A recent finding by the New Zealand Privacy Commissioner (Commissioner) highlighted the need for organisations holding personal information to have appropriate policies and procedures in place to deal with requests from law enforcement agencies to hand over personal information.
The finding related to a complaint made by author Nicky Hager against his bank for supplying more than 10 months of his banking information to the New Zealand police. The information was requested as part of the police's investigation into the identity of a hacker who had provided information to Hager that was included in his book 'Dirty Politics'.
In a copy of the Commissioner's findings, released publicly by Mr Hager, the Commissioner criticised the bank's approach to dealing with the disclosure requests and upheld Mr Hager's complaint, finding that the bank had interfered with Mr Hager's privacy rights. The Commissioner has also issued a case note with further commentary on this case, which is available here.
Principle 11 of the Privacy Act prohibits the disclosure of personal information by a holding agency to another agency, unless it believes, on reasonable grounds, that the disclosure is provided for in law, either by virtue of the exceptions to the information privacy principles, or through some other authority which overrides the Privacy Act. Principle 11(e)(i) specifically states that information may be disclosed where necessary 'to avoid prejudice to the maintenance of law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences'.
In this case, Mr Hager's information was provided to the police upon request without any further enquiry into the reasons or authority. This appears to have followed an arrangement put in place by the police with all New Zealand banks. The Commissioner was very critical of the approach adopted by the bank, refusing to accept that the bank held a well-founded belief that every customer (by virtue of the bank's terms and conditions with the customer) would have authorised the disclosure of their information to the police for whatever reason the police may give, without requiring the production of orders or other authorities to satisfy the bank that not handing over the information would stop the police from maintaining the law. Ultimately it was found that insufficient evidence was provided to demonstrate the basis on which the bank believed that extensive disclosure of personal banking information was necessary to avoid a prejudice to the maintenance of law.
Whilst this case focussed only on the practices of one agency, it essentially sets a standard for the level of enquiry that should be met when an agency is presented with a request for information from law enforcement. In the absence of express consent from an individual concerned, an agency cannot assume that they have the permission of an individual to pass their information on to law enforcement without making due enquiries. Any agency that receives a request for information on the basis that it is necessary to avoid prejudice to the maintenance of law must ensure that it engages in the appropriate level of investigation as to the validity of that reliance.
The Commissioner did not exercise his discretion to refer the case to the Human Rights Review Tribunal for a binding order, leaving that to Mr Hager. At the date of this publication, Mr Hager has indicated his intention to take the case to the Tribunal personally. The bank had also changed its processes to avoid a repetition.
We can assist you in ensuring that your organisation's policies and procedures appropriately deal with requests by law enforcement agencies to disclose personal information. If you have any questions on New Zealand data protection law, or the impact of this finding, please get in touch.