Privacy Implications of Westpac's Release of Nicky Hager's Personal Information
We've heard this week that Westpac Bank voluntarily provided the New Zealand Police with author Nicky Hager's bank account information, without requiring a production order or warrant from the Court. The information was apparently requested on the basis that it might reveal information about the person known as Rawshark, who had allegedly supplied illegally obtained material to Mr Hager, for use in his book, Dirty Politics.
There has been criticism of both the Police and Westpac.
Some of the criticism (that the Police are acting as "totalitarian enforcers", for example) is a little unfair, particularly where the request was made of Westpac, which was fully capable of looking after itself, as the other organisations that refused the Police request did. In the absence of any evidence of political motivation, the Police were doing what they considered to be their job. They operated within the bounds of the Privacy Act, which, as we shall see, envisages information being provided by an "agency" (a Privacy Act term for a holder of personal information) such as a bank, without the need for any court order. That's not to say that the Police weren't pushing the boundaries. It's revealing that they did not proceed to obtain court orders against the other organisations that refused their request. Perhaps the Police got all they needed from Westpac, or perhaps they didn't quite have enough evidence to risk refusal of an application to the Court for a production order in respect of the personal information of a high-profile person like Mr Hager.
But, it's Westpac's approach that we're more interested in.
Let's first understand what has happened here.
Sometimes banks, ISPs and other agencies that hold information of value to the Police and other enforcement authorities will agree information sharing protocols with those authorities. Those protocols might detail what level of information the agency is prepared to give up without a court order under a Privacy Act exception, who the request should be directed to within the agency (usually in-house legal/privacy officer), what seniority of officer must make the request and other particular processes that suit the agency. This may be what Westpac has referred to in the media as its "internal policy". That policy has now apparently been clarified (more on this below). If there was such a protocol, we expect it wasn't followed as it seems highly unlikely that any in-house legal team or privacy officer would have approved informal release in this way for fear of exactly the media storm that has occurred.
Two things we know though.
Firstly, that the information in question is personal information under the Privacy Act. That's easy when we're talking about confidential financial information.
Secondly, it's clear it was released in response to an informal request by the Police without a court order.
But, contrary to various reports we've seen, this does not automatically mean there has been any Privacy Act breach. The Privacy Act allows an agency to disclose personal information, without the consent of the individual, where (among other exceptions) the disclosure:
is necessary … (i) to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences (IPP 11(e))
So, the Police would have sent a request to Westpac, referencing this exception to the prohibition on disclosure without consent and, presumably (although, maybe not, given that other agencies refused), providing evidence why the information was "necessary".
The interesting thing about these requests is, while they have no more legal weight than a quick email from the proverbial Constable Smith, they often look very "official". Here's an example of a form that was provided to us recently, complete with the official Police logo and persuasively formal language. But, it's still just a request.
When Westpac received the request, whether in this form or any other, its role as the agency holding the personal information, in order to comply with its obligations under the Privacy Act, was to first decide whether it had enough information to determine that the above exception applied - i.e., was disclosure "necessary ... for the ... investigation of an offence". This is Westpac's responsibility. The fact that the request came from the Police does not absolve it from that.
But, even if Westpac did determine that the exception applied, it still had a choice. It would have been perfectly legitimate for it to decide not to release the information and require a court order, as the other organisations that refused the Police request appear to have done.
In those circumstances, assuming they had enough evidence to persuade an issuing officer of the Court, the Police or other enforcement authority would apply for a production order, which is like a warrant except that it is typically used to obtain information from third parties who are not in any way involved in the alleged offence itself. Here's an example of one obtained in respect of allegedly objectionable material uploaded by a user to the systems of an overseas content-host client of ours, evidence which our client wished to share with New Zealand authorities.
Production orders are approved by District Court registrars or other officers of the Court specifically authorised as issuing officers under the Search and Surveillance Act.
As you can see, a production order is based on submission of evidence sufficient to reasonably satisfy the issuing officer that an offence has been committed, so a higher bar than simply making a request.
Despite the Privacy Act allowing disclosure in certain circumstances, our view is that a production order should be obtained unless there is an imminent threat, meaning one where the short delay in obtaining an order is outweighed by the danger to personal safety or property. This protects the agency holding the information from having to cast aside its customer's privacy on the basis of an assessment of "necessity" that may be difficult for it to make: once an order is made, it no longer has a choice. It also protects the enforcement authority from overstepping the mark and opening itself up to the very criticisms that have been levelled at the Police in this case.
As we said though, sometimes even the hours or days that may be required to get a production order may be too long to wait. Child exploitation situations are an obvious example. This is the type of situation covered by another exception to the non-disclosure rule (IPP 11(f)(ii)). So, we wonder if Westpac's reported change to its "internal policy", that it will now always require a production order for any financial information, goes too far the other way. Privacy is never an all-or-nothing equation.
We are biased because we wrote it, but an example of a more nuanced approach can be seen with Mega's takedown guidance.
Which brings us to our final point. Given the increasing amount of personal information (including metadata) now held by third parties, particularly as a result of all of our internet use, there is a need for much clearer public explanation by the agencies that hold our information as to whether and how it will be released. "Internal policies" no longer cut it, in our view.
Image courtesy of https://www.flickr.com/photos/anonymouscollective/...