The Privacy Commissioner is reviewing the operation of the Privacy Act under section 26 of the Act. The Commissioner will consider whether any amendments to the Act are necessary or desirable and will report his findings to the Minister of Justice.
This paper is one in a series which will cover the entire scope of the Act and highlight some issues. To find out which other discussion papers have been released, and to obtain copies of them, you may contact the Commissioner's office. Copies of the discussion papers will also be available through the Commissioner's web site.
The Privacy Commissioner welcomes comments on this paper and seeks responses to any specific questions raised. Submissions should be made in writing and be forwarded to the Commissioner's office by post or email no later than 3 November 1997.
The Commissioner will hold a series of consultation meetings in the main centres and some regional cities during November. If you would like to be invited to a consultation meeting please indicate this with your written submission.
Privacy Act Review 1997
Office of the Privacy Commissioner
P O Box 10-094
Wellington
fax: 04-474 7595 privacy hotline: 0800-803 909 email: privacy@actrix.gen.nz
For general enquiries about the review please speak to the Enquiries Officers at the freephone number. If you have a more detailed enquiry concerning your submission or the review please speak to the Codes and Legislation Officer at 04-474 7597.
Background information on the Privacy Act is available on the Internet at:
http://www.knowledge-basket.co.nz/privacy/welcome.htm
Fear of state surveillance and secret informers can probably be traced back to the start of organised societies. The fears have often been well founded as the opening of secret service files from East Germany and Poland have shown. New Zealand, like other free and democratic societies, has generally accepted the need for some form of secret state surveillance to guard against those who would undermine democratic structures. However all democratic societies have also wrestled with the appropriate legal and administrative controls to ensure that any secret services remain accountable to those democratic institutions and do not go beyond what is reasonable to achieve their assigned mandate.
Undoubtedly the work of intelligence and security agencies is a major inroad into our privacy. The inroad has not diminished following the collapse of most communist states whereas arguably the need for it has. Many New Zealanders will accept the need for these agencies but take the view that perceived weaknesses in oversight and control mechanisms provide a possibility for unnecessary breaches of privacy.
The restrictions on the flow of information necessary to successful intelligence operations limits the application to intelligence organisations of standard public accountability controls. Intelligence organisations have been subject to little direct scrutiny from outside the executive government. There is presently some limited external scrutiny from the Auditor General, the Ombudsman and Privacy Commissioner, and probably to some limited extent certain other bodies. The limited brief of the former Commissioner of Security Appeals has recently been replaced by an Inspector-General of Intelligence and Security with a wider mandate and greater powers.
Secret surveillance and intelligence gathering creates profound privacy risks for the individuals affected and society at large. To constrain those risks the Privacy Commissioner has taken the view that:
This discussion paper focuses exclusively on whether an existing exemption should be narrowed so as to apply further information privacy principles to intelligence organisations. Material in this paper (including expressions of the Commissioner's views) is drawn from the Privacy Commissioner's report to the Minister of Justice on the Intelligence and Security Agencies Bill (February 1996).
The Privacy Act contains two specific provisions dealing with intelligence organisations: sections 57 and 81. The term "intelligence organisation" is defined in section 2 to mean the New Zealand Security Intelligence Service and the Government Communications Security Bureau (hereafter referred to as the SIS and GCSB).
Section 57 of the Privacy Act provides:
"Intelligence organisations - Nothing in principles 1 to 5 or principles 8 to 11 applies in relation to information collected, obtained, held, used, or disclosed by, or disclosed to, an intelligence organisation."
Only the principles dealing with the rights of access to personal information by the individual concerned (principle 6), the right of the individual concerned to seek correction of personal information (principle 7) and that relating to unique identifiers (principle 12) apply to intelligence organisations.
There is a special procedure set out in section 81 in relation to investigations which may be undertaken in relation to an alleged breach by an intelligence organisation of principles 6, 7 or 12. Most of the complaints the Commissioner receives and investigates relate to a request for a review of a decision by an intelligence organisation to refuse access to information that it holds or to refuse to confirm or deny that it holds any information. The special procedure that applies under section 81 means that neither the Commissioner (through the Proceedings Commissioner) nor the complainant may refer a complaint to the Complaints Review Tribunal for determination. Rather the procedure anticipates the Commissioner conducting an investigation, forming an opinion, and if the complaint cannot be resolved making a recommendation to the intelligence organisation and awaiting the organisation's response. If no response is made within a reasonable time or, after considering any comments made by the intelligence organisation, the Commissioner may send a copy of his report and recommendations to the Prime Minister. In turn the Prime Minister may lay a copy of all or part of the report before Parliament.
There is always the concern in free and democratic societies as to the surveillance activities of the state. It is not possible for a concerned citizen to know whether the surveillance activities being carried out on his or her behalf are excessive or are being properly kept in check. The secrecy under which the activities are carried out, the various laws limiting public scrutiny for reasons of national security, and the limited public reporting by oversight bodies, all give rise to anxieties as to whether intelligence organisations are overstepping the mark between prudent intelligence gathering to safeguard society and a more sinister "surveillance state". The various scandals that surface from time to time with overseas intelligence organisations heighten public concerns.
The Commissioner has expressed the view that it is desirable that the intelligence organisations adhere to the laws that the rest of society lives by, particularly those relating to respect for human rights and accountability to democratic institutions, to the greatest extent possible consistent with the tasks that these agencies are called upon to perform. At the time that the Privacy Act was enacted in 1993 the Government applied information privacy principles 6 and 7 to intelligence organisations (although accompanied by a special complaints procedure which is not as robust or as open as with other agencies). This was essentially the continuation of the access and correction rights which existed under the Official Information Act 1982. However, the Government also applied information privacy principle 12 to intelligence organisations.
The Commissioner has suggested that now may be the time to apply more of the remaining principles to intelligence organisations (subject always to the special investigation procedure which safeguards any reasonable need for secrecy in relation to complaints investigation and determination). He has suggested that the need is made more urgent by the recent expansion of the mandate of the SIS into new areas concerning the security of New Zealand's economic wellbeing.
The Commissioner's view is that the information privacy principles provide a sound basis for fair information handling and have clear relevance to intelligence organisations. In particular he considers that principles 1, 5, 8 and 9 seem appropriate to be applied as an obligation on intelligence organisations. These principles are seen as particularly suitable as they take account of the purposes of the agencies concerned, apply standards that are reasonable in the circumstances, and would not need to be amended to establish any national security exception.
Each of principles 1, 5, 8 and 9 has a relevance in relation to intelligence agencies just as they do in other contexts. The standards and expectation will vary depending upon that intelligence context but the principle will provide a guide as to the fair information handling requirements.
Information privacy principle 1 states:
Principle 1
Purpose of collection and personal information
Personal information shall not be collected by any agency unless-
function or activity of the agency; and
In the context of the SIS the lawful purpose will be linked to the definition of "security" as set out in the New Zealand Security Intelligence Service Act 1969.
Q1. Should principle 1 be applied to intelligence organisations?
Information privacy principle 5 provides:
Principle 5
Storage and security of personal intelligence
An agency that holds personal information shall ensure -
Of all the information privacy principles, this would seem to cause least difficulty for intelligence agencies given their emphasis on security of information held and controls on its disclosure. However, in some circumstances there may be information about an individual which the intelligence organisation has a proper reason to hold but which, through a lapse in reasonable security safeguards or otherwise, is disclosed publicly or to another agency that has no purpose in receiving the information, thereby harming the individual. An example would be certain material uncovered in the vetting process.
Q2. Should principle 5 be applied to intelligence organisations?
Information privacy principle 8 provides:
Principle 8
Accuracy, etc, of personal information to be checked before use
An agency that holds personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purposes for which the information is proposed to be used, the information is accurate, up to date, complete, relevant, and not misleading.
It might be thought that some small piece of intelligence may seem of little importance at the time it is gathered or shortly thereafter and yet, when it accumulated with various other pieces of the jigsaw puzzle, achieve a significance weeks, months or years later. However, at the time that the information actually is to be put to use, particularly where a decision based upon it will affect the interests of individuals, it seems not unreasonable to apply the standards of principle 8, which require that, having regard to the purpose for which the information is proposed to be used, reasonable steps (if any) be taken to ensure the information is accurate, up to date, and so forth. It may be that in the circumstances no checks are feasible and therefore no breach of the principle would be possible. However, where some reasonable step to check information which is to be used in such a way as to affect an individual could be checked this ought to be done.
Q3. Should principle 8 be applied to intelligence organisations?
Information privacy principle 9 states:
Principle 9
Agency not to keep personal information for longer than necessary
An agency that holds personal information shall not keep that information for longer than is required for the purposes for which the information may lawfully be used.
If intelligence organisations open files on individuals, which turn out not to be necessary, maintain vast numbers of files on individuals, or retain personal data long beyond its proper usefulness, there are risks to privacy. Application of principle 9 would require agencies to have policies on the retention of personal information about individuals. These policies would be linked to the usefulness of the data for an agency's purposes and, for instance, to the statute under which the SIS operates.
It would better serve individual privacy if some information was not kept overly long with the dangers that it will paint an inaccurate picture, be out of date, or be misleading. That is not to say that intelligence of a particular nature might nonetheless be held for a long period where it is reasonable to do so. The importance is that intelligence organisations consider the principle, apply it as relevant for their purposes. Ideally an independent oversight body should be able to look at the result, challenge it and for the agency to have to justify its position where it seems at variance with the principle. It is also important for individuals to have access to a complaints procedure when they are harmed by an agency's disregard of the principle.
Case study: file retention
In Canada the 1981 McDonald Commission inquiry into the activities of the RCMP found that the RCMP Security Services (improperly) had access to social insurance numbers and had maintained files on homosexuals in Canada and on tourists who had visited the Soviet Union. The McDonald Commission noted that the Security Services maintained files on 800,000 individual Canadians, that many such dossiers were needlessly opened and that this amounted to an invasion of privacy. As a result the Solicitor General announced procedures for the eventual destruction for many of the files. The Government accepted the Commission's criticisms and stated that files would be destroyed unless they related to a person who requires a security clearance for employment, there is reason to suspect that the person is a legitimate target for investigation or that a person with access to classified information may become a security threat. The files for possible destruction were to be reviewed by members of the Security Service and officials of the Department of Justice and Ministry of the Solicitor General. Source: Flaherty, Protecting Privacy in Surveillance Societies, 1989, 291. A discussion of the subsequent efforts to deal with the development of a policy and to carry out the destruction of files is at pages 292-294.
Q4. Should principle 9 be applied to intelligence organisations?
Accordingly the suggestion is that an additional four of the twelve principles should now be directly applied to intelligence agencies (although subject to a special complaints procedure whereby the needs of security are accorded a priority).
Q5. Should any of principles 2, 3, 4, 10 or 11 be applied to intelligence organisations?
Other issues
This paper has limited detailed discussion to the present exemption from most of the information privacy principles. Comments are nonetheless welcomed on any other relevant issues, such as in relation to the special procedure relating to intelligence agencies in section 81. The creation since the enactment of the Privacy Act of the position of Inspector General of Intelligence and Security might also be relevant. For instance it might be possible for the Inspector General to satisfy himself as to adequacy of organisation policies in respect of certain information privacy issues even in circumstances where rights of complaint are limited.
Q6. Are any other changes to the Act desirable in respect of intelligence organisations?
Q7. Should the Inspector General of Intelligence and Security be given any statutory role in respect of general compliance with principles for which there is no complaints provision?
The Privacy Commissioner may include in his final report a list of submissions received. He may also refer to submissions in the text of his report. If you want your submission or any part of it treated confidentially, or do not want it used in this way, please indicate this clearly. The Commissioner is subject to the Official Information Act. Copies of submissions may therefore be released on request. Any request for the withholding of information on the grounds of confidentiality or for any other reason will be determined in accordance with that Act and section 116 of the Privacy Act.
act-revi/intell