Privacy Awareness Week 2012

Notes from the coalface

Presentation byMike Flahive and Dawn Swan

In March : The News

• Australian Cricket Association

• ACC data breach

• Ports of Auckland

• Law Commission / Code amendments

• CCTV in Pukekohe

• Police to pay damages

• Coronor’s comments

The Reality

• Complaints

> 968 last year, 915 currently

• Enquiries

> 7006 last year, 6475 currently

• Eight team members hold files

• On average, each investigator will

receive 125 files and close 120 each

year

Work in progress

• An average of 50 files

• Half access, 25% disclosure

• Even split public and private sector

• Age of files: 88% under 6 months

• Dominant focus settlement

• 30% settled

Outcomes on closed files 2010/11

Closed 999

No interference with privacy 686

Complaint has substance 313

Settled / mediated 281

Referred to Director of HumanRights Proceeding 19

Settlement record (2010/11)

Access

• 534 access complaints

• 208 settled

• 185 involved release or partial release of information

• 21 involved payment of money averaging $650 for slow release or refusal

• 2 payments in excess of $2,000

Settlement record (2010/11)

Disclosure

• 267 closed

• 52 settled

• 19 involved payment of money averaging $8000

• 3 payments in excess of $10,000

• 1 payment more than $40,000

• Average without large payment $5,000

continued

Examples of settlement

Health agency

• Gave information to person about patient

• Person not a relative or holding EPOA

• No checking by health agency

• Apology, assurances, training and

$5,000

Examples of settlement

• Agency repeatedly sent correspondent to complainant’s residential address contrary to arrangements to use PO Box

• Spouse found out about secret arrangement

• $1,000 new terms of contract

continued

Examples of settlement

Agency employee browsing

• Information used outside agency to

significantly embarrass complainant

• Loss of confidentiality

• Loss of employment

• Agency paid more than $40,000

continued

Lochead-MacMillan vs AMI Insurance Ltd[2012] NZHRRT 5

• Fire damaged property, home and

contents insurance claim

• $10,000 damages

• “Multiple, sustained and systemic

failures” to comply with Privacy Act

Multiple information requests

• 4 February – request for audio files

and transcripts

• 2 March – request for audio repeated

• 13 April – Feb and March requests

repeated

• 6 May – request for fire report

• 19 May – first three requests repeated

• 8 July – request for AMI file

Breaches by AMI

• Failure to comply with statutory time

limit = deemed refusal

• Failure to advise of right to seek an

investigation by Privacy Commissioner

• Refusal to release fire report –

unjustifiably withheld twice

Damages Awarded

• $10,000 for injury to feelings

• Repeatedly ignored requests

• Plaintiffs kept in dark

• Impression Privacy Act obligations

not important

• Unequal relationship

• Plaintiffs made to feel insignificant,

ineffectual and unimportant

HRRT Comments

• Privacy principles are fundamental

to good process

• Requests for information cannot

be ignored or dismissed

• Good administration demands full

compliance with Privacy Act

[2011] NZHRRT 5 (25/2/11)

• Withholding grounds

[2011] NZHRRT 6 (9/3/11)

• Non compliance with Part 5

procedural provisions of the Act

Sharoodi v Director of Civil Aviation

General Advice from Tribunal

• Full index of documents

• Pagination of documents

• Identification of released, withheld

or redacted information

Managing Access Requests

• Anticipate having to explain what

you have done

• A discovery process of indexing all

documents is very handy

• Create separate record of total

information

• Create separate record of withheld/

redacted information

Tribunal discussion

• Series of misunderstandings around

request for personal information which

became “personnel” information

• Request not answered until 21/2 months

after reasonably expected to comply

Therefore

• Deemed refusal and undue delay

Damages

Loss of benefit - $5,000

• A reluctant and piecemeal release

• Revoked pilot’s licence before release

• Not able to use/check information

before revocation

• Not given a “fair crack of the whip”

Damages

Humiliation, loss of dignity, injury to

feelings - $5,000

• Interpreted request in a limited way

• Revoked pilot’s licence knowing that

information yet to be released

• Late decisions to mitigate only after

involvement of Privacy Commissioner

continued