In this edition of InfoRM:
Key takeaways from new guidelines released by OPC, DPMC and the Data Futures Partnership
Recently, a number of different organisations have released new guidelines and policies on how to safely manage personal information and information disclosure.
Office of the Privacy Commissioner – releasing personal information to law enforcement agencies
This guideline is intended to allow companies or individuals holding personal information to establish when necessary grounds exist to authorise a disclosure to law enforcement agencies under the exceptions in Information Privacy Principle 11 – key points include:
- the importance of distinguishing between a requirement to provide information (where the information is sought under a search warrant, production order or by the operation of a statutory power) and a request for information (where the information is being released by the disclosing agency on a voluntary basis) to determine the responsibilities of the disclosing agency;
- ensuring that where the disclosing agency is relying on one of the exceptions in the Privacy Act, such as threat to health and safety (11(f)) or maintenance of the law (11(e)(i)), the disclosing agency ensures they believe on reasonable grounds that one of those exceptions applies at the time the information is released; and
- ensuring a law enforcement agency request provides enough information to allow the disclosing agency to make an informed view about whether there are those reasonable grounds – simply asserting the information is needed for an investigation is not enough.
This guidance is available here.
Department of the Prime Minister and Cabinet – new Official Information Act and Privacy Act policies
The Department of the Prime Minister and Cabinet (DPMC) has released policies outlining how DPMC will comply with its obligations under the Official Information Act 1982 (OIA) and the Privacy Act 1993.
- The Official Information and Proactive Release Policy illustrates a shift from the release of information only when subject to an OIA request, towards the proactive release of information that can either be official information in the public interest, or the public release of information provided in response to an OIA request. Increased reporting will track DPMC's compliance with the OIA. The aim of the policy is to promote good government, openness and transparency, and to foster public trust and confidence in agencies.
Data Futures Partnership – Guidelines for trusted data use
Data Futures Partnership, an independent group appointed and funded by the Government, has released Guidelines for Trusted Data Use, a guide for all organisations (companies, government and non-government) collecting or using personal information. The Guidelines focus on eight key questions that organisations can answer to explain how they collect and use data to make individuals feel more comfortable about their data being collected, such as identifying:
- who will be using the data and for what purpose;
- how the data will be protected; and
- what consents individuals can give about subsequent use of their data.
The questions were developed after engaging with the public, and public and private sector agencies, and considering local and international developments, with the hope that more transparency about data use will increase community acceptance of data use and allow New Zealand to embrace the opportunities presented by data.
Privacy Commissioner reiterates the need for privacy reform
A change in government has given the Office of the Privacy Commissioner the opportunity to push for urgent Privacy Act reform. In his briefing for the incoming Minister of Justice, Privacy Commissioner John Edwards stresses the time that has elapsed since the Law Commission's comprehensive review of privacy in 2011 and the delay in drafting a new Privacy Bill. He repeats the Office of the Privacy Commissioner's updated recommendations presented to Parliament in January 2017, including recommending the Government consider:
- empowering the Privacy Commissioner:
- to apply to the High Court for civil penalties in cases of serious privacy breaches; and
- to require an agency to demonstrate its ongoing compliance with the Privacy Act; and
- introducing data portability as a consumer right.
These new recommendations illustrate a shift towards giving the Office of the Privacy Commissioner more power to deal with repeat or serious offenders. The Privacy Commissioner’s Briefing to the incoming Minister of Justice is available here.
Caution for politicians using private email addresses and phones
In October 2017, the Ombudsman ruled that communications from a private email account can be "official information" and therefore the subject of information requests. The ruling related to a request made for a regional councillor's private email and telephone communications.
The Ombudsman held that certain communications were "official information" because they were made in the councillor's capacity as a councillor. However, the Ombudsman ruled that the councillor was entitled to withhold communications with a journalist: disclosure would be likely to damage the public interest by compromising the confidentiality of journalists' sources. Other communications were not "official information" because they were made in the councillor's capacity as a political candidate standing for election and as an editor of a magazine.
The ruling sends a clear message that official information provisions attach to the type of information rather than being limited to official accounts.
Work emails can contain "personal information" for the purposes of the Privacy Act
The Office of the Privacy Commissioner (OPC) has recently looked at whether work emails can be "personal information", despite being generated in a work capacity. In this case, a dismissed employee sought access to all of his work emails from a 12 month period of employment.
The OPC held that although work emails can contain personal information, it was reasonable for the employer to refuse the information request, as the mixed nature of the information requested meant the personal information about the employee was not readily retrievable from the other information contained in the work emails. Further, it would be significantly burdensome and would impair efficient administration to require the employer to separate out the information as part of the request. Interestingly, the OPC made no reference to the employment agreement.
This is a good reminder for employers that even after an employee has left, the employer may be required to provide access to personal information still held by the employer about the employee – including emails and documents. The case note is available here.