Netsafe has learnt, the hard way, the cost of getting privacy responses wrong and, ironically given its role, the ramifications when the Harmful Digital Communications Act is ‘weaponised’.
Netsafe has recently lost a case brought before the Human Rights Tribunal, and was ordered to pay $100,000 for breaching three people’s privacy, and provide complete disclosure of the information it was trying to withhold.
Briefly, the Harmful Digital Communications Act (HDCA) sets out several principles requiring digital communications to be reasonable, safe and non-offensive. It also provides a valuable mechanism for victims of online abuse or harm to identify the perpetrators, have those harmful communications removed and address the harm caused. Netsafe is tasked with initially receiving and investigating complaints under the HDCA, and using alternative dispute resolution principles to try and resolve those complaints.
The HDCA was enacted to prevent or alleviate online harm, but it is unlikely that Parliament considered it could be weaponised when it was enacted. However, that is exactly what one man, Mr Z, has done, managing to drag Netsafe down in the process.
Ms A and B previously had tumultuous relationships with Mr Z. After being harassed by him both obtained protection orders, which he subsequently breached. Mr Z, somehow, obtained private communications which he used to make a complaint to Netsafe against Ms A. Netsafe undertook and initial investigation and issued a case summary identifying some potential breaches by Ms A which it believed were likely to cause harm. Mr Z used that case summary to commence proceedings against Ms A, Ms B and a support person Ms C obtaining ex parte interim orders from the District Court.
After being served with the interim orders, Ms A and Ms B contacted Netsafe requesting it provide copies of Mr Z’s complaint urgently. There were several interactions between Netsafe and the three women seeking information regarding Mr Z’s complaint against them. They tried different avenues, including the Official Information Act, non-party discovery and Privacy Act, but ultimately Netsafe refused for provide the information sought, believing disclosure would be likely to prejudice the maintenance of the law and/or be an unwarranted disclosure of the affairs of another.
They complained to the Privacy Commissioner who found Netsafe interfered with their privacy in breach of IPP 6. However, even after that finding, Netsafe released some additional, but not all, information.
Ultimately the dispute was taken to the Human Rights Tribunal, which found Netsafe had in fact breached IPP 6 and ordered Netsafe to pay the three victims $100,000 and provide complete disclosure.
Netsafe’s responses appeared to be a well meaning, but misguided, attempt to protect a complainant’s privacy. Rather than considering each privacy request on its merits, it appeared to begin with the outcome it wanted and then looked for reasons to justify that outcome, ultimately providing limited responses and material.
Netsafe’s actions should be a cautionary tale, as its responses appear to reflect a ubiquitous attitude towards privacy requests where organisations use the Privacy Act as a shield to avoid providing information. Granted it was exacerbated by Netsafe’s unique position as approved agency under the HDCA, but it exposed many process failings.
Ultimately, organisations need to assess each request for personal information on its merits, and have appropriate processes in place to support privacy officers (if you don’t have one you should) to make good decisions.