REPORT BY THE PRIVACY COMMISSIONER

TO THE MINISTER OF JUSTICE

ON THE INTELLIGENCE AND SECURITY AGENCIES BILL

REPORT BY THE PRIVACY COMMISSIONER

TO THE MINISTER OF JUSTICE

ON THE INTELLIGENCE AND SECURITY AGENCIES BILL

1.0 Introduction

2.0 Intelligence organisations and the Privacy Act

2.1 The existing position

2.2 Aspects of the bill touching upon the Privacy Act

2.3 Extension of other privacy principles to intelligence organisations?

3.0 Positive aspects of the bill

4.0 Extension of meaning of "security" in SIS Act

5.0 Review of other issues

Attachment 1

Suggested amendments - clause by clause

Additional clauses in Australian Act having no equivalent in the bill

Other recommendations

1.0 Introduction

1.1 Fear of state surveillance and secret informers can probably be traced back to the start of organised societies. The fears have often been well placed as the opening of the files following the fall of the iron curtain have shown. Attempts to place limits on the state's power to intrude on private lives to carry out surveillance dates back to at least Entick v. Carrington in 1765 and probably earlier. New Zealand, like other free and democratic societies, has generally accepted the need for some form of secret state surveillance to guard against those who would undermine democratic structures. However all democratic societies have also wrestled with the appropriate legal and administrative controls to ensure that any secret services remain accountable to those democratic institutions and do not go beyond what is reasonable to achieve their assigned mandate.

1.2 It is in this context that I have examined the Intelligence and Security Agencies Bill. It appeared to me possible that the bill may affect the privacy of individuals. I now report the results of that examination.

1.3 Undoubtedly the work of intelligence and security agencies is a major inroad into our privacy. This view is probably more widely held than previously following the collapse of most communist states. Many New Zealanders will accept the need for these agencies but take the view that perceived weaknesses in oversight and control mechanisms provide a possibility for unnecessary breaches of privacy. In a free society, the burden of justifying the continuation of the level of activity of such bodies falls on those who wish to maintain their work. Similarly falls the onus of proving the need to extend it into new fields. The case for loss of privacy has to be convincingly made out. It is not for those who would maintain existing levels of privacy to try to prove the importance of doing so.

1.4 In my view, there is much to support in this Bill. In general, I do support it and hope the mechanisms in it will help us avoid becoming a "surveillance state". However, I also note that the Bill has potential for increasing the realm of state surveillance and I have misgivings about this. I believe that the creation of the Intelligence and Security Committee and Inspector-General of Intelligence and Security will both enhance oversight and accountability.

1.5 The restrictions on the flow of information necessary to successful intelligence operations limits the application to intelligence and security agencies of standard public accountability controls. The intelligence agencies have been subject to little direct scrutiny from outside the executive government. There is presently some limited external scrutiny from the Commissioner of Security Appeals, Auditor General, the Ombudsman and Privacy Commissioner, and probably to some limited extent certain other bodies. This Bill will enhance Parliamentary oversight of the agencies and replace the limited brief of the Commissioner of Security Appeals with an Inspector-General with a wider mandate and greater powers. The existing roles of the Ombudsmen and Privacy Commissioner are unaffected.

1.6 In approaching the Bill I have taken the view that secret surveillance and intelligence gathering creates profound privacy risks for the individuals affected and society at large. To constrain those risks I take the view that:

the role of intelligence agencies should be kept to a tight brief and not be allowed

to stray into areas which can be appropriately managed by normal and open governmental and policing activities;

while the agencies will require to conduct a significant proportion of their work in secret there will be areas in which some information can be disclosed publicly, to the individuals affected or to oversight bodies, and the greatest degree of openness and disclosure should be promoted;
as far as possible similar accountability mechanisms as apply to other bodies should apply to the agencies (perhaps in a modified manner) unless there is a good reason for that not to occur; and
there should be redress for actions of intelligence agencies which breach individual rights without justification, including the right to privacy.

1.7 I will begin the body of the report by briefly outlining the current arrangements in the Privacy Act whereby three of the information privacy principles apply to intelligence organisations and I can investigate complaints of breaches of those principles under a special procedure. This bill does not affect those current arrangements. I then make a few other observations on provisions in the bill where those may affect individual privacy. In the course of preparing this report I refer to the legislative controls adopted in Australia, Canada and the United Kingdom, as these societies would seem to have much in common with New Zealand. It so happens that each has, in the last few years, revised their oversight mechanisms.

2.0 Intelligence organisations and the Privacy Act

2.1 The existing position

2.1.1 The Privacy Act contains two specific provisions dealing with intelligence organisations: sections 57 and 81. The term "intelligence organisation" is defined in section 2 of the Privacy Act to mean the New Zealand Security Intelligence Service and the Government Communications Security Bureau.

2.1.2 Section 57 of the Privacy Act provides:

"Intelligence organisations - Nothing in principles 1 to 5 or principles 8 to 11 applies in relation to information collected, obtained, held, used, or disclosed by, or disclosed to, an intelligence organisation."

Only the principles dealing with the rights of access to personal information by the individual concerned (principle 6), the right of the individual concerned to seek correction of personal information (principle 7) and that relating to unique identifiers (principle 12) apply to intelligence organisations.

2.1.3 There is a special procedure set out in section 81 in relation to investigations which may be undertaken in relation to an alleged breach by an intelligence organisation of principles 6, 7 or 12. Most of the complaints I receive and investigate relate to a request for a review of a decision by an intelligence agency to refuse access to information that it holds or to refuse to confirm or deny that it holds any information. The special procedure that applies under section 81 means that neither I (through the Proceedings Commissioner) nor the complainant may refer a complaint to the Complaints Review Tribunal for determination. Rather the procedure anticipates my conducting an investigation, forming an opinion, and if the complaint cannot be resolved making a recommendation to the intelligence organisation and awaiting the organisation's response. If no response is made within a reasonable time or, after considering any comments made by the intelligence organisation, I may send a copy of my report and recommendations to the Prime Minister. In turn the Prime Minister may lay a copy of all or any part of the report before the House of Representatives.

2.1.4 I have conducted or am conducting investigations under the special procedure. I have not, as yet formed any view as to the adequacy of the special procedure but anticipate that it might be a matter worthy of re-examination when I review the operation of the Privacy Act later this year. At present I base my comments on an assumption that the existing special investigation procedure is satisfactory to both resolve complaints and meet the special needs of intelligence organisations.

2.2 Aspects of the bill touching upon the Privacy Act

2.2.1 The bill does not affect or limit the existing (limited) rights that individuals have under the Privacy Act in relation to intelligence organisations and my functions and powers in relation to resultant investigations. This is made express at clause 34(3) which provides:

"Nothing in section 31 of this Act shall limit the powers, duties, and responsibilities of ... the Privacy Commissioner under any enactment".

2.2.2 With the establishment of the new Inspector-General, provision has been made in clause 31(2) for consultation. That subclause provides:

"Notwithstanding ... section 45(1) of this Act, the Inspector-General may from time to time undertake a consultation with ... the Privacy Commissioner in relation to any matter relating to the functions of the Inspector-General under section 30 of this Act, and, for the purposes of any such consultation, the Inspector-General may disclose to ... the Privacy Commissioner such information as the Inspector-General considers necessary for the purpose."

2.2.3 I support the approach of clauses 31 and 34 which will enable the Inspector-General to consult with me in undertaking his or her functions without limiting the powers, duties and responsibilities placed on me under the Privacy Act. In the attachment to this report I propose some technical amendments which may assist in relation to the administration of consultations between the Inspector-General and the Privacy Commissioner.

2.2.4 Clauses 7 and 12 will have some effect on the applicability of the Privacy Act to actions of Members of Parliament and the Committee and my investigations (if any) of complaints in relation to such actions. First of all, clause 7(3) declares that any Member of Parliament who acts as a member of the Committee "shall be deemed, in so acting, to be acting in his or her official capacity as a Member of Parliament". For the purposes of the Privacy Act the definition of "agency" makes it clear that it does not include "a Member of Parliament in his or her official capacity". Therefore, when acting as a member of the Committee, a Member of Parliament will not be an "agency" for the purposes of the information privacy principles (which would be unlikely even without clause 7). Furthermore, clause 12(4) states that the proceedings of the Committee are deemed to be proceedings in Parliament for the purposes of article 9 of the Bill of Rights 1688. This prevents the impeaching or questioning of proceedings in the Committee in any court or place outside Parliament. I would take this to preclude the investigation of a complaint asserting a disclosure of personal information to a Committee meeting or relating to whatever was said about individuals at such a meeting. It is likely that I would decline to conduct such an investigation in any case given article 9 of the Bill of Rights and the general exclusion of the House of Representatives from the Privacy Act definition of "agency".

2.3 Extension of other privacy principles to intelligence organisations?

2.3.1 Undoubtedly, there is always the concern in free and democratic societies as to the effect on privacy of the surveillance activities of the state. It is not possible for a concerned citizen to know whether the surveillance activities being carried out on his or her behalf are excessive or are being properly kept in check. The secrecy under which the activities are carried out, the various laws limiting public scrutiny for reasons of national security, and the limited public reporting by oversight bodies, all give rise to anxieties as to whether intelligence organisations are overstepping the mark between prudent intelligence gathering to safeguard society and a more sinister "surveillance state". The various scandals that surface from time to time with overseas intelligence organisations heighten public concerns. For these reasons I welcome the establishment of the strengthened oversight mechanisms contained in this bill. That support is tempered by caution at the extension of secret surveillance anticipated by the redefinition of "security".

2.3.2 It is my view that adherence by the intelligence organisations to the laws that the rest of society lives by, particularly those relating to respect for human rights and accountability to democratic institutions to the greatest extent possible consistent with the tasks that these agencies are called upon to perform is to be desired. At the time that the Privacy Act was enacted in 1993 the Government applied information privacy principles 6 and 7 to intelligence organisations (although accompanied by a special complaints procedure which is not as robust or as open as with other agencies). This was essentially the continuation of the access and correction rights which existed under the Official Information Act 1982. However, the Government also applied information privacy principle 12 to intelligence organisations. Although a small step it was a welcome one. Other more secretive states might not have even contemplated that.

2.3.3 However, I now suggest that it may be the time to apply more of the remaining principles to intelligence organisations (subject always to the special investigation procedure which safeguards any reasonable need for secrecy in relation to complaints investigation and determination). Although I think the case exists already, I suggest the need is made more urgent by the proposal to redefine "security" so as to extend the mandate of the New Zealand Security Intelligence Service into new areas.

2.3.4 In my view, the information privacy principles provide a good sound basis for fair information handling practices and have clear relevance to intelligence organisations. Principles 1, 5, 8 and 9 in particular ought, in my view, be applied as an obligation to intelligence organisations. These principles are, I submit particularly suitable as they take account of the purposes of the agencies concerned, apply standards that are reasonable in the circumstances, and would not need to be amended to establish any national security exception. There may be a case for considering the application of all the principles to intelligence agencies (perhaps with appropriate security exceptions crafted) but I suggest that broader issue can be examined later on a review of the Privacy Act.

2.3.5 I suggest that each of principles 1, 5, 8 and 9 has a relevance in relation to intelligence agencies just as they do in other contexts. The standards and expectation will vary depending upon that intelligence context but the principle will provide a guide as to the fair information handling requirements. I suggest that the relevance of each of the four principles, which I will set out below, should almost be self-evident on a simple reading. However, I will add a few observations on each. Information privacy principle 1 states:

Principle 1

Purpose of collection and personal information

Personal information shall not be collected by any agency unless-

the information is collected for a lawful purpose connected with a function or activity of the agency; and
the collection of the information is necessary for that purpose.

In the context of the SIS the lawful purpose will, of course, be linked to the definition of "security" as set out in the New Zealand Security Intelligence Service Act 1969 and which is proposed to be amended by this bill.

2.3.6 Information privacy principle 5 provides:

Principle 5

Storage and security of personal intelligence

An agency that holds personal information shall ensure -

(a) that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against -

(i) loss; and

(ii) access, use, modification or disclosure, except with the authority of the agency that holds the information; and

(iii) other misuse; and

(b) that if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised disclosure of the information.

Of all the information privacy principles I would have expected that this would cause least difficulty for intelligence agencies given their emphasis on security of information held and controls on its disclosure. However, in some circumstances there may be information about an individual which the intelligence organisation has a proper reason to hold but which, through a lapse in reasonable security safeguards or otherwise, is disclosed publicly or to another agency that has no purpose in receiving the information thereby harming the individual. An example would be certain material uncovered in the vetting process.

2.3.7 Information privacy principle 8 provides:

Principle 8

Accuracy, etc, of personal information to be checked before use

An agency that holds personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purposes for which the information is proposed to be used, the information is accurate, up to date, complete, relevant, and not misleading.

I appreciate that some small piece of intelligence may seem of little importance at the time it is gathered or shortly thereafter and yet, when it accumulated with various other pieces of the jigsaw puzzle, achieve a significance weeks, months or years later. However, at the time that the information actually is to be put to use, particularly where a decision based upon it will affect the interests of individuals, it is not unreasonable that the standards of principle 8, which require that having regard to the purpose for which the information is proposed to be used that reasonable steps (if any) be taken to ensure the information is accurate, up to date, and so forth. It may be that in the circumstances no checks are feasible and therefore no breach of the principle would be possible. However, where some reasonable step to check information which is to be used in such a way as to affect an individual could be checked it ought to be checked.

2.3.8 Information privacy principle 9 states:

Principle 9

Agency not to keep personal information for longer than necessary

An agency that holds personal information shall not keep that information for longer than is required for the purposes for which the information may lawfully be used.

If intelligence organisations open files on individuals, which turn out not to be necessary, maintain vast numbers of files on individuals, or retain personal data long beyond its proper usefulness, there are risks to privacy. Application of principle 9 would require agencies to have policies on the retention of personal information about individuals. These policies will be linked to the usefulness of the data for an agency's purposes and, for instance, to the statute under which the SIS operates. It would better serve individual privacy if some information was not kept overly long with the dangers that it will paint an inaccurate picture, be out of date, or inaccurate. That is not to say that intelligence of a particular nature might nonetheless be held for a long period where it is reasonable to do so. The importance is that intelligence organisations consider the principle, apply it as relevant for their purposes and ideally that some independent oversight body be able to look at the result, challenge it and for the agency to have to justify its position where it seems at variance with the principle. It is also important for individuals to have access to a complaints procedure when they are harmed by an agency's disregard of the principle.

2.3.9 I believe that the new Committee may have a role in examining, and providing guidance on, matters such as records retention policies just as the Australian Joint Committee has examined and reported on certain information handling practices. Similarly the Inspector-General may have a useful role in relation to information handling practices as has been the case in Australia. Additionally a function could be conferred on the Ministers responsible for intelligence agencies to issue guidelines to be observed by the agencies. A provision of that type is found in section 8A of the Australian Security Intelligence Organisation Act 1979 under which guidelines to ASIO on the collection of intelligence relevant to security have been issued (copy attached).

2.3.10 In addition to suggesting that four of the twelve principles should now be directly applied to intelligence agencies (although subject to a special complaints procedure whereby the needs of security are accorded a priority), I also think there is a role for expressly encouraging the adoption of internal policies to give effect to privacy accompanied by an independent mechanism to scrutinise those general policies and check that they are implemented, in a general sense, even if not on a day-to-day basis. Part of that would be achieved by my suggestion in the previous paragraph that the responsible Minister be able to issue guidelines to be observed by the agencies. However, that suggestion is primarily directed towards asserting the constitutional principle of responsible government that the agencies are subject to democratic control through the responsible Minister. This part of my suggestion is directed towards ensuring that the agencies themselves, take account of the needs of individual privacy and produce policies that they believe are adequate to meet those issues. In other words, I suggest the Act require the agencies to take account of the privacy interests in the discharge of their obligations. I believe that a number of privacy issues in any context, whether it be government agency or private business, can be satisfactorily resolved by adoption of good working practices. While it may be a challenge to do so in an intelligence context I suggest the basic approach remains sound. Accordingly, my suggestion that there be written into the Act an obligation on intelligence agencies to "adopt policies and practices which take account of the reasonable needs of individual privacy and, as far as practicable, and consistently with the requirements of security, accord with the information privacy principles in the Privacy Act 1993". Such an obligation should be supplemented by a requirement to put the policies before the Committee to be advised of those policies and for the Inspector-General to have a mandate to enquire into the implementation of such policies. If that suggestion is adopted it may also be considered appropriate for such policies to be discussed with the Privacy Commissioner, subject to the requirements of security.

3.0 Positive aspects of the bill

3.1 As earlier noted I believe the bill does provide for better oversight and accountability mechanisms than have previously existed. For that reason, I support the bill as placing better and more appropriate controls on surveillance which may infringe on the privacy of individuals.

3.2 As some apparently minor provisions in the bill may nonetheless be of significance I thought it might be useful to canvass some of the aspects of the bill which I particularly commend. Those features include the following:

Clause 6

The functions of the Committee would appear to be wider than bestowed on the UK Intelligence and Security Committee or the Australian Parliamentary Joint Committee on ASIO. In particular, I am pleased to note that, subject to the constraints in subclause 6(2) (which mirror the constraints on the Australian Committee) it appears, like the UK Committee, this Committee may pursuant to its function under clause 6(1)(a) adopt projects of its own motion which have not been expressly referred to it by the Government. The Australian Committee has been subject to criticism in that its functions are limited to reviewing matters that are referred to it by the responsible Minister or Parliament itself (although sometimes at the Committee's request). Given the "high powered" nature of the Committee and the security safeguards that have been adopted in relation to its operation I am pleased that the issues on which it can focus are not overtly limited by Ministerial control although, of course, the Committee is chaired by the Prime Minister and there is a government majority.

Clauses 7 and 8

The Committee includes the Prime Minister, the Leader of the Opposition, two Government MPs and a further member from the Opposition parties. The Prime Minister nominates the two Government members following consultation with the leader of each party in Government and the Leader of the Opposition nominates the other opposition member with the agreement of the Prime Minister following consultation with the leader of each party that is not in Government. Following this process of nomination the House of Representatives is given the opportunity to endorse each of the nominations and if necessary further nominations may have to be presented by the Prime Minister or the Leader of the Opposition. The procedure does seem to be a reasonable attempt to construct a committee enjoying support across party lines. In particular, it recognises a formal role for both the Leader of the Opposition and Parliament itself. Since privacy may be enhanced by having a committee with broad political support in its oversight task over agencies undertaking surveillance, I welcome this procedure. It is to be preferred over the Australian system which involves nominations solely by the Government (although with consultation with leaders of other parties and having regard to the desirability of ensuring representation of various political parties) or the UK position whereby the members are simply appointed by the Prime Minister after consultation with the Leader of the Opposition.

Clause 16

This clause deals with the provision of information to the Committee. Although it generally restricts the giving of "sensitive information" to the Committee I do support the fact that subclause (2) provides that sensitive information can be disclosed to the Committee if the chief executive of an intelligence agency "considers it safe" to disclose the particular documents. Although it is almost taken for granted for legislation of this type that some sensitive information may need to be withheld (not a proposition that every citizen accepts but which I take as accepted for this bill) I nonetheless support a provision which enables, in the circumstances of the case, a discretion to be exercised to release the information. This provides a flexibility which would not exist without subclause (2). Similarly, I support the inclusion of subclause (4) which acknowledges that while "sensitive information" might initially be withheld from the Committee it is open to the Prime Minister to nonetheless disclose the information where he or she "considers it desirable in the public interest" (although subclause (4) makes it clear that the Prime Minister does not have that discretion where it is sensitive information provided by a foreign government which does not consent to its release).

Clause 17

As with clause 16 I am pleased to note that subclause (3) confers a discretion on the Committee to disclose to Parliament certain information that would normally be withheld where it considers that there are "compelling reasons in the public interest why the information should be disclosed or published". It seems to me that in certain extreme circumstances the needs of security have to give way to public accountability through the democratic processes. The nature of the Committee gives me confidence that it can exercise that discretion wisely. I trust the Committee will bear in mind the privacy interests of individuals who may incidentally be named in documents which they release.

Clause 23

I am pleased to see the objects of this part of the Act spelt out and, in particular, that the Inspector-General will assist the Minister to ensure that the activities of intelligence agencies are consistent with human rights. Although that jurisdiction will not impinge directly on the administration of the Privacy Act I do note that amongst recognised international human rights is the right to respect for private life.

Clause 29

I note that the Inspector-General may appoint employees to carry out his or her functions. I welcome the fact that the Inspector-General may have his or her own staff since it would undermine public confidence in the role if an official in that position were to allow the intelligence agencies themselves to carry out investigations into complaints and simply review the results. The public might soon have seen that as calling into questions the independence of the process.

Clause 30(1)©

Currently complaints can only be made to the Commissioner of Security Appeals by "any person ordinarily resident in New Zealand". This has been widened in clause 30 to include New Zealand citizens and employees and former employees which, by implication, might include citizens and employees no longer ordinarily resident in New Zealand. The jurisdiction of the Inspector-General is broadened beyond the activities of the SIS to include the actions of any intelligence agency and the specific functions of the Inspector-General are in a number of case much wider than the former Commissioner. I welcome the broadening of these complaints mechanisms.

Clause 46

I support the provision for annual reports by the Inspector-General. There was no statutory requirement in the Commissioner of Security Appeals to produce such a report. I welcome the requirement to table the report in Parliament thereby promoting public accountability.

Clause 52

I support greater detail being given in the SIS annual report in relation to interception warrants. However, I suggest that even within the existing annual report provisions it should be possible for the SIS to give a somewhat greater account of its work during the year. Other intelligence agencies, such as ASIO, have found it possible to publish a significant degree of information without compromising security. At least one, the CIA, has established an internet site to disseminate information on its functions to the public.

4.0 Extension of meaning of "security" in SIS Act

4.1 The bill amends the New Zealand Security Intelligence Service Act 1969 by extending the meaning of the term "security". Presently, the Act defines the term as follows:

"'Security' means the protection of New Zealand from acts of espionage, sabotage, terrorism and subversion, whether or not it is directed from or intended to be committed within New Zealand."

Within that definition there are several defined terms as follows:

"'Espionage' means any offence against section 78 of the Crimes Act 1961";

"'Sabotage' means any offence against section 79 of the Crimes Act 1961";

"'Subversion' means attempting, inciting, counselling, advocating, or encouraging -

(a) the overthrow by force of the Government of New Zealand; or

(b) the undermining by unlawful means of the authority of the State in New Zealand"; and

"'Terrorism' means planning, threatening, using, or attempting to use violence to coerce, deter, or intimidate -

(a) the lawful authority of the State in New Zealand; or

(b) the community throughout New Zealand or in any area in New Zealand for the purpose of furthering any political aim".

4.2 The bill proposes to alter the definition by extending its meaning so as to also include "the ensuring of New Zealand's international well-being or economic well-being". Accordingly, the new definition would read:

"'Security' means the ensuring of New Zealand's international well-being or economic well-being and the protection of New Zealand from acts of espionage, sabotage, terrorism, and subversion, whether or not it is directed from or intended to be committed within New Zealand".

The new definition is not accompanied by any definitions of any of the terms or phrases used within the additional words. No guidance is given to the exact meaning that is intended to be given to the phrase "the ensuring of New Zealand's international well-being or economic well-being".

4.3 The term "security" is central to the New Zealand Intelligent Service Act and the operations of the SIS. The functions of the SIS are primarily defined by reference to the term "security". The Act provides that the functions of the SIS shall be:

to obtain correlate, and evaluate intelligence relevant to security, and to communicate any such intelligence to such persons ... as the Director considers to be in the interests of security:
to advise Ministers ... in respect of matters relevant to security, so far as those matters relate to Departments or ... State Services for which they are in charge;
to co-operate ... with such State Services and other public authorities ... in the performance of its functions;
to inform the New Zealand Intelligence Council of any new area of potential espionage, sabotage, terrorism, or subversion in respect of which the director has considered it necessary to institute surveillance."

Other parts of the Act under which the SIS operates makes reference to "security", notably in relation to the interception warrants.

4.4 Interestingly, paragraph (d) of the functions of the SIS is not proposed to be amended to extend the functions either to "security" as a whole or to the international well-being or economic well-being aspects of security. Given the lack of a definition of the new terms being incorporated into the meaning of "security", the vagueness inherent in the phrase itself, it is not entirely understandable either what is intended by the new definition or by the failure to amend paragraph (d). A close reader of the Act is left wondering whether it is accordingly intended that the SIS will not institute surveillance in respect of that aspect of security dealing with "the ensuring of New Zealand's well-being or economic well-being". Perhaps it is intended that surveillance forms no appropriate part of those security functions and instead the SIS is only expected to receive intelligence from overseas or be involved, say, in relation to vetting in relation to that new part of the definition. Or, perhaps, it is intended that surveillance will form part of the new functions but the New Zealand Intelligence Council is not intended to be informed of such surveillance.

4.5 Perhaps some guidance as to what the new, wider, definition of security means can be found by noting what it does not include. Section 4(2) of the New Zealand Security Intelligence Service Act which provides:

"It shall not be a function of the Security Intelligence Service -

to enforce measures for security; or
to institute surveillance of any person or class of persons by reason only of his or their involvement of lawful protest or dissent in respect of any matter affecting the Constitution, laws, or Government of New Zealand."

4.6 In my view, the new phrase inserted in the definition creates a degree of uncertainty which I believe is undesirable for individual privacy. The uncertainty makes it difficult to judge the proposed change and offer an opinion on the reasonableness of the extension of the powers of the SIS. Even if one believed that the SIS has a proper role in some aspect of "ensuring New Zealand's international well-being or economic well-being" the uncertainty in the phrase, and the possible interpretations which might be placed upon it, make it in my view a potentially dangerous step in relation to individual liberties to take. However, if the proponents of the change are able to more carefully express what they have in mind then I expect it may well be possible to obtain consensus for some limited extension. I do not come from a position of implacable opposition to any extension of the remit of the intelligence agencies but I do believe, from the perspective of individual privacy and civil liberties, that any extensions must be made cautiously and in full knowledge of the new tasks that society is intending to ask its intelligence agencies to undertake. I believe that this particular amendment is too open-ended to give comfort to those with concerns as to how far the change is intended to be and what the new role will entail.

4.7 In addition to recommending that an attempt be made, if possible, to more clearly define what is intended in this new role I would also express some caution as to simply extending the remit of the SIS because a problem is identified. I believe that some of the risks in relation to actions which might undermine New Zealand's international well-being or economic well-being can probably adequately be undertaken by other arms of the government, such as the Ministry of Foreign Affairs and Trade or the Police, without necessarily assuming that the role is appropriate in all respects for the SIS. Some aspects may need to be addressed by creating new criminal offences, as has happened recently in relation to money laundering and has been mooted for computer "hacking".

4.8 For example, if there is a risk of someone doing significant damage to a major New Zealand government entity or commercial enterprise such as a bank, through hacking into a computer, then I believe this ought to be directly addressed by the criminal law and the mandate given as appropriate to the normal policing authorities, such as the New Zealand Police and Serious Fraud Office. Only on careful examination of that context (or other identified contexts) would it then be possible to identify whether there remains an appropriate role for the SIS.

4.9 The issues that I raise are not unlike concerns that have been expressed before in relation to the meaning of "subversion" which appears in the meaning of "security". Concern on that point has never entirely disappeared from the minds of people concerned about the status of liberties in this country. I believe it has always been accepted, even by ardent supporters of intelligence agencies, that it is appropriate for society to keep their remit tightly defined given the limited open public accountability. I believe that is why the SIS's functions were first put on a statutory footing in 1969, why some of the safeguards recommended by Sir Guy Powles are now included in that Act were adopted in 1977 (although the purpose of the 1977 amendments, like this one, was also to extend the SIS's functions) and why this bill proposes new oversight and review mechanisms.

4.10 Australia also had a debate in relation to the term "subversion" which was also used in their definition of "security". Some argued that the inclusion of the term enabled ASIO to monitor and adversely record any political expression dissenting from the prevailing norm. However, rather than judge these terms by their harshest civil liberties critics I would rather briefly quote from the 1985 Hope Royal Commission on Australia's Security and Intelligence Agencies which recognised dangers to political expression and concluded:

"that there is substance in the proposal to do away, in the definition of 'security', with the separate characterisation of activities under the heading of 'subversion'. As I previously pointed out, subversion is not the name of any common law or statutory offence. The word has produced much adverse reaction and may also, by its vague overtones of anti-government activity, tend to mislead people as to the nature of the activity which ASIO is intended to investigate."

4.11 The Australian response to these concerns, following the Hope report was to redefine their definition of security by omitting "subversion" and adding in new definitions substituting precise concepts. Mr Justice Hope took the view that, in the absence of violence or foreign interference, types of activities such as the manipulation of trade unions and other groups so as to create industrial and commercial chaos, the manipulation of the money supply, and the infiltration of government and other areas of constitutional power, were not the proper work of the Security Service in the absence of violence or foreign interference. Accordingly, the Australian Act replaced "subversion" within the definition of the word "security" two terms which are not found in the New Zealand equivalent. These are "politically motivated violence" and "acts of foreign interference" which are precisely defined. I am not arguing that the Australian definition is ultimately "better" than the New Zealand one and some of the concepts are interchangeable with the New Zealand definitions of "subversion" and "terrorism" (neither of which appear in the Australian definition). What I am saying is that an appropriate response, as in Australia, may be to try to more clearly articulate and define the concepts encompassed in the meaning of "security". At least one Australian commentator has suggested that similar moves in Australia to encompass within ASIO's remit issues relating to commercial information may, in any case, be covered within functions conferred already to deal with foreign interference directed towards government processes.

5.0 Review of other issues

5.1 There are a variety of other privacy issues which arise in relation to intelligence agencies. Other concerns could be raised in relation to the SIS Act. For example both the Canadian and Australian legislation regulate in more detail the function of vetting. This "privacy costly" activity is not spelt out in our legislation despite being a significant part of the function of the workload of the SIS. The failure to put GCSB on a statutory footing, given its partial exemption from the Privacy Act (not to mention other types of control or oversight), may be a concern. However although I may have strayed a little I have tried to largely keep my focus on the direct subject matter of the bill: that is, what it does reform rather than on issues worth reforming but on which this bill is silent.

5.2 As there are a number of these other issues, and the institutions created by this bill will have a useful perspective on them, I suggest that a requirement for a review be incorporated into the Act. My suggestion is that the Committee be given the task, in the three years' time, to report on the operation of this bill and the SIS Act, and to recommend any amendments which may be desirable. I anticipate, from a privacy perspective, that two issues particularly worthy of examination are whether provisions for vetting should be detailed in law and whether GCSB should be put on a statutory footing.

B H Slane

Privacy Commissioner

26 February 1996

ATTACHMENT 1

Suggested amendments - clause by clause

This part of the report amplifies some of the comments made earlier and suggests some possible amendments. Some of the other points made here have not been alluded to in the report but should be self-explanatory.

Clause 2

A definition of "sensitive information" is given which is then utilised in the provisions dealing with disclosure of information (clause 16-18). This term is modelled on the definition of "sensitive information" which is contained in clause 4 of schedule 3 to the Intelligence Services Act 1994 (UK). However, it should be noted that there are two significant differences in the definition which make the category of "sensitive information" in the New Zealand bill potentially wider than that defined in the UK Act. A broader definition may mean that more information can be withheld from the Committee. The effect of that may be that the degree of oversight that the Committee might be able to exercise in particular cases may be somewhat more limited than is the case with the definition in the UK Act (although that is not necessarily to be assumed just by the difference in definition since there are, for example, differences in the discretions that may be exercised to release information to the respective committees). This is a matter I considered ought to be drawn to your attention but I have no recommendation as to whether the definition ought to be changed.

The two differences would seem to be that the New Zealand legislation will include as "sensitive information" information which has been provided to an intelligence agency by another department or agency of the government of New Zealand (sub paragraph ©(ii) of the definition) whereas the UK definition will only encompass in that respect information provided by an agency of a government of a territory outside the United Kingdom. The second notable difference is that of the drafting of subparagraphs ©(iii) and (d)(ii). The relevant part of the UK definition (with emphasis added) reads:

"Information provided by ... the government of a territory outside the United Kingdom where that government does not consent to the disclosure of the information"

whereas the phrase used in the New Zealand definition is:

"Information that has been provided ... by the government of any other country ... and is information that cannot be disclosed by the intelligence ... agency without the consent of the government ... by which that information has been provided."

It appears to me that the UK legislation anticipates an intelligence agency being able to assert that the foreign government "does not consent" to the release of the information, which in turn anticipates the agency knowing what that other government's attitude is (presumably by asking it). The New Zealand provision, on the other hand, would appear to anticipate that there is a class of information that cannot be disclosed without the consent of another government and does not necessarily imply that the intelligence agency actually knows what that other government would think on a particular occasion.

Clause 13

Clause 13(7) indicates that officers from the Prime Minister's department can be appointed, with the concurrence of the Intelligence and Security Committee, to assist in the conduct of business of the Committee. Under subclause (8) those officers would be security cleared. However, the Prime Minister is the Minister in charge of the SIS and therefore there is the possibility that members of the Committee or commentators may see the staff as executive-oriented. For the committee to be most effective it will need intelligent, independent and diligent staff to assist to formulate the correct questions, follow through between meetings and develop a work programme. It may also be preferable to state that such staff are not to be current or (recent) former employees of any intelligence agency.

Clause 13 also provides that meetings may be convened "as the Prime Minister thinks necessary". The quorum for the meeting requires the Prime Minister's presence. Accordingly, clause 13 allows the work of the committee to be stalled or never commenced if the Prime Minister chooses not to convene meetings or is too busy to attend them sufficiently frequently. I suggest that consideration be given to:

a requirement to convene, say, at least two meetings every year;

enabling the convening of meetings either by the Prime Minister or by resolution of the committee.

Clause 24

Evident in this Bill, particularly with regard to the establishment and operation of the Committee, is a concern to recognise that oversight of intelligence agencies needs to be carried out in a non-party political way. The Australian legislation providing for the appointment of an Inspector-General requires the Prime Minister to consult with the Leader of the Opposition before a recommendation is made to the Governor General for the appointment of a person as Inspector-General. This may be a feature worthy of incorporation into clause 24.

Clause 25

Clause 25(1) enables an Inspector-General to be appointed for a term of three years and provides that he or she may from time to time be reappointed. Given the secrecy of the work of intelligence agencies and the confidentiality imposed on the activities of the Inspector-General it is inevitable that some members of the public will be suspicious as to how diligent and independent the Inspector-General will remain. Some will retain a suspicion that an Inspector-General who has been in the position for a few years will no longer retain the detachment with which he or she entered the position. There may be a risk that the person subconsciously absorbs the culture of secrecy and surveillance. I suggest that it may well be appropriate to limit the Inspector-General to a maximum of two terms. An alternative would be a longer term, say 5 years, which cannot be renewed.

Clause 30

Subclause 30(4) provides that the Inspector-General shall not inquire into the "day-to-day operations" of an intelligence agency except to the extent "strictly necessary" for the performance of functions under subclause 30(1). A similar limitation is placed on the Committee in subclause 6(2). While appropriate for the Committee I question whether the restriction, which might be considered relatively vague, is appropriate in respect of the Inspector-General. I recommend that clause 30(4) be deleted or, at least, that the word "strictly" be omitted. Some latitude is necessary I believe if the Inspector-General is to carry out his or her functions effectively as the Prime Minister's assistant.

Clause 30(5)(b) provides that the Inspector-General must not conduct an enquiry in relation to a complaint by an employee or former employee of an intelligence and security agency alleging that he or she has been adversely affected unless "all established internal remedies have been exhausted". While it is desirable to avoid the resources of the Inspector-General being wasted on employee grievances which should be able to be solved internally this does present problems. It may be harsh to deny an employee or former employee access to the external complaints mechanism for failure to utilise some forms of internal mechanism, especially informal ones. I suggest that consideration be given to modifying the provision in one or more of the following ways,

delete the word "and" at the end of subparagraph (a) and substitute "or";
add the word "reasonable" after the word "all" in subparagraph (b);
apply the subsection to current employees but enable former employees to complain directly to the Inspector-General (note that this last proposal will have limited application for some time anyway given clause 33).

Clause 31

I suggest that consideration be given to whether there is a need for a provision to mirror clause 31(2) to appear in the Privacy Act given that I am also under a secrecy obligation. Such a clause may enable me to disclose information in my possession, particularly where part of an investigation I am undertaking in relation to an access review or other complaint may partly involve a non-privacy complaint more properly considered by the Inspector-General. Amendment to section 55 of the Privacy Act may also be desirable, to mirror section 55(d).

Clause 37

Clause 37 is a "whistleblowing" provision prohibiting the victimisation of an employee of an intelligence agency who brings a matter to the attention of the Inspector-General in good faith. I support this provision but suggest that consideration be given to:

what effect clause 30(5) will have on the provision;

the position of former employees; and

whether the whistleblower protection should be extended to any other class of person, such as employees of other public sector bodies which supply information to an intelligence and security organisation, or some other source or former source.

Clause 41

Clause 41 enables the Inspector-General to hear evidence in private where "to do otherwise would be likely to prejudice one or more of the interests referred to in section 45(3)(a) of the Act". This essentially refers to security and safety interests and therefore may be availed of by an intelligence agency to exclude a complainant when the agency is giving evidence. However, it is hardly likely that a complainant could, under this clause, exclude an agency when giving evidence. This is a change from the present position which applies to the proceedings of the Commissioner of Security Appeals. In the current Act it is provided in section 20(3) that:

"In arriving at his conclusions the Commissioner shall hear separately and in private such evidence (if any) as may be tendered by the complainant and any witnesses whom he may wish to adduce, and shall hear separately and in private such evidence (if any) as may be tendered by the Director and any witnesses whom he may wish to adduce."

Accordingly, while appearing neutral this provision is, in fact, one that will only really be able to be utilised by intelligence agencies. It involves a change from the existing provision which gave complainants the right to be heard in private without employees of intelligence agencies being present.

The same issue was considered in Australia and in that case the Australian Government favoured the position adopted in this bill. However, a different conclusion was drawn by the Royal Commission into Intelligence and Security which recommended that:

"The Director General or his representative should be present when [the applicant's] evidence is being tendered, save to the extent that the Tribunal otherwise directs in order to protect the privacy of the appellant or a witness...".

I strongly recommend that consideration be given to modifying clause 41 to enable the Inspector-General to hear evidence separately and in private where to do otherwise would be likely to prejudice the privacy of an individual or the interests of justice. Note that this would still amount to a tightening of the existing provision in favour of allowing agencies to be present when complainants give evidence but would leave more discretion with the Inspector-General than is allowed in the clause as drafted.

Clause 44

The provisions establishing the Inspector General's functions, powers and procedures would seem simply to anticipate an investigative role followed by, if appropriate, a report of conclusions and recommendations to the responsible Minister and the Chief Executive of the intelligence agency (refer subclause 44(1)). Of course, in many cases this Ombudsman-like arrangement will be entirely adequate to resolve complaints satisfactorily. However, given that matters which will be handled by the Inspector General will generally not be capable of being remitted to a regular court, or some other determinative forum, it may be desirable to give the Inspector General some determinative functions or, if that is clearly inappropriate, some powers to expressly recommend specific remedies like compensation. I make these suggestions bearing in mind that the bill specifically anticipates a current or former Judge undertaking the role of Inspector General.

The Ombudsman-type recommendation is at the weaker end of the models that could be adopted for providing redress on complaints that are upheld. It relies upon the Minister accepting the recommendation and, in his or her discretion, resolving it in the manner that the Inspector General has recommended or in some other manner. The complainant is not free to take the matter anywhere else and therefore even a successful complainant is not in a strong position. Even in the UK, there is provision for a tribunal not simply to make a recommendation to the Government but to actually to direct the Secretary of State to pay to the complainant a specified sum in compensation in relation to certain complaints. In Australia, concern over how individual staff grievances had been handled led to some employees "going public" on a ABC Four Corners programme in February 1994. This was one of the reasons for the Australian government established an enquiry into ASIS. Amongst the recommendations of the enquiry was to transfer external review of staff grievances from the Inspector General to the Security Division of the Appeals Tribunal which has a determinative power. That was seeing as having the advantage of keeping the staff grievance review function on a more detached and judicative basis and would provide for legally binding findings. It would also allow the Inspector General more time for agency monitoring functions. The Australian government's preferred position was for the Inspector General to retain the grievance function but for that to be more clearly delineated and for the Inspector General to act in a more adjudicative manner in relation to staff grievances. The government concluded that the Inspector General should be given a determinative power.

Clause 45

Clause 45 has its equivalent in section 20A(1) of the present Act. However, section 20A has a safeguard in subsection (2) which does not appear to have been carried over into the bill. That subsection provides that the Minister cannot issue a certificate which will effectively prevent the Inspector-General from obtaining or receiving certain information (and therefore stop an investigation) until the consultations provided for in section 20(2A) have been completed. This appears to anticipate a Minister delaying the issue of a certificate until the Inspector-General has consulted with the Director and they have considered all the precautions that may be necessary to protect the secrecy of any source. Presumably, in some cases the issue of a certificate, which is a power which should only be exercised sparingly in a free and democratic society, may turn out not be necessary. The explanatory note to the bill gives no explanation to that change. I suggest that there may be a case for re-enacting the same or a similar safeguard.

Clause 46

As earlier mentioned, this bill already recognises the desirability of taking steps to avoid any suggestion of party political control of the oversight mechanisms. Clause 46, for obvious reasons, anticipates the exclusion of material from the Inspector-General's annual report where the publication of such matters would prejudice the security or defence of New Zealand, certain other intelligence concerns or if the publication would endanger the safety of any persons. I note that the equivalent provision in the Australian legislation allows a copy of the Inspector-General's complete report (including the material which will be excluded from the published version) to be given to the Leader of the Opposition. There is an obligation on the Leader of the Opposition to treat as secret any part of the report that is not tabled in Parliament. I suggest that this provision may be worthy of consideration for inclusion in clause 46.

Clause 48

Clause 48 places some restrictions on publication of information unless it has been "approved for release (the approval being an approval given in writing after the Inspector-General had consulted, in relation to security requirements, with the Chief Executive of the intelligence ... agency to which the enquiry or complaint relates)." I am not sure that clause 48(1) adequately takes account of clause 46(2)(b) which anticipates the Inspector-General including in a report a brief description of the outcome of each enquiry. I suggest section 48 make quite clear the freedom to publish anything that appears in a report released under section 46.

Additional clauses in Australian Act having no equivalent in the bill

As earlier mentioned, I have examined the legislation in force in the UK, Canada and Australia as part of my examination of this bill. Each piece of national legislation has its own characteristics and it will not be necessary or appropriate to shape our legislation in identical terms to any of the other models. Indeed, in many small respects the provisions in this bill relating to the Committee and the Inspector-General may be better than the models upon which they are based. Nonetheless, I have noticed two particular provisions in the Australian Act of interest.

The Australian legislation enables a person in custody to communicate directly with the Inspector-General confidentially using a sealed envelope. The need to communicate privately with independent complaints bodies has been recognised in other New Zealand legislation dealing with closed institutions. Obviously, a person in custody who believes that he or she has need to communicate with the Inspector-General will feel somewhat constrained if it is perceived that any communications with the outside world are subject to surveillance by the SIS. That will particularly be the case if the person perceives that they have been brought to their present state through the actions of an intelligence agency. A person in custody can send a sealed letter to the Ombudsman who could pass it on to the Inspector-General. That being the case, direct access would seem to be appropriate.

I would also commend for consideration a power to issue guidelines to intelligence agencies, such as is found in the Australian legislation.

Other recommendations

I suggest that information privacy principles 1, 5, 8 and 9 be extended to apply to intelligence organisations and that a review clause be included in the legislation for some other issues to be addressed in three years' time. I also suggest that intelligence agencies have policies to comply as far as practicable with the information privacy principles, consistent with the requirements of security, and for such policies to be subject to the scrutiny of the Committee and for the Inspector-General to be able to review their implementation.

SOURCE