The Covid-19 pandemic has brought privacy sharply into focus in many different ways over the past eighteen months. The High Court’s recent decision in the judicial review proceedings brought by the Whānau Ora Commissioning Agency (WOCA) against the Ministry of Health (MoH) is one such example. This case considered MoH’s exercise of its decision making powers under the Health Information Privacy Code 2020 (HIPC) and in the context of its Tiriti obligations, and provides privacy professionals with some rare High Court legal precedent on privacy.
The case
WOCA is contracted by the government to provide vaccination services through a network of almost 100 Whānau Ora providers across Te Ika-a-Māui/North Island, including via mobile vaccination clinics. In October 2021 WOCA took MoH to court to challenge its decision not to give WOCA access to identifiable health information (name, contact details and vaccination status) about unvaccinated Māori in Te Ika-a-Māui/North Island. WOCA wanted this information so it could individually target this group.
MoH had agreed to share this identifiable information about those individual Māori who had previously been provided services by one of the Whānau Ora providers, but refused to disclose it for those who had not. Instead MoH offered to provide WOCA with anonymised data identifying streets where unvaccinated Māori lived, suggesting that WOCA could use that data to go door to door in those areas to try and identify individual unvaccinated Māori. WOCA considered such an approach would be very resource intensive and unlikely to be successful in significantly increasing vaccination, and so challenged this decision by way of judicial review.
The decision records that both parties agreed that the vaccination roll out had not resulted in equitable coverage between Māori and other ethnic groups, and that the underlying reasons for this inequity were the significant barriers to Māori to accessing primary health care services together with a lack of trust by Māori in government institutions. The Privacy Commissioner appeared as an intervenor, and his submissions are available here.
Disclosure under the Health Information Privacy Code 2020 (HIPC)
Rule 11 of the HIPC sets out a general prohibition on disclosing health information, unless one of the stated exceptions to the rule applies. The exercise of these exceptions is completely discretionary – they allow an agency to disclose information, but do not require it to, or give rights to force the release of information. Usually cases about rule 11 involve an allegation that health information was unlawfully disclosed but here, in the judicial review context, the Court was asked to consider whether MoH had erred in law in deciding not to disclose the requested information under the exception at rule 11(2)(d). This exception allows the disclosure of health information in circumstances where it is not feasible to get the individual’s consent to the disclosure, and the disclosure is necessary to prevent a serious threat to public health or safety.
WOCA and MoH agreed that it wasn’t feasible in the circumstances to obtain consent from all the unvaccinated Māori in Te Ika-a-Māui/North Island, and that the Covid-19 pandemic constituted a serious and urgent threat to public health and safety. They also agreed that time was very much of the essence in terms of increasing Maōri vaccination rates. The issue at point was the necessity of disclosing the requested information to prevent that harm.
MoH’s refusal was based on its view that the disclosure of individual names and contact details was not necessary to prevent the identified threat, and so the exception at rule 11(2)(d) was not available to it. Instead it considered that the disclosure of the ‘less invasive’ anonymised data would provide WOCA with the necessary information it needed to support its vaccination outreach programmes/prevent the threat. In coming to this decision MoH also considered the risks to public trust and confidence in the health system if the information was disclosed.
The Court agreed with the Commissioner’s submissions that in determining necessity under the HIPC and Privacy Act the test is one of ‘needed or required’, and while it must be more than merely ‘desirable or expedient’ it does not need to be ‘indispensable or essential’. The Commissioner also submitted, and the Court agreed, that in relation to rights to privacy and health, the actions and decisions of public bodies must be proportionate and evidence based.
In this case, the Court found that MoH had made a mistake by seeking to disclose the least amount of information possible without properly considering whether this would in fact be effective in preventing or lessening the identified urgent threat to public health and safety. It found there was no evidential basis for MoH’s view that the anonymised data would allow WOCA to make the required vaccination headway. The Court supported the submission of the Privacy Commissioner that a ‘least privacy invasive’ test might be relevant when assessing necessity, but only when choosing between two equally effective alternatives, which was not the case here.
This decision provides useful precedent around what ‘necessary’ means under the Privacy Act/HIPC, and affirms the flexible and pragmatic nature of the Privacy Act, balancing individual privacy rights against wider community benefits.
It also provides privacy professionals with some very useful precedent when faced with a difficult disclosure decision. Essentially an agency must be able to demonstrate that its decision to disclose under one of the exceptions to principle or rule 11 is objectively made and evidence based. This isn’t always an easy task of course, especially when decisions are being made under pressure or in the context of a wider issue, but it shows the need to pause and establish facts before making a final call. Any subsequent challenge to that decision will require justification, so making a record at the time of the reasons and evidence relied on is always a wise idea.
The principles of Te Tiriti
WOCA also argued that MoH, having committed to upholding Te Tiriti in the Covid-19 vaccination roll out, did not do so when it made the decision not to provide the requested information. WOCA’s argument rested on three key principles of Te Tiriti – the principles of options, tino rangatiratanga, and active protection. Drawing on the recent Trans-Tasman Resources case, WOCA argue that these principles must be considered and applied through the lens of tikanga, not just a Pākehā legal lens.
The Court agreed that WOCA had, in public law terms, a legitimate expectation that MoH would apply Te Tiriti and its principles in its Covid-19 response, but that it had failed to do so when it made its decision on WOCA’s request for data. Specifically, that in exercising its discretion under rule 11(2)(d) of the HIPC not to disclose the requested information it did not have adequate regard to Te Tiriti and its principles, as informed by tikanga. The Court ordered MoH to reconsider its decision, which it did, again declining to provide the information. At the time of writing the final outcome was uncertain, with WOCA heading back to court to challenge this second refusal.
Cultural perspectives and privacy
This aspect of the case is a further affirmation of the approach NZ’s courts, and particularly the Supreme Court, have been developing to recognise tikanga as a source of law in itself (most recently in the Ellis and Trans-Tasman Resources cases) – seen by many as movement towards a bijural legal system. It also makes it clear that government decisions about data use are no different to other types of decisions, and must be made in accordance with Tiriti principles and obligations.
For privacy, this approach is explicitly supported by the introduction in the Privacy Act 2020 of the requirement for the Commissioner to take into account cultural perspectives on privacy when exercising her or his functions, duties or powers under the Act (s21(c)). Other privacy relevant legislation that also includes a focus on Te Tiriti obligations, Te Ao Māori concepts and obligations around increased engagement with Māori is either currently in force or on the horizon. Examples include the Public Service Act 2020, the Data and Statistics Bill, the Digital Identity Trust Framework and the Consumer Data Right.
These legislative and judicial changes are taking place against a background of an increased visibility and discussion of concepts such as Māori data sovereignty in both the public and private sectors. The Office of the Privacy Commissioner has declared that better understanding of Te Ao Māori perspectives on privacy is a priority for it, and has recently appointed a Principal Adviser (Māori).
Ultimately, privacy is about people, and when done well is always contextual. Managing individual privacy rights in the context of data use for the collective good is not a new challenge for privacy professionals, and good, sustainable privacy practices are informed by genuine engagement with the people whose personal information you are processing. This decision should be seen by privacy professionals as both an affirmation that individual privacy rights are not absolute and as a contributor to the development of an Aotearoa/New Zealand approach to privacy that reflects our unique identity and cultures, and specifically our bicultural foundation.