Case note 103185 [2008] NZPrivCmr 8: Council charges lawyer for rates information

Thu, 21 Aug 2008 09:42:15 +1200

A couple instructed a lawyer to complete the sale of their property. The lawyer contacted the Council and requested details of the annual rates on the property and confirmation of whether the couple had paid all the rates instalments.

The Council provided a copy of the property details and charged a “Rates Enquiry Fee” of $25. The couple’s lawyer queried this fee and the Council advised that it was a standard charge for business enquiries.

The couple complained to us that the information requested by their lawyer was personal information, not a business enquiry. They believed that the Council was not entitled to levy a charge. We agreed with them.

It is common practice for lawyers to request information on behalf of their clients. Our view is that these requests should be treated as if they were made by the clients themselves.

We were satisfied that the details of the couple’s property and payments was personal information about them. They were identified by name, and the information related to their responsibilities in relation to their property.

We wrote to the Council pointing out that section 35(1)(e) of the Privacy Act prevents public sector agencies from requiring payment when making information available under principle 6. The Council, as a public sector agency, was subject to this section.

We therefore considered that the Council had breached principle 6 by charging the couple’s lawyer for this information.

As a result of our letter, the Council altered its charging policy. It no longer charges for providing information in these circumstances. The Council also refunded the $25 that the lawyer had paid. It was willing to contribute to the couple’s legal fees, but their lawyer suggested that the Council provide some seasonal fruit instead.

On this basis the complaint was settled and we discontinued the investigation.

August 2008

Access to personal information – local authority – request for rates information – personal information – charge – settlement – Privacy Act 1993, principle 6, s 35(1)

Case Note 2438 [1994] - Complainant wanted access to two letters which had made allegations about her being involved with selling drugs at school

Fri, 12 May 2006 13:22:16 +1200

The complainant wanted access to two letters which had made allegations about her being involved with selling drugs at school. One letter was signed, one anonymous, but both were handwritten. The school initially refused to give copies of the letters to the complainant because it was concerned that this might discourage students from reporting drug dealing. The school considered this to be an important priority given the grave nature of the problem. The complainant asked me to investigate the school's decision.

I accepted that if the school were to release information about the identity of an informant who has reported an alleged breach of the law then, not only the informant but also, other potential informants would be reluctant to supply such information in the future. The fact that the school passes such information to the police is probably known to informants, so that the school may be seen as a conduit by which children or parents may initiate police action to enforce the law. Such a conduit is particularly important when informant information concerns children or activities on school premises. I formed the opinion that s.27(1)(c) of the Privacy Act provides the school with good reason to withhold the identity of the informants who provided information about the complainant.

However, the complainant was entitled to be informed of the substance of the letters. The complainant has a right to know what allegations have been made and to request correction of them where appropriate. I formed the opinion that extracts from the letters should be released to the complainant.

I noted that several spelling mistakes had been made in the letters. I did not know whether they had been made deliberately so as to disguise the authors or, conversely, whether the errors were genuine and would tend to identify the authors. I recommended to the school that a typed copy of the extracts with correct spelling should be released to the complainant. The school did so. The complainant disagreed with but accepted my opinion about identity and informed me that no application would be made to the Tribunal.

July 1994

Access to personal information - School - Informant identity - Allegations of drug dealing- School a "conduit" by which people may initiate police action to enforce the law - Releasing informant identity would be likely to "prejudice the maintenance of the law" - Privacy Act 1993, s 27(1)(c) - Information privacy principle 6

Case note 10141 [2008] NZPrivCmr 14 : Advertising material sent to all members of a club

Mon, 25 Aug 2008 09:27:25 +1200

A man was a member of a club. He complained to us that the club supplied his personal details to a direct mailing company and as a result he received unsolicited direct mail from insurance companies.

The man stated that he did not know that his personal information would be used in this manner when the information was collected from him. He was unhappy about the way his information had been used and that his personal information had been disclosed to a third party.

His complaint raised issues under principles 3 and 11 of the Privacy Act and he raised concerns about principle 10.

Principle 3

Principle 3 of the Privacy Act concerns the collection of personal information from individuals. It requires an agency to notify individuals of the purpose for collecting the information, and the intended recipients of the information, among other things.

At its AGM in 1984, the club had resolved to release members’ contact information to an independent direct mailing company for the purpose of providing targeted advertising material to its members.

The club had advised its members of this change through the minutes of its Executive Committee, its newsletter and circulars distributed to its branches. They continued to provide this advice to their members in the intervening years.

Since the club had advised its members clearly that contact details would be disclosed, it was our opinion that there was no breach of principle 3 of the Privacy Act.

Principle 11

Principle 11 states that an agency that holds personal information shall not disclose that information unless that agency reasonably believes it can rely on one of the exceptions set out under principle 11.

We considered that principle 11(a) applied. This exception states that an agency can disclose personal information if it reasonably believes the disclosure is one of the purposes in connection with which the information was obtained, or directly related to the purposes in connection with which the information was obtained.

It was apparent that since the AGM in 1984, release of the information to the direct mailing company was one of the purposes for collecting the information.

This purpose also predated the Privacy Act by nine years, and had been notified to members on many occasions. This was not a situation where the purpose of collecting the information had been changed without notice to members.

Outcome

We concluded that there was no interference with the man’s privacy. However, we acknowledged that it was upsetting for him to receive advertising material in this way.

We suggested to the club that at the time a person’s membership comes up for renewal, there should be a standard statement that membership contact information is provided to the direct mailing company, so that it can offer services that may be of use to the club members. We also suggested that the club should at least allow members to opt out of this service, and that it is preferable to invite members to opt in.

We then closed our file.

August 2008

Collection of personal information – club – membership information provided to marketing agency - informing individual of purposes of collection and intended recipients of the information – standard statement at time of membership renewal – at least offer opt-out – opt-in preferable – Privacy Act 1993, principle 3

Disclosure of personal information – club – membership information provided to marketing agency – one of purposes of collection – Privacy Act, principle 11(a)

Case note 102741 [2008] NZPrivCmr 13: Recruitment agency discloses applicant's email address to other email recipients

Thu, 21 Aug 2008 10:56:46 +1200

A recruitment agency sent an email out to a number of its clients with each of the clients’ email addresses visible. One of the clients complained to the agency about the disclosure of his email address, and received an apology. He did not consider that the apology was satisfactory in the circumstances.

The man complained to us about the disclosure of his email address.

Principle 11

Principle 11 of the Privacy Act states that an agency that holds personal information must not disclose that information unless one of the specified exceptions applies. In this case the recruitment agency acknowledged that they had mistakenly disclosed the man’s email address to a number of other people. The actions of the recruitment agency therefore constituted a breach of principle 11 of the Privacy Act.

The recruitment agency explained that the error had occurred as the ‘cc’ field had been used instead of the ‘bcc’ field and that it had been a one-off incident. They expressed their sincere apologies and stated that the mistake was unacceptable, given the nature of their business where confidentiality is important. They assured us and the man that they had implemented processes to ensure that the mistake did not occur again.

The man accepted this apology from the recruitment agency and the complaint was settled as a result.

We also wrote to the recruitment agency and stated that we would be concerned if the situation recurred.

We then closed the file.

August 2008

Principle 11 – disclosure of personal information – recruitment agency – email addresses sent to all recipients – settlement – Privacy Act 1993, principle 11

Case note 99971 [2008] NZPrivCmr 12: Man receives summary of allegations against him

Thu, 21 Aug 2008 10:54:14 +1200

A man had been the subject of an investigation by a government agency. He wanted a copy of his file as he believed that a third party had given the government agency false information.

The agency provided the man with some of the information on his file but withheld other information on the basis that it would identify the informants who provided information to the agency.

Principle 6

Principle 6 of the Privacy Act provides that an individual has a right of access to the personal information that an agency holds about them, unless one of the stated exceptions applies.

The government agency relied on sections 27(1)(c) and 29(1)(a) of the Privacy Act to refuse the man’s request for the remaining information.

We were satisfied that the agency was entitled to rely on section 27(1)(c) of the Privacy Act to withhold information which would identify informants. This was because this agency relied upon the free flow of information from third parties in order to detect and prevent offences. Those people would not provide information unless their identities were protected.

We were also satisfied that the agency could rely on section 29(1)(a) of the Privacy Act to withhold information that would disclose the affairs of the informants. The people had provided information that was highly personal to themselves. They had expressly requested that it remain confidential. In the circumstances, revealing that information would have been an unwarranted intrusion into their privacy.

However, we took the view that the agency could not withhold all the information. It was important for the man to know the substance of the allegations against him. Here, it was possible to provide him with a summary of the allegations without jeopardising the privacy of others, or identifying the informants. Providing a summary would strike a balance between the very strong rights of the requester to receive information about himself, and the agency’s interest in minimising the risk of identifying its informants.

We therefore recommended that the agency should provide the man with a summary of the information. The agency agreed to do so.

This was a positive outcome for all concerned. The man was happy with the summary and the agency recognised that this was a useful way of dealing with such matters.

Since the matter was settled on this basis, we then closed our file.

August 2008

Access to personal information – government agency – identity of informants – information about affairs of other individuals – summary of allegations – settlement – Privacy Act 1993, principle 6, sections 27(1)(c) and 29(1)(a)

Case note 92895 [2008] NZPrivCmr 11: Court employee discloses information about enquiry to man's former partner

Thu, 21 Aug 2008 10:50:23 +1200

A man was engaged in court proceedings with his former partner. He contacted the court to enquire about making an “ex parte” application – that is, an application without notice to his former partner.

The court employee who answered his enquiry then contacted the man’s former partner and told her about the man’s enquiry. The man complained to us that the court employee had unjustifiably disclosed information about him.

Principle 11 prohibits an agency from disclosing any personal information that it holds, unless a relevant exception applies.

The Ministry of Justice argued that its employee’s actions were those of a “court in relation to its judicial functions”. Under section 2 of the Privacy Act, courts acting in relation to their judicial functions are not “agencies” and are exempt from the privacy principles.

We investigated what had happened and we disagreed with the Ministry. The man had simply been making an enquiry, as any member of the public could do. He had not filed any papers. Matters had not reached the stage where the employee was acting as part of the judicial functions of the court. The Ministry was therefore an “agency” under the Privacy Act for the purpose of this complaint.

The Ministry also argued that it could rely on the exception set out at principle 11(f)(ii) to allow the disclosure. This exception provides that an agency can disclose personal information if it has a reasonable belief that it is necessary to do so to prevent a serious and imminent threat to the life or health of an individual.

We were not convinced that the man’s enquiry indicated there was any threat to the life or health of the man’s former partner. The court employee was aware that the man had an acrimonious relationship with his former partner. However, there had never been any violence or threats of violence. If the man had gone on to make an ex parte application, it could certainly have resulted in some inconvenience and stress to the former partner. However, this was not enough to amount to a serious and imminent risk to her life or health

Since no other exception applied we were therefore satisfied that the Ministry had disclosed personal information in breach of principle 11.

For there to be an interference with privacy in disclosure cases an agency must not only breach principle 11, but the disclosure must also cause the individual some form of harm (section 66).

Section 66(1)(b)(ii) states that there will be an interference with privacy if the action “has adversely affected or may adversely affect, the rights, benefits, privileges, obligations, or interests” of the individual. Here, the man had lost his opportunity to file an application without notice to his partner. The court employee’s actions had put the former partner on notice. This was sufficient to amount to an interference with privacy under section 66(1)(b)(ii).

Where we believe that there is an interference with privacy, and we do not succeed in settling the matter, we have the discretion to refer the complaint to the Director of Human Rights Proceedings. The Director then considers whether to take proceedings against the agency in the Human Rights Review Tribunal.

Here, we did not refer the complaint to the Director. This was for several reasons. There were some gaps in the documentary evidence which could have caused difficulties in proving the case to the satisfaction of the Tribunal. The man was ambivalent about whether he was seriously intending to file an application, so the exact level to which his interests had suffered was not plain. The Ministry had policies in place to prohibit and prevent the type of disclosure that took place here. This appeared to be an isolated incident of bad judgment by a court employee rather than a systemic problem. The Ministry had been able to reinforce its policies with its staff to help prevent recurrence. There was therefore little point in putting the complaint onto a litigation track.

However, we advised the man that he could bring proceedings in the Human Rights Review Tribunal himself if he wished. We then closed the file.

August 2008

Disclosure of personal information – government department – court employee – definition of “agency’ – “court acting in relation to its judicial functions” - whether there was serious and imminent threat to safety - Privacy Act 1993, section 2; principle 11(f)(ii)

Adverse consequences - adverse effect on rights, benefits, privileges – disclosure undermined ability to make ex parte application to court – Privacy Act 1993, section 66(1)(b)(ii)

Case note 88137 [2008] NZPrivCmr 10: Lawyer complains that access request not treated with proper urgency

Thu, 21 Aug 2008 10:41:33 +1200

A man needed urgent access to information held by the Child Youth and Family Service (“CYFS”) as part of a dispute about his immigration status. His lawyer made a request for access to the information, and explained that the request was urgent.

CYFS contacted the lawyer the day after receiving the request, to clarify how urgent it was. The lawyer did not specify a timeframe. Two days later, the man was deported. CYFS provided the requested information nine working days after the initial request, with some deletions under provisions of the Privacy Act (“the Act”).

The man’s lawyer complained that CYFS had not treated the request with enough urgency and that there was undue delay in providing the information.

Urgency and undue delay

Section 37 of the Act states that if a requester asks that their request be treated as urgent, the requester must give reasons for the urgency.

The Act does not oblige an agency to always treat such a request urgently. However, agencies do have to provide information without “undue delay”. This is because undue delay in making information available in response to an information privacy request is treated as a refusal to make that information available (section 66(4)). An undue delay can be an interference with privacy if there is no proper basis for the agency to withhold the information (section 66(2)).

If an agency has been told that there are genuine reasons for urgency, and that the information needs to be provided within a particular timeframe, this will be an important factor in calculating whether any delay is “undue” – that is, whether the delay is excessive or disproportionate. Other factors are also relevant, including the amount of information requested, the nature of the information, and ease of retrieval.

Here, while it was evident that there was some need for urgency, the lawyer’s request did not make it clear what the level of urgency was and why urgency was important. For instance, the request did not state that the man was on the point of being deported – on the contrary, it stated that the removal process had been delayed. It was also not plain from the context how the information that CYFS held could be relevant to the issue of deportation. Once the man had been deported (three days after CYFS received the request), the level of urgency also diminished somewhat.

It was evident that CYFS did treat the request with considerable urgency. It attempted to clarify the request with the lawyer the day after receiving the request. It told him that it would provide access. It then gathered the information, of which there was a fair amount. Much of the material needed to be considered carefully because, for example, it contained information about other people as well as the requester. The decision about whether to provide the information was therefore not straightforward. CYFS sent the information to the lawyer nine working days after receiving the request.

We found that there was no undue delay in this instance. CYFS had done all it could to ensure that the information was provided as urgently as possible. While, in retrospect, it would have been better if the information could have been given to the lawyer earlier, the lawyer did not give CYFS clear enough reasons for it to have further accelerated the process.

We advised the man’s lawyer of our opinion. We suggested that where, as here, there is a genuine need for urgency, requesters can assist departments by:

clearly stating what information is required, for example in bullet-point form;
clearly indicating how quickly they need to get the information, and why that level of urgency is necessary; and
ensuring that the department has clear contact details for the requester.

The more assistance and clarity that a requester can provide to a decision-maker about what is needed and why it is urgent, the more likely it is that the information can be found, and quickly brought to the attention of the people within the department who have to make the decision on release.

Since we found that there was no interference with privacy here, we closed the file.

August 2008

Principle 6 – access to personal information – Department of Child Youth and Family – urgency – need to provide reasons for urgency - reasonable degree of urgency in circumstances – no undue delay in provision of information – Privacy Act 1993 principle 6; s 37; s 66(4); s 66(2)

Case note 94692 [2008] NZPrivCmr 9: Man's colleague receives information about application

Thu, 21 Aug 2008 10:40:34 +1200

A man applied for registration with his professional body (“the Board”). As he would be unable to be contacted for a short time, the man authorised a colleague to pay the necessary fees so that his registration was not delayed.

A few months later, without the man’s knowledge, the colleague emailed the Board and expressed general dissatisfaction with the registration process and delays.

The Board replied by email. In the reply, the Board disclosed specific information about the man’s application. In particular, the Board gave details of steps taken during his application process and said that the man had not provided enough information to prove that he was competent in the profession. These details were embarrassing for the man.

We investigated this complaint under principle 11 of the Privacy Act. Principle 11 provides that an agency that holds personal information should not disclose it unless it believes, on reasonable grounds, that an exception applies.

The Board submitted that the man had authorised his colleague to act as his agent. It therefore believed it could rely on the exception at principle 11(d) that the disclosure was authorised by the individual concerned.

Actual authorisation is not required by the Act as long as the agency has reasonable grounds for believing that the disclosure was authorised.

However, here, the Board could not have reasonably believed that the man had appointed the colleague as his agent, or had authorised disclosure of this information. He had only asked his colleague to pay his fees. The Board had not dealt with the colleague in relation to any other aspect of the application. We therefore considered that the Board’s actions, in disclosing the man’s personal information, had breached principle 11.

The man suggested that the Board could resolve the dispute by refunding his registration fee and providing a written apology. The Board agreed to this in full and final settlement of the man’s complaint. On that basis, we closed the file.

August 2008

Disclosure of personal information – professional body – whether disclosure was to agent – whether disclosure authorised –Privacy Act 1993, principle 11(d)

Case Note 100734 [2008] NZPrivCmr 7: Woman asks for investigation information

Thu, 21 Aug 2008 09:36:54 +1200

A woman asked the Parliamentary Commissioner for the Environment (“the PCE”) to investigate an environmental dispute she had with her local council. The PCE’s office considered the matter, but concluded that there was no way in which it could assist her.

The woman then asked for access to the PCE’s file. The PCE gave her some of the information (for example copies of the correspondence she had had with them), but withheld various documents. The woman then asked the Ombudsmen to review the PCE’s decision to withhold those documents.

The file contained some information that was not about the woman (this was “official information”, which fell within the Ombudsmen’s jurisdiction). It also contained information about the woman herself (this was “personal information”, which fell under our jurisdiction). These two categories were not always easy to separate. For example, some documents contained a mixture of official information and personal information. To avoid confusion and unnecessary duplication, we investigated the woman’s complaint in parallel with the Ombudsmen.

Our investigation particularly focused on information that the PCE had received from third parties about the woman’s dispute with the council.

Section 7 of the Privacy Act and section 20 of the Environment Act

Principle 6 of the Privacy Act states that individuals have the right to request access to information about themselves. This right is subject to the provisions in parts 4 and 5 of the Act. Also, under section 7(2) of the Act:

7(2) Nothing in principle 6 … derogates from any provision that is contained in any other Act of Parliament and that –

(a) imposes a prohibition or restriction in relation to the availability of personal information.

Section 20(2) of the Environment Act 1986 is such a provision. It states:

20(2) Except for purposes connected with the administration of this Act or with the carrying out of the provisions of this Act, the [Parliamentary] Commissioner [for the Environment] … shall maintain secrecy in respect of all matters that come to [her] knowledge in the exercise and performance of [her] powers and functions under this Act.

We took the view that this section clearly restricts the PCE in what she can provide to requesters. She can only provide personal information where she believes that information is for purposes connected with the administration of the Environment Act or with carrying out the provisions of that Act. If it is not for those purposes, she must maintain secrecy. The Environment Act therefore limits the rights that would usually be available under principle 6.

The PCE took the view that releasing the information here would not be for a purpose connected with the administration of the Environment Act, or carrying out its provisions. Indeed, she argued that it would impair her ability to function under that Act.

We agreed. The PCE has an obligation under the Environment Act to investigate complaints. To do so, she needs to talk to all relevant people and get free and frank information from them. That level of frankness would be seriously impaired if the Privacy Act imposed additional obligations on the PCE to release information that she, in her specialist judgment, believed she was obliged to keep secret.

We therefore concluded that the PCE was entitled to withhold the remaining personal information, and I closed my file.

The Ombudsmen concluded that the Official Information Act also permitted the PCE to withhold the remaining official information on the file.

August 2008

Access to personal information – Parliamentary Commissioner for the Environment – obligations of secrecy under the Environment Act – Privacy Act overridden – Privacy Act 1993 principle 6, section 7(2); Environment Act 1986 section 20

Case Note 83994 [2008] NZPrivCmr 6: Law firm discloses woman's personal information to another client

Wed, 20 Aug 2008 14:16:17 +1200

A woman had instructed a law firm to act for her in relation to a number of claims against a government agency. One of her files was accidentally placed in a box containing the files of another client who had claims against the same government agency. This other client discovered the woman’s file among his own and briefly viewed its contents before advising the law firm that it was not his.

The woman complained to us that the law firm failed to ensure that her personal information was adequately protected from unauthorised access and that the law firm had disclosed her personal information to the other client. Her complaint raised issues under principles 5 and 11 of the Privacy Act.

Principle 5

Principle 5 places a general obligation on agencies that hold personal information to protect that information from loss, unauthorised access, use, modification or disclosure, by safeguards that are reasonable in the circumstances.

Principle 5 does not require that the safeguards are absolute, but that they are reasonable in the circumstances. In considering whether a security safeguard is reasonable, the kind of matters we take into account include:

• the steps and/or policies in place to guard against a breach of principle 5;
• whether those steps and/or policies have been followed;
• training provided to staff; and
• the sensitivity of the information.

We considered the safeguards taken by the law firm – which included the careful naming and storing of files – and we were satisfied that they were adequate. In this case, the woman’s file was marked with the same government department logo as the other client’s files and was mistakenly placed in his box for this reason. We formed the opinion that this incident was a “one-off” disclosure based on human error and, therefore, that the law firm had not breached principle 5.

Principle 11

Principle 11 provides that an agency must not disclose personal information unless one of the exceptions applies.

The law firm submitted that the disclosure of the woman’s personal information was unintentional and so there was no breach of principle 11. However, a disclosure does not have to be intentional for principle 11 to apply. In our view, the matters to be determined in relation to principle 11 are as follows:

• Did the agency disclose personal information?
• If so, do any of the exceptions apply?

On the evidence, it was clear that the other client read information concerning the woman’s claim during the time that the file was in his possession. Accordingly, we were satisfied that the law firm had disclosed personal information. In the absence of any applicable exception, the law firm had breached principle 11.

We were also satisfied that the disclosure included highly sensitive information and had caused the woman significant humiliation and loss of dignity. We therefore concluded that the law firm had interfered with the woman’s privacy by breaching principle 11 in this case.

Positive Resolution

After receiving our opinion, the parties agreed to attempt resolution and we acted as mediator. The outcome was that the law firm agreed to waive the fees that the woman owed. This was a substantial sum.

The woman was satisfied with this result and we closed the file.

August 2008

Security of personal information – law firm – file placed with another client’s files – general security safeguards adequate – one-off mistake – Privacy Act 1993 – principle 5

Disclosure of personal information – law firm - file disclosed to another client – intention to disclose irrelevant – no exception applied – disclosure caused significant humiliation – successful mediation – Privacy Act 1993 – principle 11, section 66(1)(b)