Under current law, there is little to stop the NZSIS accessing any public or private sector database with the consent of the agency concerned, and allowing the SIS to have access is never a breach of the Privacy Act. Cullen and Reddy described this as “open slather”. It also lacks transparency.
Part 5 of the Bill provides for the intelligence and security agencies to have routine direct access tospecified databases, but this access will be governed by “direct access agreements” entered into between the minister responsible for the agency with the database, and the minister responsible for the intelligence and security agency. In preparing those agreements, the ministers have to consult with the Privacy Commissioner, and the Inspector General of Intelligence and Security, and must have regard to our comments. We will be looking for proportionate access, good record keeping and audit, and sound policies around the retention of the data accessed.
Those agreements will be publicly available. That represents a significant improvement on the status quo in relation to those databases.
That is a significant change.
for the last 23 years, the intelligence and security agencies haven’t even had to worry about complying with the information privacy principles everyone else has to comply with (except for 6 and 7 which provide for your access and correction rights, and 12 which is about unique identifiers).
Neither the Law Commission in its review of the Privacy Act in 2011, nor the Cullen/Reddy review recommended changing that position. However, my office continued to advocate for the agencies to be subject to a greater range of privacy principles.
As a result, the government has agreed that the intelligence and security agencies should be exempt only from principles 2, 3 and 4(b). I’ll be taking that up with the Select Committee, but the Bill as introduced represents a significant advance. Principles will have exceptions to allow the agencies to carry out their statutory functions, and I want to look at whether those are sufficiently clear to ensure the application of the privacy principles will be meaningful. I’d like to have seen a link to a more clearly defined imperative to protect national security, but we’ll keep working on it, and see if we can come up with something workable for the committee to consider.
The fact that the agencies will be subject to nine of the 12 privacy principles means that my office will play a greater role in the oversight of the agencies, and concerned individuals will have a right to make complaints about a wider range of activities. I’ll work out with the Inspector-General which cases it will make more sense to transfer to her, but again, that represents an improvement on the status quo.
Worth remembering this as the Greens and Peter Dunne denounce the bill.
The Inspector General has been very active in examining the practices and procedures of the GCSB and NZSIS. Of course she is there to ensure they are complying with the law, but she has increasingly pointed out risks and practices that could be improved, even when they are not unlawful.
Take security vetting for example. The SIS holds very personal and intimate details about thousands of New Zealanders who needed to undergo vetting as a condition of their employment. She has reported on her concerns that vetting information could be used by the Service for unrelated purposes. I share that concern.
The Bill proposes that that information be subjected to protections even more stringent than the Privacy Act, so that is another improvement on the what we have at the moment.
Also sounds good.