The High Court judgment released (1 November) in Te Pou Matakana Limited v Attorney-General  NZHC 2942 is an important reminder that privacy shouldn’t be a blocker to the release of personal information, and that a more nuanced assessment is required of the circumstances in which information is requested before a decision is made whether or not to release. Indeed, privacy law establishes a framework which can and does facilitate the sharing of information – provided that such sharing is for proper purposes, and is undertaken in a way that preserves the status of information as taonga.
Te Pou Matakana Limited (operating as ‘Whānau Ora Commissioning Agency’, or ‘WOCA’) applied to the Court to judicially review a decision by the Ministry of Health to refuse to provide WOCA with relevant details of Māori who were unvaccinated against COVID-19. WOCA has a network of 96 Whānau Ora partner providers across Te Ika-a-Māui/the North Island, and has designed its service delivery model to overcome barriers Māori traditionally face in accessing healthcare.
The Ministry of Health had refused to provide WOCA with COVID-19 vaccination and booking status data regarding individual Māori within WOCA’s rohe (or ‘territory’) who had not previously been provided services by one of WOCA’s Whānau Ora partners. Rather, the Ministry of Health had decided that in respect of such individuals, it would only provide WOCA with ‘anonymised (to street level) mapping representations that show areas with unvaccinated communities’. In reaching that decision, the Ministry had formed a view that it could not disclose the more granular information requested, on the basis that it was prevented from doing so by Rule 11(2)(d) of the Health Information Privacy Code 2020 (‘HIPC’).
The practical ramifications for WOCA are not insignificant: rather than having direct access to the information needed to deliver a targeted vaccination campaign, WOCA would be reduced to door-knocking at random to seek out the ‘anonymised unvaccinated’ within each of the statistical areas.
Error of (privacy) law
From a privacy perspective, the most interesting aspect of the judgment is the assessment of the decision of the Ministry to refuse to disclose the information requested on the basis of Rule 11(2)(d) of the HIPC. That rule establishes a basis for an agency to disclose personal information if the agency believes, on reasonable grounds, that:
- It is not desirable or practicable to obtain authorisation for the disclosure from the individual concerned,
- There is a serious threat to public health or public safety, or the life or health of the individual concerned or another individual,
- Disclosure of the information is necessary to prevent or lessen that threat.
The second and third limb (but not the first) also form part of the ‘standard’ information privacy principle 11(f) under the Privacy Act, which governs the disclosure of personal information (that is not health information to which the HIPC applies) in the same circumstances.
Both WOCA and the Ministry of Health accepted that:
- It was neither desirable nor practicable to obtain individual consent to the disclosure of the information to WOCA,
- COVID-19 presents a ‘serious threat’ to public health and/or the health of the individuals concerned.
The issue in dispute was therefore whether disclosure of the information sought was ‘necessary’ to prevent or lessen that threat.
What constitutes ‘necessary’
WOCA argued that, in the context, ‘necessary’ means only ‘needed or requested’ – although it must be more than merely ‘desirable or expedient’ to make the disclosure, the threshold is not one of ‘indispensable or essential’. The Privacy Commissioner, intervening, endorsed that interpretation.
In response, the Ministry argued that not only was disclosure not ‘necessary’ (and therefore, not permissible under the HIPC), but that even if it was, nothing in the HIPC imposed a duty on the Ministry to disclose that information.
The Court’s assessment was that, in short, the Ministry’s decision that disclosure was not ‘necessary’ didn’t stack up. Having identified the existence of a serious threat to public health and/or the health of the individuals concerned, the proposed response of the Ministry to provide information in the ‘least-privacy invasive’ way failed to recognise that to most effectively prevent or lessen the threat posed, a more robust and targeted response by WOCA was warranted. While the Court acknowledged the Privacy Commissioner’s submission that a ‘least-privacy invasive’ test might be relevant if a decision were being made between two equally effective alternatives, that was not the situation before the Ministry.
Other grounds for decision
Having identified that the Ministry would have had grounds for making the disclosure sought by WOCA in accordance with the HIPC, the Court then turned to whether or not the Ministry made its decision in a manner consistent with the requirements of consistency and legitimate expectations imposed on the Ministry in its capacity as decision maker susceptible to judicial review.
In short, a decision to release (or not):
- Must be based on a correct interpretation of the law
- Must not be inconsistent with previous decisions made in the same context
- Must align with the legitimate expectations of the subject of the decision (including, where relevant, expectations that the decision maker will have regard to Te Tiriti and its principles in making the decision).
The Court ordered the Ministry to urgently retake the decision ‘in accordance with the law and having regard to the findings in [the] judgment’: a strongly persuasive direction to the Ministry to consider reaching a different decision to the one it reached initially.
What else does this mean from a privacy perspective?
The notion of ‘privacy’ is often used as a first line of defence when responding to requests for personal information where the agency holding that information (for whatever reason) is reluctant to make that information available. Often, that agency may have a valid reason for believing that the information is best withheld. However, where the agency is a government agency whose decisions are amenable to judicial review, the agency must closely consider whether the release of the information is justifiable from a privacy perspective. If so, the agency must also consider whether its decision to withhold that information is one that is warranted in the circumstances, taking into account the agency’s responsibilities as a decision maker. Government agencies should take note – while in many cases, they are the trusted kaitiaki of personal information regarding New Zealanders, with this duty of kaitiakitanga comes a responsibility to also ensure that the information is used appropriately, for the greater good.
For private agencies whose decisions are not subject to the scrutiny of judicial review, the situation is less complicated. However, the judgment serves as a reminder that privacy needn’t be a blocker to the sharing of information – especially where such sharing is undertaken in a reasoned and justifiable manner, consistent with the purposes for which the information was obtained, or in a way that aligns with the limited (but important) exceptions that facilitate information sharing for the public good.
While privacy law does not necessarily compel the disclosure of information, it does establish a framework which, in the right circumstances, encourages it. Any agency, when faced with an opportunity to share information, for the right purposes, would be well-placed to look into whether and in what circumstances that information can be shared – rather than searching for excuses as to why it shouldn’t.