Two critical reports by the Inspector-General of Intelligence and Security (IGIS), Cheryl Gwyn, have focussed on the practice of New Zealand’s intelligence agencies acquiring personal information about customers by seeking voluntary disclosure from NZ banks.
The IGIS’s role is to ensure NZ’s two dedicated intelligence and security agencies, the NZ Security Intelligence Service (NZSIS) and the Government Communications Security Bureau (GCSB), act lawfully and properly.
Until Parliament enacted a new law in 2017, the Intelligence and Security Act, the intelligence agencies could seek “voluntary” disclosure from banks of customers’ personal data.
Under the 2017 legislation the intelligence agencies are required to seek this kind of information under warrants of which there are two types.
- To carry out activities for the purpose of collecting information about New Zealanders a Type 1 Warrant is required. Type 1 Warrants are issued by the Minister responsible for the GCSB and a Commissioner of Intelligence Warrants (a retired High Court Judge).
- Type 2 warrants are sought when type 1 warrants are not required – for example, activities carried out for the purpose of collecting information about a foreigner. Type 2 warrants are issued by the Minister responsible for the GCSB alone.
What is intriguing is a clash of interpretation between the Inspector-General and the GCSB around the circumstances whether a Type 1 or Type 2 warrant is required.
A statement from GCSB director-general Andrew Hampton said that – on this issue – the Inspector-General and the GCSB hold different interpretations of the law.
“As the Inspector-General states in her report, the GCSB’s reasoning is carefully thought through and articulated.Like all government departments, where there is a lack of clarity around the law, we rely on Crown Law for a definitive view. We have sought advice from Crown Law on this issue and will share it with the Inspector-General once it is ready.
As the report notes, fully implementing the Intelligence and Security Act and developing the supporting policies, procedures, training and legal interpretations has been a significant effort. This work has had an impact on how quickly we have responded to the Inspector-General’s queries, but is now largely complete,”
New Zealanders are left in the dark over just what this clash of interpretations means.
Perhaps there is a clue in the IGIS’s statement:
“The framework should expressly recognise that the business records regime was not intended to allow access to ‘bulk’ or ‘class-based’ requests for information. In my view Parliament envisaged that if large volumes of personal information, or non-specific information, is needed that should be obtained under a warrant”.
Or perhaps not.
However there is speculation over what bulk or class-based business records the spy agencies are demanding. All financial transactions to particular countries would be one obvious answer. Possibly it could be telecommunications and internet metadata.
Let’s turn to the report titled: Review of NZSIS requests made without warrants to financial services providers.
The report looks at a snapshot of three months and captured 13 case studies in 2016/17 before the NZSIS’s new legislation came into force.
Cheryl Gwyn says:
“The frequency of the Service’s use of voluntary disclosure, the fact that it was not authorised by a warrant or other independent process, and the nature of personal information held by banks made this an obvious area for review. From the customer’s perspective banking information is likely to be considered to be reasonably confidential, if not sensitive.”
Until 2017 the NZSIS was exempted from most of the information privacy principles in the Privacy Act. The exemption meant that personal information could be disclosed to NZSIS by another agency, such as a financial institution, without breaching the Privacy Act. This position was confirmed by the Privacy Commissioner. Now the process by which NZSIS can obtain information for the purposes of its national security functions has been addressed through implementation of the ISA.
NZSIS accepts the IGIS recommendations and has either implemented them or is working on completing them. Director-General of Security Rebecca Kitteridge says the NZSIS values the constructive working relationship it has with financial service providers.
“We couldn’t do our work to protect NZ’s national security without the assistance we receive. The issues identified in the report are historical and relate to cases where the NZSIS was pursuing its functions in respect of matters relevant to NZ security. The responses provided by the financial service providers gave valuable information and informed a range of security investigations and operations”.
Kitteridge says the process by which the NZSIS can obtain information for the purposes of its national security functions has been addressed through implementation of the ISA.
“The ISA provides a sound and transparent mechanism, the Business Records Approval and Directions regime, by which NZSIS can compel companies to provide information for the purposes of NZSIS’s national security functions. The NZSIS has undertaken a significant amount of work to implement the ISA, and I welcome the Inspector-General’s recognition of this work in her report. The Inspector-General has acknowledged that improvements in terms of the legal issues identified in her report are already visible.
“I also welcome the Inspector-General’s positive comments in this report about the way the NZSIS has worked with her in regard to this matter, noting that she had an open and constructive discussion with the NZSIS about all the matters covered by this report.
“She added that it was to the NZSIS’s credit that it has been willing to reconsider its position on matters, discuss developing policies, and make change to many of its processes as this report has progressed. Our work must often be carried out in secret, but I am a big believer in transparency where possible. It is worth noting that for the first time our 2018 Annual Report will also state how many Business Record Directions we have issued to financial services providers, as well as telecommunication network operators.”
So where does this leave us?
On the one hand the GCSB has a different idea of how it should operate than the IGIS, but for the NZSIS everything is hunky-dory, even though under the old regime it was scoring bags of data from banks’ “voluntary” disclosure.
Is there now a hole in NZ’s security network?
Let’s look again at what the IGIS said about the NZSIS under the old system:
“The 13 cases examined and the agency’s practices disclosed issues relevant to NZSIS’s compliance with the law. Very intrusive requests were at times made when the Service should have tried to obtain a warrant to require the banks to provide the information.
“Many of the letters sent to banks should have been clearer that they were requests for ’voluntary’ disclosure. Some of the past collection by the NZSIS would have constituted unreasonable searches contrary to the Bill of Rights.”
If security is the issue, wouldn’t one want the SIS to be “intrusive”?
After all, gathering intelligence which helps keep New Zealanders safe is a vital sort of job.