Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

Website logo 275x60

Print | Email this page

Case 324205 [2023] NZPrivCmr 3: Photo of woman kept in public view at organisation

Background – Data retention and disclosure of identifying information.

An agency kept a photo of a woman on the wall in its reception for several years. The photo wasn’t displayed in the main, publicly accessible, reception desk or waiting area. However, because of where it was in relation to a doorway, and a window behind the reception desk, the photo would have been potentially visible to a member of the public from certain positions in the public reception area, depending on where they were standing. The photo had been pinned to a low partition wall of the sort that typically separates workstations in an open-plan office. When our investigator asked the agency why it had a photo of the complainant on the wall, they were unable to give a reason, but they noted that the complainant did have dealings with the organisation. The agency said the photo had been up there for several years, and no current staff could remember exactly why the photo was was there, nor why it had been there for so long.

The principles applying to this case:

This case raised issues under principles 5, 10 and 11 of the Privacy Act, which set out the obligations for agencies in security, use, and disclosure of personal information. While this was not an area accessible to the public, the photograph was brought to the attention of the complainant by a member of the public who was able to identify her and notified her of its existence.

OPC Investigation:

OPC’s investigation found that it was no longer clear why the agency was using this photograph. The original purpose as to why the photograph was collected, the basis on which it was disclosing this photograph, or what steps, if any, the organisation took to keep the complainant’s personal information safe or secure from unauthorised disclosure were unsatisfactory and we found that the organisation were not meeting their obligations in the following ways:
Principle 5 states that an agency must ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse, or disclosure of personal information. In this case, the agency failed to ensure the photograph of the woman was secure from public view.
Principle 10 states that an agency can generally only use personal information for the purpose for which it was collected, and there are limits on using personal information for different purposes. In this case, the agency could not explain the purpose for the photograph, or the reason it was displayed on the wall. 
Principle 11 says an agency should not disclose personal information unless it can rely on exception for doing so. The reason for displaying the photograph had long since been forgotten, yet it was kept up for several years.

The agency accepted it had not met its obligations under the Privacy Act in this case. OPC also investigated how this had affected the complainant. In order for an action to be an interference with privacy, a breach of a privacy principle must have also caused harm to the individual to meet the threshold in section 69.

In this case the woman explained that finding out about the photograph from a third party led to significant humiliation and injury to her feelings. She said the fact of the photograph being visible in the reception area was open to the interpretation that she was a criminal or significant risk to the public. She said she suffered from social anxiety as a result and that she was afraid to go out and interact with other agencies.
The agency took the photograph down and offered the woman an apology. The woman was not satisfied with the apology and explained she wanted financial compensation.

The agency was not prepared to offer financial compensation to the woman, so we closed our file, for the woman to pursue her concerns in the Human Rights Review Tribunal.

Summary:

In recent times agencies have put their focus under principles 5 and 11 on electronic systems- making sure that emails go to the correct place and that there are proper access controls in place for employees. However, this case is a reminder that the privacy principles apply to information in the physical environment too. Agencies must have up to date information disposal, information safeguarding, and information retention policies for all the personal information they hold, electronic and physical.

In this situation, the agency removed the photograph from their reception area, and we asked the agency to put processes in place to prevent this sort of thing from happening again. The agency acknowledged that this photograph should not have been kept where it was, and the fact that this was potentially visible, and would have been seen by visitors, was wrong. That said, there was no malicious intent behind it.

Commentary

Agencies need to be cautious of complacency. Having a complacent approach to privacy, especially the privacy of the people who come to them for help, is not a defence for breaching the Privacy Act and we encourage organisations to make sure their information retention policies are adhered to.
Read more about information retention and storage best practice.

 

Back to top