Police backdoor access to private data

Once again it seems that the banks have been handing over private customer information to the Police. They handed over Kim Dotcom's, they handed over Nicky Hager's, and this time they've handed over information about activist and journalist Martyn Bradbury. And, as far as we know, they've handed over information for a lot of people that none of us have ever heard of.

This is not a case where the Police went to a judge, made an argument that they needed the information to investigate a crime, and received a search warrant, examination, or production order. Rather they wrote to the bank on an official looking form and the bank voluntarily handed over the information. There's no oversight and the Police don't even bother to track the number of requests they make.

You can see an example of one of the forms here: page 1 & page 2. Copies of the old and new forms, as well as the associated Police procedures, can be found as the response to an Official Information Act request sent through FYI.

The Privacy Act and Commissioner

The Privacy Act says that organisations like banks have a duty to keep private information private. The Police and the banks rely on a hole in the law that says that you can reveal information that you hold if you believe it is "to avoid prejudice to the maintenance of the law". They've been using this for years but John Edwards, the Privacy Commissioner has just said "No more". 

He not only found that the Police failed to give any information that the bank could use to make a determination that the information could be released but that:

…we concluded that Police had collected his information in an unlawful way by asking for such sensitive information without first putting the matter before a judicial officer. Our view is that this was a breach of Principle 4 of the Privacy Act, which forbids agencies from collecting information in an unfair, unreasonable or unlawful way.

Civil liberties

We say that people should not only be entitled to privacy (as protected by the Privacy Act) but that they should be protected from unreasonable search and seizure as per section 21 of the Bill of Rights Act:

"Everyone has the right to be secure against unreasonable search or seizure, whether of the person, property, or correspondence or otherwise."  

The Police behaviour has been failing on both of these grounds. While we're not completely opposed to that section of the Privacy Act (e.g. it's obvious you should be able to report a serious crime without falling foul of the law), we think that this purpose has been stretched beyond breaking point and we're glad to see that the Privacy Commissioner agrees.

The Search & Surveillance Act provides ample tools for the Police to use when they need access to information. Of course, as in the Bradbury case, it looks as though many of these requests would have been rejected by any sensible judge – which is probably exactly why the Police chose to use this backdoor no-oversight method.

We're also disappointed in the behaviour of the banks and other companies who have been handing over data. They've failed to keep their customer's information private, and they've done it in a way that shows they just don't care about it enough. We hope that this is a wake-up call to them to take their responsibilities more seriously.

In a world where everything about our lives is steadily becoming digitised, we need people who will stand up for our privacy and against unwarranted government snooping.