The leak of the confidential personal information of COVID-19 patients by Clutha-Southland MP Hamish Walker and influential party figure Michelle Boag has been highly embarrassing for the National Party.
In less than 24 hours their attack strategy has detonated in their own trenches and newly elected party leader Todd Muller has been scrambling to explain why.
New Zealand was only saved from an even more outrageous privacy breach because various media acted with proper restraint.
They are both guilty by their own admission of a serious breach of privacy – but are they guilty of a breach of the law? Given the official inquiry being undertaken by Mike Heron QC, the legal implications of what has happened will undoubtedly come into sharper focus.
Privacy is about trust
The principles of personal privacy are very important. They allow citizens to control their own lives and they control the power others have over citizens.
A respect for privacy allows a system of trust to develop between citizens and governing authorities.
That trust is especially important when it comes to the confidentiality of medical records. While there is no shame in any illness, at a time of paranoia, abuse and intolerance, discretion and security are paramount.
This extends to public health management. People being tested for COVID-19 and receiving medical assistance must be assured it is private – even more so at a time when the power to gather and collect information is so strong.
The law is vague
Unfortunately, it’s not as clear in practice as it is in theory.
While privacy is important, it is not an unambiguous right of the type found in the New Zealand Bill of Rights. Rather, it sits between criminal law, civil law and other statutes such as the Privacy Act (currently being updated).
To help govern this area of information privacy there are generic rules and specific codes. The Health Information Privacy Code sets rules about the ways health information is collected, used, held and disclosed by health agencies.
These include ensuring information is not improperly disclosed. While there are some exceptions to the rule, the importance of information being used only for the purposes it was obtained, and not identifying individuals without their consent, is critical.
In theory, this all sounds good and should be sufficient for the Human Rights Tribunal to investigate a possible breach. The problem is that the Privacy Act – explicitly – does not apply to members of parliament in their official capacity.
What about whistle blowers?
One possible defence might be that an MP or other party was blowing the whistle on government incompetence.
The law in this area is designed to facilitate the investigation of serious wrongdoing. This covers alleged conduct by public officials that is grossly negligent or constitutes gross mismanagement.
Whether the Walker-Boag leak reaches such a standard is debatable. What is not debatable is the process set down in law for whistle blowers to follow. This includes first exhausting internal processes to resolve the problem. That would not appear to have happened in this case.
It’s also highly questionable whether it would have been necessary to reveal the private health information of citizens to prove the point.
However, MPs don’t require whistle-blowing protection when they are speaking in the House of Representatives as they have parliamentary privilege. Generally this means they can’t be brought before the courts for what they say, and the privacy of individual citizens can be pushed to one side.
In any event, Walker did not use parliament to release the information, so the point is moot.
The Privacy Commissioner needs more power
Where to from here? At the political level it will be for voters to use the ballot to express their opinion of what has just occurred.
But in terms of the law there are gaping holes that need to be fixed.
First, the right to privacy should be adopted unequivocally in law.
Second, greater powers should be given to the Privacy Commissioner to protect this right. When it is in the public interest, the commissioner should be able to instigate civil law actions for attempted or actual breaches of privacy.
Finally, members of parliament should only be allowed to override the privacy of fellow citizens when they are using parliamentary privilege.
At all other times they should be held accountable.