Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.
We respect your Do Not Track preference.
A recent decision by the Human Rights Review Tribunal (HRRT) illustrates how other legislation can interact with and override the Privacy Act.
When a man imported a 1982 Lancia Montecarlo car, he became unhappy about the repair work and certification necessary for it to be registered for use on New Zealand roads.
The man had requested advice and repair from an NZTA accredited repair certifier at a car repair company. After the car had been repaired and was certified as compliant by VTNZ, the man noticed a crack in the car’s chassis. He then complained to NZTA about the repairer. After an investigation, NZTA advised it would not be taking any further action on his complaint.
Disputes Tribunal
The man then filed a claim against NZTA and VTNZ with the Disputes Tribunal. The claim was also made against the car repairer and the repair company. In response, VTNZ used the Official Information Act (OIA) to request any information about previous complaints involving the man. NZTA responded to this request by providing a copy of a complaint the man had made in 2005 which also resulted in a Disputes Tribunal claim.
The circumstances of the 2005 claim had similarities to his recent claim. At that time, the Disputes Tribunal dismissed the man’s claim. This led NZTA to email the Disputes Tribunal, attaching the Tribunal’s 2005 decision and requesting that his second claim be dismissed for the same reasons. As required by the Dispute Tribunal’s procedures, NZTA’s correspondence to the Tribunal was copied to the man, VTNZ and other respondents.
The man then withdrew his claim against NZTA and was unsuccessful in his claim against VTNZ and the other parties. However, he requested under the OIA copies of emails between VTNZ and NZTA. He wanted to find out who had accessed his personal information and he subsequently complained to the Privacy Commissioner.
The Privacy Commissioner’s investigation found no breaches of principles 5, 8, 10 and 11 of the Privacy Act.
The man took his case to the HRRT claiming NZTA interfered with his privacy and seeking damages and compensation for expenses.
NZTA disputed there had been any interference with the man’s privacy under principles 5, 8, 10 and 11 of the Privacy Act and claimed immunity under the OIA and Disputes Tribunal Act.
Section 48 of the Official Information Act
NZTA said it was immune from HRRT proceedings in relation to its disclosure of the 2005 claim to VTNZ because of section 48 of the OIA.
Section 48 of the OIA says there can be no proceedings, civil or criminal, against a Crown agency which in good faith makes information available in accordance with the OIA.
The man claimed he was the victim of cronyism between NZTA and VTNZ and he had been racially discriminated against.
The HRRT found there was insufficient evidence to prove there was any cronyism, collusion, racism, or other form of bad faith in the NZTA’s OIA response. It decided the information was provided in good faith and the OIA immunity applied.
Section 58 of the Disputes Tribunal Act
Section 58(2) of the Disputes Tribunal Act confers the privileges and immunities available in judicial proceedings on all parties to Disputes Tribunal proceedings. This protects parties from civil actions relating to their conduct in Disputes Tribunal proceedings, including claims under the Privacy Act.
The HRRT agreed with NZTA’s argument that its Disputes Tribunal email to the parties with the 2005 decision attached was covered by the section 58 immunity provision.
NZTA also presented an alternative argument that, even if section 58 did not provide immunity, the disclosure was permitted by principal 11 of the Privacy Act because that disclosure was necessary for the conduct of proceedings before any court or tribunal.
The HRRT agreed that the disclosure was permitted by principle 11 as NZTA believed that it was necessary to send the information, the information was relevant to the Disputes Tribunal proceeding, and NZTA had considered whether it was necessary to send the decision to defend themselves against the claim.
Principle 5 of the Privacy Act
The man also claimed NZTA had breached principle 5. In response to his access request, he had been told that his 2005 complaint file had been accessed once but the access records showed it had been accessed more than once.
Principle 5 requires an organisation to maintain reasonable security safeguards over personal information.
NZTA clarified the man’s information was indeed accessed twice – once for the OIA request and once when the man himself requested a copy of it. The agency had told the man the information had been accessed once because it assumed his query did not include his own access to the information.
NZTA also provided significant detail to the Tribunal on the storage system it used, explaining how the audit system on its records database worked. The Tribunal was satisfied the system was robust and had clear audit trails.
Conclusion
The HRRT struck out the man’s claims against NZTA under principles 8,10 and 11 of the Privacy Act for providing his complaint file to VTNZ. It decided NZTA had acted on the VTNZ request in good faith. Section 48 of the OIA therefore prohibited this aspect of the man’s claim being pursued.
The HRRT struck out the man’s claims under principle 11 and 8 for the disclosure in the Disputes Tribunal because NZTA had immunity arising from its actions in such proceedings under section 58 of the Disputes Tribunal Act.
It said even without the immunity afforded by section 58 of the Disputes Tribunal Act, the email to the Disputes Tribunal and the other respondents did not breach principle 11 of the Privacy Act.
The HRRT found there was no breach of principle 5.
It noted that all the man’s claims against NZTA had been unsuccessful and made no orders in his favour.
Postscript
In addressing the issues raised by the case, the HRRT mentioned the transitional provisions of the Privacy Act 2020 which took effect on 1 December 2020.
It noted that the transitional provisions provide that HRRT proceedings must be continued and completed under the 2020 Act, but that does not alter the relevant legal rights and obligations in force at the time the actions subject to this claim were taken.
Accordingly, all references in this decision are to the 1993 Act. This aligns with our Office’s approach to the transitional provisions.
Image credit: Lancia Montecarlo via carfromuk.com
Back