Data Privacy about more than Privacy

It is often forgotten that laws concerning data privacy serve purposes other than protecting privacy alone. Research conducted by this writer in New Zealand over the last decade has conclusively established in the first place that the vast majority (around 80% in one study) of litigation brought under the Privacy Act 1993 (the Act) was connected with a pre-existing dispute between the parties unrelated to privacy which spilt over into a privacy dispute. Secondly, the research has established that the rights conferred by the Act have been extremely useful for individuals to exercise other legal rights and benefits.

These benefits include those under New Zealand’s comprehensive “no-fault” compensation scheme for injury from accidents as well as information needed to pursue myriad claims ranging from family or domestic disputes to ones involving employers or former employers. The Act’s entitlements, especially the right to access personal information held by agencies, have clearly helped address the informational power imbalances between individuals on the one hand and government agencies and corporations on the other.

It is important to stress at the outset that, unlike in many countries, litigants who pursue a claim under the Act in New Zealand do not have to go to the courts to do so and most litigants tend not to be legally represented. This is due to the existence of a specialist tribunal, the Human Rights Review Tribunal (the Tribunal), which adjudicates claims brought under the Act (appeals to the High Court are relatively rare). Claims can be referred to the Tribunal by the Privacy Commissioner through the Director of Human Rights Proceedings but individuals can bring proceedings themselves following an investigation (and attempted conciliation) by the Privacy Commissioner.

The existence of a significant number of such cases, decided by the Tribunal, has provided a rich source of material for research. The Tribunal has awarded a range of remedies ranging from sizeable damages to orders requiring the defendant to undergo privacy training. In one celebrated instance, a former employee, who iced a cake with her sentiments regarding a former employer at a private party before posting it on Facebook to her friends, brought a claim when the employer coerced one of its employees to share it before posting a screenshot to recruitment agencies severely prejudicing her employment prospects. The award by the Tribunal (NZ$168,000) has been the largest to date but there has been a steady increase in the sums awarded and self-funded litigants in the Tribunal have often ended up being successful.

A further point of difference between the federal privacy regime in Australia and the Act in New Zealand is that, with a few exceptions (discussion of which is beyond the scope of this article) employee records are not exempt from the requirements of the latter, unlike the case in Australia. As a consequence, one of the primary areas of application for data privacy in New Zealand has been in the employment arena. The remainder of this article will report some of this writer’s findings in this field where a fascinating cross-fertilisation has taken place between the rights afforded under employment law and those contained in the Act.

In the first place, despite clear stipulations in the Act that the rights it contains may not be adjudicated in a court of law, the Act has been used, in several instances, by employment courts to inform them as to the proper interpretation of other legislation and as to what is “reasonable” in employment relationships. This has been the case, for instance, with regard to random drug testing of employees and the like.

Furthermore, early applications of the Act in the employment sphere centred on regulating communications between employers and employees and their authorised bargaining agents together with third parties such as news-media. It became established early on that employers were not at liberty to disclose the pay rates and conditions of employment of individual employees or categories of employees in the course of bargaining even to “set the record straight” although disclosures by Unions were permissible as they occurred with the consent of the individuals concerned.

Likewise, an intriguing question posed in one case was whether the freedom to receive a communication (under New Zealand’s Bill of Rights Act 1990) also meant that a person could not force a communication on an unwilling recipient (an issue with wider scope within data privacy). Hence, employees were free to stipulate all communications should be channelled through their bargaining agent. These issues were largely supplanted by the statutory duty of good faith subsequently incorporated into New Zealand’s employment legislation.

A further technique was the incorporation of the Act’s requirement into individual and collective agreements. This proved to be a double-edged sword in several cases as far as employees were concerned as they were found to be in breach of such clauses where they had disclosed or improperly handled personal information. There was also confusion in some instances between the information covered by the Act (any information about an identifiable individual) and confidential information (a somewhat narrower category).

The Act has proved most useful in conjunction with the right of employees to access their information and overlapped rights to information contained within the employment legislation itself. The Act has been used in numerous cases brought before employment courts and tribunals. These included one example where, despite an employment relationship breaking down the employee was able to obtain a copy of their agreement under the Act and, in another, the right to request correction was used to have an alternate version of disputed minutes of a disciplinary meeting recorded.

Finally, non-compliance with the Act’s requirements has been a factor in numerous cases involving unjustified dismissal or disadvantage in employment. For the most part this has been in connection with requests for information under the Act. Employees’ inability to access their information in a timely manner was often the focus for grievance especially where access to it was needed to pursue claims against the employer or other parties. The Act is well-known to serve a forensic purpose but its application in the employment arena was often much wider in scope.

Data privacy rights in New Zealand are now a fundamental part of its legal architecture and serve to advance many areas of human rights other than the narrow confines of informational privacy. A further strengthening of data privacy rights is expected when the Government unveils the much-anticipated Privacy Bill to replace the Act one hopes in the course of this year.

This feature is part of a Digital Asia Hub Data Protection Day specialFor permission to republish or for interviews with the author please contact Dev Lewis.

Gehan Gunasekara

Gehan Gunasekara

Associate Professor at University of Auckland Business School
Gehan Gunasekara is an Associate Professor in the Department of Commercial Law at the University of Auckland Business School, specialising in the areas of franchising law and privacy law. Gehan is a regular commentator in national media. His research on cross-border personal information flows has been cited by both the New Zealand and Australian Law Commissions as well as by the Canadian Privacy Commissioner.
Gehan Gunasekara

Latest posts by Gehan Gunasekara (see all)