Source: Privacy Commissioner
Background
A woman applied to her local council for a necessary resource consent for her property. As part of this process, there were several emails between the woman and the Council containing her personal information, including the fact she was on a disability benefit. The Council uploaded all the email correspondence alongside her resource consent application to its website.
The woman discovered her information was online and had been accessed by another person, who used that information to complain about her in court proceedings. The woman complained to our Office about the collection and disclosure of her personal information.
The principles applying to this case
This complaint raised issues under principles 3 and 11 of the Privacy Act. Principle 3 requires agencies to be open about the collection of personal information, telling people at the time of collection why it is being collected and how it will be used. Principle 11 prevents agencies from disclosing personal information unless one of the exceptions applies.
Also relevant is section 24 of the Act. This section says that where another law allows or prevents personal information from being used or disclosed in a particular way, this will override any obligations under the Privacy Act to the extent they conflict.
OPC’s investigation
OPC’s investigation found the Council had breached principles 3 and 11 of the Privacy Act.
The Council said section 35(5)(g) of the Resource Management Act (RMA) required it to publish information relating to resource consent applications. It also said the application form advised that the information “on the form” will be stored on a public register, and that details about consents that have been applied for and issued by Council would be made available to the public.
We did not consider the notice on the resource consent application was sufficient to inform the public that all email correspondence above and beyond the application itself would be published, and we therefore found the Council had breached principle 3. In any case, the application was submitted by the woman’s agent three months after the Council had published the email correspondence online, meaning the notice could not reasonably apply to information collected outside of the application.
Also, while there was an override in the RMA for the Council to publish the application itself, along with the associated evidence documents, we did not consider the override extended to the email correspondence with sensitive details. The Council was not able to rely on any of the exceptions in principle 11 for the publication of the email correspondence.
We issued our preliminary view to the Council and asked it what steps it would be willing to take to resolve this matter.
The Council apologised to the woman. It agreed to remove all the irrelevant email correspondence from its website, and to redact any unnecessary personal information in the information which needed to remain online, including the woman’s contact details. The woman advised she was seeking financial compensation for the harm she had experienced. OPC used shuttle negotiation to reach a financial settlement between the parties.
The Council also agreed to review its processes and update its privacy statement around the publication of resource consent applications, so future applicants would be aware of the public nature of these documents.
Commentary
Where agencies are relying on statutory overrides to publish information online, we caution them to carefully understand the scope of what is required by that Act. In this case, the Council had published sensitive personal information online without considering whether the RMA actually required this. If the use or disclosure of personal information is not covered by the other legislation, an agency must then comply with its obligations under the Privacy Act.
Agencies must also meet their obligations under principle 3, even where an override may be operating. Being transparent about what information is going to be made publicly available means that individuals can choose what information they want to provide, and can choose, for example, to use an agent to submit the application so their personal contact details would not be public. This autonomy is crucial to allowing individuals to retain control of their personal information.