Privacy Awareness Week 2012
Notes from the coalface
Presentation byMike Flahive and Dawn Swan
In March : The News
• Australian Cricket Association
• ACC data breach
• Ports of Auckland
• Law Commission / Code amendments
• CCTV in Pukekohe
• Police to pay damages
• Coronor’s comments
The Reality
• Complaints
> 968 last year, 915 currently
• Enquiries
> 7006 last year, 6475 currently
• Eight team members hold files
• On average, each investigator will
receive 125 files and close 120 each
year
Work in progress
• An average of 50 files
• Half access, 25% disclosure
• Even split public and private sector
• Age of files: 88% under 6 months
• Dominant focus settlement
• 30% settled
Outcomes on closed files 2010/11
Closed 999
No interference with privacy 686
Complaint has substance 313
Settled / mediated 281
Referred to Director of HumanRights Proceeding 19
Settlement record (2010/11)
Access
• 534 access complaints
• 208 settled
• 185 involved release or partial release of information
• 21 involved payment of money averaging $650 for slow release or refusal
• 2 payments in excess of $2,000
Settlement record (2010/11)
Disclosure
• 267 closed
• 52 settled
• 19 involved payment of money averaging $8000
• 3 payments in excess of $10,000
• 1 payment more than $40,000
• Average without large payment $5,000
continued
Examples of settlement
Health agency
• Gave information to person about patient
• Person not a relative or holding EPOA
• No checking by health agency
• Apology, assurances, training and
$5,000
Examples of settlement
• Agency repeatedly sent correspondent to complainant’s residential address contrary to arrangements to use PO Box
• Spouse found out about secret arrangement
• $1,000 new terms of contract
continued
Examples of settlement
Agency employee browsing
• Information used outside agency to
significantly embarrass complainant
• Loss of confidentiality
• Loss of employment
• Agency paid more than $40,000
continued
Lochead-MacMillan vs AMI Insurance Ltd[2012] NZHRRT 5
• Fire damaged property, home and
contents insurance claim
• $10,000 damages
• “Multiple, sustained and systemic
failures” to comply with Privacy Act
Multiple information requests
• 4 February – request for audio files
and transcripts
• 2 March – request for audio repeated
• 13 April – Feb and March requests
repeated
• 6 May – request for fire report
• 19 May – first three requests repeated
• 8 July – request for AMI file
Breaches by AMI
• Failure to comply with statutory time
limit = deemed refusal
• Failure to advise of right to seek an
investigation by Privacy Commissioner
• Refusal to release fire report –
unjustifiably withheld twice
Damages Awarded
• $10,000 for injury to feelings
• Repeatedly ignored requests
• Plaintiffs kept in dark
• Impression Privacy Act obligations
not important
• Unequal relationship
• Plaintiffs made to feel insignificant,
ineffectual and unimportant
HRRT Comments
• Privacy principles are fundamental
to good process
• Requests for information cannot
be ignored or dismissed
• Good administration demands full
compliance with Privacy Act
[2011] NZHRRT 5 (25/2/11)
• Withholding grounds
[2011] NZHRRT 6 (9/3/11)
• Non compliance with Part 5
procedural provisions of the Act
Sharoodi v Director of Civil Aviation
General Advice from Tribunal
• Full index of documents
• Pagination of documents
• Identification of released, withheld
or redacted information
Managing Access Requests
• Anticipate having to explain what
you have done
• A discovery process of indexing all
documents is very handy
• Create separate record of total
information
• Create separate record of withheld/
redacted information
Tribunal discussion
• Series of misunderstandings around
request for personal information which
became “personnel” information
• Request not answered until 21/2 months
after reasonably expected to comply
Therefore
• Deemed refusal and undue delay
Damages
Loss of benefit - $5,000
• A reluctant and piecemeal release
• Revoked pilot’s licence before release
• Not able to use/check information
before revocation
• Not given a “fair crack of the whip”
Damages
Humiliation, loss of dignity, injury to
feelings - $5,000
• Interpreted request in a limited way
• Revoked pilot’s licence knowing that
information yet to be released
• Late decisions to mitigate only after
involvement of Privacy Commissioner
continued