betty’s Empire, they sent her a message with a photo of her online shopping order stating, “I see your (sic) being productive at work”. This was accompanied by three emojis, two of them showing laughing faces.

Rather than embarrassment, the woman’s response to her employer was to acknowledge that while she was “snapped”, she referred to her employer as also shopping online during work hours. She also added emojis showing laughing faces to her reply.

The Tribunal was not satisfied that the breach of privacy principle 11 by Betty’s Empire caused the woman harm and ruled that there had been no interference with her privacy. The case was dismissed, and no damages were awarded.

No Costs award against the unsuccessful plaintiff

Betty’s Empire sought costs of $6,000 against the woman, on the grounds that her case had brought discredit to their business.

The Tribunal dismissed the application for costs stating that the purpose of a costs order is not to punish an unsuccessful party, and that the prospect of an adverse costs award may discourage others from bringing proceedings to ‘the inexpensive and accessible form of justice which is the hallmark and strength of a tribunal’.

As stated in an earlier case, apart from the Tribunal, there is no other forum for a plaintiff to test an agency’s compliance with the Privacy Act. In this case, the Tribunal was the only forum for her to seek a remedy for the admitted breach of privacy principle 11. While the Tribunal can make costs awards against unsuccessful plaintiffs where a claim is found to be without merit or justification, the plaintiff’s failure to properly articulate appropriate remedies did not justify a costs award.

Human Rights Review Tribunal, IPP11 – disclosure

Back

Source:

The Privacy Act is changing – and one significant feature of the changes will be to put a time limit on when complainants can bring a complaint to the Human Rights Review Tribunal.

We’ve highlighted the issue of investigating a complaint about events long in the past in our blog before, and the view of the Tribunal. Complainants and our office need to be aware of how the Tribunal is operating and when a case may not be accepted.

Too long ago

Earlier this year, the Tribunal rejected a complainant’s request for judgement because she waited five years to bring her case to its attention. Our office had earlier declined to investigate her complaint because it involved events that were too far in the past.

Section 74 of the Act says the Privacy Commissioner may decide not to investigate a complaint if “the time that has elapsed between the date on which the subject of the complaint arose and the date on which the complaint was made is such that an investigation of the complaint is no longer practicable or desirable”.

You can read about the case in our blog post. 

The Tribunal decision can be found here. 

Six-month limit – section 98

What the Privacy Act 2020 does is clarify the law on the practical temporal limitations on taking a case to the Tribunal.

Under section 98 of the new Act, an aggrieved individual must commence proceedings in the Tribunal within six months after the Privacy Commissioner has notified the complainant of the result of the complaint investigation.   

Section 98 sets out the main criteria that complainants can rely on when bringing their cases to the Tribunal – and they can do this even if our office declines to investigate or decides not to further investigate a complaint.

But despite widening the criteria for taking complaints to the Tribunal, there are clues as to how the Tribunal might refuse to hear a case. For instance, in 2018, the Tribunal took a dim view of a complainant who had withdrawn his complaint to our office and then filed proceedings with the Tribunal.

Complainant withdrew complaint

Ordinarily, when our office completes an investigation into a complaint, we issue the complainant with the Certificate of Investigation. This certificate gives the complainant an avenue to then take their case to the Tribunal.

In this case, the complainant withdrew his complaint before we were able to make a final view. Our office issued the complainant with the certificate, but it recorded that the Privacy Commissioner, having started an investigation, reached no final view because the complainant had withdrawn his complaint.

In its decision to strike out the case, the Tribunal said: “Any influx of cases taking a short cut will limit the effectiveness of the Tribunal’s processes for those claimants who have proceeded in good faith through the Privacy Act’s mandated consideration of the Privacy Commissioner, followed by a decision in accordance with the requirements of the Act.”

The Tribunal added: “It would also be unfair to those people who engage with the Commissioner’s process were it permissible for other complainants to jump the queue by withdrawing from the statutory filtering mechanism in order to file proceedings with the Tribunal.”

By the simple action of first lodging and then withdrawing a complaint to the Privacy Commissioner, a complainant could bypass “the filtering mechanism” provided by our office.

The Tribunal noted that the time available for hearing cases was a limited resource. The average length of a hearing is about three days and it is not uncommon for complex cases to run for two weeks or more.

Follow the process

Our office tries to resolve complaints using our dispute resolution process. When a case is successfully resolved, it is one fewer case that might be escalated to the Tribunal. In addition, if a complaint is withdrawn before our investigation has run its course, the respondent agency might not learn of the complaint until it was before the Tribunal. This, the Tribunal also noted, would also deprive agencies of the opportunity to engage in meaningful mediation with all its advantages of resolving a complaint at an earlier stage.

For these reasons, the Tribunal decided it did not have jurisdiction to hear and determine if the complainant’s privacy had been interfered with. You can read the decision here.

The two Tribunal examples help us understand the Tribunal’s reasoning in determining how it applies its jurisdictional criteria. A significant factor appears to be whether the issue mattered enough to the complainant to follow it through the process with our office and then to do so in a timely way with the Tribunal.

Image credit: The persistence of memory (edit) by Salvador Dali. 

Back