The spotlight is on data protection, both on a national and international level. This follows the proposed reform to the Privacy Act 1993 (Act), which is working its way through the Parliamentary process, and the implementation of the European Union’s General Data Protection Regulation. In a space where increasing sanctions are forecast, we now have a decision from the Human Rights Review Tribunal (HRRT) awarding $90,000 in damages for breaches of the Act. This shows the momentum that our privacy rights are gaining in our institutions.

In the decision of Dotcom v Crown Law Office,[1] the HRRT found that the Crown had interfered with Kim Dotcom’s privacy in declining 52 near identical requests to various Ministers and government departments for all personal information held about him. The decision provides useful guidance on when it is permissible for an agency to transfer a request for personal information made under the Act to another agency and when an agency may refuse to disclose personal information on the basis that the request is frivolous or vexatious, or the information requested is trivial.

What are the key facts?

In July 2015, Mr Dotcom made 52 information privacy requests under section 34 of the Act to all 28 Ministers and nearly every government department (Government Departments) requesting all personal information held about him. The requests sought urgency on the basis that the information was required for “pending legal action”. The pending legal action included Mr Dotcom’s extradition eligibility hearing in the District Court then due to commence on 21 September 2015.

Nearly all of the Government Departments transferred their requests to the office of the Attorney-General under section 39 of the Act.

On 5 August 2015, the Solicitor-General provided a response on behalf of the Attorney-General in which Mr Dotcom’s requests were denied on the basis that they were vexatious and included information which was trivial under section 29(1)(j) of the Act. The Solicitor-General also advised that there were insufficient reasons provided for urgency.

The primary issue before the HRRT was whether Mr Dotcom had established that there had been an interference with his privacy, particularly:

• whether the transfer of the requests to the Attorney-General was permitted under section 39 of the Act; and
• whether there was a proper basis for declining Mr Dotcom’s requests under section 29(1)(j) of the Act.

Ultimately, for the reasons set out below, the HRRT found that there was no proper basis for declining Mr Dotcom’s requests and that there had accordingly been an interference with his privacy. Mr Dotcom was awarded damages of $90,000: $30,000 for the loss of the benefit Mr Dotcom might reasonably have been expected to obtain but for the interference with his privacy and $60,000 for loss of dignity and injury to feelings.

Read the decision.

Was the transfer of the requests to the Attorney-General permitted?

Section 39(b)(ii) of the Act authorises an agency to transfer a request for personal information to another agency if it believes that the information requested is more closely connected with the functions or activities of that agency.

In arguing that the transfer to the office of the Attorney-General was appropriate, the Crown relied on the link between the request and the ongoing litigation with the Crown. In particular, it argued that the information requested was more closely connected with the functions of the Attorney-General because the requests were not genuine, but rather a litigation tactic and a fishing expedition, and required a coordinated and consistent response. By that time, Crown Law had been leading the Crown’s litigation against Mr Dotcom for more than three years.

The HRRT found that the transfers took place in the absence of a properly grounded belief that the information requested was more closely connected with the functions or activities of the Attorney-General. It held that the phrase “more closely connected” under section 39(b)(ii) must be given proper weight and that it is the personal information to which the request relates which must be believed to have that closer connection with the functions or activities of the proposed transferee agency. In other words, the proposed transferee ought to have had some prior engagement or dealing with the information sought.

In the present case, the transfers to the Attorney-General were found to be in his capacity as a Law Officer representing the Crown in litigation against Mr Dotcom. It was a mechanism to assist the Crown’s legal advisors to better manage the Crown response to the requests in the context of the litigation. The HRRT concluded, therefore, that there was an insufficient connection between the activities of the Attorney-General and the information sought.

Was there a proper basis for declining the requests?

Section 29(1)(j) of the Act allows an agency to refuse to disclose information if “the request is frivolous or vexatious, or the information requested is trivial”.

The heart of the Crown’s rationale for declining the requests was its view that Mr Dotcom’s requests were not genuine and were instead intended for the improper purpose of disrupting the extradition hearing and were therefore vexatious. The Crown relied on the broad scope of the request (which sought all personal information held by the Government Departments and Ministers about Mr Dotcom) that made compliance difficult or impossible, the request for urgency and the fact that, as a result of its breadth, it would include information that was trivial.

In considering the meaning of “vexatious”, the HRRT said that whether a request is vexatious “is a judgment which can only be reached after an overall objective assessment has been made of the entire context in which the request has been made”.[2] There must be an element of impropriety with the request. It emphasised that agencies must exercise caution in declining access on the grounds that a request is frivolous or vexatious as agencies are not aware of the personal circumstances of the requester or aware of the use to which the information is to be put. Under the Act, a requester is not required to justify a request for access to personal information (although reasons must be given for urgency if it is sought).

The HRRT concluded that on the facts known at the time, there was no reasonably justifiable basis for the Crown to decline the requests. Declining the request for urgency did not justify declining the requests themselves on the grounds of vexatiousness. While Mr Dotcom’s requests were broad in scope, the HRRT observed that such broad requests were not uncommon. It noted that, in most circumstances, it is not possible for Privacy Act requests to specify exactly which information is sought and attempts by the requester to list categories of information potentially held by the agency are both unnecessary and unhelpful. Importantly, the “frivolous or vexatious” ground cannot be used to decline an access request when what is really being asserted by the agency is that the information cannot be readily retrieved.

What does this mean for you?

This decision is a timely reminder that on receipt of a request for personal information, an objective assessment of the entire context in which the request is made is required before determining whether a request is vexatious, frivolous or trivial. A requester is not required to give reasons for a request. Further, the relevance of the requested information to the requester is not a reason to deny providing the information sought.

It is also important for agencies to keep in mind that a blanket request for ‘all personal information’ is permissible under the Act and requires the agency to provide all information which is readily retrievable unless there is a proper basis for withholding it under the Act. A blanket request for all personal information is not a proper basis for categorising a request as vexatious.

Footnotes

[1] [2018] NZHRRT 7.

[2] At [149].