In this edition of InfoRM:
Privacy as a Proxy for Defamation
Privacy complaints have provided an effective remedy for people who believed they have been brought into disrepute, as illustrated by two recent cases involving the Privacy Commissioner.
One case involved a young woman who was involved with a group accused of shoplifting by a shop owner. The woman herself cooperated fully with police and it turned out that other members of her group had taken the items in question without her knowledge. In the meantime, the shop owner had posted a surveillance picture of the group on its Facebook page entitled ‘Wall of Shame’.
A second case involved a woman’s personal details being posted on a website’s forum by another user, alongside an accusation that she was “dodgy”. This led to harassing phone calls and enquiries from her bank.
In each case, the traditional legal remedy would lie in defamation. The journey through the courts would be long, expensive and potentially humiliating for the claimants (as the adversarial process sought to determine whether the accusations were true). However, following the involvement of the Privacy Commissioner in the above cases, each ended in an early settlement between the relevant agencies and individuals, and the offending material being taken offline.
In the first case, the Privacy Commissioner considered that the publication of the photo on the ‘Wall of Shame’ was in violation of Privacy Principles 10 and 11 and there was no proper basis to justify posting it. The use of the images was not consistent with collecting them for security reasons, and even though the woman was not named, she was identifiable from her image alone.
In the second case, the Privacy Commissioner considered that allowing the details to remain on the website breached Privacy Act obligations including to: correct personal information when asked; make sure personal information on the site was relevant, up-to-date and not misleading; and not to improperly disclose personal information (Privacy Principles 7, 8 and 11).
This second case is particularly interesting as it did not involve any assessment of whether the accusations were true. Truth is not a defence to a privacy breach, which is one more reason why privacy may be a more attractive option to complainants than more conventional causes of action.
A privacy complaint can be a powerful tool in the hands of an individual who feels that they have been wronged by an agency which holds their personal information. As recent decisions of the Human Rights Review Tribunal have shown, there is the potential for significant damages awards in privacy proceedings.
With the growth of user engagement on websites and platforms, effective (and pre-emptive) moderation practices might well prove to be increasingly valuable to avoid complaints and to help demonstrate compliance with the Privacy Act.
Social Media Use on MSD’s Radar
Recent comments by a Ministry of Social Development spokesperson have confirmed that Government investigators use social media as part of efforts to track potential welfare fraudsters.
This kind of social media surveillance is said to usually occur once an investigation has already started, but if staff become aware of a potential fraud through social media they are obliged to notify the investigation team.
The Ministry has said that it uses a range of techniques and follows “all sorts of lines of inquiry”, pointing out that social media is an obvious publicly available source of information. That said, information sharing between Government agencies remains the most successful method for catching benefit fraudsters.
The Privacy Commissioner has cautioned against too much stock being put into information gleaned from social media profiles, since “[just] because somebody posts something doesn‘t mean it’s true and can be relied upon.”
The Minister of Social Development, for her part, came out in strong support of the Ministry’s monitoring of social media, stating, “If they’re silly enough to use social media to broadcast the fact that they’re trying to defraud the taxpayer, well then they’re silly enough to get caught.”
Case comment: Council disclose identity of complainant
The Human Rights Review Tribunal has ordered $2,000 in damages for humiliation, loss of dignity and injury to feelings against the Whangarei District Council (WDC) as well as ordering WDC to provide privacy training to its staff.
Mr Deeming complained to WDC regarding alcohol fuelled incidents at the Mid Western Rugby Squash Club. Although WDC has a policy of protecting complainants’ identities, the complaint was disclosed to the Club President. Following this, Mr Deeming received a lifetime ban from the Club, was harassed at home by the Club President, and was publically humiliated through hostile media reports.
The Tribunal held that the information provided by Mr Deeming was not personal information and could have been disclosed for the purpose of investigating the complaint, but his identity could not be disclosed. Furthermore, the evidence demonstrated that WDC was aware of the privacy concerns relating to disclosure and acted in a manner deliberately intended to hurt Mr Deeming.
However, damages were minimal because Mr Deeming had also complained to the Northland Rugby Union without requiring confidentiality, and there was a significant delay before bringing proceedings. The Tribunal held that parallel disclosure complicated the causal connection between interference of privacy and the damages awarded and the delay made it difficult to assess the degree of emotional harm experienced over six years earlier.
The significance given to the parallel disclosure is interesting given that the Tribunal was satisfied that the breach caused harm, and recent clarifications that a material contribution is sufficient.
This case serves as yet another example of a deliberate and malicious privacy breach resulting in proceedings and demonstrates that agencies have continuing responsibility to ensure employees take privacy seriously.
Telstra Corporation Limited v Privacy Commissioner
The Administrative Appeals Tribunal of Australia has overturned a decision of the Australian Privacy Commissioner which found that all metadata held by a telecommunications provider in relation to a person’s account was ‘personal information’ under the Privacy Act 1988. The decision turned on the critical question of whether the information was about an individual and is relevant to New Zealand, which uses a similar test.
Mr Grubb had requested all data about his mobile phone use and the Privacy Commissioner had decided that ‘network data’ (the IP address and cell tower details) was “information... about an individual” because it could be linked to Mr Grubb. However, the Administrative Appeals Tribunal held that the ability to link the information to him was not enough, because the network data was simply about how services were provided to Mr Grubb and were not ‘information about’ him.
This saga is set to continue as the Privacy Commissioner has launched a Federal Court challenge to the Tribunal’s decision and this is understood to be the first time that the Office of the Commissioner has done so.
The decision of the Administrative Appeals Tribunal (under appeal) can be found here.
Ferrier Hodgson, currently acting as receiver of Dick Smith’s New Zealand assets, has agreed to sell the failed electronics retailer’s customer database, highlighting a tension between the natural desire to realise assets for creditors and the need to comply with privacy obligations.
There is no doubt that the information held by Dick Smith is personal information for the purposes of the Privacy Act. Accordingly, customers have been offered an ‘opt-out’ option to exclude their data from the sale. The Privacy Commissioner has stated that he will look into the issue further, and it will be interesting to see whether what constitutes sufficient authorisation is clarified.
This publication is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.