Our website uses cookies to give you the best experience and for us to analyse our site usage. If you continue to use our site, we will take it you are OK about this. Click on More for information about the cookies on our site and what you can do to opt out.

More Close ×

We respect your Do Not Track preference.

Close ×

logo-desktop.png
  • Home /
  • Blog /
  • Hager and Westpac - A bit more context, information and clarification

Print | Email this page

Hager and Westpac - A bit more context, information and clarification Sam Grover
22 March 2017

vault

There has been a significant amount of media coverage about our investigation into Westpac bank disclosing journalist Nicky Hager’s bank account information to Police in 2014. In the course of that reporting, some misconceptions have emerged. Because of the interest in the case, and the potential implications for future practice, we have noted some points of clarification and context below.

Coverage of the story has focussed on our final opinion letter to Mr Hager that he chose to make public. The final opinion is the tail end of a long process that involved submissions, meetings and careful consideration of the facts of the case.

Key background facts

  1. Westpac disclosed Mr Hager’s account information during a Police investigation that followed the publication of Mr Hager’s book Dirty Politics.  In the course of investigating how Mr Hager got the information he used to write the book, Police asked Westpac for information about Mr Hager. Westpac provided Police with several months of Mr Hager’s transaction information.

Privacy Commissioner’s legal opinion

The Privacy Commissioner’s opinion is just that – it is not a ‘ruling’ and it is not legally binding. The Human Rights Review Tribunal – where Mr Hager has taken his case now – issues rulings. It hears evidence and argument afresh and comes to its own conclusion.

  1. We form a view of each case based on its specific facts. The law describes a range of circumstances where organisations like banks can disclose customer information, but they have to be able to justify why they did so

  2. The views expressed in our correspondence are not changing or reforming the law. The Police sought Mr Hager’s information without seeking a production order from a court. That in itself is unremarkable; there is nothing in the Privacy Act that requires a production order before information may be released.

Westpac’s decision to disclose the information

  1. Westpac told us its authority to disclose Mr Hager’s banking details came from its terms and conditions, which Mr Hager had accepted. Principle 11(d) of the Privacy Act allows agencies to disclose personal information if the agency believes on reasonable grounds that the disclosure is authorised by the individual concerned. For example, a home insurer may share information with a mortgage holder, with customer consent.

  2. The relevant clause said that Westpac would disclose information to Police whenever it “reasonably believes that the disclosure will assist it to comply with any law, rules and regulations in New Zealand or overseas or will assist in the investigation, detection and/or prevention of fraud, money laundering or other criminal offences.”

Privacy Commissioner’s view of Westpac’s reasoning

  1. We found that a reasonable Westpac customer would think the phrase “fraud, money laundering or other criminal offences” suggests “other criminal offences” would be similar sorts of financial crimes. Police asked for Mr Hager’s information as part of an investigation involving section 249 of the Crimes Act (accessing a computer for a dishonest purpose), and fraud. Mr Hager himself was not a suspect in this investigation. Westpac has noted that this latter fact was not clear at the time the information was requested. We therefore formed our view that Westpac could not reasonably believe Mr Hager had given his consent for his account information to be disclosed to the Police, given that set of specific facts.

  2. When an agency sets its terms and conditions, it needs to abide by them. Our view was that Westpac’s interpretation of its terms and conditions was too broad, particularly in its definition of “other criminal offences”.

  3. Westpac also argued that the disclosure was allowed under principle 11(e)(i), which allows agencies to disclose information “to avoid prejudice to the maintenance of the law.” We thought this argument was difficult to sustain. If Westpac thought that Mr Hager had authorised it to disclose his information to Police, then “maintenance of the law” didn’t need to enter consideration. It is not consistent to disclose information based on both criteria because they address different circumstances, and one of the two should be enough to authorise disclosure.

Why do production orders and search warrants exist?

  1. Production orders oblige agencies to provide information. The Privacy Act exceptions do not oblige an agency to disclose information - they enable an agency to disclose information.

How does the “maintenance of the law” exception work?

  1. The Privacy Act maintenance of the law exception (principle 11(e)(i)) allows an agency to give information to the Police, provided certain criteria are met.

  2. This exception does not give Police the right to see any information they would like in order to maintain the law. Rather, it only applies to situations where not seeing the information would prejudice, or do some harm to, maintaining the law. Fraud is a good example. If banks suspect fraud, they are absolutely within their rights to disclose information to the authorities. Police cannot investigate without good information from the bank. Similarly, in missing persons’ cases, bank transactions could indicate where someone is. Under these circumstances, if the agency refused to provide the information to Police, it could be hindering an investigation or, in other words, prejudicing the maintenance of the law, and they could therefore provide the information without breaching the individual’s privacy.

  3. A good way to think of the maintenance of the law exception is that it functions as “a shield, not a sword.” Rather than a government agency saying “you must give this information so we can maintain the law”, the exception enables an agency receiving the request to say “explain to me why not giving this information would stop you from maintaining the law.”

  4. The case law in this area underlines that when government agencies ask for information under this exception, they need to provide reasons why they think the exception applies. In the Westpac-Hager complaint, Police did not provide any reasons, so Westpac had no way to assess whether the “maintenance of the law” exception applied.

Role of the Human Rights Review Tribunal

  1. Mr Hager’s legal counsel has indicated that he will be taking the case to the Human Rights Review Tribunal. The Tribunal will hear the case “afresh” (i.e: without taking the Privacy Commissioner’s view into consideration), and then issue a judgment. Tribunal judgments, unlike findings from this office, are enforceable rulings. We will be keeping a keen eye on the outcome in order to inform our approach to future cases.

Image credit: Brook Ward via Flickr

0 comments

, ,

Back
Previous Blog Post Next Blog Post

Comments

No one has commented on this page yet.

Post your comment

The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.

Latest Blog Entries

Blog

Browse by Date

Subscribe via RSS

Tag Cloud

AboutMe ACC access adequacy advisory opinions AISA ANZ APEC APPA apps Ashley Madison Asia AskUs bankruptcy big data biometrics bloggers breach case breach notification BSA CCTV children children's commissioner collection complaints compulsory meetings Court of Appeal CPEA Credit reporting Crimes Act Customs cybercrime dash cams data breach data portability data protection data safety deidentification DHB Dirty Politics disclosure drones electoral roll email employee browsing enquiries EU European standards Facebook filming Five Eyes GCPO GCSB Google Google Analytics GPEN hacking harmful digital commmuncation Harmful Digital Communications HDCA health HIPC HRRT Human Rights Review Tribunal IAPP iappanz ICDPPC identity conference IGIS immigration information sharing intelligence International Internet of Things IoT IPLL ITU Kim Dotcom lawyers Maori naming policy news media nurses NZFS NZNO NZTA OAIC OECD Ombudsman OMSA online media open source OWLS penetration testing PIA Piwik Police policy PORT principle1 principle 2 principle 3 principle 4 principle 5 principle 6 principle 7 principle 8 principle 9 principle 11 priv-o-matic privacy Privacy Act privacy commentators privacy commissioner privacy directory privacy experts Privacy Good Privacy Impact Assessment privacy training Privacy Week PRM Profile Engine recruitment reidentification research schools Section 56 security social media spreadsheets Supreme Court surveillance surveillance technology technology telecommunications television TIPC transparency reporting Tribunal Twitter UAVs UN vacancy vulnerable children Westpac YouTube

Back to top