The privacy of banking information is in the spotlight after Westpac told the Privacy Commission it did not need any legal order before handing over customers' personal banking details to police.
Westpac claimed it got the power to do so when customers signed the bank's "terms and conditions" - a move it claimed voided customers' rights.
It was an argument unsuccessfully made by the bank in its attempt to defend itself over the disclosure of Nicky Hager's details to police investigating his Dirty Politics book.
In a decision released today, the Privacy Commission expressed doubt in its ruling that the bank could actually hold a "well-founded belief" that its customers had signed away their rights.
In the ruling, Privacy Commissioner John Edwards said Westpac "believes that every customer has authorised the disclosure of all of their information from each of their accounts to Police for whatever reason Police give" even without a search warrant or other legal order.
"I simply cannot accept that is a well-founded belief. As a general proposition it seems untenable that Westpac would genuinely hold this belief.
"I am sure it would come as a surprise to a great many of Westpac's customers that this were so."
The ruling stems from a police inquiry into the identity of Rawshark, the hacker who provided Hager with information used in the 2014 book Dirty Politics. The book argued that John Key's Government was using right-wing bloggers as attack dogs to go after opponents.
A search warrant executed by police on Hager's home has already been ruled unlawful.
As part of the court process, it emerged police had also obtained Hager's personal banking information from Westpac.
The application for the information was based on a scheme used by police across the entire banking industry - a claim that an exception to the Privacy Act allowed banks to hand over information to police if they believe it will assist maintaining law and order.
The scheme was promoted by the NZ Bankers' Association and at one stage saw banks receiving daily requests for customer information.
In the case of one bank, an executive said the police requests were used as an early warning system for the bank to protect itself against customers who might be in trouble with the law.
It was on this basis that German entrepreneur Kim Dotcom was refused a mortgage after police began quiet background checks ahead of his arrest on copyright charges.
The Privacy Commissioner said Westpac had failed on both its arguments that it was allowed to provide the information to police. The commissioner said he "cannot accept that Westpac formed a belief on reasonable grounds that Mr Hager so authorised such a disclosure".
He also said there was insufficient evidence provided by Westpac to show it had to reveal Hager's information to avoid "prejudice to the maintenance of the law".
While he said Hager had suffered harm, it was not at the "extreme" end of the scale. He also said he would not put the case forward for prosecution by the Human Rights Tribunal because Hager had legal representatives who could take that step.
"While the decision was based on the particular facts of this case it will be relevant to the debate about whether this practice should be allowed to continue."
Hager said he was concerned about Westpac's claims of a "new policy" which halted this practice because the bank appeared to choose when it applied.
"If Westpac follow this new policy then that would be a massive improvement. I think Westpac needs to promise publicly to follow that policy in all circumstances.
"The Police had this arrangement with all banks. All customers should be asking their bank in what circumstances their bank will release their personal information to the police and others. This is also an issue for other companies that hold private data such as phone companies, utility companies, and online websites."
Westpac will not make public its "internal policy" which governs the requests from police and other government agencies but did make public an excerpt which stated that the "reason for the release of information is valid".
A spokesman said Westpac received close to 30,000 requests for information from agencies and Police in the past 12 months.
Of the 33 times information was made available without a formal legal order, 29 involved missing persons, "one involved assisting in identification of a foreign national who died here, one as evidence an elderly customer had been defrauded and one for Police trying to isolate the location of a fraudster using a stolen chequebook".