TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Asia Pacific Dashboard Digest | Notes from the Asia-Pacific region, 10 Dec. 2021 Related reading: Notes from the Asia-Pacific region, 3 Dec. 2021


Kia ora koutou.

In a recent editorial for the NZ Herald, our outgoing Privacy Commissioner John Edwards shared his thoughts on what privacy means in the modern age. One observation in particular stood out for me, reflecting the unique bicultural nature of NZ under its founding document, the Treaty of Waitangi (Te Tiriti). Noting the challenge we now face to indigenize the right to privacy, to reflect the culture of our region, which predominantly values the rights of the collective and the communal over the individual, Edwards lamented:

"[We] are beginning to engage in a process of understanding how this law, this human right, this commercial imperative, and this consumer protection might be informed by te ao Māori and engaged to meet the aspirations of tāngata whenua. This is exciting, and it saddens me to leave the role as we embark on this next stage in the evolution of privacy in Aotearoa."

This move to better recognize and accommodate indigenous views of privacy — as a collective rather than individual right — will indeed be a focus for NZ in the coming months and years. In my view, this is an exciting time for privacy professionals and NZ may well lead the way on this important endeavor.

This issue has been playing out in the NZ courts over the past month, in relation to a request from the Whānau Ora Commissioning Agency, which is contracted by the government to provide COVID-19 vaccination services through a network of almost 100 Māori health providers across NZ’s North Island, to the Ministry of Health for health information (name, contact details and vaccination status) about unvaccinated Māori in the North Island. WOCA wanted this information so it could individually target this group and increase vaccination rates. The Ministry had refused the request on the basis that disclosure of the information was not necessary. It considered that the disclosure of anonymized information would be a less privacy-invasive way for WOCA to achieve its goals.

WOCA took judicial review proceedings against the Ministry. In addition to providing some useful precedent on the interpretation of rule 11(2)(d) of the Health Information Privacy Code 2020 (relating to the disclosure of health information where necessary to prevent or lessen a serious threat to public health), the Court provided public sector agencies with clear direction on the relevance of Te Tiriti principles to decisions made under the Privacy Act. The Court agreed WOCA had, in public law terms, a legitimate expectation the Ministry would apply Te Tiriti and its principles in its COVID-19 response, but that it had failed to do so when it made its decision on WOCA’s request for data. Specifically, the Court found that, in exercising its discretion not to disclose the requested information, it did not have adequate regard to Te Tiriti and its principles, as informed by tikanga (Māori customary practices, principles and processes). The Court ordered the Ministry to reconsider its decision, which it did, providing some of the requested information but declining to provide all that had been requested.  

This second refusal led to new judicial review proceedings at the Court of Appeal, the decision on which was released 6 Dec. 2021. Examinations of this decision will no doubt abound in the coming weeks and I have not yet had the time to review it in detail. However, briefly, the Court again found in favor of WOCA, and has held that the Ministry’s exercise of discretion not to disclose information to WOCA was not consistent with the object and policy of rule 11(2)(d) of the Code. Interestingly, in reaching its decision, the Court appeared quite taken by a submission from the privacy commissioner that the Privacy Act is concerned with both protection and use: it is a “how to,” not a “do not do.”

This is my last APAC introduction for 2021. It’s been an immense year, dominated by the bedding in of Privacy Act 2020, major data breaches, new enforcement actions by the privacy commissioner and, of course, the announcement of the commissioner’s departure for the U.K. I doubt 2022 will be any less eventful, and the IAPP will soon release its predictions for 2022, including a short prediction from me on likely developments in NZ next year. 

In the meantime, Meri Kirihimete. Have a wonderful and well deserved break, and I look forward to engaging with you all again in 2022.

Ngā mihi nui


If you want to comment on this post, you need to login.