Following the first court case (you can read our take on it here), and the subsequent failure of the Ministry of Health (MOH) to again release all the requested vaccination data, the Whānau Ora Commissioning Agency (WOCA) took further judicial review proceedings in the High Court. The resulting decision looked closely at the process the MOH had undergone in reaching this second decision to release some, but not all, of the requested personal information
For privacy professionals, this sequel provides further rare High Court precedent on the interpretation of the Privacy Act 2020, and in particular rule 11(2)(d) of the Health Information Privacy Code 2020. This rule provides agencies with a discretion to share identifiable health information where this is necessary to prevent a serious threat to public health.
Both this decision, and the previous one, are absolutely worth a close read over the summer break, but for the sake of pre-Xmas expediency our key takeaways are:
- The MOH’s decision to only release data relating to areas where there was at the time an ongoing Delta outbreak incorrectly introduced a threshold of ‘imminence’ into the application of rule 11(2)(d). The Court found that there is no such requirement – the test is whether the threat is serious, not serious and imminent.
- The Court found that the MOH incorrectly introduced an authorisation requirement into the application of rule 11(2)(d) when it carried out an overly detailed consultation process with iwi prior to making its decision about what data to release to WOCA.
- The decision discussed what tikanga, as part of New Zealand’s common law, would require in terms of the release of the requested data. The Court heard from tikanga experts who gave evidence to the effect that the taonga of health had particular primacy in a pandemic, and in this context the control of data by individual iwi and hapū was of a lesser priority than protecting health. The Court accepted this evidence, finding it supported its observation in the first judgment that rights to privacy and health are not incompatible.
- Lastly, the decision addressed WOCA’s submission that while rule 11(2)(d) provided MOH with a discretion about releasing the requested data, in the circumstances MOH was also under a corresponding duty to exercise that discretion and release the data. While the Court found that MOH still had some discretion about whether to release, it did find that the MOH had failed to interpret and apply rule 11(2)(d) properly, and that this had affected its ability to properly exercise that discretion. The Court directed the MOH take steps to review its refusal decision within three days.
The immediate practical outcome of this decision was that MoH subsequently released the bulk of the data sought to WOCA. The long term impacts are yet to be seen, but these decisions have brought to the surface significant issues around the relationship between individual and collective rights, both in terms of how the Privacy Act operates and the context of Te Tiriti and Māori data sovereignty.
Similar issues about the vital importance of data in Māori health were also referenced by the Waitangi Tribunal in one of the recommendations contained in its very recent Haumaru: The COVID-19 Priority Report, stating that “the Treaty standard is that if Māori health providers and whānau ora providers are to be effective, the Crown must adequately resource them to carry out their job. This includes, where practicable, providing them with data that would assist them with their efforts.”
Lastly, we think it is worth noting that the Court affirmed the Privacy Commissioner’s submission that the Privacy Act 2020 is concerned with both protection and use of personal information – it is a “how to”, not a “do not do”. We absolutely agree with this approach to privacy and the Privacy Act 2020, and it’s fantastic to see this supported by the High Court.
[Update – there may be a third case taken re access to vaccination data about Māori children, now that 5+ years are eligible – see this story]