Privacy commissioner John Edwards assesses the newly drafted Intelligence and Security legislation, and responds to Kim Dotcom’s suggestion he’s a government lackey and ‘clown’
Until last night I was unfamiliar with the commissioning process for pieces for The Spinoff. Mine came in the form of a Twitter direct message. “John! fancy writing us a post for the Spinoff on the new legislation and why you’re not a cheerleader clown!?”
The Bill, with its explanatory note, is 150 pages long, made up of 280 clauses, and it was tabled yesterday afternoon. So obviously I haven’t got chapter and verse yet. We will be diving deep into the details, and making a submission to the Select Committee. You should too. To use the old cliché, Mephistopheles resides in the particulars.
No Privacy Commissioner would champion legislation that permits intrusive and prying practices, hence the “no cheerleader” undertaking, but this Privacy Commissioner has an obligation to have due regard for the protection of important human rights and social interests that compete with privacy. I have to deal with the world as it is, and the intelligence and security functions, and agencies, are part of that world.
I respect the position of others who question the legitimacy of those activities, support their right to advocate that position with the Select Committee, and their political representatives and encourage them to do so.
My own advocacy has been directed at improving the transparency and oversight, and I think considerable gains have been made. As to some of the other aspects of the Bill, I’ve been interested in comparing and measuring the proposals against the current situation. Here are some of my initial impressions.
So the GCSB will be allowed to spy on New Zealanders?
Yep. That was provided for in the controversial 2013 amendments, passed as a result of the findings of the Kitteridge Report. Rebecca Kitteridge herself recommended the amendment as a “clarification” of the GCSB’s authority to assist other agencies. GCSB had always assumed its mandate to “provide advice and assistance to any public authority” allowed it to facilitate the execution of interception warrants obtained by the Police and the NZSIS despite the prohibition elsewhere in the Act on targeting New Zealand citizens .
The Bill implements the recommendations of the Reddy/Cullen Review, to provide for surveillance of New Zealand citizens that would otherwise be unlawful only on the authority of a warrant issued by the Attorney-General and Commissioner of Intelligence Warrants, where strict criteria are met.
Doesn’t the Bill allow the SIS to snoop around public databases?
Under current law, there is little to stop the NZSIS accessing any public or private sector database with the consent of the agency concerned, and allowing the SIS to have access is never a breach of the Privacy Act. Cullen and Reddy described this as “open slather”. It also lacks transparency.
Part 5 of the Bill provides for the intelligence and security agencies to have routine direct access to specified databases, but this access will be governed by “direct access agreements” entered into between the minister responsible for the agency with the database, and the minister responsible for the intelligence and security agency. In preparing those agreements, the ministers have to consult with the Privacy Commissioner, and the Inspector General of Intelligence and Security, and must have regard to our comments. We will be looking for proportionate access, good record keeping and audit, and sound policies around the retention of the data accessed.
Those agreements will be publicly available. That represents a significant improvement on the status quo in relation to those databases.
Part 5 also allows access by request for other information held by both government and private sector agencies. I’ll be looking closely at what controls there are on this access and whether these are sufficient.
But their activities are inherently anti privacy?
That’s true and for that reason, for the last 23 years, the intelligence and security agencies haven’t even had to worry about complying with the information privacy principles everyone else has to comply with (except for 6 and 7 which provide for your access and correction rights, and 12 which is about unique identifiers).
Neither the Law Commission in its review of the Privacy Act in 2011, nor the Cullen/Reddy review recommended changing that position. However, my office continued to advocate for the agencies to be subject to a greater range of privacy principles.
As a result, the government has agreed that the intelligence and security agencies should be exempt only from principles 2, 3 and 4(b). I’ll be taking that up with the Select Committee, but the Bill as introduced represents a significant advance. Principles will have exceptions to allow the agencies to carry out their statutory functions, and I want to look at whether those are sufficiently clear to ensure the application of the privacy principles will be meaningful. I’d like to have seen a link to a more clearly defined imperative to protect national security, but we’ll keep working on it, and see if we can come up with something workable for the committee to consider.
The fact that the agencies will be subject to nine of the 12 privacy principles means that my office will play a greater role in the oversight of the agencies, and concerned individuals will have a right to make complaints about a wider range of activities. I’ll work out with the Inspector-General which cases it will make more sense to transfer to her, but again, that represents an improvement on the status quo.
Hasn’t the Inspector General expressed concerns about their own internal data security? Why should we trust them?
The Inspector General has been very active in examining the practices and procedures of the GCSB and NZSIS. Of course she is there to ensure they are complying with the law, but she has increasingly pointed out risks and practices that could be improved, even when they are not unlawful.
Take security vetting for example. The SIS holds very personal and intimate details about thousands of New Zealanders who needed to undergo vetting as a condition of their employment. She has reported on her concerns that vetting information could be used by the Service for unrelated purposes. I share that concern.
The Bill proposes that that information be subjected to protections even more stringent than the Privacy Act, so that is another improvement on the what we have at the moment.
So you are a cheerleader after all?
I still wouldn’t say that. There’s lots more for us to study. I want to examine the provisions for giving personal information to overseas agencies, see how different the “whistleblower” protections are and compare the new offences for wrongful communication, retention, or copying of classified information with the current law.
There are already bloggers and commentators condemning and praising the reforms. That’s healthy. Inform yourself, and participate in the discussion. If you think there needs to be greater privacy protection in the reforms, make your submission. I’ll look forward to reading it.
I don’t even have big shoes.