Are companies handing over your personal information too easily?
Before raiding Nicky Hager's house in October 2014, police asked Westpac to provide a record of the journalist's transactions. Police were investigating the identity of "Rawshark", a hacker who supplied ammunition for Mr Hager's book, Dirty Politics. The detectives hoped Mr Hager's transactions might disclose a payment to the hacker. Westpac complied with the request, even though police didn't have a court order for the information.
In December, the High Court ruled the raid on Mr Hager's house was "fundamentally unlawful". Court documents showed police had approached other organisations for the journalist’s information, but with limited success.
Mr Hager intends to complain to the Privacy Commissioner about Westpac. “I couldn't believe that my bank would hand all my records to police without even requiring a court order,” he says.
Two months after the High Court's judgement on Mr Hager’s case, the Office of the Privacy Commissioner (OPC) released the results of its transparency reporting trial.
The OPC asked 10 companies from the financial services, communications and utilities sectors to note the number and types of information requests they received from government agencies. Over a three-month trial period, the companies, whose names were withheld, received 11,799 requests for customer information.
The companies complied with 96 percent of requests. But the OPC says the true compliance rate was virtually 100 percent as requests were only declined when the company didn’t have data on the person in question.
The five government agencies that made the most requests were Inland Revenue (4670); Police (3513); Ministry of Social Development (3150); Ministry of Business, Innovation and Employment (99); and the New Zealand Customs Service (73).
The most common types of information request were:
- account requests for any information held about a person, including name, address, correspondence and transaction records
- content requests for non-transactional information, such as email and telephone records
- transaction requests for bank account statements, credit card use and so on.
Tools of the trade
The government’s information-gathering powers fall into three categories: court orders, statutory compulsion (legislation that allows agencies to collect data) and requests made without express legal consent.
In a survey last year, carried out by Horizon Research, 78 percent of respondents thought a court order should be required by a company before it released any information. But based on the OPC trial, information requests are usually made under statutory compulsion. For instance, Inland Revenue uses section 17 of the Tax Administration Act to gather transactional data and snag tax evaders.
If a government agency makes a request without express legal consent, a company can sometimes release the information under principle 11 of the Privacy Act. This gives companies the option to disclose personal information in specific circumstances – to maintain the law, protect public revenue or lessen a serious threat to an individual. Crucially, the onus is on the company to defend the disclosure if questioned.
There are instances where government agencies have used information-gathering powers to go fishing. In 2012, Inland Revenue served Trade Me with a request under the Tax Administration Act for the personal information of nearly a million members. The request was part of an operation to catch tax evaders. Trade Me challenged the scope of the request. Following two years of negotiations, it eventually provided information on 44,368 customers.
Katrine Evans, a senior associate at Hayman Lawyers and former assistant privacy commissioner, says agencies have to be careful when using legislative powers to gather information in bulk. “Legislative powers exist for good reasons, like catching tax evaders. But it’s so easy to slide into collecting because you can, not because you really need to – usually not because of malice, but simply because nobody’s stopped to think through what information they genuinely needed.”
Companies in the OPC trial recorded more than 1000 instances where government agencies requested information under the Privacy Act. But the Act doesn’t provide government agencies with a mechanism to collect information. Rather, it gives companies the option to disclose information.
“I’ve seen a lot of examples of government agencies saying they’re asking for information under principle 11 of the Privacy Act. It’s frustrating because it’s legally wrong and they should know that by now,” Ms Evans says.
She says there's often good cause for releasing information, such as to protect a person's safety. However, companies that release information without a proper reason risk damaging their reputation. In serious cases, they may also wind up in the Human Rights Review Tribunal, which can award damages to individuals who’ve suffered an interference with their privacy.
The OPC says it’s not unreasonable for a government agency to give a company advice about the Act, but it must be careful not to imply the company has a legal obligation to respond to the request.
Where to from here
One of the OPC’s aims is to encourage more Kiwi companies to publish transparency reports. It says transparency reporting provides consumers with insight into how government agencies use their coercive powers to gather personal information. It also compels companies to improve processes for responding to – or rejecting – a request.
The OPC also wants government agencies to report on their use of information-gathering powers. Only some agencies publish this. Police have a statutory obligation to list surveillance activities, such as the number of “warrantless search powers exercised”, in annual reports. But the reports don’t provide details about the number of requests made with, and without, a court order nor the types of request (account, content or transactions). We think they should.
Your privacy rights
Want to know more about your privacy rights? The Office of the Privacy Commissioner’s website contains a range of information, including:
- AboutMe: a tool that allows you to generate and send a formal request to an organisation for the information it holds about you.
- Privacy 101: a free online course that sets out the privacy principles and the scope of the Privacy Act.
By Luke Harrison
Trade Me's take on the issue
Trade Me head of trust and safety Jon Duffy says the company publishes an annual transparency report because it believes members deserve to know what’s happening with their data. But it’s also a means of holding government agencies to account. “We would like to see more done to encourage government agencies to make responsible requests.”
Between July 2014 and June 2015, the company received 3004 information requests from police, government agencies and members who wanted to take another member to the Disputes Tribunal.
Police made more than 60 percent of requests (1840 of 3004). The most common police requests related to stolen goods (39 percent), drugs (17 percent) and non-delivery of items (16 percent).
Trade Me responds to the majority of police requests under the Privacy Act. However, Mr Duffy says the company insists on production orders when police are investigating a serious offence or requesting information on multiple members. In the year to June 2015, Trade Me initially rejected 1.6 percent of police requests.
In many instances, Trade Me prefers releasing information under the Privacy Act rather than statutory compulsion. Mr Duffy says the Privacy Act allows Trade Me “to control what is released, rather than being legally obliged to respond to compulsion orders, which can be wide in scope and require us to release information not strictly relevant to the investigation”.
Note: Jon Duffy is a Consumer NZ board member.