Westpac New Zealand involved in data breach involving journalist
October 27, 2015 |
Banks and other financial institutions are generally quite good at securing documentation and complying with privacy regulations. Banking confidentiality obligations in equity long preceded data protection laws. Confidentiality is also a cornerstone of a relationship between customers and the institution. When there is a breach it is usually a crisis of some degree or other for the bank. As Westpac’s experience in handing over data without a court order is demonstrating in New Zealand the reputational damage can be disastrous.
The New Zealand press has become animated about Westpac possibly breaching New Zealand data protection laws and the privacy of a New Zealand journalist, Nicky Hager. The genesis of the breach was detectives asking Westpac for banking details as part of their investigation into a hacking investigation without a court order. The detectives also asked for telephone and travel records but were rebuffed because they did not have a court order. The story is reported in Cops got Hager data without court order. This report was followed quickly by Radio New Zealand’s report Westpac released Hager’s data to police. Which was followed by somber and censorious opinion pieces such as Private data deserves greater respect than Westpac showed Nicky Hager and earnest reporting of Hager’s demands for answers in Westpac, please explain! Nicky Hager wants answers after private information given to cops. Hager in following the adage that attack is the best form of defence strategy in considering issuing proceedings against Westpac with Hager explores options over Westpac privacy breach with a press release providing:
Privacy breach by Westpac
News release on behalf of Nicky Hager concerning privacy breach by Westpac
Several people, including news media, have been seeking comment from Nicky Hager and his legal team about the revelation on the weekend that Westpac Bank gave the Police his private banking information (including over 10 months of his banking transactions from all of his accounts).
It is difficult for Mr Hager to comment at this time. The part of his claim that deals with the legality of these Police information requests was deferred during the first hearing and has not yet been argued. However, Mr Hager is keen to clarify the position and answer the public’s questions as much as he is able.
Until this weekend, Mr Hager only knew about the privacy breach by Westpac through court discovery. Documents provided through discovery are not allowed to be used for any other purpose until they are relied on in open Court. Since this part of Mr Hager’s case has not yet been argued, he has not been able to make use of his knowledge of this breach, not even to raise the matter with Westpac or the Privacy Commissioner.
Mr Hager had also requested documents from the Police under the Official Information Act and the Privacy Act. Had he been provided with documents under those Acts he would have been able to use them to take this matter further. However, the Police have not been willing to provide the documents under those Acts. Indeed, the Police have refused even to acknowledge the existence of correspondence with Westpac under those Acts. This is despite Mr Hager expressly asking the Police to list all of the documents they were wholly withholding under those Acts.
Mr Hager has complained to the Privacy Commission and the Office of the Ombudsman about the Police failure to respond fully to his requests for documents. Representatives of both of those organisations have met with Mr Hager’s lawyers and have been liaising with Police over these complaints.
Now that the fact of this breach of privacy has been made public, Mr Hager intends to seek a full and frank disclosure of the extent of the breach from Westpac. He looks forward to receiving Westpac’s response to that request and will be considering his options to take this matter further.
Mr Hager is very concerned by this breach. His case before the High Court includes a claim against the Police under the Bill of Rights Act for seeking and obtaining that information without a production order. He fully intends to explore all options open to him now that he is free to do so.
In the circumstances, neither Mr Hager nor his lawyers are able to give interviews on this topic at this time. However, it is hoped that we will be free to do so in the future.
This is prompted Westpac putting out what may be best described as the opening apology, of sorts, relating to the breach as reported in Westpac modifies policy after Nicky Hager seeks disclosure over data release.
For a fuller factual background the New Zealand Herald article provides:
Detectives investigating the Dirty Politics hacker Rawshark sought the banking, telephone and travel records of author and journalist Nicky Hager without any search order or other legal power.
Court records show Westpac – the government’s banker for 26 years – handed over “almost 10 months of transactions from Mr Hager’s three accounts” at the request of detectives investigating the hacking of Whale Oil blogger Cameron Slater’s email and social media accounts.
Other companies that were asked for Hager’s private details told police to come back with a court order, which would have legally obliged them to surrender the information.
The details are revealed in documents obtained from the High Court by the Scoop news site, which intends to publish the full material today.
The documents come from Hager’s legal challenge to a police search warrant, which was executed on his Wellington home in early October last year. The High Court has yet to return a judgment on the case.
Hager’s legal teams used police documents to detail how detectives sought information on him in late September last year – just after the election – from 16 “bank contacts”, Air NZ, Jetstar, Spark, Trade Me and Vodafone. The request to Air NZ also sought information about anyone Hager might have been travelling with, the documents show.
Detectives told the companies they needed the information for an inquiry into “suspected criminal offending, namely fraud, dishonest access of a computer system”, telling the bank the information would help avoid “prejudice to the maintenance of the law through the detection of serious offending”.
The Privacy Act allows those holding personal information to waive the law if there are “reasonable grounds” to believe it would assist “maintenance of the law”. There is no sign in the High Court documents of Westpac – or any of the agencies – being supplied with additional information that might assist with the “reasonable grounds” test.
The documents do show the other companies rejected the request without a legal order. Hager’s lawyers said: “Police did not seek production orders for any of this information.”
Westpac sent detectives transaction details from December 2013 until September last year, with other personal details.
The police decision to seek detailed information without a legal order appears contrary to the position stated by Assistant Commissioner Malcolm Burgess to the Weekend Herald last March.
He said there were “controls around how information is both requested and provided … While the Privacy Act provisions can be used to access low-level information, such as basic account details, higher-level data must be obtained through a production order,” he said.
The court documents show Detective Inspector Dave Lynch testified that the banking inquiry was intended to track Hager’s travel movements and to see if there was a financial link to Rawshark. It was also to see if “he was generating income from the proceeds of the book that could be considered for proceeds of crime action”, suggesting the book’s income could be sought for seizure.
Hager’s lawyers told the court there were no reasonable grounds for police to seek information without a legal order and questioned whether such an order would have been granted were it applied for.
Lawyers for the police told the High Court the requests were simply the act of asking for information. They said just because police quoted the Privacy Act exception “did not mean the agency was obliged in any way to provide it”.
Westpac defended its decision to supply information, saying it followed internal policy in assisting with investigations into serious crimes. It did not supply a copy of the policy despite being asked to do so.
The issue – highlighted in Herald reports – moved the Privacy Commissioner to launch a “transparency project” to see how often law enforcement agencies used the exception.
Media Freedom Committee chairwoman Joanna Norris, editor of the Press in Christchurch, said the work done by journalists was a “safeguard of an open and transparent society”.
“I am concerned information of this type was released as a result of this request. The work of journalists should be protected – and the individual rights of any New Zealanders should be protected.”
Labour’s police spokeswoman, Jacinda Ardern, said it was concerning Westpac provided the information but it was “incredibly concerning” police had sought it.
Police Minister Michael Woodhouse refused to comment. A police spokesman said the agency was “bound by the provisions of the Privacy Act” and was working with the Privacy Commissioner on the transparency reporting project.
• David Fisher gave evidence as an “expert witness” in the Hager v Police case under High Court rules that require an “overriding duty to assist the court impartially on relevant matters”.
[…] Westpac New Zealand involved in data breach involving journalist […]