The most chilling aspect of the police intrusion into Nicky Hager's privacy is how ordinary it was.

Detective Inspector Dave Lynch, in an affidavit to the court, said "such enquires are basic steps in many investigations to pursue a variety of legitimate enquiries".

He was referring to the practice of pointing institutions to the Privacy Act clause 11(e) which allows institutions to disclose people's personal information if there is a "reasonable belief" it helps with the "maintenance of the law".

So for police there was nothing unusual about asking airlines, banks, phone companies and TradeMe for personal details without a legal basis. Westpac complied and handed over 10 months of Hager's banking and credit card records.

Advertisement

While Westpac has been pilloried for doing so, there has been silence from the other institutions Hager did not bank with. They had nothing to give, but there is nothing to suggest they would act any differently.

In the Hager case, did the institutions which refused to comply do so because they never provide these details - or was it because a request for Hager's details set off warning bells? It wouldn't be hard to predict that it might not be the best idea to hand over highly personal information on the country's best-known investigative journalist in what was inevitably going to end in a messy court battle.

Evidence compiled by the Herald shows it is not uncommon for all those institutions at one time or another to act just as Westpac did.
How often, nobody knows. Aside from TradeMe, none of the bodies publish data showing how often police seek customers' personal data without legal order, or how often they comply. In TradeMe's case, it's 2014 Transparency Report showed police made warrantless requests for information on 1663 occasions while other government agencies made 641 requests.

If a comparable number of requests is made of the banks - and Kiwibank has previously said there are daily requests - that's more than 30,000 requests a year across the 16 banks targeted in the Hager case.

You won't find out from police. It does not publish data showing how often it makes such requests, saying it doesn't need to. The statement from Detective Inspector Lynch of the requests being "basic steps in many investigations" is also in conflict with the position Assistant Commissioner Malcolm Burgess asserted for police in March this year. He said: "While the Privacy Act provisions can be used to access low-level information, such as basic account details, higher level data must be obtained through a production order."

Is there really anything "low-level" about 10 months of bank and credit card statements, all handed over without a legal order? It becomes even less "low-level" when considered against the other information police sought, which included phone and email information, travel data and information about anyone Hager might have traveled with. Combine those details and it becomes retrospective, warrantless surveillance.

The Herald has reported on police use of this exception since 2012 when it was discovered that KiwiBank handed over Kim Dotcom's personal banking details without any compulsion to do so. What's more, the bank cancelled a mortgage application from Dotcom. An executive at the bank later told the Herald: "Kiwibank takes any approach from police seriously, and as a prudent lender, would consider any such approach as part of its overall assessment of any banking relationship.

"It does not influence the bank's position one way or another but is taken into account as part of the bank's holistic assessment of a customer's character and suitability for lending or general banking services."

But it is not just the banks. Senior lawyers told the Herald earlier this year of airline, bank, electricity company, internet provider and TradeMe providing data without any legal order. A district court judge in one case in which electricity details were provided raised concerns about "the increasingly intrusive nature of the information gathered by power companies". The judge said "one must question whether this is material which ought to be handed over without the authority of a production order".

Concern over this practice is such that the Privacy Commissioner, John Edwards, is carrying out a pilot transparency project capturing the number of requests made by agencies. Police are believed to be involved.

But don't expect it to reveal the extent to which the exception has been used. The simple act of transparency is likely to reduce the practice. That was TradeMe's experience with its Transparency Report.

It is likely those who value their privacy will be less inclined to bank, or do any business with, an institution that is casual with its personal information. Expect to see those institutions, now that the Privacy Commissioner is shining a light into this secretive practice, tell police and other law enforcement agencies to come back with a search warrant or production order.

That's what has happened at Westpac, which will now only confirm it has accounts held by a person of police interest and insist on a production order before providing further information.

This will not harm the "maintenance of the law". If anything, it should enhance respect for it - and for the privacy of citizens.