Email this page

Send this page to a friend.

This page is printer friendly.

Personal Property Securities Register

Report to the Commerce Committee on the Personal Property Securities Bill by the Privacy Commissioner


1. I have prepared this report in response to the Commerce Committee’s request of 25 March to appear before the Committee on 30 March.

2. I am pleased to offer these comments directly to the Committee and to answer any questions that the Committee may have. Although the report itself is relatively brief, my office and I have been involved in more detailed correspondence and discussions with the Ministry of Commerce.

3. My comments, and concerns, are solely directed towards the register of personal property securities to be established in the bill. I have no concern about there being such a register, which is probably beneficial in commercial terms, but solely in the detail of how the register is to be established and operated, what personal information it will contain and how this might be held, used, accessed and disclosed. From a privacy perspective the “devil is in the detail” of these arrangements. One of my difficulties with this particular bill, compared with other legislation establishing new registers, is that a number of the critical information aspects cannot be discerned from the text of the bill as introduced but are to be later revealed through regulations. In some respects, even the Ministry is unclear as to precisely the manner in which things will be done.

4. At its simplest, the proposal could be described as the combination of existing registers into a single “super register” of personal property securities. I have taken a close interest in the proposal since the character of the existing registers will significantly alter and the effect on privacy is probably detrimental. For example, at present a search may be made of a motor vehicle to see if it is the subject of a charge. The new register may, conversely, allow a search in relation to an individual to see which vehicles (and other chattels) that person owns that are subject to charges. Furthermore, the register is to be available for accessing through the Internet which raises novel information privacy and security issues compared with existing arrangements.

5. In any new proposal to establish, consolidate or continue a public register there is scrutiny by departments and my office in respect of the information privacy issues. This can involve considering, for example:

  • What is the purpose for having the statutory register?
  • Often there is a need to have a statutory register for official purposes of verification and law enforcement. Sometimes registers are made available for direct public inspection. Proposals are scrutinised to identify the purpose for granting such rights of public search. What is intended to be achieved by a public search right?
  • There are questions as to which of the official register information is also necessary to be available for public search. For example, if a person’s residential address is necessary for official purposes, need it also be on the part of the database open for public search?
  • How is the register to be structured to ensure that it achieves its intended purposes? For example, how is it to be indexed?
  • Questions arise as to how the register is to be accessed. For instance, which search references will be used? The privacy consequences may significantly differ depending on whether, for example, the name of an individual is a search reference. Depending upon the circumstances, requiring the name to be the search reference can protect privacy (preventing, for instance, mass “trawling”). In other circumstances, allowing searches undertaken by name can create risks (e.g. to track or stalk a particular individual).
  • How is the information to be made available? Existing registers span the spectrum from being solely available at public counters by way of inspection of a paper record through to remote searches by post, fax, telephone or electronic access. The privacy implications of each differ. In some cases, the mechanisms that are available make a tremendous difference to the privacy balance. In this case, the proposal is a marked change from how the existing registers are searched. The privacy implications of a change from counter searches at High Courts (chattels register) and freephone telephone searches (Motor Vehicle Securities Register) to new electronic mechanisms for searching a single combined register may be significant.


6. Such a list of matters is, wherever possible, gone into with each new register to be established. My objective is to get appropriately crafted public register legislation which ensures that information is expeditiously and conveniently released for purposes consistent with those for which the register is established while constraining disclosures for purposes unrelated to those for which the register is established or at least mitigating the privacy risks of allowing such disclosures. Accordingly, my basic concerns with, and work in relation to, the Personal Property Securities Register is to ensure that, as far as possible, the register can be made consistent with the approach of the principles in the Privacy Act while not, in any sense, wishing to diminish the usefulness of the register for the intended purposes. Some additional concerns about the proposal have arisen in relation to the proposed Internet search facility.

7. In my opinion the privacy issues (and probably other issues) arising from the combining of several registers and placement on the Internet were not the subject of sufficient study prior to the bill being introduced. Following an approach to me at the end of August 1998, I have urged the Ministry to go into the issues since I am convinced they are more complex and carry more risks than have been assumed. I am wary of the enthusiasm of officials for certain technologies, such as the Internet, when they do not necessarily fully understand the implications for personal privacy.

8. An Internet search facility offers a challenge to hackers and crackers. No doubt the Ministry will seek to adopt state of the art protection measures, such as firewalls, but these must potentially repel the most advanced hackers from throughout the world where the facility is available on the Internet. This requires a constant upgrading of protective measures to the best available. Whatever is adopted in 1999 will not be satisfactory in 2002 and I query whether the Ministry will always be able to invest in necessary upgrading. A greater degree of risk may be assumed as time goes on if reinvestment is postponed. The Committee should ensure the Government is in no doubt that the establishment of a register on the Internet is a solemn commitment to future upgrades and continual expenditure to achieve that. Requiring a registry, for instance, “to manage the privacy risks within existing budgets” is simply not an adequate covenant with the subjects whose information will be registered therein but it will remain protected by the best technical safeguards available.

9. In this brief report I have necessarily spoken in general terms. It is difficult to speak precisely in terms of clauses in the legislation since the bill is silent on many of the matters with which I am concerned. For example, one can read the entire bill and still not know what is to be contained in the “financing statement”. Knowledge of the content of that, the register’s search references and the means by which searches will be made, are all necessary to an understanding and resolution of any privacy issues. For this reason, I have concentrated on working with the Ministry which has been researching some of the issues and developing an appropriate response. That work is on-going. I see the likely resolution as involving identification and articulation of the purposes for which the register is maintained and held open for public search. This has been successfully achieved in several other registers created, or continued, since 1993. The articulation of purposes within the bill should be combined with appropriate and effective means for facilitating disclosure consistent with those purposes and constraining inconsistent disclosures. As every statutory register has unique characteristics, the means by which this has been attempted or achieved on other occasions is not necessarily a guide to the appropriate response with this register. The issues are being worked through and I believe that it may be possible to link the question of lawful search under the bill with information privacy principle 4 which constrains collection of personal information by means which are unlawful. If the link can be successfully made in the bill and supporting administrative arrangements, I believe that a reliance may be placed upon the enforcement and redress mechanisms in the Privacy Act for any breach of a scheme which may be devised under the bill.

10. As work by officials (to which my office is responding) is on-going, it is difficult to say very much more on the subject in this report but I would be happy to further explain my views to the Committee. However, I do emphasise that the approach that I have taken is consistent with the international approach to personal information handling and the approach that is increasingly taken in New Zealand and other jurisdictions to public register issues. However, making the task more complex in this case is the lack of specificity in the bill as to the personal information in issue and the challenges created by placing the register on the Internet, which is a new issue for New Zealand legislation.

B H Slane
Privacy Commissioner
25 March 1999