In this edition of InfoRM:
Election Privacy Issues
In an election campaign full of surprises, it is no surprise that privacy issues have hit the headlines this election. Privacy issues ranging from the disclosure of MP's personal information to the collection of personal information by elected officials, should be a reminder to everyone about the importance of understanding and complying with New Zealand's privacy regime.
When the news about Winston Peters' superannuation overpayment came out, Mr Peters was quick to ask how the information made it to the media. The Ministry of Social Development, the Inland Revenue, and the Department of Internal Affairs have investigated but found no evidence of staff leaking the details. A spokesperson for the Ministry of Social Development pointed out "the Ministry holds a great deal of very personal information that we have a duty of care to protect…It is not our information to share."
Every agency holding personal information has a duty to ensure that information is kept secure. Under the "no surprises" policy, the Social Development Minister, State Services Minister and the Chief of Staff of the Office of the Prime Minister were informed about the overpayment. However, Privacy Commissioner, John Edwards has pointed out that Cabinet Manual policies do not override the Privacy Act and any disclosure would have to be justified or authorised in accordance with the privacy principles or some other legal source.
Meanwhile, other public officials have also come under fire for collecting personal information. Todd Barclay's recording of conversations made headlines, with reports that a complaint had been lodged with the Privacy Commissioner, and the Horowhenua District Council's Chief Executive controversially screening emails to staff and councillors has also been in the news.
All of that should serve as a reminder that agencies should never lose sight of the basic rule that unless an exception applies, the collection, use and disclosure of personal information must be for a lawful purpose, from the person, making the person aware of the collection, and not unfair nor unreasonably intrusive. That includes individuals collecting information about other individuals.
'Harm' under the Harmful Digital Communications Act
The introduction of the Harmful Digital Communications Act in 2015 gave New Zealand a targeted offence for cyber bullying and harassment. The courts have since then had the task of interpreting the offences and privacy concepts in this age of fast-evolving technology.
Earlier this year, we wrote about a District Court decision considering the test for 'serious emotional distress'. The Police appealed that decision, leading to the first High Court consideration of harm under the Harmful Digital Communications Act.
Downs J observed that the definition of harm as 'serious emotional distress' is exhaustive and requires more than minor harm. The 'serious' requirement reflects the criminal nature of sanctions and the need to balance considerations of freedom of expression. He held that determining harm is "part fact, part value judgment". Courts need to consider the nature of the emotional distress experienced by the plaintiff, and whether a reasonable person in the plaintiff's position would have suffered serious emotional distress.
Downs J rejected the respondent's submission that the photos were "not especially revealing". Importantly, he recognised that despite explicit material being accessible online generally, these images were obtained and posted without the plaintiff's knowledge and consent. The photos were personal to the complainant who intended them to be private.
Downs J expressed the importance of considering evidence of emotional harm in its totality. Downs J found that approached correctly, the evidence was capable of establishing the level of serious emotional harm required under the Act. He remitted the case to the District Court to be retried.
Meanwhile, the Court of Appeal in Waine v R  NZCA 287 has considered the gravity of conduct amounting to an offence under the Act in terms of sentencing. The Court found that sending threats via text messages to publish intimate photos online was a bad case of digital bullying, justifying the District Court's assessment that that gravity of offending was high and supporting a sentence of 150 hours' community service and 12 months' supervision. Despite the photos never being published, the threat was clear and the accused knowingly took advantage of the victim's emotional vulnerability. The Court stated that the purpose of the Act is to prevent the use of digital communications to cause the sort of emotional harm and pressure that the victim was subjected to in this case.
Changes to the Privacy Principles
Amendments to the Privacy Act and privacy codes will take effect from 28 September 2017. The Intelligence and Security Act 2017 amends section 57 of the Privacy Act so that the intelligence and security agencies exemption from privacy principles will be reduced to privacy principles 2, 3 and 4(b). The exemption from principles 1, 5 and 8 to 11 will no longer apply. However, principle 11 is amended so that information may be disclosed if it is necessary for the intelligence and security agencies to perform their functions.
The Act also amends privacy principle 10 to allow the NZSIS and the GCSB to use personal information obtained in connection with one purpose for any other purpose if the agency believes on reasonable grounds that the use is necessary to enable the agency to perform any of its functions.
Information Security Programmes play a central role in Target data breach settlement
In 2015, a US judge certified a class action by consumers affected by a cyber-attack, which obtained payment and contact data relating to millions of customers. Target has now reached the largest multi-state settlement for the data breach, which includes a number of technical, administrative, and physical safeguards.
The settlement terms stress the "need for an information security plan that fits the actual risks of the entity and its customers". Some of the key provisions require that Target encrypt cardholder and personal information, implement greater control over who can access the network and employ a Chief Information Security Officer to report and advise on security risks.
Target's experience highlights the importance of secure data storage and provides an example of practical steps that New Zealand companies can take to ensure compliance with IPP 5, which requires agencies that hold personal information to ensure that information is protected against loss, access, disclosure and misuse. These steps include conducting cybersecurity risk assessments, implementing comprehensive information security programs and incident response plans, and stress testing information security programs.
This article is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.