14.10As we noted in the Issues Paper, the role of the Privacy Act needs to be clear in relation to requests for information. In the Issues Paper, we raised three options for guarding privacy interests in relation to MACMA requests:
(a) the information-holder agency ought to bear responsibility for considering privacy risks;
(b) the Central Authority ought to bear responsibility for considering privacy risks; or
(c) the public benefit in providing assistance in criminal matters outweighs privacy interests.
14.11Ultimately, we have decided that the Central Authority should play the primary role in guarding privacy interests. As we wrote in the Issues Paper, the advantage of making privacy considerations primarily the responsibility of the Central Authority is that:
… the Central Authority already has to consider a number of factors in deciding whether to accede to a MACMA request. It seems both inappropriate and inefficient to separate out consideration of the privacy of personal information.
14.12Under our scheme, the Privacy Act 1993 would still apply to information-holder agencies. However, our Bill explicitly provides that the “maintenance of the law” exception in Privacy Principle 11 applies to requests made by the Central Authority on behalf of a foreign country. Privacy Principle 11 provides:
An agency that holds personal information shall not disclose the information to a person or body or agency unless the agency believes, on reasonable grounds,—
(a) that non-compliance is necessary—
(i) to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences; …
14.13Although this leaves the information-holder agency with some discretion to refuse to disclose, practically we expect responsibility will fall on the Central Authority to consider whether personal information released to it under this exception should be disclosed to the foreign country.
14.14In view of this, we have included a new ground on which assistance may be refused in clause 23, if “providing the assistance would unreasonably interfere with the privacy of an individual”. We have also provided a requirement that the Central Authority must develop and maintain guidelines, in consultation with the Privacy Commissioner, in relation to exercising the privacy ground for refusal. We think this provides an efficient way to deal with privacy issues, while still providing the degree of protection of personal information New Zealanders would expect.
Recommendation
- R35 The Central Authority ought to be made primarily responsible for guarding privacy interests in relation to mutual assistance requests.