Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


III. Privacy issues

Privacy regulator

The Office of the Privacy Commissioner is an independent oversight authority that was created prior to the Privacy Act by the 1991 Privacy Commissioner Act, which focused on the supervision of information matching among government departments.1 The Privacy Commissioner oversees compliance with the Privacy Act 1993, but does not function as a central data registration or notification authority. The Privacy Commissioner's principal powers and functions include promoting the objects of the Act, monitoring proposed legislation and government policies, dealing with complaints at first instance, approving and issuing codes of practice, and authorizing special exemptions from the information privacy principles, and reviewing public sector information matching programs.

Complaints by individuals are initially filed with the Privacy Commissioner, who then attempts to conciliate the matter. A total of 636 formal complaints were received during the 2005-2006 fiscal year, compared to 934 in the 2003-2004 fiscal year. The Privacy Commissioner’s Office attributes the continuing downward trend in the number of formal complaints registered to proactive handling of complaints – encouraging early action and self-resolution - and more targeted privacy training.2 The Commissioner regards the power to investigate and to require answers during investigations as "a vital element" in securing such a high conciliation rate. When conciliation fails, the Director of Human Rights Proceedings3 or the complainant (if the Director of Human Rights Proceedings is unwilling) can bring the matter before the Human Rights Review Tribunal, which can issue decisions and award declaratory relief, issue restraining or remedial orders, and award special and general damages up to NZD 200,000 (~USD 115,000).4

The Office of the Privacy Commissioner issued its first Statement of Intent on July 31, 2006. The purpose of this Statement is to set out the medium term intentions and undertakings of the Office of the Privacy Commissioner for the period 2006/07 and its direction to 2009/10, and thereby promote its public accountability. Specific goals include: aligning New Zealand’s privacy standards with international requirements; continuation of public outreach and education; and further review and amendment of privacy legislation and codes.5

Privacy case law

A landmark Employment Court ruling in April 2004 gave Air New Zealand the right to conduct random drug tests on its workers in "safety-sensitive areas."6 This was the first comprehensive decision on the issue in New Zealand. While the court ruled that the national airline may not impose random tests for drugs or alcohol across its workforce, it may undertake random testing of workers in certain circumstances: in safety sensitive areas; to carry out pre-employment testing of workers before they join the company; testing of workers whose behavior suggests they have taken drugs; and workers involved in an accident or near-miss.

In 2005, the New Zealand Court of Appeal rejected broadcaster Mike Hosking's complaint of breach of privacy over the intended publication of photographs taken of his twin baby daughters on a public street. However, while the Court of Appeal unanimously dismissed the Hoskings' appeal on the basis that the facts as alleged did not amount to a civil wrong, the majority of the Court accepted the existence of an interference with privacy tort, and set out two fundamental requirements for a successful claim: the existence of facts in respect of which there is a reasonable expectation of privacy; and publicity given to those private facts that would be considered highly offensive to an objective reasonable person.7

The New Zealand Court of Appeal considered the countervailing interests of privacy and freedom of information in two separate 2006 cases. In Mafart and Prieur v. Television New Zealand Limited, the Court of Appeal affirmed the High Court’s authorization of Television New Zealand to search and copy videotapes, taken at the time of the appellants' committal and guilty pleas, under the Criminal Proceedings (Search of Court Records) Rules 1974. The Court determined that the strong public interest in the subject matter of the tapes (the sinking of the ship Rainbow Warrior), the lack of harm to the appellants, and the appellants’ prior agreement to the tapes becoming part of the official Court record provided no justification for the court to "exercise a quasi-censorship function".8 The Supreme Court declined leave to appeal.9

In the second case, Television New Zealand Limited v Rogers, the Court of Appeal overturned a High Court injunction against broadcasting a videotape that depicted the respondent participating in a reconstruction of a high-profile murder in respect of which he was in due course acquitted. 10 Although the High Court found that the broadcast would have given rise to an unlawful interference with his privacy, as the tort was recognized Hosting, the Court of Appeal regarded the balancing of the legitimate public concern against the respondent's right to privacy as a matter of proportionality. Since the privacy value of the facts in issue was at the lower end of the scale, the Court considered the degree of legitimate public concern necessary to establish a defence to the invasion of privacy would also be at the low end of the scale. When the videotape was made, the respondent must have had the understanding and expectation that its contents would be made public in the context of the criminal proceedings. Leave to appeal from this decision was granted by the Supreme Court.11

The principles in Hosking and in Television New Zealand Ltd v Rogers were applied in Andrews v Television New Zealand Limited, where the High Court dismissed the plaintiff couple's claim of unlawful invasion of privacy for broadcast of a car accident scene in which the plaintiffs were trapped in their vehicle for a considerable period of time. The programme in which the plaintiff's predicament was broadcasted appeared some months afterwards, and it was broadcasted without their consent and without prior notification to them.12

Medical privacy

The Criminal Investigations (Blood Samples) Act of 1995 authorized the establishment of a national DNA databank. Police are required to obtain an order from a High Court judge before a compulsory test can be conducted, and they can take samples only from suspects of violent crimes and convicted burglars. Voluntary samples from anyone can be included in the databank. In October 2000, police were ordered to reduce the number of voluntary DNA samples due to budgetary concerns. By 2002, however, it was reported that police were being advised to increase this number again and to try to obtain voluntary samples from anyone arrested with a prior criminal record.13 As of June 2006, the total number of DNA profiles stored in a DNA databank in New Zealand was 63,572. Of these, 53,623 were obtained by consent and 9,949 were obtained by compulsion notices or orders.14 By contrast, in June 2004, the total number of DNA profiles stored in the national database was 42,844 (up from 33,892 in 2003). Of these, 36,439 were obtained by consent and 6,239 were obtained by compulsory order.15 In May 2002, a new NZD 3,000,000 (~USD 2,000,000) laboratory was opened in Auckland for the purpose of forensic DNA testing.16 Testing is carried out by the New Zealand Government-owned Institute of Environmental Science and Research (ESR).17

In February 2006, a Memorandum of Understanding between the Ministry of Health and the New Zealand Police relating to the disclosure of newborn blood spot samples and related information (also known as "Guthrie" cards) came into effect. The card holds both the blood spot sample and identifying details relating to the newly born (name, date of birth, place of birth, birth mother's name, National Health Index number, sex, birth weight, lead maternity carer's name, registration number and contact details). Guthrie cards have been used by the Police only once or twice a year to identify dead or missing persons. This is done mainly with parental consent (for example, where a child dies in a house fire). The Guthrie cards are only used as a last resort where all other means for identifying the person are not practicable or have failed. The Memorandum acknowledges that the blood spot card and information is collected for health purposes only. Any use of the blood spot card for any non-health related purpose is exceptional, and the Police should have recourse to the blood spot cards and associated information only rarely, and as a last resort.18

The Privacy Commissioner has proposed amendments to the Health Information Privacy Code 1994. One proposed amendment would allow health practitioners to disclose patients’ genetic information to genetic relatives if the "disclosure is necessary to prevent or lessen a serious threat to the life or the health" of the relative.19 The amendments are currently in public consultation, and are expected to be implemented sometime in 2007.

Unsolicited commercial e-mails

New Zealand recently enacted anti-spam legislation, modeled on Australia’s Spam Act 2003. The Unsolicited Electronic Messages Act 2007 received royal assent on March 5, 2007, and comes into force six months after the date of assent.20 The Act aims to create a safe and secure environment in New Zealand for the use of information and communication technologies by minimizing spam and the costs to the community and business that arise from it.21 The Act uses an opt-in consent model for commercial messages, and applies to telecommunications services such as email, instant messaging and texting. The Act does not apply to phone calls, VoIP voice calls, or faxes.

The Unsolicited Electronic Messages Act 2007 applies to any commercial message with a New Zealand link sent to an electronic address using a telecommunications service without the consent of the recipient. The legislation requires commercial messages to include accurate information about the person who authorized the sending of the message; mandates a functional unsubscribe function for all such messages at no cost to the recipient; and prohibits address-harvesting software or a harvested-address list from being used in connection with sending unsolicited commercial messages in contravention of the Act.

InternetNZ,22 a non-profit Internet interest group, created the Anti-Spam Task Force, which counts the New Zealand Direct Marketing Association among its members. The group has met with the New Zealand government, held a conference in November 2003, funded a member to attend the OECD Conference on Spam, and worked with the press. The group encourages all ISPs to refer their customers to their Web site, which includes advice to individuals and businesses, and a discussion of legislative activity in the country. The Internet Society of New Zealand, the Direct Marketing Association, and the Telecommunications Carriers Forum have developed an ISP Spam Code of Practice, which is intended to work in conjunction with the government's legislation in this area. The Code, which applies to email spam, will be implemented as self-regulation or as a voluntary code at the same time as the Unsolicited Electronic Messages Act 2007 comes into force later this year in order to assist direct marketers in complying with the new law.23 In December 2004, the Telecommunications Carriers Forum adopted the SMS Anti-Spam Code.24 It has been ratified by Telecom, Vodafone, TelstraClear, TUANZ, WorldxChange, CallPlus, BCL, Vector Communications, and the Direct Marketing Association.

Trans-border dataflows

New Zealand is one of several countries involved in negotiations with the European Commission concerning the "adequacy" of its privacy regime in relation to the European Union Data Protection Directive (1995/46/EC). Since 1998 the Commission has been urging the Government to introduce two minor amendments to the Privacy Act in order to secure a finding of adequacy. The first amendment would remove the existing requirement that in order to make an access or correction request, an individual must be a New Zealand citizen or permanent resident, or present in New Zealand at the time the request is made. The second would introduce a limited data export control to regulate the transfer of personal information outside New Zealand. On December 12, 2000, these changes were finally included in the Statutes Amendment Bill25 and submitted to Parliament. Accordingly, it was expected that these amendments would be approved and enacted without delay.26 In the fall of 2001, however, one party withdrew its support of one of the amendments. In his annual report for the year ending June 30, 2001, the Privacy Commissioner encouraged "those responsible for the business of the House of Representatives [to] ensure that whatever vehicle these amendments proceed in is given priority." There has been no apparent progress on this issue. The Statutes Amendment Bill has not yet been re-introduced.

In September 2006, the New Zealand and Australian Privacy Commissioners signed an agreement that will allow for cooperation between their offices on privacy-related issues until September 2008. The agreement, modeled in part on the APEC Privacy Framework, OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, and the Asia Pacific Privacy Authorities Forum, covers the sharing of information related to surveys, research projects, promotional campaigns, education and training programs, and techniques in investigating privacy violations and regulatory strategies. Other areas addressed include cooperation on complaints with a cross-border element and the possible undertaking of joint investigations. The agreement is not legally binding.27