InfoRM Privacy Law Update – March 2014


New Zealand Developments

To keep, or to delete?

One issue in information law that can be easily overlooked is the blurry line between when agencies must delete data and the sometimes conflicting obligations to retain data. Two recent examples demonstrate that difficulty in litigation, but the issue is much wider than that.

In one case (discussed below) the Human Rights Review Tribunal (HRRT) ordered an agency to give a failed job applicant access to other applicants’ personal information (ordinarily a grave breach of privacy); and, in another, Kim Dotcom has argued that the GCSB deleted information that he needed as evidence in his case against it. In contrast, a recent report shows that government agencies regularly retain information beyond the point at which it should have been deleted (see below).

Organisations looking to understand their obligations to retain information must look beyond the Privacy Act 1993. That Act requires agencies not to keep personal information for longer than it is required for a lawful purpose, but it is subject to other obligations to retain data, which include:

  • Health regulations oblige all health providers to keep information for 10 years after the last encounter with the patient (even after death).
  • Various statutory obligations to retain information, even after it has no lawful use for the holding agency, to be shared with bodies such as ACC, the Ministry of Social Development, the Department of Internal Affairs, the Financial Markets Authority, the Commissioner of Inland Revenue, and AML/CFT supervisors.
  • Discovery obligations require the parties involved to retain information relevant to litigation that has begun or is contemplated. If personal information is relevant to litigation (including in the HRRT), the holding party cannot delete it, but its disclosure will not breach the Privacy Act.

How should an organisation faced with conflicting obligations manage the information it holds?

  • Start with any express obligation to retain information, and keep it for the time or the purposes specified in those overriding provisions.
  • After any mandatory retention time or purpose lapses, the organisation may keep the information only to the extent it still requires it for lawful purposes (in accordance with the Privacy Act).
  • If there is no express duty to retain the information, the organisation can normally delete it even if it could still retain it for a lawful purpose. If information has been deleted before any request for access was signalled, the information will not be “held” and there will be no breach of Privacy Act principles for failing to disclose it (unless the information can still be recovered without excessive difficulty).

The fundamental lessons are that the Privacy Act's prohibitions on disclosure do not guarantee that holders of personal information will never have to disclose it to third parties, and that compliance with that Act does not satisfy all retention obligations.

Case comment: disclosure of job applicants' personal information

The Human Rights Review Tribunal (HRRT) has ordered a company to disclose to a failed job applicant the CVs and reference checks of other applicants for the same position. The HRRT applied general discovery rules to hold that the defendant in a human rights case (Alpine Energy) must make available to the complainant (the failed job applicant) information on other applicants. 

The complainant had brought a claim under the Human Rights Act 1993, alleging that his application failed because of age discrimination. He applied for a discovery order for other applicants’ information. The defendant invoked s 69 of the Evidence Act 2006 (which allows a court to exempt confidential information from discovery), but the HRRT rejected this argument. It ordered the defendant to make available other applicants’ names, applications, CVs, references and security checks. Arguably, this order covers criminal records, debts, medical information, and work performance and behaviour issues.

The HRRT reasoned that:

  • Confidential information is discoverable, subject to a court’s discretion to withhold discovery where confidential relationships would be harmed. It is the public interest in retaining confidentiality that is relevant, not personal interests.
  • No evidential foundation had been laid to show harm to confidential relationships would result from disclosure.
  • If there were no disclosure, discriminatory conduct could be concealed behind a cloak of confidentiality.

The decision illustrates the importance of discovery, especially in anti-discrimination cases, and the power of the Courts (including HRRT) to expose individuals’ personal information, even where this is otherwise prohibited by the Privacy Act 1993 and other privacy safeguards. 

The decision of the HRRT can be found here.

Change of Privacy Commissioner

The Office of the Privacy Commissioner has welcomed new Commissioner John Edwards, who replaced outgoing Commissioner Marie Shroff on 17 February 2014. Both the previous and the current Commissioners have made noteworthy comments on privacy in New Zealand.

Marie Shroff has stated that handling the “tsunami” of informational advances was a major challenge for the Office, which is an Independent Crown Entity (ICE). To meet such challenges, she cited the need for ICEs to exhibit impartiality and fairness, effectiveness, credibility, advocacy and service to clients. Another challenge was the dangerously high concentration of private, unregulated information service providers, and the lack of control over their increasingly invasive innovations. The former Commissioner referred to Google's acquisition of Nest in the US, which will enable domestic appliances to collect, store and share household and private information.

These concerns were supplemented with praise of the New Zealand media for recognising, for the first time at the end of last year, that privacy is a right, and something that need not always give way to security concerns or even freedom of expression. While that is what the Court of Appeal had confirmed in 2004, public perception had only now begun to change. Marie Shroff cautioned, however, that there was still a need to reassess how to deal with privacy issues. She recommended abandoning the “balancing” test, and opting instead for an approach recognising privacy and the opposing interest as two equal pillars. The previous Commissioner also noted the need for government regulators to monitor these twin pillars, hoping the reform of the Privacy Act 1993 would get under way this year. (The full text of her address is available here.)

New Privacy Commissioner John Edwards is an information lawyer, with experience advising organisations on privacy, copyright, freedom of speech and social media. He has agreed with Marie Shroff's sentiments that privacy has gained a high profile of late, and has echoed her concerns at the growing global trend of technological innovations becoming more invasive. He too has signalled the need for changes to the Privacy Act, including mandatory reporting of data breaches, which the Law Commission had previously recommended. John Edwards has also expressed an interest in making privacy more “user-friendly”, so that any changes should not result in over-prescription.

The new Commissioner has stated that agencies were not considering privacy properly because of their eagerness to connect and to share information. Systems had not been tailored to protect privacy sufficiently because of the modern preoccupation with having as much information as possible and delivering outputs as speedily as possible. Another disappointing trend was that people who had accidentally acquired personal information were using it for their own gains. Such people were typically already locked into a struggle with a large body, and the new Commissioner has recommended such people be treated fairly and properly in order to minimise the risk of wrongful use of stray information.

New Zealand's public sector and information-sharing

The push for public sector efficiencies has resulted in increased information sharing across government agencies. While this has streamlined processes, in some instances agencies have cut corners, as highlighted by a series of reports from the Office of the Privacy Commissioner.

The reports, which cover several public bodies, centre on information-sharing and -matching agreements. These agreements are governed by the Privacy Act, and facilitate the sharing of information between government agencies for a defined purpose. Of the 54 agreements assessed, 22 were found to be non-compliant, and several bodies were found to have “substantial issues”. 

Most breaches relate to information-matching agreements, which provide for the passing of information relating to an individual from one agency to another for the purpose of verifying that information. The duty breached most often was the duty to destroy the information within 60 days. As the reports reiterate, destruction must be complete: it is not sufficient for the information to be removed from view but retained. Many receiving agencies have simply retained the information. This approach has become the default, unsurprisingly in one sense, given that agencies normally retain information and that the providing agency still has a right to retain it. However, the policy behind the duty is clear: the information was provided for one purpose (matching), and any further use must be strictly controlled.
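The failure the reports describe (information “removed from view but retained”) is, in engineering terms, a soft delete where a hard delete was required. The following is an added example written for this update, not code from the reports or from any agency: it assumes a hypothetical SQLite table `matched_records` holding information received under a matching agreement, with a `received_at` timestamp and a `hidden` soft-delete flag, and shows a retention sweep that treats hidden rows as still held, purges everything past the 60-day deadline, and then audits that nothing expired remains.

```python
"""Retention sweep for records received under an information-matching agreement.

Added example, not from the newsletter or any agency's systems. The table name,
columns and sample rows are hypothetical and constructed for illustration.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 60  # destruction deadline discussed in the update

SCHEMA = """
CREATE TABLE matched_records (
    id INTEGER PRIMARY KEY,
    subject TEXT NOT NULL,
    received_at TEXT NOT NULL,          -- ISO-8601 UTC, seconds precision
    hidden INTEGER NOT NULL DEFAULT 0   -- soft-delete flag: row is out of view but still held
);
"""


def build_sample_db(now: datetime) -> sqlite3.Connection:
    """Constructed sample data: two rows past the deadline (one merely hidden), one within it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = [
        ("subject-A", now - timedelta(days=90), 1),  # hidden from view, but retained
        ("subject-B", now - timedelta(days=75), 0),  # simply retained
        ("subject-C", now - timedelta(days=10), 0),  # still within 60 days
    ]
    conn.executemany(
        "INSERT INTO matched_records (subject, received_at, hidden) VALUES (?, ?, ?)",
        [(s, t.isoformat(), h) for s, t, h in rows],
    )
    conn.commit()
    return conn


def expired_ids(conn: sqlite3.Connection, now: datetime) -> list:
    """IDs of every row older than the deadline, regardless of the `hidden` flag.

    Lexical comparison of the timestamps is valid because every value is written
    with the same ISO-8601 UTC format and precision.
    """
    cutoff = (now - timedelta(days=RETENTION_DAYS)).isoformat()
    cur = conn.execute(
        "SELECT id FROM matched_records WHERE received_at < ? ORDER BY id", (cutoff,)
    )
    return [row[0] for row in cur.fetchall()]


def purge_expired(conn: sqlite3.Connection, now: datetime) -> int:
    """Hard-delete expired rows (not just flag them) and return how many were removed."""
    ids = expired_ids(conn, now)
    if ids:
        conn.executemany("DELETE FROM matched_records WHERE id = ?", [(i,) for i in ids])
        conn.commit()
    return len(ids)


def audit(conn: sqlite3.Connection, now: datetime) -> int:
    """Post-purge check: number of expired rows still held. Anything but 0 is a breach."""
    return len(expired_ids(conn, now))


def demo() -> tuple:
    """Run the sweep over the constructed data; returns (expired before, purged, expired after)."""
    now = datetime.now(timezone.utc).replace(microsecond=0)
    conn = build_sample_db(now)
    before = expired_ids(conn, now)
    purged = purge_expired(conn, now)
    after = audit(conn, now)
    return before, purged, after


if __name__ == "__main__":
    before, purged, after = demo()
    print("expired before purge:", before)   # subject-A (hidden) and subject-B
    print("rows purged:", purged)
    print("expired rows still held:", after)  # 0
```

Two practical caveats follow from the reports' insistence that destruction be complete. First, the sweep must ignore the `hidden` flag, as above, or hidden rows will never be selected for deletion. Second, a `DELETE` in a real store is only the start: free pages in the database file (SQLite needs a `VACUUM` to reclaim them), backups, replicas and logs can all still hold copies, so an audit should cover those locations too.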

The Government has not responded to these reports. Privacy Commissioner John Edwards has stated that public faith in government agencies needs to be rebuilt, and that these agencies must be seen to be complying with existing rules. He expressed confidence that privacy is top of mind in Government, in public and private organisations, and in health organisations. In terms of reform to the Privacy Act, he said that giving the Commissioner a power to fine bodies would not be effective, and that naming and shaming remains the most effective response. The Minister of Justice’s office has stated that a Bill is expected to be introduced later this year.

The Electronic Data Safety Bill, which is a Member’s Bill, is currently before the House. It aims to establish an Electronic Data Safety Commission, which would inquire into government agencies’ breaches of privacy, and advise on how to improve the law and best practice in this area.

Legislation enabling FATCA overrides Privacy Act

The Taxation (Annual Rates, Employee Allowances, and Remedial Matters) Bill contains proposed legislative amendments to give effect to the intergovernmental agreement (IGA) New Zealand is currently negotiating with the United States in respect of the United States’s Foreign Account Tax Compliance Act (FATCA). 

The Commentary to the Bill states that under the terms of the IGA, New Zealand financial institutions will be required to collect information on their customers that are United States taxpayers or entities controlled by United States taxpayers. This information must be sent to the Inland Revenue Department, which in turn will transmit it to United States tax authorities.

Under the Bill, the IGA will have the status of a double tax agreement. As such, the IGA will generally override the provisions of the Privacy Act 1993. However, any information provided to the United States will be subject to the existing protections that apply to information provided to the United States under the New Zealand-United States double tax agreement.

Overseas Developments

A United States Judge has dismissed a lawsuit based on Apple’s alleged violation of its own Privacy Policy with its iPhone technology. In effect, the Judge found the plaintiffs could not show their consumer grievance and loss could be fairly linked to Apple’s alleged misconduct (not keeping to its own Privacy Policy), or to any reliance the plaintiffs placed on Apple’s Privacy Policy. The decision has implications for how far companies’ self-imposed and publicly stated privacy policies reach in restricting the company and protecting its consumers.

The plaintiffs alleged Apple was not complying with its declared Privacy Policy, which provided that, as a priority, it would take precautions, including administrative, technical and physical measures, to safeguard its consumers’ personal information against unauthorised access and disclosure. They submitted the iOS environment that Apple had developed, and encouraged its consumers to adopt, enabled Apple easily to transmit consumers’ personal information to third parties that collect and analyse such data without user consent and detection. They further alleged Apple collected and exchanged users’ location information even when iPhone “location services” were switched off.

While that aspect of the decision was based on consumer protection law relating to misrepresentation and reliance, the result of the decision is relevant to the effect on privacy policies. It will not be enough for consumers to point to a company’s privacy policy to prove that a company’s information-sharing activities were harmful. More is needed to link a company’s conduct with the consumer’s decision-making and subsequent grievance (in this case, over-paying for iPhones and losing storage space due to unauthorised data transmission). The mere existence of a privacy policy will not show a company caused the consumer to rely on its assertions and to adopt software, which they thought would be less invasive than it ultimately proved to be.

This decision indicates that lower US courts are not prepared to treat a company’s privacy policy as a consumer guarantee of the exact extent of the company’s information collection and sharing activities. This seems to acknowledge the importance of informational accessibility to IT businesses. Consumers should not wholly rely on a privacy policy, and companies should not be obliged to limit their business’s technological tactics with a publicly stated privacy policy. It remains to be seen whether a claim would have more success under New Zealand’s Fair Trading Act’s misleading behaviour provisions, which do not require consumer reliance to be proved.

This publication is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.
