Case notes - Office of the Privacy Commissioner

Case Notes released October 2009

Fri, 22 Aug 2008 11:04:04 +1200

View the latest case notes released by the Privacy Commissioner.

Case Note 204595 : Commissioner sets charge for providing information. Read more...

Case Note 206924: Man urgently requests personal information from the Police. Read more...

Case Note 211257 : Several people complain that a government department lost their personal information. Read more...

Case Note 207459 : Woman's request for information from insurance company refused. Read more...

Case Note 202115: Man complains about estranged family member unlawfully accessing IRD file. Read more...

Case Note 210634: Date of birth displayed on secondhand dealers' licences. Read more...

Case Note 209438: Estate for deceased doctor fails to transfer files. Read more...

Case Note 204595 [2009] NZPrivCmr 14: Commissioner sets charge for providing information

Mon, 12 Oct 2009 12:36:55 +1300

A couple approached their accountant and requested copies of their personal information. Some of the information held by the accountant also related to a company run by the couple.

The accountant refused to provide any information as the couple allegedly owed him money for services provided. He said he would not provide any information until the couple had paid the debt.

The couple complained to us that the accountant's actions were a breach of principle 6 of the Privacy Act.

Principle 6 states that individuals have a right to access their personal information held by an agency. An agency may refuse access requests but only for the reasons set out in sections 27-29 of the Privacy Act. The fact that a bill is unpaid, or money is owed, is not a reason to refuse access to personal information.

We explained this to the accountant. We also explained that section 35(5) of the Privacy Act allows a private sector agency to make a reasonable charge for making personal information available. He therefore had the option of charging the couple a reasonable fee for providing copies of their personal information.

Personal information

‘Personal information' is defined in the Act as being information about an identifiable individual - that is, a human being. Information about a company is not personal information. The Privacy Act only governed the information about the couple themselves. It did not dictate whether the accountant had to provide the company information.

A reasonable charge

The accountant advised us that the information consisted of around 500 pages. He advised us that he wanted to charge $795 to photocopy the information and provide it to the couple.

The Ministry of Justice guidelines for charging under the Official Information Act are a useful measure of what a reasonable charge will be. These guidelines state that the first 20 pages should be provided free of charge and that the agency can charge 20c per page for any pages after that. The agency can not charge for the first half hour spent on collating and copying, but after that can charge $38 per half hour.

We indicated that we did not think the accountant's proposed charge was reasonable. It was well in excess of what the guidelines would indicate was a reasonable fee. We encouraged him to reconsider his position but he refused to do so.

Section 78 of the Privacy Act gives the Privacy Commissioner the discretion to determine the amount of a charge where we take the view that a charge is unreasonable. Any determination under section 78 is final and binding on the agency and on the requester. It cannot be appealed to the Human Rights Review Tribunal.

The Commissioner made a determination that the $795 charge was unreasonable. In coming to this view, she took the following factors into consideration:

• The Ministry of Justice guidelines are a useful reference point. Since they apply to public sector agencies, and to providing information under the Official Information Act, they are only indicative. However, as with section 35(5) of the Privacy Act, the guidelines are based on a reasonable cost-recovery figure. The policy reasons for allowing charging under the OIA and the Privacy Act are closely enough aligned that the guidelines are a good starting point.
• A reasonable charge under the Privacy Act may in some cases be lower than the charges indicated under those guidelines. It is rare that a higher fee would be justifiable. For instance, the guidelines allow for generous labour charges that will not always be appropriate.
• The accountant proposed to use a professional copy service to do the photocopying and those service charges accord roughly with the per-page copying charge indicated in the guidelines. The Commissioner noted that it was important in such cases to have proper agreements as to confidentiality of the information that is sent to the professional copy service.
• Applying the guidelines to this situation, based on the estimate of 500 pages of information, the charge would amount to no more than $150.00. This allowed for one chargeable hour of time spent photocopying.

The Commissioner therefore determined that the accountant was entitled to charge the couple $150.00 for access to the information.

This determination was final and legally binding on both parties. Either party could therefore have enforced it.

However, the accountant still refused to make the information available. The accountant had therefore interfered with the couple's privacy and we referred the matter to the Director of Human Rights Proceedings.

It transpired that the accountant had miscalculated and that there was substantially more than 500 pages of information involved. The Director settled the complaint. The accountant provided all the information for only a little more than the $150.00 that the Commissioner had originally set. The couple were satisfied with this result.

October 2009

Access to personal information - accountant - refusal to provide information - unreasonable charge - formal determination of reasonable charge - settlement by Director of Human Rights Proceedings - Privacy Act 1993, sections 35, 78

Case Note 206924 [2009] NZPrivCmr 15: Man urgently requests personal information from the Police

Mon, 12 Oct 2009 12:42:15 +1300

A Police employee applied for a promotion but was unsuccessful. The Police have an internal review process that unsuccessful applicants can elect to take, and the employee wanted to do so. Applicants have to request a review within 10 days.

To support his request for review, the man made an urgent request to the Police for personal information relating to his application and interview. In particular he wanted access to notes made by the short-listing panel.

There were no notes made by the short-listing panel, so the Police could not provide the employee with this information. The Police decided to release the other information they held to him, but they did not send it to him until 10 days after his request.

Principle 6

Principle 6 of the Privacy Act states that where an agency holds personal information in such a way that it can be readily retrieved, the individual concerned can ask the agency for access to that information.

Section 40 of the Privacy Act states that an agency that receives a request under principle 6 must, as soon as reasonably practicable, and in any case not later than 20 working days after the day on which the request is received, decide whether the request is to be granted and notify the requester of the decision.

The Police made their decision to release the information to the man within the section 40 timeframe and had provided the information to him within that time. However, the issue here was whether the Police had breached the Act because the employee's request was urgent.

Section 37 of the Privacy Act states that if a requester asks that his or her request be treated as urgent, that individual shall give reasons why the request should be treated as urgent.

An urgent request does not necessarily oblige the agency to treat the matter urgently. However, it does raise questions about how soon it is reasonably practicable to provide information (in terms of section 40) or whether the agency has unduly delayed in providing information that it has decided to release (section 66(4)).

It was clear here that the employee had provided reasons for requesting the information under urgency.

The Police did not hold the information that the employee particularly wanted, so they could not provide it. In the circumstances, it appeared that the Police had provided the remaining information as soon as was reasonably practicable. They had treated his request as urgent, and had supplied the information as quickly as they could.

We therefore considered that the Police had not breached principle 6.

It was evident, though, that the Police should have had systems in place to allow them to provide such information within the 10 day period set by their own policies. As a consequence of the complaint, the Police amended their internal process so they would better handle such requests.

We closed our investigation on this basis.

October 2009

Access to personal information - Police - urgent request - as soon as reasonably practicable - change of process - Privacy Act 1993, principle 6; sections 37, 40

Case Note 207459 [2009] NZPrivCmr 17: Woman's request for information from insurance company refused

Mon, 12 Oct 2009 12:51:19 +1300

A woman made a request for a copy of a report prepared by a private investigator for her insurance company. The report related to an investigation being undertaken by the insurance company into alleged insurance fraud involving her insurance claim. The insurance company refused to provide the woman with a full copy of the report. The woman subsequently made a request to the insurance company for all of the personal information held by it about her and her husband.

Principle 6

Principle 6 of the Privacy Act provides that where an agency holds personal information in such a way that it can be readily retrieved, the individual concerned can ask the agency for access to that information.

The insurance company provided us with a copy of the report and advised that they wished to withhold parts of it on the basis that it was not the woman's personal information and that to release the whole report would involve the disclosure of other individuals' information. It became apparent that the insurance company were seeking to rely on section 29(1)(a) of the Privacy Act.

Section 29(1)(a) of the Privacy Act sets out that an agency may refuse to disclose any information requested under principle 6 if disclosure of the information would result in an unwarranted disclosure of the affairs of another individual.

We reviewed the information and advised the insurance company that we considered that some of the withheld information could be released to the woman. We also advised that some of the information could be withheld under section 29(1)(a) of the Privacy Act and some information could be withheld under section 27(1)(c) of the Privacy Act.

Section 27(1)(c) of the Privacy Act sets out that an agency may refuse to disclose any information requested under principle 6 if disclosure of the information would be likely to prejudice the maintenance of the law, including the prevention, investigation and detection of offences.

Section 27(1)(c) was an appropriate withholding ground as some of the information related to the fraud investigation, the techniques that it employed and the content of that investigation. If the insurance company released the information it might enable people to circumvent the law, or avoid detection.

Section 27(1)(c) only occasionally applies to private companies, usually where they act as a conduit of information from informants to the Police. The Police in turn rely on the informant's information to maintain the law by further investigating and prosecuting offences.

The insurance company could be characterised in a situation such as this as a law enforcement agency by proxy, as it was holding a class of information that could be described as necessary for maintenance of the law.

As a result of our comments the insurance company reviewed the information it was seeking to withhold and released a copy of the report to the woman with some information withheld either because it was not her personal information or because sections 27(1)(c) and 29(1)(a) of the Privacy Act applied. We were satisfied that the information released was all of the information the woman was entitled to.

The woman believed that there was further information that had not been provided to her. After we consulted the insurance company, it advised us that there was indeed further information.

This information included recorded phone conversations between the woman and the insurance company and between third parties and the insurance company. These recordings, together with some further documents, were released to the woman. One recorded phone call was withheld from the woman under sections 27(1)(c) and 29(1)(a) of the Privacy Act.

We reviewed the recorded phone call and concluded that the insurance company was entitled to withhold it under sections 27(1)(c) and 29(1)(a) of the Privacy Act. The release of the recorded phone call would have prejudiced the insurance company's investigation and also resulted in an unwarranted disclosure of information about other individuals.

The woman accepted the results of our review and advised that she was satisfied with the outcome of our investigation.

We closed our investigation on this basis.

October 2009

Access to personal information - insurance company - fraud investigation - maintenance of law - unwarranted disclosure of another's affairs - Privacy Act 1993, principle 6; section 27(1)(c), section 29(1)(a)

Case Note 211257 [2009] NZPrivCmr 16: Several people complain that a government department lost their personal information

Mon, 12 Oct 2009 14:56:08 +1300

In 2008 a staff member from a government department dropped a file in an Auckland street. The file contained a list with personal information about a large number of individuals.

The information was subsequently passed to media outlets.

The department followed the Privacy Breach Notification Guidelines responding to the incident. They informed the Privacy Commissioner's Office and all individuals affected about what had happened. Some of those individuals then complained to the Privacy Commissioner.

The complaint raised issues under Principle 5 of the Privacy Act.

Principle 5 - security safeguards

Principle 5 provides that:
An agency that holds personal information shall ensure -
(a) that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against -

(i) loss; and
(ii) access, use, modification, or disclosure, except with the authority of the agency that holds the information; and
(iii) other misuse; and

(b) that if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or unauthorised disclosure of the information.

In considering whether a security safeguard is reasonable, the kind of matters we take into account include:
• the steps and/or policies in place to guard against a breach of principle 5;
• whether those steps and/or policies have been followed;
• training provided to staff; and
• the sensitivity of the information.
Here, we formed the view that the loss of the file was a breach of principle 5, and the department accepted this.

Generally, in order to find an interference with privacy, there must not only be a breach of a privacy principle, but also some harm, loss or detriment.

Harm can include significant humiliation, loss of dignity or injury to the feelings of the individual.

Here, the department acted promptly to mitigate the harm to individuals arising from the breach. They followed the Privacy Breach Notification Guidelines in order to minimise the impact of the incident. The steps taken included:
• getting the original file and copies back, with the assistance of the police;
• seeking and receiving legal undertakings from media outlets that the information would not be published or disclosed;
• notifying the Privacy Commissioner's Office and seeking advice;
• notifying all affected individuals; and
• investigating and taking steps to reduce the likelihood of the situation reoccurring.

Because it took these steps, the department managed to contain the disclosure. The file was promptly recovered and was not widely circulated before recovery. The incident had the potential to cause harm to the individuals, but the steps taken meant they suffered no harm as a result of the incident.

Although the department breached principle 5, there was no interference with privacy because the individuals did not suffer any harm. We informed the individuals of our conclusions and closed our file.

View the Privacy Breach Notification Guidelines. These are also available by contacting the Privacy Commissioner's Office.

October 2009

Security of personal information - government department - file lost on street - personal information passed to media - privacy breach notification guidelines followed - no harm suffered - Privacy Act 1993, principle 5, section 66

Case Note 202115 [2009] NZPrivCmr 18: Man complains about estranged family member unlawfully accessing IRD file

Mon, 12 Oct 2009 15:03:55 +1300

A man became estranged from his sister and, ultimately, found himself in a financial dispute with her. The sister worked for IRD. During the financial dispute, it became apparent to the man that his sister was accessing his IRD files. The man told IRD of his concerns and IRD agreed to investigate them.

Some time later, the man's concerns were confirmed and he again brought this to IRD's attention. The man made a complaint to us about the fact that IRD had let his sister access his files even though he had warned them that he thought there was a risk of this happening.

Principle 5 of the Privacy Act

Principle 5 of the Act provides that agencies must protect personal information by safeguards that are reasonable in the circumstances. In particular, an agency must ensure that the personal information it holds is protected, by reasonable security safeguards, from unauthorised access or disclosure.

Importantly, however, principle 5 is not primarily concerned with individual instances of unauthorised access. Rather it focuses upon the overall systems in place to prevent such occurrences and whether these are reasonable in the circumstances. This is because no system can be foolproof. Agencies can put in place significant safeguards but one-off incidents can and do still occur, whether due to human error or deliberate intent.

IRD advised us that it has a stringent code of conduct designed to ensure that staff are aware that they may not access personal information relating to family members, friends or acquaintances. Any breach of this code was considered by IRD to be serious misconduct.

IRD also advised us that it took action in relation to the man's specific concerns but found that, at the time he initially raised them, there was no evidence of unauthorised access. IRD made the decision that it was not necessary to restrict access to the man's files at that time. IRD commented to us that, with a staff of over 5,000, it must rely to some degree on the integrity of its employees.

After the man raised his concerns again at a later date, IRD conducted a further investigation, found that the sister had accessed his files and therefore breached the code of conduct, and took disciplinary action against her.

I formed the opinion that the general security safeguards IRD had in place were reasonable in the circumstances. This was a case in which a staff member, who was well aware of her obligations under the Privacy Act, decided to breach those obligations and IRD's code of conduct. I was therefore satisfied that IRD had not breached principle 5 of the Act.

However, I felt that IRD could have handled the man's concerns in a better way. IRD did not inform the man of the outcome of its investigation into the incident and, as a result, the man felt that his complaint was not taken seriously and that his information remained at risk. I conveyed my view to IRD and it agreed to fully restrict access to the man's files, apologise to him for the incident, and provide him with a summary of what had been done about it. I thought that these were positive steps for IRD to take and I closed my file.

October 2009

Security of personal information - IRD - unauthorised access to files by family member - general security safeguards reasonable in the circumstances - Privacy Act 1993, principle 5

Case Note 210634 [2009] NZPrivCmr 19: Date of birth displayed on secondhand dealers' licences

Mon, 12 Oct 2009 15:25:21 +1300

A man complained to us that Secondhand Dealers' licences contain the holder's date of birth. These licences must be displayed to the public. The man was concerned that publicly displaying the date of birth could create a risk of identity theft, and also that a date of birth is a personal matter.

We raised the issue with the Ministry of Justice.

Section 8 of the Secondhand Dealers and Pawnbrokers Act 2004 ("the Act") provides that an application for a Secondhand Dealer's Licence must include:
• an applicant's full name;
• residential address; and
• date of birth.
Section 36 of the Act sets out that every licence holder must ensure that a certified copy of their licence is displayed in their place of business.

The Act does not require that a date of birth has to be included on the licence issued to a secondhand dealer. Section 9 of the Act only requires that the licence must include a photograph of a licence holder.

We asked the Ministry of Justice whether there was any authority under which the licence had to show the date of birth.

The Ministry of Justice consulted the Licensing Authority. The Authority accepted that there was no express statutory requirement for an individual's date of birth to appear on either the original licence or the certified copy that must be displayed in the licence holder's place of business. The date of birth was simply included as an additional means of identification for the purposes of section 36(1) of the Act, which requires a licence holder, on request, to show their licence to a member of the Police.

The Licensing Authority proposed to review the practice. In the meantime, the Licensing Authority has taken steps to delete the date of birth from the certified copy of the licence that must be displayed in the licence holder's place of business.

We considered that this was an appropriate resolution of the man's complaint. The man was also satisfied at the outcome of our investigation.

We therefore closed our investigation.

October 2009

Disclosure of personal information - secondhand dealers' licence - date of birth included on licence and displayed to public - settlement: review of policy; Secondhand Dealers and Pawnbrokers Act 2004, sections 8, 9 & 36

Case Note 209438 [2009] NZPrivCmr 20: Estate for deceased doctor fails to transfer files

Mon, 12 Oct 2009 15:29:38 +1300

Following the death of a general practitioner, the medical files of his patients went into storage along with the rest of his professional and personal belongings.

A number of the deceased doctor's patients went to a new practice nearby. The new practice contacted the spokesperson for the deceased doctor's estate and requested that he send through the files of these patients under section 22F of the Health Act.

The spokesperson for the estate advised that, as no executor had been appointed to the estate, he was not in a position to transfer any of the deceased doctor's files. The spokesperson for the estate was concerned that he would face liability for making a decision about the deceased doctor's estate without the legal authority to do so.

Section 22F of the Health Act

Section 22F of the Health Act places strict legal obligations on health agencies to transfer health information when requested by a health provider in order to treat a patient.

This obligation is essential to the efficient provision of health care to New Zealanders. It is crucial that health providers have access to medical notes about a patient in order to ensure that they receive the correct treatment.

There are circumstances in which a health agency may refuse to transfer health information. These include where the patient vetoes the transfer or where the health agency has a lawful excuse for not transferring the information.

We contacted the spokesperson for the estate immediately on receiving this complaint. We acknowledged that he was in a very difficult position. On the one hand, he was personally not legally responsible for the files, but on the other hand the patients' new doctor needed the information urgently and the estate was obliged to ensure that the files were sent to that doctor.

As a result of my discussions with the spokesperson, he agreed to immediately transfer the files that the new practice had requested. The spokesperson acted quickly and, as a result, we were able to resolve this complaint just over one month after receiving it. The new practice was very happy with this result.

Finally, I explained to the spokesperson for the estate that it was essential that he continue to quickly transfer any future files requested by new doctors. I also asked the spokesperson to ensure that, once appointed, the executor of the estate was made aware of the legal obligations created by section 22F of the Health Act. The spokesperson agreed to do so.

Having resolved the complaint, I closed my file.

October 2009

Disclosure of health information - deceased doctor's estate - transfer to new health provider - settlement: transfer of files - Health Act, section 22F

Case Note 203856 [2009] NZPrivCmr 12 : Bank teller improperly accesses customer account information

Mon, 04 May 2009 09:23:58 +1200

A bank discovered that a teller had accessed a couple's joint bank account without authorisation 58 times over two months. The teller also disclosed information about their accounts to a third party, a former partner of one of the couple.

The bank contacted the couple to let them know what had happened. It set up a meeting between the couple and an area manager to discuss the situation and appropriate compensation. However, the bank and the couple were unable to settle the matter.

Principles 5 and 11

Principle 5 of the Privacy Act provides that an agency must protect personal information by such security safeguards as are reasonable in the circumstances to take against loss, access, use, modification or disclosure, and other misuse.

Agencies such as banks must therefore take reasonable steps to ensure that their employees do not inappropriately access customer information. These reasonable steps will include having good policies, procedures and training in place. They should have systems that record when a person has accessed information.

Principle 11 provides that an agency that holds personal information must not disclose the information unless the agency believes on reasonable grounds that one of the exceptions contained within principle 11 applies.

We did not need to investigate to see whether principles 5 or 11 had been breached as the bank accepted that it had breached the Privacy Act. Instead, our focus was on working with the parties to find what would be a satisfactory resolution of the complaint.

A major consideration was the level of harm that the couple had suffered as a result of the teller accessing their account and disclosing information to the former partner. They had to change bank accounts and had suffered considerable stress from finding out what the teller had done.

On the other side, it appeared that the teller had not looked at their account details in depth, and they had not been contacted by the former partner.

We helped the parties to reach a settlement. This consisted of a one-off cash payment of several thousand dollars. Both parties were happy with this result and we closed our file.

May 2009

Security of personal information -disclosure of personal information - bank - security breach - employee browsing - settlement - Privacy Act 1993, principles 5 and 11

Case Note 209125 [2009] NZPrivCmr 9 : Parole Board subject to requests for personal information

Mon, 04 May 2009 09:08:58 +1200

A prisoner complained that he had made two requests to the Parole Board ("the Board") for copies of his file but had not received a response.

Under principle 6 of the Privacy Act, an individual is entitled to have access to personal information that is held by an agency. However, the definition of ‘agency' in section 2 of the Privacy Act does not include a court or tribunal, in relation to their judicial functions.

Normally, the judicial functions of the Board would be exempt from the Privacy Act. It is a body empowered under statute to exercise judicial functions such as the ability to conduct hearings and receive evidence. Its decisions have a substantial effect on parties before it, and can be appealed. Under current law, therefore, the Board would usually be classified as a "tribunal" and would not have to comply with the Privacy Act.

However, section 108 of the Parole Act 2002 explicitly states that the Board is subject to the Privacy Act. The Board was therefore obliged to respond to the prisoner's request under principle 6.

The Board advised us that it had responded and that it had provided the prisoner with background papers for his upcoming hearing. It said it is standard practice for a full file to be sent to offenders ahead of the first appearance before the Board and to send only updated information for subsequent hearings. The Board had not interpreted the prisoner's two requests as being for a copy of his full file.

The Board agreed to provide this information to the prisoner and we then closed our file.

May 2009

Access to personal information - New Zealand Parole Board - "agency" - tribunal - Privacy Act 1993, principle 6, section 2(b)(viii) "agency"; Parole Act 2002, section 108