Editorial: Privacy laws must focus on real problems

New Zealanders will have the option to opt out of telemarketing calls under proposed changes to the Privacy Act. File photo / Thinkstock

One of life's frequent annoyances is the telemarketing call that interrupts an evening meal. It is annoying, but should there be a law against it? Law should not restrict commercial freedom without good reason. The Government-appointed Law Commission has recommended legislation to make it illegal for direct marketers to contact anyone who has put their name on the industry's "do not call" register. Its reason: the right to privacy.

The commission is more sensitive than most people to the risks of letting any human right outweigh others. Privacy is a comparatively recent concern to be accorded statutory protection, and an increasingly difficult right to preserve in the age of the internet. The commission has just completed a long review of the Privacy Act 1993 and its suggested restriction on telephone marketing is one of several questionable recommendations in its final report.

There will be no argument with its suggested ban on web posts of indecent personal photographs which vindictive ex-partners are said to have published on the net. Personal material considered "highly offensive" and published without the subject's consent would be a breach of the Privacy Act, as would any use or disclosure of the material by others even once it was publicly accessible.

But it is less clear that the act needs to give the Privacy Commissioner power to undertake investigations on her own initiative rather than merely respond to complaints. She would be empowered to order audits of an organisation's handling of personal information and to issue notices requiring compliance with the act.

There is a risk in any regulatory regime that officials will concern themselves with possible problems that exist more in principle than in practice. A system driven entirely by complaints from the public is more likely to keep the regulator grounded in real issues. If misuse of personal information is as big a problem as it is thought to be these days, complaints alone should be keeping the Privacy Commissioner busy.

The Law Commission is concerned that too often people might not know when data about them has fallen into unauthorised hands. Recent events in Britain reinforce this fear. The commission suggests that in the event of data security breaches it should be mandatory to notify every individual whose privacy has been compromised. But only if the information is "particularly sensitive" or if notification would enable people to minimise the potential harm. The tests are subjective and needless. Notification should be mandatory in all cases.

The Law Commission is rightly concerned, too, that the Privacy Act is being invoked to inhibit exchanges of information that are clearly in the public interest. Information-sharing among health and social agencies is highly desirable for dealing with disease, child abuse and providing services from multiple agencies through a "one-stop shop".

Yet the commission proposes that any such arrangements should be a formally declared programme, drawn up in consultation with the Privacy Commissioner and approved by the Cabinet. It seems a laborious and discouraging procedure for the sake of privacy risks that sound hypothetical. People generally do not trust one government agency more than another. When they give personal information to one, they may not care and might even expect that it might be used for their benefit elsewhere in the state apparatus.

Privacy is an elusive subject for law. Its definition differs from one person to another more than ever these days. Matters that one person would keep private another would put on a web page. The law should assume nothing and respond to real and serious problems. The productive exchange of information is just as important.