NauMai September 2021
Changes to the Privacy Act, which came into effect on 1 December 2020, have wide-ranging implications in the Catholic Church of Aotearoa, New Zealand. Matthew Balm, Privacy Officer for the Diocese of Palmerston North, explains.
‘Privacy’ is a bit of a buzzword in certain circles, conjuring emotions from disinterest to concern in many people. These are perfectly understandable responses to complex transactions of law and commerce, in an increasingly complex and digitally-connected global community. The corresponding increase in bureaucracy is driven by the ‘value’ of our personal information, which has never been higher.
In this environment, it is imperative we all understand the relevance of protecting our own personal information, and the personal information of others.
Changes to the Privacy Act, which came into effect on 1 December 2020, have wide-ranging implications in the Catholic Church of Aotearoa, New Zealand. These considerations affect both how the Church collects and views personal information, and the rights we each have to the protection of our own personal information.
In The Code of Canon Law, Book II: The People of God, Part I, Title I: The Obligations and Rights of all Christ’s Faithful, Canon 220 states:
“No one may unlawfully harm the good reputation which a person enjoys, or violate the right of every person to protect his or her privacy.”
This is the crux of the Church’s mandate to educate our communities in the use, and misuse, of personal information. This ethos should be reflected in all our policies, documents, communications and procedures.
Both canon law and civil law in New Zealand now protect the personal information of individuals who choose to share it with an organisation. The organisation holding the personal information has legal responsibility to protect it, and the owner has rights to request and amend their own information, and to make a complaint of a breach of privacy if their personal information is shared without permission.
What is ‘personal information’ and why does it need to be protected?
Personal information is any information that can be used to identify you. This includes, but is not limited to, your name, date of birth, place of birth, phone number, email address, physical address, signature, voice recording, picture, or video recording of you. These are valuable to criminals who can use this information to steal from you, or to steal your identity and commit crimes in your name. In 2020, according to estimates by the Department of Internal Affairs, identity theft cost our economy $200 million.
The Office of the Privacy Commissioner (OPC) is an independent Crown Entity established to support the Privacy Commissioner, John Edwards, who was appointed in 2014. The OPC role is to monitor and enforce compliance with the Privacy Act (2020), and to investigate breaches of the Act that cause serious harm. The Privacy Commissioner has new powers to issue compliance notices, and fine individuals and organisations for non-compliance. It is now a criminal act to mislead an organisation by impersonating someone or pretending to have their authority in order to gain access to their personal information. It is also a criminal act to destroy documents relevant to any request for personal information held by an organisation. Fines of up to $10,000 may be issued by the OPC.
Individuals also have the right to take breaches that cause serious harm to the Human Rights Review Tribunal, as individuals or in class action. The Tribunal may recommend damages of up to $100,000 per member of a class action.
The spirit of the changes to the Act is to deter identity theft by reducing the amount and type of personal information held by organisations, and how long that information is held. Best practice for all organisations is delineated by the 13 Privacy Principles enshrined within the Act. These principles state no person should provide (or be asked to provide) personal information to an organisation without informed consent. This means before you provide your personal information, you should be told your personal information is being held by the organisation; why they need it, and what will happen if you don’t provide it; how long they will keep it for; who they will share it with, and why; assurance they will keep it secure and dispose of it securely; and assertion of your right to request to view and amend your information, and your right to make a complaint if you feel your privacy has been breached by the organisation.
Organisations also have a duty of care to ensure if they are sharing personal information with overseas organisations, they do so with complete assurance these organisations are bound by the same degree of privacy protection the information would have in New Zealand.
The New Zealand Catholic Bishops Conference (NZCBC) has appointed a National Privacy Officer, lawyer Elizabeth Ong of the Tribunal of the Catholic Church for New Zealand. The NZCBC has also mandated that every diocese has its own privacy officer.
As best practice, the Diocese of Palmerston North requires every parish to have a privacy officer. Information requests and complaints of breaches can be addressed directly to this person, and the organisation has a legal requirement to notify the OPC of a breach if it is assessed as causing serious harm.
For the Church, there are also implications for shared documents such as Baptism Certificates and Marriage Certificates. When copies are requested, they can only be released in full if all persons who have personal information recorded on them have given express (usually written) permission for the document to be shared. If one party chooses not to share their personal information, the document may be released in part or with sections redacted.
Another consideration is the public display of personal information in the form of community rosters or group listings. This is personal information. If it is posted without gaining permission of the owner when they provide it, this could lead to a breach of privacy.
This extends to community events where photographs and videos are taken of large gatherings or of individuals. These may not be displayed or posted to social media without the express permission of the individuals if they are identifiable in the image. This has big implications for how we use technology, especially smart phones with built-in cameras and recording hardware, and easy sharing options.
It is now general practice to notify attendees of our church events they have the right to request their personal information is not shared. Those recording the event will then ensure the image is not used, or that the individual cannot be identified in any media shared.
Our staff and volunteers are being trained to observe the privacy principles in their daily routines. If you think someone is being unreasonable when you request another person’s information, or make you jump through hoops to verify your own identity, you can understand they are protecting you, or the owner of the information, in observance with the law.
Our goal is to encourage people to continue to do what they have always done within our communities. However, now this must be done with the understanding personal information is a valuable commodity to be protected.
Archdiocese of Wellington
Each diocese in New Zealand has a privacy officer whose role is to:
- oversee how personal information may be collected, used and stored;
- manage requests for personal information; and
- manage the requirements around privacy breaches.
The archdiocese privacy officer, Catharina Vossen, has been working with staff and parishes to ensure guidance and support are in place to meet the Privacy Act 2020 information privacy principles. This work will involve having a privacy officer appointed in each parish. It will also enable the archdiocese to work consistently when personal information is collected, used and stored; to respond to questions and concerns about personal information; and to have appropriate processes in place to manage concerns or instances of privacy breaches.
Our faith teaches us in Canon 220 (see above) – as each of us intends to uphold and maintain an individual’s right to privacy in our work and lives, we also seek to encourage our responsibility and accountability to protect each individual’s rights to privacy.
For further information, please email the privacy officer at firstname.lastname@example.org
On 1 December, the Privacy Act 2020 came force and became New Zealand’s main privacy law, replacing the Privacy Act 1993. The Act primarily governs personal information about individual people, but the Privacy Commissioner can consider developments that affect personal privacy more widely.
Separately, the courts have developed a privacy tort – that is, the right for one person to sue another for breach of privacy – while many statutes set out specific rules to protect privacy or confidentiality in particular situations.
Some statutes or other rules allow personal information to be shared. For example, personal information on the electoral roll is publicly available.
The New Zealand Media Council is an independent forum that hears privacy complaints about the press and digital media platforms which are not covered by the Privacy Act.
In addition, the Broadcasting Standards Authority hears privacy complaints in relation to broadcast material.