REVIEW OF THE PRIVACY ACT 1993

DISCUSSION PAPER No.8

LAW ENFORCEMENT INFORMATION AND RELATED ISSUES

The Privacy Commissioner is reviewing the operation of the Privacy Act 1993 as he is required to do under section 26 of the Act. The Commissioner will consider whether any amendments to the Act are necessary or desirable and will report his findings to the Minister of Justice.

This paper is one in a series which will cover the entire scope of the Act and highlight some issues so far identified. To find out which other discussion papers have been released, and to obtain copies of them contact the Commissioner's office. Copies of the discussion papers are also available through the Commissioner's web site.

The Privacy Commissioner welcomes comments on this paper and seeks responses to any specific questions raised. Submissions should be made in writing and be forwarded to the Commissioner's office by post or email no later than 31 August 1997 20 October 1997 (deadline extended).

The Commissioner will hold a series of consultation meetings in the main centres and some regional cities during November. If you would like to be invited to a consultation meeting please indicate this with your written submission.

Contact details for consultation

Privacy Act Review 1997

Office of the Privacy Commissioner

P O Box 10-094

Wellington

fax: 04-474-7595 privacy hotline: 0800-803-909 email: privacy@actrix.gen.nz

For general enquiries about the review please speak to the enquiries officers at the freephone number. If you have a more detailed enquiry concerning your submission or the review please speak to the Codes and Legislation officer at 04-474-7597.

Background information on the Privacy Act is availabe on the Internet at:

http://www.knowledge-basket.co.nz/privacy/welcome.htm

ISBN 0-478-10363-8


INTRODUCTION

This discussion paper concerns law enforcement information and related issues. The Act deals with law enforcement issues in a number of different ways. For example, "information matching" can be seen as a law enforcement issue, as it is used to detect and deter benefit fraud.

Various other sections are relevant to law enforcement, such as the exceptions to the principles for "the maintenance of the law", and similar grounds for withholding of information on an access request. The paper will also cover Part XI of the Act.

This paper is not a comprehensive consideration of all the Privacy Act issues bearing upon law enforcement information. For example, there will be another discussion paper covering information matching. However, individuals wishing to make submissions are invited to comment on the matters raised in this paper, and also to make submissions on other related issues which might not be fully covered in this paper.


PART XI OF THE ACT

What is law enforcement information?

An answer to this question might be "information used by law enforcement agencies like the police in discharging their functions". However, this would be wider than the way the term is used in Part XI of the Act. Section 110 defines "law enforcement information" for the purposes of Part XI to refer only to the information referred to in the Fifth Schedule. The Fifth Schedule lists certain information held by the Department for Courts, Police, Land Transport Safety Authority, Ministry of Transport and Department of Corrections.

To understand why this seemingly very narrow interpretation is given to the term, it is necessary to look at the history of ss.110 -114 and the Fifth Schedule.

In the mid 1960s various parts of government recognised the benefits of having a large computer system which could be used by different agencies. Plans to develop the Wanganui Computer Centre and allow agencies to have routine access to certain bits of information held by other agencies caused public concern. To allay this the government passed the Wanganui Computer Centre Act 1976 ("WCC Act") to regulate its use. Under the WCC Act the types of information that any one agency was permitted to have access to were described in detail. Other agencies had to be authorised under the Act to have access to that specified information. The descriptions of the information were linked to the way in which the computer worked with specified bits of information on particular 'subsystems' of the computer.

One shortcoming for privacy protection of the WCC Act was that there were restrictions on the sharing of information where the Wanganui Computer was used but not if an official used another computer or shared paper copies of information.

The agencies which used the Wanganui computer, the types of information held, and the agencies allowed access to the information, were all written down in a schedule to the Act. That schedule was inserted into the Privacy Act as the Fifth Schedule. Sections 110 -114, carried the procedure that had been in the WCC Act, for changing the schedules, into the Privacy Act.

Of course, computers have changed a lot in the last 20 years as has law enforcement. It may be that a rethink of the approach of Part XI and the Fifth Schedule may now be warranted.

Q.1 Should Part XI of the Act and the Fifth Schedule continue as they are?

If the Fifth Schedule is seen as the means by which routine computerised information sharing by law enforcement agencies is allowed for law enforcement purposes, it may be sensible to list all such sharing arrangements and prohibit routine sharing not explicitly provided for.

It may not be practicable to write down all the circumstances in which a customs officer could tell a police officer something or when an immigration officer could give a document to a customs officer. The information privacy principles seem to provide for this adequately. However, to keep with the original rationale of the Schedule it could perhaps record all computerised access in circumstances where the agency holding the information does not have to separately consider whether to grant access to the accessing agency as a prerequisite to the accessing agency seeing the information. This essentially covers the grant of "on-line" access rights by one law enforcement agency to another.

This might provide greater transparency in the information practices of all law enforcement agencies. The schedule might then reflect the practical realities of law enforcement in the technologically sophisticated 1990s rather than continuing to reflect a more limited (although updated) view of how things seemed in the 1970s.

Q.2 Should an attempt be made to cover all on-line linkages between all government agencies with law enforcement functions and not just those which were involved in Wanganui?

A schedule broadened in this way might be perceived as sanctioning a great many more intrusions to people's privacy - however, at least the authorisation would be granted openly and be subject to scrutiny in a general sense. Care would need to be taken to ensure that law enforcement agencies were not prevented from carrying out particular functions through the change.

Q.3 Would the operation of the Act be enhanced through repeal of Part XI and the Fifth Schedule?

If Part XI were to be repealed law enforcement agencies would need to ensure that each on-line instance of collection or disclosure of "law enforcement information" complied with information privacy principles 2 and 11. This would mean that if someone made a complaint that a police officer had improperly looked up the complainant's criminal conviction history from Department for Courts computers, both the Police and the Department for Courts would need to be able to show one of the exceptions to the principles applied (for example, that the access to the particular record was necessary in the circumstances to avoid a prejudice to the maintenance of the law).

One advantage of this approach might be that each agency would be more directly accountable for its information practices. One disadvantage might be that the justifications might be artificial in practical terms, and lead to a widening of the exceptions under the Act.

Amendment of the Fifth Schedule

Currently the Fifth Schedule may be amended only by further Act of Parliament. During the Act's first 4 years of operation the Schedule was able to be amended by Order-in-Council.

If an amendment Act is required to amend the Schedule, the public gets the chance to make submissions on whether they think a change is justified. The change will be scrutinised by a select committee and Parliament gets to decide. The downside for the agencies concerned is that it can take a long time to have a law passed and involve a great deal of officials' time and some parliamentary time.

Part XI could be changed so that the Fifth Schedule could be amended by regulation - as was the position from mid 1993 - mid 1997. There is no public scrutiny of regulation making but it is more efficient in the sense that it does not require Parliamentary time. The Privacy Commissioner can be consulted in the process. It can be cheaper and faster than using statutory amendment to meet technological advances and operational needs.

Other options for enabling amendment of the Schedule could be considered such as removing the entire Schedule into regulations or by allowing changes on the direction of a Minister by notice in the Gazette.

Q.4 Should the process for amending the Fifth Schedule be changed? How?

At the moment some local authorities are allowed Fifth Schedule access to the drivers licence and motor vehicles registers. There was a special procedure for authorising local authorities to access these registers under the WCC Act, and this has been carried into s.112 of the Privacy Act.

Only five local authorities have such access - obtained under the WCC Act. Many more either get by without the information, or obtain access in ways that may not be covered by the schedule (such as simply searching the motor vehicle register in the same way as the public, at New Zealand Post or other outlet).

Q.5 Is there a continuing need to include local authorities in the Fifth Schedule?

CRIMINAL CONVICTIONS, POLICE CLEARANCE CERTIFICATES, POLICE VETTING

One of the features of the Wanganui Computer Centre Act was a section prohibiting anyone from requiring a person to produce a printout from the computer showing criminal convictions (or their absence). It was not an offence to ask anyone (for example a job applicant) if that person had any criminal convictions or to require them to make a statutory declaration that they had none. It was an offence to make anyone prove it by getting a copy of their printout from the computer.

This prohibition was not carried over into the Privacy Act. It may have been thought that the general protections in the new Act were sufficient.

It has become more common since the repeal of the WCC Act for a range of different organisations to require individuals to obtain and furnish printouts showing their convictions. These printouts come from the Department for Courts. Such requirements "piggy back" on the access rights granted to individuals under principle 6 - the organisations have no rights to obtain the information themselves. Job applicants may feel unable to resist such a request, whether or not they have any convictions.

Q.6 Should the prohibition on requiring individuals to obtain criminal conviction histories be reinstated?

There are several reasons why the present situation may be unsatisfactory. An employer may have a legitimate reason for requiring proof that a person has not got any convictions for a particular offence. For example, a bank may have a genuine wish to be sure that a person they wish to hire to handle cash has not been convicted of an offence of dishonesty.

The only way the bank can get that official record would be to require the applicant to obtain a printout from the Department for Courts and give it to the bank. This would show all convictions entered in respect of that person and not simply the ones the bank is interested in. That may have an adverse effect on the privacy of an applicant.

Another problem is that the printouts may be easy to fake.

Some organisations already get conviction information because of statutory obligations to check people's "good character". Examples include the Teacher Registration Board and Land Transport Safety Authority. An alternative that has been suggested is the introduction of a "Police clearance certificate" of the type available in some countries whereby a prospective employer or other person, with the consent of the subject, could ask the police or courts for a certificate specifying whether the individual has relevant convictions. Another option may be for the police to be authorised to "vet" particular people, with the person's consent. There are anomalies in the range of organisations for which the Police currently carry out vetting with organisations with similar functions and needs are treated differently.

Q.7 If the prohibition on making people supply their printouts were to be reinstated how could organisations with a legitimate need to verify criminal convictions obtain that information? Is the Privacy Act an appropriate vehicle to tackle this issue?

A related issue is whether there should be a "spent convictions" regime, whereby minor convictions are no longer recorded after a certain period or their use in employment or certain other contexts is prohibited. A spent convictions regime is administered by the Commonwealth Privacy Commissioner in Australia.

Q.8 Would a spent convictions regime be an appropriate response to the privacy issues surrounding conviction information?

These are information privacy issues. The Privacy Act already deals with them in a general way. For example, an employer that makes an employee furnish a list of criminal convictions might be found to be in breach of information privacy principle 1 or 4. Use of old or irrelevant conviction records for taking an action against the employee might breach privacy principle 8.

"MAINTENANCE OF THE LAW" EXCEPTIONS TO THE INFORMATION PRIVACY PRINCIPLES

It is an exception to information privacy principles 2, 3, 10 and 11 where the agency collecting or holding the information believes on reasonable grounds that non-compliance is necessary:

"To avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences."

The words "public sector agency" are included in the exception to ensure that only agencies with a proper function connected with the maintenance of the law would be able to act in reliance on the section. For instance there was concern that if the exception was not limited in this way that private investigators might rely on the exception to justify their actions.

Q.9 Have the words "by any public sector agency" caused any difficulties in operation? Should the phrase be dropped or amended?

The exception in information privacy principle 11

Any (public sector) agency which has reasonable grounds to believe non-compliance with principles 2,3 or 10 is necessary to avoid a prejudice to the maintenance of the law may proceed under the exception. Principle 11 states:

"An agency that holds personal information shall not disclose the information to a person or body or agency unless the agency believes, on reasonable grounds,--

(e) That non-compliance is necessary-

(i) To avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences"

There are two situations in which the exception is supposed to apply. First, to allow law enforcement agencies themselves to disclose information to avoid a prejudice to the maintenance of the law. The Police might rely on this exception when seeking public assistance to locate a suspect (for example by releasing a photograph to the media). The second is where an agency holding information wants a law enforcement agency to prevent, investigate or prosecute an offence. For example, if a bank has been robbed, it needs to disclose relevant information to the Police. A taxi driver who made a drop to the bank might be asked to disclose information about his customer to the Police.

The same exception must therefore apply to the Police, the bank, and the taxi driver. How does the taxi driver know whether disclosure of the information is necessary to avoid a prejudice to the maintenance of the law? Would it be clearer to have different exceptions applying to law enforcement agency than apply to other agencies? For example, one exception might apply to an agency that believed on reasonable grounds

that disclosure to a public sector agency was necessary to assist the public sector agency to discharge its functions in relation to an offence. The second exception might permit law enforcement agencies to disclose information for their purposes in relation to the maintenance of the law.

Q10. Should the maintenance of the law exception in principle 11 be redrafted?

LAW ENFORCEMENT REASONS FOR WITHHOLDING INFORMATION

Section 27(1)(c)(i) allows an agency to refuse to disclose any information requested pursuant to principle 6 if the disclosure of the information would be likely to prejudice the maintenance of the law, including the prevention, investigation, and detection of offences, and the right to a fair trial.

This section was based on an earlier provision in the Official Information Act. It differs from the "maintenance of the law" exceptions of principles 2, 3, 10 and 11 in that it does not have the "public sector agency" qualification mentioned above. Also the exceptions to the principles do not refer to the "right to a fair trial" example.

Access requests to public sector law enforcement agencies are able to be contested in the court, unlike alleged breaches of the other principles. This may be the reason that the deviation developed. Parliament might have wished not to reduce existing rights by expanding the scope of a reason for refusing information.

The fact that s.27(1)(c) does not contain the "public sector agency" qualification might suggest that private investigators and other private sector agencies are entitled to rely on the section in withholding information. This does not appear to be the intention.

Accordingly, should the "public sector agency" qualification be added? Or would the opposite approach be more desirable, so that information held by agencies which cooperate with the Police can more clearly be withheld? For instance, if "informant" information is protected in the hands of the Police perhaps it should also be protected in the hands of a private sector agency. Take the example of the bank robbery above, if the defendant asks the Police for the identities of the people who had given them information, the Police may be able to refuse the request on the basis that it came from an informant and that making such information available might prejudice the maintenance of the law. If the same defendant asked the bank for the information, it might not have the same reason under the Act to refuse the request, even though its interest in withholding the information might be similar.

Q11. Should the ground in s.27(1)(c)(i) allowing withholding information for prejudice to the maintenance of the law be aligned with the exception to the principles?

MISCELLANEOUS LAW ENFORCEMENT ISSUES

Section 31

For some years there has been discussion of creating a criminal discovery procedure, that is, a formal means for defence and prosecution counsel to exchange information about a criminal case. In the absence of a statutory discovery procedure the Courts may make decisions under the Privacy Act and Official Information Act.

Once a criminal discovery procedure is enacted, section 31 may be brought into effect. Section 31 would allow the police to refuse a request for information relating to an offence where the person concerned has already be convicted for that offence. The section comes from the Official Information Act. It is waiting to be enacted by an Order in Council, as it was when it was in the Official Information Act.

Q12. Would the enactment of a criminal discovery process enhance the operation of the Privacy Act? If a criminal discovery regime is not enacted should s.31 be repealed?

Neither confirm nor deny

Section 32 allows an agency to respond to a request for access to information by neither confirming or denying whether or not information actually exists.

The section applies where to acknowledge that information exists would cause a prejudice to the maintenance of the law, personal safety, security or defence, or one of the other listed reasons for withholding information. The section is used sparingly by most agencies (with the exception of intelligence and security agencies like the Security Intelligence Service).

Section 32 is an exceptional inroad into the normal right of access.

Q.13 Has the power to "neither confirm nor deny" that information is held worked adequately? Should it be revisited or be narrowed in any way?


The Privacy Commissioner may include in his final report a list of submissions received. He may also refer to submissions in the text of his report. If you want your submission treated confidentially, or do not want it used in this way, please indicate this clearly. The Commissioner is subject to the Official Information Act. Copies of submissions may therefore be released on request. Any request for the withholding of information on the grounds of confidentiality or for any other reason will be determined in accordance with that Act and section 116 of the Privacy Act.