You know what?
The Privacy Act doesn't protect you as much as you thought it did.
For a whole bunch of reasons.
First, it is subservient to other laws.
Second, people who collect your personal information get to write their own rules; third, in some cases it offers less protection of personal information than what was the case before it came along.
Banking is one of those areas. Here's an interesting article reporting on the practice of banks routinely handing over personal information to the police without a warrant [it also involves Kim Dotcom and the allegation that "Kiwibank appeared to use a police request as a sign of impending trouble for the tycoon, rejecting a loan application".]
How do they do that?
Well, the part of the Privacy Act that says agencies are not allowed to disclose personal information says "unless they believe on reasonable grounds that the disclosure is necessary for the maintenance of the law".
But do not fear! All this means is that when you complain to the Privacy Commissioner about a bank disclosing your personal information to the police, the bank can put its hand on its heart (*choke*) and say "I believed on reasonable grounds that there was an exception to information privacy principle 11, and therefore we are not liable", and the Privacy Commissioner might go away.
The bank's problem, however, does not.
I had a case like this a few years ago, when a bank let one of its staff take transaction information of one of its customers into a judicial hearing about a dispute between the employee and the customer.
The bank took advice and maintained that its actions were not a breach of the Privacy Act because the disclosure was "necessary for the conduct of proceedings", which is yet another exception to the "do not disclose" rule.
I told the bank I didn't care about that, because we weren't going to take a Privacy Act complaint, we were going to sue them for breach of confidence.
The relationship between a banker and a customer has been known to the common law as being of a strictly confidential nature for centuries. Nothing in the Privacy Act affects that duty of confidence, or the right of a customer to sue where that duty is breached.
Of course, a customer couldn't sue for breach of confidence if the bank was complying with a court order, like, I dunno, a warrant, so banks that decide just to co-operate on the say-so of the police without some proper judicial oversight are taking a real chance.
I don't think banks should necessarily force the police to get a warrant where the police are desperately trying to locate a missing person and need to know whether the account has been active during the period of absence.
But banks really do need to be a little more cautious than the NZ Herald article and Privacy Commissioner imply they are being.
Oh, by the way, my client in the case I mentioned above got a very handsome settlement for the disclosure that was not a breach of the Privacy Act.
John Edwards is a Wellington barrister, information law specialist and former adviser to the Office of the Prime Minister and Cabinet. He blogs at www.johnedwards.co.nz