Privacy you can bank on

Barrister and information law specialist John Edwards


You know what? 

The Privacy Act doesn't protect you as much as you thought it did.

For a whole bunch of reasons. 

First, it is subservient to other laws.

Second, people who collect your personal information get to write their own rules; third, in some cases it offers less protection of personal information than what was the case before it came along.

Banking is one of those areas. Here's an interesting article reporting on the practice of banks routinely handing over personal information to the police without a warrant (it also involves Kim Dotcom and the allegation that "Kiwibank appeared to use a police request as a sign of impending trouble for the tycoon, rejecting a loan application").

How do they do that? 

Well, the part of the Privacy Act that says agencies are not allowed to disclose personal information says "unless they believe on reasonable grounds that the disclosure is necessary for the maintenance of the law".

But do not fear! All this means is that when you complain to the Privacy Commissioner about a bank disclosing your personal information to the police, the bank can put its hand on its heart (*choke*) and say "I believed on reasonable grounds that there was an exception to information privacy principle 11, and therefore we are not liable", and the Privacy Commissioner might go away.

The bank's problem, however, does not. 

I had a case like this a few years ago, when a bank let one of its staff take transaction information of one of its customers into a judicial hearing about a dispute between the employee and the customer. 

The bank took advice and maintained that its actions were not a breach of the Privacy Act because the disclosure was "necessary for the conduct of proceedings", which is yet another exception to the "do not disclose" rule.

I told the bank I didn't care about that, because we weren't going to take a Privacy Act complaint, we were going to sue them for breach of confidence.

The relationship between a banker and a customer has been known to the common law as being of a strictly confidential nature for centuries. Nothing in the Privacy Act affects that duty of confidence, or the right of a customer to sue where that duty is breached.

Of course, a customer couldn't sue for breach of confidence if the bank was complying with a court order, like, I dunno, a warrant, so banks that decide just to co-operate on the say-so of the police without some proper judicial oversight are taking a real chance.

I don't think banks should necessarily force the police to get a warrant where the police are desperately trying to locate a missing person and need to know whether the account has been active during the period of absence.

But banks really do need to be a little more cautious than the NZ Herald article and Privacy Commissioner imply they are being.

Oh, by the way, my client in the case I mentioned above got a very handsome settlement for the disclosure that was not a breach of the Privacy Act.

John Edwards is a Wellington barrister, information law specialist and former adviser to the Office of the Prime Minister and Cabinet. He blogs at


6 Comments & Questions


Very Interesting. Common law built and tested over centuries I find comforting and thank you for sharing your experience.

  • 0
  • 0

Precisely. I was going to write a post about this unjustifiable breach of Mr Dotcom's rights as a customer and contacted Mr Dotcom about it in October, but Mr Dotcom replied that he wasn't interested in highlighting the issue or seeking any remedies at this time.

The issue is not about whether a handsome settlement would result, the issue is that it's illegal and practically reduces the little financial privacy we have to the level of a sick joke.

An extract from my message to Mr Dotcom back in October:
'Your banking privacy was violated by NZ Police / Ofcanz, and your banks illegally disclosed your banking information to them. The article is incorrect about the Privacy Act letting your banks off the hook.

There are two bad guys in this: Ofcanz (the most out of control NZ govt agency in your case), and your banks (who have their own common law duty of secrecy to their customers, which is independent from and additional to and more serious than their duties under the Privacy Act 1993).

I'm not sure what you may be able to do about Ofcanz getting your banks to violate their legal obligations to you, maybe their action is illegal and you could make some trouble for them for being involved in violating your banking secrecy rights, or maybe not -- ask your lawyers.

But your banks are not entitled to disclose your banking information to the police unless both the Privacy Act, and the common law on bank secrecy allow it. The Privacy Act does not give you any serious rights to privacy in the sense of protection from non-consensual disclosure (so many vague exceptions, and little consequences for them if a breach is demonstrated), but the common law duty of secrecy lists only 4 qualifications:
  1. where disclosure is under compulsion of law
  2. where there is a duty to the public to disclose
  3. where the interests of the bank require disclosure
  4. where disclosure is made by the express or implied consent of the customer.

Qualification 1 does not apply unless the disclosure is compelled, i.e. the bank is legally required to disclose. Since there was no statutory requirement to disclose, nor was there a warrant requiring the disclosure, the banks cannot rely on this. This ought to be their primary defence for this situation, but they cocked it up by disclosing too readily and when it wasn't legally required.

Qualification 2 is rather vague but it would be difficult for them to rely on this. The bank's duty to the public is to keep confidences, so the threshold for disclosure under this qualification is quite high. The police could have got this information through the proper channels by applying to the court for the requisite warrant, and the bank should know this, and require the police to follow the rules. Your case does not carry any additional element of public duty to disclose, since the area of concern is covered by statutory law and procedures that are supposed to give you some protection from casual and informal disclosure of private information about you that the bank has a duty to keep secret.

The other two do not apply, so the banks appear to have breached their duty to you of secrecy.

The next question is whether any legislation lets them off the hook, or makes them immune from liability.

The Financial Transactions Reporting Act 1996 only protects them from disclosure in relation to suspicious transaction reports, which this disclosure was not in relation to.

The Criminal Proceeds (Recovery) Act 2009 only protects them from disclosure in relation to actions taken in relation to various kinds of court order, which this disclosure was not pursuant to.'

  • 0
  • 0

Are you saying that the Privacy Act is subjective?

  • 0
  • 0

The banks have become just another arm of the state, the dark side of the Faustian pact with the banks' implicit state guarantee is to keep the financial information flowing ... to the state.

For all those barristers and politicians who are just catching up with the information age .... the search and surveillance laws rolled out under guise of "anti-terrorism" were precisely to allow law enforcement wide access to citizens' information, financial, medical, personal, etc.

They have got everything they wanted, beyond anything the Stasi would have dreamt of. The computer age has made possible this massive expansion of the police state but was it really such a wise idea to grant a democratic limited govt so many powers?

  • 0
  • 0

Had a client once who was an overstayer, INZ had located him by asking (inter alia) banks for his address details. The Schedule under the legislation at that time authorized INZ to acquire information. Banks et alia were not included. I managed to arrange a trial where I tried to argue the government had acted illegally. Cross-examined the compliance officer as to what legal basis she had to get the address information. Her answer was, in essence, that this was the way things were done. I asked her to look at the Schedule and point to me where the authority came to get info from the banks et al. She could not, said her boss told her it was okay. It was beyond cavil I had proved the point, Judge in her decision shrugged it off saying the Schedule did not limit the powers (actually, that is exactly what the point of codifying would be). In New Zealand, the legal culture is too much about getting the job done regardless of the law, and then chances are nobody will challenge and even if they do chances are the Courts will let law enforcement get away with it. If you are the "bad" guy, you have "rights" to privacy, sure...

  • 0
  • 0

Interesting comment on the "judge" shrugging it off as I am aware of similar instances of judicial ignorance resulting in a Court of Appeal case which does not reimburse the complainant for the costs of the unnecessary appeal. Perhaps it's time the costs in such cases should be paid out of court funds and disclosed annually as a performance test of the judiciary generally.

  • 0
  • 0
