A man requested his personal information from the New Zealand Security Intelligence Service (“the Service”) and the Government Communications Security Bureau (“the Bureau”). He asked for “any file and/or any information that is held in regards to myself by the New Zealand Security Intelligence Service and/or the GCSB.”
The Service and the Bureau, in their separate responses, said they could neither confirm nor deny the existence or non-existence of information about him. The Service and the Bureau said that to do so would likely prejudice the interests protected by section 27(1)(a) of the Privacy Act 1993 (“the Act”), specifically, the security or defence of New Zealand.
Complaint to OPC
In his complaint to us, the man explained that he was dissatisfied with the Service and the Bureau responses. As a result of the agencies’ responses, he made a request of each agency under the Official Information Act:
"in terms of the number of requests such as mine that the NZSIS [GCSB] receives, I would like to know what percentage of such file requests receive the response that I received from you [section 32 response]".
He provided us with a copy of the replies to those requests. The Bureau replied that in the two years prior to receiving his request, from October 2014 to October 2016, the Bureau had responded to 88% of all requests under the Act with a section 32 response.
The Service replied that it did not keep statistics on the number of section 32 responses, but had recently analysed information over a six month period. The result of that analysis showed that a “neither confirm nor deny” response was provided by the Service in 50% of Privacy Act responses.
The complaints raised issues under principle 6 of the Privacy Act. We notified both the Service and the Bureau about the complaints and asked each agency to provide comments to us.
Principle 6 and section 32
Principle 6 provides, in general, that where any agency holds personal information in such a way that it can be readily retrieved, the individual concerned is entitled to obtain confirmation that the agency holds the information and to have access to that information.
Principle 6 is subject to section 32 of the Act. This section allows the Service and the Bureau to neither confirm nor deny the existence or non-existence of information about the person. Because of security considerations, the Service and the Bureau cannot be as open with individuals about the personal information they hold or don’t hold about them, compared to other public sector agencies. Due to the sensitive nature of their work, responding to principle 6 requests and revealing what is known or not known about a person can have national security implications. Individuals could share principle 6 responses with each other to draw inferences about what the Service or the Bureau is or is not aware of. A requester may in fact present no security risk, however section 32 allows the Service and the Bureau to take a cautious approach to revealing whether or not it holds the personal information requested.
To rely on section 32, an agency has to be satisfied that disclosure of the existence or non-existence of information in response to a request would prejudice an important interest such as national security or international relations (or one of the other interests as set out in sections 27 and 28).
Privacy Commissioner’s investigation
Investigating a complaint about access to personal information has two components. First, we establish if an agency has responded to the request in accordance with its obligations under Part 5 of the Privacy Act (that is, regarding timeliness, assistance, charging, urgency, and transfer). Secondly, we assess the agency’s reasons for the response it has provided
In this case, the Service advised that, when responding to principle 6 requests, it discloses information unless there is good reason to refuse to do so, or to give a notice neither confirming nor denying the existence or non-existence of the information. Ultimately, the Service advised, the decision about what, if any, information is provided will be determined on a case by case basis.
The Bureau advised that it had reasons for giving notice neither confirming nor denying the existence or non-existence of information. The Bureau also confirmed to the Privacy Commissioner that each information request is considered on a case by case basis before deciding whether it must rely on section 32.
Outcome of the investigation
In this case, we accepted that both the Service and the Bureau did have reasons to neither confirm nor deny the existence or non-existence of the information and that section 32 had been correctly applied in the circumstances. We were satisfied that the Service and the Bureau had responded to the request within 20 working days, meeting their responsibilities for timeliness. We concluded, therefore, that the complainant had not suffered an interference with his privacy.
The complainant was not happy with this outcome, but agreed with our suggestion to prepare a case note to highlight the results of his Official Information Act requests, the issues for complainants with section 32 responses and resources for assistance.
The takeaway for complainants – where section 32 is upheld
A complainant should not necessarily draw a negative conclusion if the Privacy Commissioner considers a “neither confirm nor deny” response to avoid prejudice to security or defence is not an interference with privacy. This finding does not confirm that any information about the complainant is, or is not, held by the Service or Bureau. Nor does it confirm that the complainant is considered to present a security risk. It simply confirms that, in our view, section 32 has been correctly applied in the circumstances and that we agree with its application.
It can be unsettling for people to receive a “neither confirm not deny” response to an access request. However, in cases such as these where we have not upheld the complaint and the information sought has not been provided, a complainant can take some comfort from the fact the decisions of the Service and the Bureau have been independently reviewed by the Privacy Commissioner and found not to be contrary to the Privacy Act.
Points of guidance – making principle 6 requests to the NZSIS and the GCSB
The Privacy Commissioner’s investigations of other complaints about reliance on section 32 by the Service and the Bureau indicate that, in some instances, the personal circumstances of the requester can be relevant in assessing the response.
For example, in general a requester is entitled to ask for and receive any personal information held by an agency, without having to disclose why the information is being requested. However, an information request to the Service or the Bureau will involve an additional assessment of security implications of the response. Giving context information for the request may, in specific cases, allow the Service or Bureau to provide a factual response, rather than relying on section 32 to neither confirm nor deny whether information exists.
Requesters should consider providing an explanation for their request or an overview of their personal circumstances that might provide further context. Another option is to limit the information request to a particular time period, place or event, rather than making a general information request
Government Communications Security Bureau – New Zealand Security Intelligence Service – access to personal information – section 32 – neither confirm nor deny the existence of information -– Privacy Act 1993; principle 6