Privacy Awareness Week 2012 Notes from the coalface Presentation by Mike Flahive and Dawn Swan
Privacy Awareness Week 2012
Notes from the coalface
Presentation by Mike Flahive and Dawn Swan
In March: The News
• Australian Cricket Association
• ACC data breach
• Ports of Auckland
• Law Commission / Code amendments
• CCTV in Pukekohe
• Police to pay damages
• Coroner’s comments
The Reality
• Complaints
> 968 last year, 915 currently
• Enquiries
> 7006 last year, 6475 currently
• Eight team members hold files
• On average, each investigator will receive 125 files and close 120 each year
Work in progress
• An average of 50 files
• Half access, 25% disclosure
• Even split public and private sector
• Age of files: 88% under 6 months
• Dominant focus settlement
• 30% settled
Outcomes on closed files 2010/11
Closed 999
No interference with privacy 686
Complaint has substance 313
Settled / mediated 281
Referred to Director of Human Rights Proceedings 19
Settlement record (2010/11)
Access
• 534 access complaints
• 208 settled
• 185 involved release or partial release of information
• 21 involved payment of money averaging $650 for slow release or refusal
• 2 payments in excess of $2,000
Settlement record (2010/11)
Disclosure
• 267 closed
• 52 settled
• 19 involved payment of money averaging $8000
• 3 payments in excess of $10,000
• 1 payment more than $40,000
• Average without large payment $5,000
Examples of settlement
Health agency
• Gave information to person about patient
• Person not a relative or holding EPOA
• No checking by health agency
• Apology, assurances, training and $5,000
Examples of settlement
• Agency repeatedly sent correspondence to complainant’s residential address contrary to arrangements to use PO Box
• Spouse found out about secret arrangement
• $1,000 new terms of contract
Examples of settlement
Agency employee browsing
• Information used outside agency to significantly embarrass complainant
• Loss of confidentiality
• Loss of employment
• Agency paid more than $40,000
Lochead-MacMillan vs AMI Insurance Ltd [2012] NZHRRT 5
• Fire damaged property, home and contents insurance claim
• $10,000 damages
• “Multiple, sustained and systemic failures” to comply with Privacy Act
Multiple information requests
• 4 February – request for audio files and transcripts
• 2 March – request for audio repeated
• 13 April – Feb and March requests repeated
• 6 May – request for fire report
• 19 May – first three requests repeated
• 8 July – request for AMI file
Breaches by AMI
• Failure to comply with statutory time limit = deemed refusal
• Failure to advise of right to seek an investigation by Privacy Commissioner
• Refusal to release fire report – unjustifiably withheld twice
Damages Awarded
• $10,000 for injury to feelings
• Repeatedly ignored requests
• Plaintiffs kept in dark
• Impression Privacy Act obligations not important
• Unequal relationship
• Plaintiffs made to feel insignificant, ineffectual and unimportant
HRRT Comments
• Privacy principles are fundamental to good process
• Requests for information cannot be ignored or dismissed
• Good administration demands full compliance with Privacy Act
Sharoodi v Director of Civil Aviation
[2011] NZHRRT 5 (25/2/11)
• Withholding grounds
[2011] NZHRRT 6 (9/3/11)
• Non-compliance with Part 5 procedural provisions of the Act
General Advice from Tribunal
• Full index of documents
• Pagination of documents
• Identification of released, withheld or redacted information
Managing Access Requests
• Anticipate having to explain what you have done
• A discovery process of indexing all documents is very handy
• Create separate record of total information
• Create separate record of withheld/redacted information
Tribunal discussion
• Series of misunderstandings around request for personal information which became “personnel” information
• Request not answered until 2½ months after reasonably expected to comply
Therefore
• Deemed refusal and undue delay
Damages
Loss of benefit - $5,000
• A reluctant and piecemeal release
• Revoked pilot’s licence before release
• Not able to use/check information before revocation
• Not given a “fair crack of the whip”
Damages
Humiliation, loss of dignity, injury to feelings - $5,000
• Interpreted request in a limited way
• Revoked pilot’s licence knowing that information yet to be released
• Late decisions to mitigate only after involvement of Privacy Commissioner