Government made 12,000 privacy requests to just 10 companies

Nearly 12,000 requests for New Zealanders personal information were made by Government agencies. Photo / iStock

• The Privacy Commissioner has revealed almost 12,000 requests for Kiwis' personal information were made by Government agencies
• Only a fraction of the requests for information were rejected
• More than 1000 information requests were incorrectly labelled
• The revelations come after the Herald reported police were regularly seeking personal data

Nearly 12,000 requests for New Zealanders personal information were made by Government agencies over three months and to just 10 companies, new research reveals.

The Office of the Privacy Commissioner, which oversaw the transparency project, has warned that more than 1000 requests were incorrectly characterised - and that this could have legal consequences.

It has also stressed to companies that they do not have to comply with many requests, and law enforcement agencies should make this clear.

Read more:
• Police given personal information without search warrants

Senior lawyers, privacy advocates and companies have concerns about the growth in government requests for company records and personal data.

Instead of seeking a legal order, police have asked companies to hand over the information to assist with the "maintenance of the law"-- requests that carry no legal force but are regularly complied with.

Privacy Commissioner John Edwards and his office developed a pilot transparency reporting project, and he presented the results at Parliament's justice and electoral select committee this morning.

The 10 companies that revealed how many requests they had fielded from August to October 2015 did so on a voluntary basis after being asked to take part in a new transparency reporting programme.

The companies came from the financial services, communications and utilities sectors. They declined only a fraction of the requests for information -- of the 11,799 made, 449 were rejected.

There were also three bulk requests received over the course of the trial -- requests for a group of people, such as all individuals that accessed a service during a set time period.

The willingness of New Zealand companies to comply with information requests (96 per cent) was high compared with international companies (63 per cent).

The OPC found that more than 1000 information requests were incorrectly labelled by the companies receiving them as being made under the Privacy Act.

"This is an incorrect characterisation as the Privacy Act provides no mechanism for government agencies to make requests for personal information of individuals. The mischaracterisation is more than trivial and has legal consequences beyond mere linguistics," the OPC report states.

Last year, the Herald reported that police were regularly seeking personal data from airlines, banks, electricity companies, internet providers and phone companies.

A range of agencies have been citing clauses in the Privacy Act to get people's personal details. Clauses in Principle 11 allowed personal information to be provided if it was for "the maintenance of the law", "protection of the public revenue", to "prevent or lessen a serious threat"to individuals and similar clauses.

The OPC report, released today, advised that companies must decide if a clause justifies information release.

"If the company decides not to release the information without a court order then it is entirely legal for it to do so ... to avoid confusion, law enforcement agencies should consider making it clear on request forms that it is a voluntary decision for the agency being asked to accept or decline a request."

Requests for all information held about a person on an account -- such as name, address, subscriber services, transactional information and communications -- were the most common.

The five government agencies which made the most requests for personal information were Inland Revenue (4670 requests), Police (3513), Ministry of Social Development (3150 requests), Ministry of Business, Innovation and Employment (99) and Customs (73).

Mr Edwards' office found the most frequently cited information gathering powers used by government agencies were section 17 of the Tax Administration Act (4470 requests), section 11 of the Social Security Act (3108) and production orders under section 71 of the Search and Surveillance Act (962).

The other requests were complied with without compulsion or an express statutory power, with companies in the transparency trial most commonly citing Principle 11 in the Privacy Act.

The OPC said it was important to acknowledge that companies that hand over information were fulfilling an essential corporate duty. Government agencies relied on the information to carry out duties including fraud detection and crime investigation.

The findings of the transparency trial indicated that companies wanted advice about how to reveal how many requests they were handling, and the legal implications of responding to information requests from government agencies.

The OPC plans to extend the trial this year, with more companies from other sectors such as health and retail -- and will consider including requests from intelligence and security agencies.