There has been a significant amount of media coverage about our investigation into Westpac bank disclosing journalist Nicky Hager’s bank account information to Police in 2014. In the course of that reporting, some misconceptions have emerged. Because of the interest in the case, and the potential implications for future practice, we have noted some points of clarification and context below.
Coverage of the story has focussed on our final opinion letter to Mr Hager that he chose to make public. The final opinion is the tail end of a long process that involved submissions, meetings and careful consideration of the facts of the case.
Key background facts
- Westpac disclosed Mr Hager’s account information during a Police investigation that followed the publication of Mr Hager’s book Dirty Politics. In the course of investigating how Mr Hager got the information he used to write the book, Police asked Westpac for information about Mr Hager. Westpac provided Police with several months of Mr Hager’s transaction information.
Privacy Commissioner’s legal opinion
The Privacy Commissioner’s opinion is just that – it is not a ‘ruling’ and it is not legally binding. The Human Rights Review Tribunal – where Mr Hager has taken his case now – issues rulings. It hears evidence and argument afresh and comes to its own conclusion.
- We form a view of each case based on its specific facts. The law describes a range of circumstances where organisations like banks can disclose customer information, but they have to be able to justify why they did so
- The views expressed in our correspondence are not changing or reforming the law. The Police sought Mr Hager’s information without seeking a production order from a court. That in itself is unremarkable; there is nothing in the Privacy Act that requires a production order before information may be released.
Westpac’s decision to disclose the information
- Westpac told us its authority to disclose Mr Hager’s banking details came from its terms and conditions, which Mr Hager had accepted. Principle 11(d) of the Privacy Act allows agencies to disclose personal information if the agency believes on reasonable grounds that the disclosure is authorised by the individual concerned. For example, a home insurer may share information with a mortgage holder, with customer consent.
- The relevant clause said that Westpac would disclose information to Police whenever it “reasonably believes that the disclosure will assist it to comply with any law, rules and regulations in New Zealand or overseas or will assist in the investigation, detection and/or prevention of fraud, money laundering or other criminal offences.”
Privacy Commissioner’s view of Westpac’s reasoning
- We found that a reasonable Westpac customer would think the phrase “fraud, money laundering or other criminal offences” suggests “other criminal offences” would be similar sorts of financial crimes. Police asked for Mr Hager’s information as part of an investigation involving section 249 of the Crimes Act (accessing a computer for a dishonest purpose), and fraud. Mr Hager himself was not a suspect in this investigation. Westpac has noted that this latter fact was not clear at the time the information was requested. We therefore formed our view that Westpac could not reasonably believe Mr Hager had given his consent for his account information to be disclosed to the Police, given that set of specific facts.
- When an agency sets its terms and conditions, it needs to abide by them. Our view was that Westpac’s interpretation of its terms and conditions was too broad, particularly in its definition of “other criminal offences”.
- Westpac also argued that the disclosure was allowed under principle 11(e)(i), which allows agencies to disclose information “to avoid prejudice to the maintenance of the law.” We thought this argument was difficult to sustain. If Westpac thought that Mr Hager had authorised it to disclose his information to Police, then “maintenance of the law” didn’t need to enter consideration. It is not consistent to disclose information based on both criteria because they address different circumstances, and one of the two should be enough to authorise disclosure.
Why do production orders and search warrants exist?
- Production orders oblige agencies to provide information. The Privacy Act exceptions do not oblige an agency to disclose information - they enable an agency to disclose information.
How does the “maintenance of the law” exception work?
- The Privacy Act maintenance of the law exception (principle 11(e)(i)) allows an agency to give information to the Police, provided certain criteria are met.
- This exception does not give Police the right to see any information they would like in order to maintain the law. Rather, it only applies to situations where not seeing the information would prejudice, or do some harm to, maintaining the law. Fraud is a good example. If banks suspect fraud, they are absolutely within their rights to disclose information to the authorities. Police cannot investigate without good information from the bank. Similarly, in missing persons’ cases, bank transactions could indicate where someone is. Under these circumstances, if the agency refused to provide the information to Police, it could be hindering an investigation or, in other words, prejudicing the maintenance of the law, and they could therefore provide the information without breaching the individual’s privacy.
- A good way to think of the maintenance of the law exception is that it functions as “a shield, not a sword.” Rather than a government agency saying “you must give this information so we can maintain the law”, the exception enables an agency receiving the request to say “explain to me why not giving this information would stop you from maintaining the law.”
- The case law in this area underlines that when government agencies ask for information under this exception, they need to provide reasons why they think the exception applies. In the Westpac-Hager complaint, Police did not provide any reasons, so Westpac had no way to assess whether the “maintenance of the law” exception applied.
Role of the Human Rights Review Tribunal
- Mr Hager’s legal counsel has indicated that he will be taking the case to the Human Rights Review Tribunal. The Tribunal will hear the case “afresh” (i.e: without taking the Privacy Commissioner’s view into consideration), and then issue a judgment. Tribunal judgments, unlike findings from this office, are enforceable rulings. We will be keeping a keen eye on the outcome in order to inform our approach to future cases.
Image credit: Brook Ward via Flickr