Digital technology is integrating into our everyday lives at an ever-increasing rate. The digital interface is now the conduit for many of our interactions and activities and has altered, probably irreversibly, the way that we communicate and socialise with one another.
We produce vast amounts of data about ourselves in a variety of contexts through our use of smart phones and social media, our consumer activity, our use of on-line search engines, and our interactions with public services and institutions.
In this respect, digital technology has created a symbiotic relationship of sorts. It enables us to access and share information for our own benefit. At the same time, the data we generate is of immense value to the public and private entities that facilitate and control our digital interactions.
While this has the potential to produce great benefits and improve social outcomes, it also poses risks to our fundamental human rights. The surveillance and collection of vast amounts of personal information and meta data, and the processing of such data using new analytical techniques, has major implications for our right to privacy and our right to be free from discrimination.
The impact of digital technology on the right to privacy is of particular significance. Privacy is central to our enjoyment of personal dignity and autonomy. It enables the expression of individuality, facilitates trust, friendship and intimacy, empowers the individual against the state and is necessary for securing other human rights, such as the right to freedom of expression and opinion.
This paper provides a high-level summary of the key international and domestic human rights standards and principles that can guide legal and policy frameworks in responding to the rapid advance of digital technology. It is intended to assist anyone in New Zealand engaging in advocacy, research, policy or legislative development in this area, as well as those with a general interest in these issues.
Part I of the paper sets out the international human rights framework that applies to surveillance and personal data, with a focus on the right to privacy. Part II provides an overview of the legal and policy framework that applies in New Zealand and Part III outlines the permissible limitations on the right to privacy. Part IV discusses the safeguards that States should put in place to prevent adverse human rights impacts. This is followed by an overview of the remedies available for human rights violations relating to surveillance and personal data in Part V. The paper concludes with a focus on some of the emerging human rights challenges arising in the digital age.
These emerging challenges include the responsibilities of private businesses in this area. While governments are primarily responsible for protecting human rights, businesses also have a duty to respect human rights, as set out in the United Nations Guiding Principles on Business and Human Rights (UNGPs). While this paper touches on the UNGPs, it is mainly focused on public sector obligations. Nevertheless, we hope that businesses and other private sector and non-government organisations find it a useful point of reference when considering the broad implications of their practices and policies concerning the use and protection of personal data.
Part 1: International Human Rights Framework
The collection, storage, sharing and re-purposing of personal information, whether obtained by surveillance or interception, or freely provided by individuals, poses a challenge to universally recognised human rights.
International human rights law provides an instructive framework for the protection of the affected rights, including the right to privacy and its permissible limitations, freedom of expression and opinion, freedom of association, the right to be free from discrimination, and the right to be free from unreasonable search and seizure.
The first part of this paper is intended to provide readers with an overview of the international law and standards relevant to:
- Affected rights under the International Covenant for Civil and Political Rights (ICCPR)
- United Nations resolutions and reports on human rights in the digital age
- International and regional guidelines and standards regarding personal information
Together, these instruments, reports and standards provide a framework to guide the formation of law and policy concerning personal data, surveillance and human rights in New Zealand.
1.1 International Covenant for Civil and Political Rights
The right to privacy is a fundamental human right, guaranteed under Article 12 of the Universal Declaration on Human Rights and Article 17 of the ICCPR. In 1978, New Zealand agreed to be legally bound by the ICCPR. Article 17 of the Covenant affirms:
- No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
- Everyone has the right to the protection of the law against such interference or attacks.
In reflection of its status as a fundamental right, the right to privacy is included in similar terms in other international human rights treaties to which New Zealand is a party, protecting the rights of children, and people with disabilities.1 The scope of the right under article 17 is broad. It not only protects individual privacy, but also interference with the individual’s family and home life, written affairs, personal identity and standing. This illustrates how closely the right is linked to the human rights concepts of personal autonomy and dignity.2 The right to privacy is also underpinned by a right to legal protection from arbitrary and unlawful interference.
The UN Human Rights Committee (UNHRC), the UN body of independent experts that monitors the implementation of the ICCPR, has issued interpretative guidance on the nature and scope of the right to privacy under article 17 in its General Comment No. 16. The UNHRC sets the following threshold for State compliance with the right to privacy:
In the view of the Committee this right is required to be guaranteed against all such interferences and attacks whether they emanate from State authorities or from natural or legal persons. The obligations imposed by this article require the State to adopt legislative and other measures to give effect to the prohibition against such interferences and attacks as well as to the protection of this right.
In other words, a robust legal framework that protects the right to privacy as a free-standing right and provides measures to prohibit and sanction breaches of the right, is a minimum requirement for State parties to the ICCPR to meet.
This was illustrated in the most recent review of New Zealand’s compliance with the ICCPR, in which the UNHRC expressed concern that the right to privacy is not protected as a freestanding right in New Zealand legislation. More specifically, the UNHRC expressed concern that surveillance activities carried out under New Zealand’s intelligence and security legislation (at that time) lacked sufficient oversight and safeguards mechanisms, and did not meet the requirements of Article 17. Similarly, the UN Committee on the Rights of the Child has recommended that New Zealand social sector policies that impact upon privacy rights fully protect the right to privacy and are included in relevant legislation.
The right to freedom of expression and the right to hold opinions without interference, affirmed under article 19 of the ICCPR, are also important. As stated in the preamble to the Global Principles on the Protection of Freedom of Expression and Privacy:
Without privacy, individuals lack the space to think and speak without intrusion and to develop their own voice. Without freedom of expression, individuals would be unable to develop their sense of self. At the heart of the protection of these rights lies the respect for, and protection of, human dignity and individuals’ ability to live freely and engage with one another.
The application of algorithms to data to predict future behaviour or generate risk assessments to inform social spending may also implicate the right to be free from discrimination under Article 26 of the ICCPR. This issue will be discussed further below.
1.2 International Resolutions, Reports & Groups
The UNHRC’s interpretation of the right to privacy in General Comment 16 is now approaching 30 years old. While its principles are still applicable, it does not specifically address the challenges that have arisen from the information technology revolution over that period.
In recent years UN human rights entities such as the Human Rights Council, General Assembly, Special Rapporteurs and the Office of the High Commissioner for Human Rights (OHCHR)12 have produced numerous reports and resolutions on the human rights challenges brought about by the digital age. The principles and recommendations contained in these documents contribute to the international jurisprudence on the right to privacy and, as such, provide an important reference point when assessing the rights-consistency of domestic policies and practices that utilise digital technologies to gather, share and assess personal data.
UN General Assembly and Human Rights Council
In December 2013, the UN General Assembly adopted its first resolution on the right to privacy in the digital age. The development of the resolution followed the 2013 Snowden revelations that the National Security Agency (NSA) in the United States and the General Communications Headquarters (GCHQ) in the United Kingdom were undertaking extensive surveillance and interception of global internet traffic, digital personal information records and metadata.
The resolution expressed “deep concern at the negative impact that surveillance and interception of communications may have on human rights.” In doing so, it emphasised the need for States to:
- Respect and protect the right to privacy;
- Review domestic practices and laws regarding communications surveillance, interception and collection of personal data in line with international human rights obligations;
- Establish effective oversight mechanisms; and
- Ensure that any practice that limits or interferes with the right to privacy is subject to a “careful and critical assessment” of its necessity, legitimacy and proportionality, in accordance with international law.
Two further resolutions on the right to privacy in the digital age were adopted by the General Assembly in 2014 and 2016. Both resolutions reaffirmed and built upon the principles established in the 2013 resolution and included additional calls for:
- States to provide access to an effective remedy for individuals whose rights have been violated by the use of unlawful or arbitrary surveillance; and
- Business enterprises to respect human rights in accordance with the UN Guiding Principles on Business and Human Rights; to establish transparency policies; and to take measures to enable secure communications and protect customers from interference with their privacy.
On 1 April 2015, the Human Rights Council adopted a similar resolution on the right to privacy in the digital age. The resolution reflected the General Assembly’s resolutions and, in recognition of the global nature of the internet and rapid advancement of information and communication technology, affirmed that “the same rights that people have offline must also be protected online.”17 Most significantly, the resolution established the role and mandate of the Special Rapporteur on the right to privacy, an independent expert appointed by the Human Rights Council to examine and report back on a country situation or a specific human rights theme in relation to the right to privacy.
In March 2017, the Human Rights Council adopted an updated resolution on the same issue that reflects many of the points made in the General Assembly resolutions.
Since 2013, the OHCHR and several Special Rapporteurs have produced reports that further extrapolate the international human rights standards relevant to the interception, surveillance and sharing of digital communications. The reports of the Special Rapporteurs examine specific practices and are applicable to related policy development by governments. The most relevant reports that are referenced throughout this paper include:
- Report on the right to privacy in the digital age (30 June 2014)
- Special Rapporteur on the right to privacy
  - Report to the Human Rights Council providing an overview of the right to privacy (24 November 2016);21
  - Report to the Human Rights Council outlining first approaches to a more privacy-friendly oversight of government surveillance (24 February 2017);22 and
  - Report to the General Assembly on Big Data and Open Data (19 October 2017).
- Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism
  - Report to the General Assembly examining the use of mass digital surveillance for counter-terrorism purposes and the implications of bulk access technology for the right to privacy (24 September 2014).24
  - Report to the General Assembly examining surveillance of electronic communications data in the counter-terrorism context (11 August 2017).
- Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression
  - Report to the Human Rights Council analysing the implications of States’ surveillance of communications on the exercise of the human rights to privacy and to freedom of opinion and expression (17 April 2013).
  - Report to the Human Rights Council addressing the roles played by private actors engaged in the provision of Internet and telecommunications access and providing principles to guide the private sector on human rights in the digital sector and new modalities of surveillance (30 March 2017).
International legal framework to regulate surveillance in cyberspace
The Special Rapporteur on the right to privacy has collaborated with the European Union-supported Management Alternatives for Privacy, Property and Internet Government, otherwise known as the MAPPING project, on issues relating to the “protection of privacy in this age of ubiquitous surveillance.”28 The collaboration led to the development of a draft legal instrument on surveillance.29 The document is expected to be ready for consideration by the Human Rights Council by 2021 and may comprise “soft law” in the form of recommendations or an international multilateral treaty.
D7 – Digital Rights Working Group
The New Zealand Government is to lead an international working group on digital rights, made up of New Zealand, the United Kingdom, South Korea, Estonia, Israel, Uruguay and Canada.31 The Group’s aim is to enable the digital environment to meet human rights standards and protections through the creation of a multinational framework for digital rights.
1.3 Data Privacy Guidelines and Principles
Essential to the right to privacy is the right to protection of personal data. The Organisation for Economic Co-operation and Development (OECD), European Union (EU) and Asia-Pacific Economic Forum (APEC) have developed guidelines and regulations on this issue which influence domestic privacy laws in New Zealand.
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
The OECD Guidelines were developed by OECD Member countries in 1980 and were revised in 2013.33 The Guidelines were formed to help harmonise national privacy legislation and, while upholding human rights, at the same time prevent interruptions in international flows of data. The Guidelines set out eight core principles that apply to the processing of personal data. They form the basis of the information privacy principles in New Zealand’s Privacy Act 1993 and consist of the following key principles:
- Collection Limitation Principle: Personal data should only be collected lawfully and fairly and where appropriate with knowledge and consent of the individual concerned.34
- Purpose Specification Principle: The purposes for which personal data are collected should be specified at the time of or before data collection. Subsequent use of such data is limited to the purpose of collection or a compatible purpose, and these should be specified whenever there is a change of purpose.35
- Use Limitation Principle: Restricts the disclosure of personal information for reasons other than the specified purpose except with the individual’s consent or by legal authority.
Other principles in the Guidelines include that:
- personal data should be protected by reasonable security safeguards;
- governments should be open about policy developments and practices with respect to personal data;
- individuals should be able to request data about themselves and receive reasons for denial of such requests; and
- data controllers should be accountable for complying with the principles.
Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data
The Council of Europe Convention was the first binding international instrument to protect individuals against abuses resulting from the collection and processing of personal data and to regulate the trans-border flow of personal data.38 Many of the principles reflect those of the OECD Guidelines. Countries from outside Europe can sign up to the Convention, but only Uruguay has done so to date.
General Data Protection Regulation (GDPR)
The EU also has its own internal law regarding data protection. On 8 April 2016, the EU adopted the GDPR which takes effect on 25 May 2018.39 The GDPR applies to the public sector, EU-based entities and non-EU based entities processing data of individuals within the EU. As noted by New Zealand’s Privacy Commissioner, the GDPR’s “standards lift the baseline internationally in response to challenges to consumers and data protection in today’s global digital economy.”
Some of the key aspects of the GDPR are set out below:
- Increased territorial scope: Applies to all companies (data controllers or processors) whose processing activities relate to offering goods or services or monitoring behaviour of individuals residing in the EU, regardless of the company’s location.
- Data Protection Officers: In some circumstances data controllers or processors must designate a Data Protection Officer as part of their accountability programme. This covers processing carried out by a public authority; where core activities involve monitoring data subjects on a large scale; and where core activities consist of processing on a large scale of special categories of data.
- Consent: Restrictive approach to consent requiring that it must be “freely given, specific, informed and unambiguous.”
- Penalties: A tiered approach to penalties is established with fines for some infringements of up to the higher of 4% of annual worldwide turnover and EUR20 million (e.g. breach of requirements relating to international transfers or the basic principles for processing, such as conditions for consent). Civil liability is also possible with a right to compensation.
- Data breach notification: Data controllers must notify most data breaches to the Data Protection Authorities within 72 hours of awareness.
- Data subject rights: Rights of individuals are bolstered, including rights to: require information about data being processed about themselves; be forgotten, entitling individuals to have personal data about them erased; correction of data which is wrong; restrict certain processing; object to their personal data being processed for direct marketing purposes; and an explanation about information based on algorithms.
The GDPR may impact on New Zealand in two ways. First, any public agency or business in New Zealand that handles personal data of individuals residing in the EU will need to ensure that their internal data processing procedures comply. Second, it is possible that the EU may find that New Zealand’s data protection laws are no longer ‘adequate’ for the transfer of European-originated data for processing.42 The Office of the Privacy Commissioner has indicated that they are in regular communication with the European Commission on this issue.4
APEC Privacy Framework
The APEC Privacy Framework was developed in light of the 1980 OECD Guidelines and applies to all 27 member countries.44 The Framework sets out principles and implementation guidance for the public and private sectors who control the collection, holding, processing, use, transfer or disclosure of personal information. Key principles include:
- Preventing harm: Preventing misuse of personal information and consequent harm to individuals.
- Notice: Individuals should know that information is collected about them and the purpose for which it is used.
- Collection limitation: Limited collection of information to the purposes for which it is collected.
- Use limitation: Limits the use of personal information to fulfilling the purposes of the collection.
Also included in the framework are the principles of choice and consent, data integrity, security safeguards, access and correction, and accountability. Progress on the implementation of the Framework includes the application of Information Privacy Individual Action Plans by 14 economies. New Zealand last updated its Data Privacy Individual Action Plan in 2011.
Comprehensive and Progressive Agreement for the Trans-Pacific Partnership Agreement (TPP)
In March 2018, New Zealand signed the Comprehensive and Progressive Agreement for the Trans-Pacific Partnership (CPTPP) and is currently considering its ratification. Chapter 14 of the TPP on electronic communications includes several provisions that affect data and privacy obligations with respect to New Zealand’s activities with the ten other member countries.46 Relevant provisions include:
- Personal Information Protection: Each Party is called on to adopt or maintain a legal framework that protects the personal information of users of electronic communications. It recommends looking toward existing privacy principles when doing so.
- Cross Border Transfer of Information by Electronic Means: Allows for the cross-border transfer of personal information when the activity is for the “conduct of the business of the covered person.”
- Data localisation: Parties cannot require companies to locate computing facilities in another Party’s territory as a condition for conducting business in that territory. This ensures that businesses who want to conduct business in a Party’s territory will have the freedom to choose where to store the data.
- Source Code: Prevents a country from requiring access to source code as a condition for conducting business. However, this does not extend to software used for critical infrastructure.
Part 2: New Zealand's Legal and Policy Framework
2.1 Application of International Human Rights Framework to New Zealand
While Parliament holds the ultimate power to legislate in New Zealand, the Government must take into account the impact of international law on domestic legislation as a result of its international treaty obligations and the principles of customary international law.47 The Vienna Convention on the Law of Treaties48 provides that treaty obligations are binding on a State party and its territory and that domestic law may not be used as a justification for its failure to perform a treaty obligation.
Accordingly, the Cabinet Office Manual and the ancillary Legislation Design and Advisory Committee Guidelines50 direct the Government and public servants to ensure that proposed legislation and policy conforms with international obligations.
The Government’s approach to applying human rights treaty obligations to legislation and policy development has been somewhat uneven to date. However, it is notable that the recent reforms to New Zealand’s intelligence and security jurisdiction, which had considerable implications for the right to privacy, gave careful scrutiny to international human rights standards. This resulted in human rights considerations being elevated amongst the new legislative principles and decision-making criteria that the reforms have introduced.
This focus on international human rights obligations has been further reflected in related policy developments in the sector. In 2017, a Ministerial Policy Statement (MPS) regarding functions of the intelligence and security agencies when cooperating with overseas public authorities listed the ICCPR and seven other ratified UN human rights treaties as being among New Zealand’s “core human rights obligations.” The MPS noted that “actions or activities that run contrary to the obligations within those instruments may constitute a human rights breach in the context of this MPS.”
Furthermore, the New Zealand Courts have affirmed that they can be expected to interpret legislation in a manner consistent with international treaty obligations53 and that it is not to be assumed that Parliament intentionally passed legislation contrary to those treaty obligations.54 In addition, the reference to the ICCPR in the Long Title of The New Zealand Bill of Rights Act 1990 indicates a legislative desire to achieve compliance with international rights obligations.
The Courts have also applied non-binding international human rights documents, such as UN Minimum Standards passed by the General Assembly, as persuasive interpretative aids when considering the application of a human rights obligation under an international treaty.56 The High Court has stated that “subject to express or implied contrary provisions in domestic legislation, New Zealand Courts will pay regard to internationally accepted human rights norms in the exercise of judicial discretion”.
Jurisprudence arising from the judgments of the European Court of Human Rights (ECtHR) and the Court of Justice of the European Union on the application of the right to privacy under the European Convention on Human Rights (ECHR) may also be considered by the New Zealand Courts. While judgments of the European Courts are not binding upon them, New Zealand Courts have displayed a willingness to consider and refer to decisions of the ECtHR, and to decisions of the UK courts made under its Human Rights Act 1998 which incorporates much of the ECHR into UK law.
2.2 New Zealand Bill of Rights Act 1990
The preamble of the New Zealand Bill of Rights Act 1990 (BORA) provides that it is an Act to:
a. affirm, protect, and promote human rights and fundamental freedoms in New Zealand; and
b. affirm New Zealand’s commitment to the International Covenant on Civil and Political Rights.
The preamble enunciates the purpose of the BORA as a legislative instrument that affirms New Zealand’s human rights obligations under the ICCPR. Notably, BORA does not contain a freestanding right to privacy equivalent to Article 17 of the ICCPR.
The challenges brought about by contemporary and future electronic surveillance and data interception technology raise the question of whether the BORA should be updated to include a free-standing right to privacy. The Human Rights Commission,59 the Office of the Privacy Commissioner,60 and human rights advocates and academics61 have called for the inclusion of the right to privacy in the BORA or a written constitution for New Zealand. To do so would not only bring the BORA into greater substantive alignment with the ICCPR. It would also ensure that the Attorney-General considers the effect of the right to privacy on any new bill introduced into parliament under its BORA reporting function.62 Furthermore, it would allow the Courts to issue a declaration of inconsistency if they believe that legislation is inconsistent with the right to privacy.
BORA does, however, provide for the right to protection from unreasonable search and seizure,64 a right that is engaged when considering the surveillance and interception of personal data. There is a corollary between the civil right to protection from unreasonable search and seizure and the common law recognition of the privacy of the home.65 The New Zealand Courts have affirmed that private property rights, in this context, have “special significance” in that they “enable individuals to maintain their right to privacy and their civil liberties in general and…underline the value attached to personal independence and freedom from official harassment.”
2.3 Privacy Act 1993
The Privacy Act 1993 regulates the collection, use and disclosure of information about individuals. At the core of the Act are the 12 information privacy principles (IPPs) that guide the way that government agencies and businesses (referred to in the legislation as Agents) handle personal information, including in relation to the collection, storage, security, access, accuracy, retention, and disclosure of personal information.
The Act itself does not provide for, or affirm, a free-standing right to privacy. However, the information privacy principles are fundamentally congruent with the right to privacy and provide presumptive rights for a person to access their personal information and have their personal information protected from unauthorised use or disclosure to third parties. The information privacy principles are designed as operational safeguards and thus are subject to exceptions in certain circumstances (for example, where non-consented disclosure of personal information may be required to avert a likelihood of serious harm).
Compliance with the Privacy Act is overseen by the Privacy Commissioner, who may investigate and instigate proceedings against agencies that may be in breach. In addition, the Privacy Commissioner may produce sector-specific codes of practice, such as the Health Information Privacy Code and the Telecommunications Information Privacy Code, that derive from the foundational information privacy principles in the Act.
Among other things, the Privacy Act regulates information matching practices between specified public-sector agencies and information sharing practices among agencies that would otherwise breach one or more of the information privacy principles. Agencies that wish to share personal information in such a manner are required by the Privacy Act to enter into Approved Information Sharing Agreements.
On 20 March 2018, a new Privacy Bill was introduced into Parliament to repeal and replace the existing Privacy Act 1993. The new Bill follows the 2011 Law Commission Review of the Privacy Act which contained 136 recommendations for change,68 as well as calls by the Privacy Commissioner to modernise the Act.
The new Bill proposes modernising the Privacy Act in response to the way technology has revolutionized the handling of personal data, while retaining the 12 IPPs. The IPPs largely remain the same under the Bill, with the exception of IPP 11 on disclosure of information and IPP 4 on the manner of collection of personal information. IPP 11 strengthens the requirements relating to the disclosure of information to an overseas person. Among the new requirements are that the disclosing agency must not disclose the personal information unless the agency believes on reasonable grounds that the overseas person is required to protect the information in a way that, overall, provides comparable safeguards to those in the Act.70 IPP 4 is amended to require an agency to consider the age of an individual when deciding whether the means of collection of personal information is fair and not unreasonably intrusive.
Importantly, the purpose statement of the Bill has been strengthened to contain a clearer focus on protecting and promoting privacy. It directly incorporates an “individual’s right to privacy of personal information” and recognises “privacy obligations and standards in relation to the privacy of personal information, including … the International Covenant for Civil and Political Rights.”
The most significant reforms to the law are the increased accountability mechanisms supporting the early identification of systematic privacy risks. These changes include:
- Mandatory reporting of data breaches: One of the major changes under the Bill is the introduction of a mandatory requirement for agencies to report privacy breaches to the Privacy Commissioner and affected individuals if the breach has caused or risks causing harm.72 This is consistent with mandatory reporting regimes that are increasingly required in privacy legislation overseas, including in Australia, Canada and the European Union. Notification must occur as soon as practicable after an agency becomes aware of a breach, and if it is not reasonably practicable to notify affected individuals, the agency must instead give public notice of the breach. It is an offence to fail to notify the Commissioner, with a maximum penalty of $10,000[73] and the Commissioner has the power to publish the identity of an agency that has notified him or her of the privacy breach, if the agency consents or if the Commissioner is satisfied that it is in the public interest to do so.
- Compliance notices: The Commissioner’s functions are expanded under the new Bill. It allows the Commissioner to issue compliance notices that require an agency to do something, or stop doing something, in order to comply with privacy law.75 The Human Rights Review Tribunal will be able to enforce compliance notices and hear appeals.
- Information-gathering powers: The Bill expands the Commissioner’s information gathering powers when investigating complaints about an interference with privacy. The Commissioner can require any person to provide information or documents and can specify a time limit for providing information.
- Access requests: The Commissioner is also given a new power to direct an agency to confirm whether it holds specified information about an individual, permit access to that information or to make the information available in a particular way.
2.4 Approved Information Sharing Agreements
In 2013, the Privacy Act was amended to introduce Approved Information Sharing Agreements (AISAs) which are the legal mechanism that authorises the sharing of information about an individual by one government agency to another, usually for a purpose unrelated to the reason for which the information was originally collected or provided. Currently, there are seven AISAs in place.79 The Privacy Act provides for procedural safeguards in the formation of AISAs as well as continued oversight, including:
- Agencies must consult the Privacy Commissioner, any person or organisation representing the interests of the people whose information will be affected and any other person that the agencies consider should be consulted.
- The Minister must be satisfied of a number of factors including that the AISA does not unreasonably impinge on privacy and it contains adequate safeguards.81
- The Privacy Commissioner also has the power to prepare a report on any privacy matters relating to the AISA.
2.5 Predictive Risk Modelling
In New Zealand, the development of a proposed predictive risk modelling (PRM) programme in the child protection sector may have significant implications for children’s privacy rights. The aim of the proposed programme, developed by the Ministry of Social Development (MSD), is to identify children at risk of maltreatment as they enter the public welfare system in order to target interventions and service delivery. PRM is generated from a large data set of public welfare and child protection services information. An algorithmic program is applied to the data to generate ‘risk’ scores for individuals. Service responses are then ascertained according to the risk score. As a PRM initiative requires agencies to share identifiable personal information without consent, it requires either an AISA83 or enabling provisions in primary legislation to legally override standard Privacy Act protections.
Concerns have been raised about the ethics and human rights implications of PRM, including in relation to the security of information; unanticipated uses of information; stigmatisation of people identified as having high risk scores; systematic discrimination occurring as a result of the algorithmic techniques used to filter data; and transparency in relation to the data used to create algorithmic design.
In order to ensure that privacy, human rights and ethical considerations are factored into the development and implementation of PRM, MSD is currently developing a Privacy, Human Rights and Ethics (PHRAE) Framework as a procedural safeguard. At the time of writing both the child protection PRM initiative and the PHRAE Framework are still under development and yet to be implemented. At this stage, it is understood that the PHRAE framework is intended to be a policy-level process that will be undertaken by Ministry officials and is not intended to be vested under any specific legislative or regulatory provision.
It is notable that in 2016 the UN Committee on the Rights of the Child recommended that the New Zealand Government ensure “that the Privacy, Human Rights and Ethics framework governing predictive risk modelling takes into consideration the potentially discriminatory impacts of this practice, is made public and is referenced in all relevant legislation.”
The advent of this approach has coincided with extensive reforms to the legislation governing New Zealand’s child protection and youth justice jurisdictions. The Children, Young Person’s and their Families Act and Young Persons (Oranga Tamariki) Legislation Act has greatly expanded the powers of specified government agencies to share and use personal information held about children and their families, including enabling the creation of combined data sets.86 In doing so, legislation expressly provides for a principle that the well-being and best interests of a child will generally take precedence over any duty of confidentiality owed to the child or young person or a member of the child’s family.
This is an example of primary legislation being used to override the information privacy principles that otherwise would have applied under the Privacy Act in respect of sharing of personal information between agencies.88 Other PRM initiatives, such as one that was directed at identifying young people at risk of long-term benefit dependency,89 have relied upon AISAs.
More generally, New Zealand academics at the University of Otago have commented on the use of PRM tools used by the Accident Compensation Corporation, New Zealand’s government entity responsible for administration of the accidental injury compensation scheme. The academics found that the practice raised a number of fundamental questions that the government ought to be able to address when considering the implementation of PRM.90 These questions include whether:
- The PRM tool is accurate – this requires both transparent evaluation processes and a thorough description of the data set on which it was assessed
- The responsible agency can explain how the PRM tool works so that clients can appeal a decision made by it
- The PRM tool distorts the way the agency pursues its policy objectives
- The PRM tool enables the agency to ‘duck’ its responsibility to make fair and humane decisions
- The PRM tool implicitly discriminates against individuals – evaluative processes should be used to identify whether this is the case
- The responsible agency is effectively training employees in the use of the PRM tool and associated decision-making system
2.6 Citizen Based Analytics
New Zealand is taking a leading and innovative approach to the use of scientific evidence to inform public policy, led by the Office of the Prime Minister’s Chief Science Advisor, Sir Peter Gluckman. In June 2017, the Office released a discussion paper on the benefits and limitations of how the Government can use big data to better inform social policy decisions, an approach described as “social investment” in New Zealand.91 The research was the result of a collaboration with European data statisticians via the European Commission development of the Integrated Data Infrastructure (IDI), a large research database containing microdata about people and households taken from a range of government agencies, Statistics NZ and NGOs.92 Once the data is linked it is anonymised and placed under the custodianship of Statistics NZ. Researchers and analysts can then examine the data to look for trends and relationships between factors.93 The IDI has been subject to privacy impact assessments and is subject to the privacy protocols of Statistics NZ.
Sir Peter Gluckman’s research notes that there are also circumstances where identifiable client level data may be used and therefore appropriate data governance, safeguards, accountability and oversight must be in place to ensure social acceptability and the social license for the use of big data.94 According to the discussion paper, in order to address the multiple uses of data, the Government Statistician, the Privacy Commissioner, the Chief Science Advisor and the Data Futures Partnership are working together to recommend an assurance and governance system for data access and use.
Countervailing privacy risks associated with policies that enable the state access to and use of client level data were addressed by the Privacy Commissioner in a major 2017 inquiry and report on a controversial policy of the previous government to require NGOs to disclose individual client level data to the Ministry of Social Development as a condition of their funding contracts.96 The contracts were linked to MSD’s four service lines – Work and Income, Child, Youth and Family, Family and Community Services, and the Ministry of Youth Development, including services that have a children, young person, family or whanau focus.97 The coercive nature of the policy was of considerable concern to many NGO service providers working in those sectors.
The Privacy Commissioner accordingly utilised his statutory function under s 13 of the Privacy Act to undertake a self-directed inquiry into the policy. The Commissioner concluded that the policy was inconsistent with the Privacy Act.98 He noted, among other things, that while the Government can legitimately require good information from its providers in order to evaluate the efficacy of a funded programme, the proposed policy was “excessive, disproportionate to the Government’s legitimate needs and therefore…inconsistent with the information privacy principles.”99 He also noted that “the manner in which the policy change has been effected risks undermining the trust between individual service users and NGOs” and may accordingly “deter some of the most in need from accessing necessary help.”100 The Privacy Commissioner accordingly recommended that the policy be amended to conform with the IPPs under the Privacy Act. Subsequently, the policy appears to have been discontinued.
2.7 Intelligence and Security Act 2017
In March 2016, a major independent review of the intelligence and security legislation was presented to parliament.102 The review itself was conducted following calls by the Human Rights Commission103 in a report to the Prime Minister and in the wake of the arrest and surveillance of Kim Dotcom by New Zealand intelligence and law enforcement agencies in 2013, an event which highlighted significant deficiencies in New Zealand’s legislative framework. Reflecting the earlier recommendations of the Human Rights Commission, the terms of reference of the review included scrutiny of New Zealand law against international human rights law and standards. It included recommendations to consolidate the legislation into one statute and strengthen oversight and accountability mechanisms, including those regarding access to information from other government agencies, and set out a proposed authorisation framework for intelligence and security activities.
The Government accepted most of the reviewers’ recommendations and in April 2017 the Intelligence and Security Act was enacted, replacing the four separate laws that previously governed this area.104 The strong human rights-based approach adopted in the review is reflected in the new legislation, resulting in human rights considerations being elevated among the purposes of the law and decision making principles.
The purposes of the Act include: “ensuring that the functions of the intelligence and security agencies are performed – in accordance with New Zealand law and human rights obligations recognised by New Zealand law”; and ensuring “that the powers of the intelligence and security agencies are subject to institutional oversight and appropriate safeguards.” This has included enhancing the functions of the principal oversight entity, the Inspector-General of Intelligence and Security and requiring the responsible Minister to issue Ministerial Policy Statements (MPS) which set out policy and practice standards concerning the operational activities of the intelligence and security services.
Another legislative outcome of considerable significance was the amendment to section 57 of the Privacy Act to provide that intelligence and security agencies are subject to most of the Act’s IPPs,106 including the requirement under IPP 4(a) that personal information is collected by lawful means. Prior to the amendment, the agencies were exempt from this requirement, as well as most of the other IPPs.107 This amendment was sought by the Privacy Commissioner and has the effect of significantly strengthening the application of privacy rights and standards to the surveillance and information gathering activities of the intelligence and security agencies.
In March 2016, Sir Michael Cullen and Dame Patsy Reddy presented the First Independent Review of Intelligence and Security to parliament (Cullen/Reddy Report).108 The review focused on the legislative framework governing the Government Communications Security Bureau (GCSB) and NZ Security and Intelligence Service (NZSIS) and their oversight regime. They concluded that there should be a single, integrated and comprehensive Act clearly setting out how and why the agencies are constituted; how their intelligence and security activities are authorised; and their oversight.
2.8 Legislation Advisory Committee Guidelines, the Chief Privacy Officer and the Government Chief Data Steward
Chapter 7 of the Legislation Advisory Committee (LAC) Guidelines on Process and Content of Legislation (LAC Guidelines) directs Government officials as to their legal and ethical obligations regarding privacy and personal information when developing legislation:
The Government should respect privacy interests and ensure that the collection of information about people is done in a transparent manner, where the type and amount of information collected and what is done with that information is clearly explained. Maintaining the community’s trust that government will respect privacy interests is key to the Government’s ability to collect the information it needs to provide many public services.
The LAC Guidelines provide that if proposed legislation affects the privacy of individuals, the Privacy Commissioner and the Government Chief Privacy Officer (GCPO)110 should be consulted. Ministers and their officials are required to advise Cabinet of aspects of Bills that depart from principles in the Guidelines. The Guidelines set out the following five-part set of questions that officials must apply to proposed legislation:
- Is the legislation consistent with the requirements of the Privacy Act 1993 and its 12 Information Privacy Principles? Have you complied with any relevant Code of Practice issued by the Privacy Commissioner?
- Have you consulted the Privacy Commissioner, the Ministry of Justice and the GCPO?
- Does the legislation require a complaints process?
- Have you considered the consequences of non-compliance with the Privacy Act 1993?
The Guidelines also provide that if any policy development involves personal information then a Privacy Impact Assessment (PIA) should be carried out to assess the extent of the impact and how it can be managed in the policy development process. The Office of the Privacy Commissioner has produced guidance on whether a PIA is needed; and on how to complete a PIA. According to the PIA guidance, organisations should check that the legal framework complies with the principles in the Privacy Act; identify privacy risks and how to mitigate them, and produce and then act on a PIA report.
The LAC Guidelines can be seen, in this respect, as establishing a legislative due diligence procedure on privacy. The GCPO is also an integral component of the Government’s internal due diligence processes on privacy. Unlike the Privacy Commissioner, who, as the Privacy Act ‘watchdog’ agency, is an Independent Crown Entity and therefore legally independent of the Government, the GCPO is a government official tasked with developing standards, issuing guidance and providing assurance to Government agencies to help build their privacy and security capabilities.112 The GCPO accordingly has no role in investigating non-compliance with the Privacy Act.
In 2017, the State Services Commissioner designated the Chief Executive of Statistics New Zealand (Stats NZ) as the Government Chief Data Steward. Stats NZ has a key role in supporting government agencies to build their capabilities as regards their use and management of data. This includes the development and implementation of data standards. The principles of transparency, trust and integrity around the use of government data are described by Stats NZ as being “at the heart of this work.”
2.9 Common law
As described earlier in the paper, the common law has long recognised that personal property rights enable “individuals to maintain their right to privacy and their civil liberties in general.”114 The New Zealand Courts have extended these principles to include informational privacy, such as in the Duffield and Moulton cases which regarded the statutory power of police to compulsorily acquire information from arrestees to confirm identity.115 In Moulton, the Court of Appeal held that the statutory power should be confined to recording details necessary to identify the arrestee, and may not be used to compile a personal history or dossier of information on the person’s employment record, schooling, friendships, financial circumstances and the like under pain of legal penalty.
The existence of a tort for breach of privacy in New Zealand law was also inferred by the Court of Appeal in the case of Hosking v Runting.117 In that case, the Court held that the omission in the BORA and the Privacy Act of a free-standing privacy right did not preclude the existence of a common law remedy for breach of privacy.
The Court considered that the legislative intent instead indicated that privacy law would be left for “incremental development” in the absence of a statutory right to privacy.118 The Court also held that New Zealand’s international human rights obligations under the ICCPR provide a basis for the New Zealand common law recognising the tort of breach of privacy.
Part 3: Permissible limitations on the right to privacy
The right to privacy is not absolute. At times governments will need to protect the interests of their citizens and to do so may gather intelligence to assist with the detection, investigation and prosecution of crime, as well as for national security.120 Personal information may also be collected about individuals for research and policy purposes. In such cases limits may be placed on the right to privacy.
Unlike other provisions of the ICCPR, the right to privacy does not explicitly set out what limits are permissible.121 However, authoritative international sources have established principles against which rights-limiting measures can be assessed. These are the principles of legality, necessity and proportionality.122 Any rights-limiting measure that does not accord with these principles is likely to be unlawful or arbitrary and in breach of Article 17 of the ICCPR.
The UNHRC has explained that “unlawful interference” with the right to privacy means that no interference can take place unless it is envisaged by the law.123 This means that States are required to have in place legislation that specifies in detail the precise circumstances in which interferences with the right to privacy may be permitted.124 The law must be publicly accessible, clear and precise,125 and individuals must be put on notice and foresee the application of the law that limits their right to privacy.126
The principle of necessity requires that any interference with the right to privacy must be limited to that which is strictly and demonstrably necessary to achieve a legitimate aim and must be the least intrusive option available.
Any measures that intrude on the right to privacy must be proportionate to the objective. This involves a balancing exercise of the benefit sought to be achieved against the harm that would be caused to the individual’s rights and to other competing interests.
3.4 Principles in New Zealand Law and Policy
New Zealand legislation and policy instruments broadly reflect the principles of legality, necessity and proportionality. For example, the information privacy principles set out in the Privacy Act 1993 provide that personal information shall not be:
- Collected unless for a lawful purpose connected with a function or activity of the collecting agency129 (reflecting the legality principle).
- Collected unless collection of the information is necessary for that lawful purpose130 (reflecting the necessity principle).
- Used or disclosed without consent unless certain prescribed grounds are met e.g. to avoid prejudice to maintenance of the law, to prevent or lessen serious harm131 (reflecting the proportionality principle).
The limiting principles are more explicitly referenced in Ministerial Policy Statements issued under the Intelligence and Security Act 2017[132] by the Ministers Responsible for the GCSB and the NZSIS.133 These will be discussed further below.
Part 4: Adequate safeguards
4.1 Oversight and Authorization
Even if a limitation on the right to privacy is permitted by law, any measures must be subject to procedural and legal safeguards, via a sufficiently independent and robust oversight and authorisation mechanism. This ensures:
- Public trust and confidence in the work of government agencies empowered with privacy-limiting functions, such as intelligence agencies.134
- Information concerning a person’s private life does not fall into the hands of those who are not authorised by law to receive it.135
- Government agencies and their delegates are held accountable for activities that result in arbitrary or unlawful interference with privacy.
Safeguards are accordingly a central requirement in the relevant international frameworks. For example, the OECD has specified that:
Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
The UN General Assembly has called on States:
To establish or maintain existing independent, effective, adequately resourced and impartial judicial, administrative and/or parliamentary domestic oversight mechanisms capable of ensuring transparency, as appropriate, and accountability for State surveillance of communications, their interception and the collection of personal data.
In the intelligence and security sector, adequate authorisation and oversight may occur at three stages of surveillance activities:
- when the activity is ordered,
- while the activity is carried out, or
- after the activity has been terminated.
All three branches of government should be involved in the oversight of surveillance. Mixed models whereby layers of oversight are provided by the administrative (executive), judicial and parliamentary branches of government are considered desirable.
Targeted surveillance, which usually involves traditional methods such as the interception of phone calls, is usually subject to prior judicial or executive authorisation before the measure is carried out and subsequent review of legality by reference to the particular circumstances and the individual whose communications were intercepted.
However, mass surveillance and the collection of metadata are usually subject to much weaker safeguards142 because there is no opportunity for prior authorization (for a brief explanation of metadata see below). Metadata can reveal much information about an individual’s personal life. Therefore, UN experts have recommended strong independent oversight mechanisms should be in place to scrutinise such surveillance.
The importance of independent intelligence oversight in the New Zealand context was highlighted in the report of the First Independent Review of Intelligence and Security in New Zealand:
Independent external oversight is . . . essential to ensure that by working to secure populations against internal and external threats and advance the interests of the nation as a whole, intelligence and security agencies do not undermine democracy or the rights of individuals in the process. As publicly funded agencies, they must also be held accountable for how they use public money. Oversight must ensure the Agencies are operating efficiently and effectively in the interests of the country and in accordance with the values of its citizens.
New Zealand has several intelligence and security oversight mechanisms in place.145 The Inspector General of Intelligence and Security (IGIS) is provided with powers under the Intelligence and Security Act 2017 to inquire into complaints by individuals who claim they have been adversely affected by any act, omission, practice, policy, or procedure of an intelligence and security agency.146 During an inquiry the IGIS may compel the giving of information, take evidence from witnesses in private, summon and examine under oath any person who is able to give information relevant to the inquiry. On the completion of the inquiry, the IGIS must prepare a written report containing his or her conclusions and recommendations which may include recommendations that the agency provide redress including remedies that involve the payment of compensation.147 The report is published publicly and the report or findings cannot be challenged or reviewed or called into question by a court except on the grounds of lack of jurisdiction.
Other intelligence and security oversight mechanisms include the Chief Commissioner of Intelligence Warrants who considers applications (jointly with the Minister) for any warrant that targets a New Zealander and makes application by agencies to access “restricted information” that is subject to strict statutory restrictions. The Intelligence and Security Committee is the parliamentary oversight committee for the intelligence agencies. The Committee’s functions include examining policies of security agencies; considering bills or petitions relating to security agencies, and requesting the Inspector-General to conduct an inquiry into any matter relating to compliance with NZ law, including human rights law and propriety of activities.
Within New Zealand, there has been an oversight group established that includes the IGIS, Privacy Commissioner, Auditor-General and the Chief Ombudsman.149 The NZ Intelligence Community is also subject to oversight of the independent authorities such as the Auditor-General, Privacy Commissioner, Ombudsman and the judiciary. In terms of oversight of the use of personal data in the social sector, as discussed earlier, the Ministry of Social Development is currently developing a Privacy, Human Rights and Ethics Framework. The original intention of the framework is that it would apply to predictive risk modelling initiatives in the social sector (specifically the child protection and social security sectors). However, the framework potentially could be expanded to apply more generally to all information sharing initiatives within the social sector.
States should be transparent about the use and scope of techniques and powers that potentially infringe the right to privacy.150 This includes administrative processes related to the gathering of personal information and data.
David Anderson, the UK’s Independent Reviewer of Terrorism Legislation, helpfully summed up the need for transparency in his review of surveillance legislation in the UK, stating:
The fact that the subject-matter is technical is no excuse for obscurity. It should be possible to set out a series of limited powers, safeguards and review mechanisms with a high degree of clarity and . . . without technical jargon: the place for the latter is in regularly updated Codes of Practice.
The First Independent Review of Intelligence and Security in New Zealand similarly placed greater transparency as a central objective of reform to the intelligence and security sector, providing that one of its key purposes was:
to provide transparency and accountability through its recommendations for a “single, integrated and comprehensive Act of Parliament that lays out in plain English how the agencies are constituted; what their purposes are; how all their intelligence and security activities are authorised; and how they are overseen so as to protect those freedoms and liberties that are part of what we are as a nation.”
It is notable that the Privacy Act 1993 requires procedural transparency and consultation in the development of Approved Information Sharing Agreements (AISAs), as well as publication and public access following the passage of an AISA into law. Transparency requirements also extend to private sector actors. For example, the Special Rapporteur on the right to freedom of expression has recommended that telecommunications companies should be transparent in how they communicate the impact of their activities on human rights externally, including the number of government requests they have received for things such as customer data, and the availability of remedies for persons whose rights have been breached as a result of their activities.
4.3 Purpose Specification
The Special Rapporteur on the right to privacy has affirmed the principle of “purpose specification” as fundamental to ensuring that data collection and use adheres to the right to privacy. He notes:
Put simply, personal data should be collected, used, stored and re-used for a specified legitimate purpose or for a compatible purpose. Once the time required for the data to be stored by that specified purpose runs out then the data should be deleted permanently. Re-using personal data is not part of our privacy or data protection DNA.
Against this context, it is notable that the OHCHR has expressed concern that “personal data ends up in the same ‘bucket’ of data which can be used and re-used for all kinds of known and unknown purposes.”157 In addition, the Special Rapporteur on countering terrorism has noted that many States lack “purpose specification” provisions that restrict information gathered for one purpose from being used for other unrelated governmental objectives, leading to “purpose creep”.158 The Special Rapporteur observed:
This means that data for national security purposes may be shared between intelligence agencies, law enforcement agencies and other State entities, including tax authorities, local councils and licensing bodies. National security and law enforcement agencies are typically excluded from provisions of data protection legislation that limit the sharing of personal data. As a result, it may be difficult for individuals to foresee when and by which State agency they might be subjected to surveillance. This “purpose creep” risks violating article 17 of the Covenant, not only because relevant laws lack foreseeability, but also because surveillance measures that may be necessary and proportionate for one legitimate aim may not be so for the purposes of another.
In New Zealand, the Privacy Act restricts personal information that was obtained in connection with one purpose from being used for another purpose, unless specific criteria are met.160 One of these criteria relates to the activities of New Zealand’s intelligence and security agencies and was introduced by the enactment of the Intelligence and Security Act 2017. It provides that:
An intelligence and security agency that holds personal information that was obtained in connection with one purpose may use the information for any other purpose (a secondary purpose) if the agency believes on reasonable grounds that the use of the information for the secondary purpose is necessary to enable the agency to perform any of its functions.
However, any use of information by those agencies would have to be consistent with the policy principles set down in Ministerial Policy Statements by the Ministers responsible for the GCSB and the NZSIS and accordingly meet legality, necessity and proportionality requirements, minimise impact on third parties and facilitate effective oversight by the oversight entities.
4.4 International Intelligence Sharing and Data Transfers
The OECD Guidelines provide member countries with a framework for managing the flow of data across their borders. The Guidelines require member countries to:
- Take steps to ensure that trans-border flows of personal data are uninterrupted and secure.163
- Restrict the sharing of personal data with other member countries that do not substantially observe the OECD Guidelines or that do not have in place equivalent privacy protections in domestic legislation.164
- Ensure that procedures for trans-border flows of personal data, including those that protect privacy and individual liberties, are simple and compatible with those of other member countries.165
- Establish procedures to facilitate information exchange and mutual assistance in procedural and investigative matters.
The OECD Guidelines are reflected in the Privacy Act 1993. The Act gives the Privacy Commissioner power to prohibit a transfer of personal information from New Zealand to another State by issuing a transfer prohibition notice.167 Such a notice may be issued if the Commissioner is not satisfied that:
- Information has been received in New Zealand from another State and it is likely to be transferred to a third State which does not provide comparable safeguards to the Privacy Act; and
- Transfer would be likely to lead to a contravention of the basic principles of national application set out in part two of the OECD Guidelines.
When considering whether to issue a Notice, the Privacy Commissioner must have regard to whether the proposed transfer of personal information affects, or would be likely to affect, any individual; the desirability of facilitating the free flow of information between New Zealand and other States; and any existing or developing international guidelines relevant to trans-border data flows.
As noted above, the new Privacy Bill strengthens the requirements relating to the disclosure of information to an overseas person. Among the new requirements under privacy principle 11 are that the disclosing agency must not disclose the personal information unless the agency believes on reasonable grounds that the overseas person is required to protect the information in a way that, overall, provides comparable safeguards to those in the Act.
In December 2012, the European Council issued a formal decision recognising that New Zealand law provides an adequate level of data protection for the purposes of EU law.171 This decision means that personal data can flow from the EU member states to New Zealand for processing without other safeguards being necessary.172 The decision does not cover data exchanges in the law enforcement sector. The European Commission has only recognised eleven other countries as providing adequate protection, including Canada and the United States.173 As noted above, New Zealand may no longer meet the EU’s data protection standards in light of the new European data protection regulation that goes into effect in May 2018. This may also be relevant to the current negotiations between the New Zealand Government and the EU for a free trade agreement, which are expected to begin in 2018.
The Intelligence and Security Act 2017 requires that the Minister responsible for intelligence and security agencies issue Ministerial Policy Statements in relation to lawful activities of the Agencies and sets out guiding principles. In particular, the MPS on Cooperation of New Zealand intelligence and security agencies with public overseas authorities adopts a strong human rights approach for the exercise of due diligence when determining whether it is appropriate to engage with a particular overseas public authority and determining whether proposed activities are consistent with the law, particularly with respect to ensuring that the security agencies do not become complicit in human rights abuses. The MPS lists the ICCPR and seven other ratified UN human rights treaties as being among New Zealand’s “core human rights obligations.” The MPS noted that “actions or activities that run contrary to the obligations within those instruments may constitute a human rights breach in the context of this MPS.” The following key principles must be applied by the Agencies when cooperating with overseas public authorities:
- Legality: Cooperation must be conducted in accordance with New Zealand law and all human rights obligations recognised by New Zealand law.174
- Human rights obligations: Agencies must not cooperate with overseas public authorities where they know or assess that there is a real risk that the activity will lead to, or has been obtained as a result of, human rights breaches in that country. This includes a duty of due diligence and applies to requests to share intelligence on a case-by-case basis or within the context of a broader standing authorisation.175
- Necessity: Cooperation with overseas public authorities should only occur for the purposes necessary to support the Agencies to perform their statutory functions.176
- Reasonableness and proportionality: The impact of cooperation with overseas public authorities should be reasonable and proportionate to the purpose for carrying out the cooperation, the benefit gained and the reputational risk to the Agencies and the New Zealand Government. The MPS includes a range of factors in determining reasonableness.177
- Protections for New Zealanders: When cooperating with overseas public authorities, the Agencies must continue to apply the same protections for New Zealand citizens and permanent residents that would normally apply, including adherence to the information privacy principles in the Privacy Act.178
- Information Management: Steps must be taken to ensure that information obtained by the Agencies and subsequently shared with overseas public authorities is managed in accordance with all information management requirements, standards and guidelines that relate to that information in New Zealand.179 The Agencies are also required to specify the protection, storage and use (including the passing on of that information to any third parties) to be adhered to in respect of personal information about New Zealanders that is shared with an overseas public authority.
- Oversight: All cooperation must be carried out in a manner that facilitates effective accountability, transparency and oversight, including the use of clear authorisation procedures, the keeping of appropriate records, maintaining up-to-date internal policies and procedures and guidance for staff, and reporting to the responsible Minister on the nature and outcomes of cooperation with overseas public authorities.
In terms of human rights obligations, security agencies must not cooperate with overseas public authorities where they know or assess that there is a real risk that the activity will lead to, or where information has been obtained as a result of, human rights breaches in that country. This includes a duty of due diligence and applies to requests to share intelligence on a case-by-case basis or within the context of a broader standing authorisation.
Part 5: Remedies