Office of the Privacy Commissioner | Case 3132147 [2024] NZPrivCmr 1: Access to Police audit log decision to deny upheld by Tribunal
Background
Mr Rendell was convicted for dangerous driving in 2018. He had concerns about the way Police conducted the investigation that led to his conviction and made some requests for information. Eventually, he asked Police to provide him with a list of Police employees who had accessed information about him held in his National Intelligence Application (NIA) file between 2013 and 2020, and the dates and times of their access. These are commonly known as requests for audit or transaction logs or audit trails.
Police refused his request on the basis that releasing the information would be likely to prejudice the maintenance of the law, relying on section s27(c) of the Privacy Act 1993 (now section 53(c) of the Privacy Act 2020). Following engagement with our complaint process, Mr Rendell applied to the Human Rights Review Tribunal, asking for an order that Police release this information to him.
Principle 6 and maintenance of the law
Principle 6 provides that an individual is entitled to request access to personal information about them held by an agency. However, an agency may refuse access for the reasons set out in sections 49-53 of the Act.
Section 53(c) of the Act allows an agency to refuse to provide information if disclosure of it would prejudice a public sector agency’s ability to maintain the law, including the prevention, investigation and detection of offences.
OPC‘s approach
The assessment on whether disclosure of audit log information would prejudice an agency’s ability to maintain the law must be done on a case-by-case basis. In reviewing an agency’s decision, we take into account factors such as the specific circumstances of the individual concerned, the agency’s role, the information that is held and any relevant wider circumstances to determine whether the agency has a proper basis for its decision to apply this ground.
In some cases (such as those set out in our Case note 208123), we have reached the view that Police have a proper basis for the decision to withhold this information. In other complaints before our Office, we have reached the view that audit log information ought to be released, as it does not appear to us in the circumstances that disclosure to the requestor would prejudice the maintenance of the law.
The Tribunal’s decision in this case
Police argued that disclosing NIA access logs to an individual could prejudice the maintenance of the law as the logs indicated when, where and who within the Police had cause to be interested in an individual’s movements or behaviour, including where that interest did not lead to any Police interaction. This would risk an individual becoming aware of times that their offending had been detected or investigated by Police, or conversely, had not.
The Tribunal noted in its decision that a case-by-case assessment of the merits is required; an agency may not simply create a blanket rule to withhold information in a particular set of circumstances. Police have the onus of proving the exception to the Tribunal, by showing that the release of the information would be likely to prejudice the maintenance of the law.
The Tribunal conducted part of its hearing in a closed court room open only to counsel for the Police and relevant witnesses. This allowed it to review the evidence and receive submissions without prejudicing the interests the exception is designed to protect.
Having considered that material, the Tribunal agreed that in this case, a real and substantial risk of prejudice to the maintenance of the law was demonstrated as releasing this information would mean the individual would become aware of the times their offending has not been detected or investigated. Releasing this information to Mr Rendell would prejudice Police’s ability to prevent, investigate or detect future offending. As such, the Tribunal considered that Police were entitled to refuse Mr Rendell’s request for this information from the NIA transaction logs under section 27(c) of the Privacy Act 1993 (now section 53(c) of the Privacy Act 2020).
Conclusion
We are pleased that the Tribunal has continued to acknowledge that a case-by-case assessment of the merits of withholding information is required. This requires a principled application by the agency that holds the audit log, taking into account the specific circumstances of the requestor.