NZ Herald | 25 March 2015
Officers obtaining personal data from range of organisations by citing clauses in legislation
Broad swathes of people’s personal data are being sought regularly by police from airlines, banks, electricity companies, internet providers and phone companies without search warrants by officers citing clauses in the Privacy Act.
Senior lawyers and the Privacy Commissioner have told the Herald of concerns over the practice which sees the companies voluntarily give the information to police.
Instead of seeking a legal order, police have asked companies to hand over the information to assist with the “maintenance of the law”, threatened them with prosecution if they tell the person about whom they are interested and accept data with no record keeping to show how often requests are made.
The request from police carries no legal force at all yet is regularly complied with.
Production orders and search warrants, by contrast, carry a legal compulsion after being approved by a judge or senior court official.
The practice has emerged in recent cases cited by a number of lawyers and has seen a district court judge question the legal right of police to access a defendant’s electricity records without a legal order because of the “increasingly intrusive nature of the information gathered by power companies”.
Privacy Commissioner John Edwards said he was undertaking research to see if his office should become a central register recording the number of such requests. He said he intended to lead discussion with holders of information over how they could publicly declare the number of requests received.
“I have been concerned for some time there is not full transparency and accounting over the various means (those holding information) agencies are engaging with law enforcement agencies.”
He said a range of law enforcement bodies were citing clauses in the Privacy Act to get people’s personal details. Clauses in Principle 11 of the act allowed personal information to be provided if it was for “the maintenance of the law”, “protection of the public revenue”, to “prevent or lessen a serious threat” to inviduals and similar clauses.
But the broad intent of Principle 11 was to protect information, he said. “It is not a power to obtain information for the police.”
Mr Edwards said the ability to access information quickly was understandable when time was a critical factor.
He said there was value in a public declaration by companies and others supplying information to police under the clauses. “It may well impose a greater discipline.” It would mean people could “see how their information is flowing between different types of entities”.
Police assistant commissioner Malcolm Burgess said “there are controls around how information is both requested and provided”.
But he said there was no information held by police to show how often information was requested in this way because “there is currently no business requirement to do so”.
“While the Privacy Act provisions can be used to access low level information, such as basic account details, higher level data must be obtained through a production order.”
Jonathan Eaton QC provided to the Herald with an excerpt from a recent district court case in which the judge questioned whether a company surrendering a customer’s electricity information without a legal order was “authorised”.
The judge said: “Indeed, giving the increasingly intrusive nature of the information gathered by power companies, one must question whether this is material which out to be handed over without the authority of a production order.”
Mr Eaton said the issue had yet to be properly tested in court and prosecutors were in danger of having evidence tossed out if it was judged to have been obtained by improper process.
He said there was also a burden of transparency on companies which held personal information. “There’s a very reasonable argument they have an obligation to inform their customers.”
Criminal Bar Association president Tony Bouchier said he had a client whose phone and bank records had been provided to police with “absolutely no record whatsoever that any warrants had been issued”.
He said those providing information to police had an “obligation” to tell their customers they had done so.
Barrister Chris Wilkinson-Smith said a client’s personal information had been provided by an airline to police under a Principle 11 clause, showing booking details, immediate and future travel plans and personal information used to make the booking.
The information was revealed by the airline – which he did not name – after police said it would help with “maintenance of the law”. In this case, the person was the target of police inquiries into drug distribution.
He said he had also had cases where TradeMe provided information without any sign of legal orders.
He said police often sought search warrants to obtain information, which meant there was independent oversight.
“The danger for police is, if they don’t go through the search warrant process, there could be the criticism they have taken a short cut.”
Under the law the obligation to guard customers information lies with the company that holds it.
Vodafone and Air NZ were approached for information about the way they handled warrantless requests by police under the Privacy Act. Both companies said they acted in according to the law but refused further information.
A spokesman for Vodafone said questions about how often it provided information to police should be directed to police. “Where disclosure is made in response to authorities’ lawful demands, our responsibility to respect our customers’ right to privacy is being balanced against wider public interest considerations.”
The company’s “transparency report” is silent on providing information under the Privacy Act clauses even though it details search warrants and ther invasive powers available to New Zealand’s intelligence agencies.
In contrast, Spark detailed the process and type of information it made available. A spokesman said concerns about the safety of people would result in call or text metadata for the last week, IP address traces, location data of where calls were made and the name and address of the account holder.
For “maintenance of the law” requests, it would tell police if the numbers were active in the last seven days and trace listed numbers to the account holder.
A spokesman said it did not keep data on the number of requests made or complied with.
TradeMe was the sole holder of information identified by the Herald to publicly declare the number of Principle 11 clause requests it received. Police made warrantless requests for information on 1663 occasions ending June 2014 while other government agencies made 641 requests.