Gunasekara, Gehan; Dillon, Erin --- "Data Protection Litigation in New Zealand: Processes and Outcomes" [2008] VUWLawRw 23; (2008) 39(3) Victoria University of Wellington Law Review 457

The branch of the law that governs the processing (the collection, use and disposal) of personal data is called "data protection" law. It is a part of the wider field of privacy law which covers everything from drug testing to the rights of citizens to keep facts concerning their private lives from being publicised (the latter may overlap in some instances with data protection). As indicated by its title, this article is concerned only with data privacy and not with the other aspects of privacy law. New Zealand's data protection statute is perhaps inaptly entitled the "Privacy Act 1993" (the Act).

	Home \| Databases \| WorldLII \| Search \| Feedback Victoria University of Wellington Law Review

In this article we examine New Zealand data protection litigation to date. When it was enacted, in 1993, the Act was relatively advanced by the standards of the time.^[1] It was seamless in application as it applied the same standards to both private and public sectors and applied to all personal data (with relatively few exceptions) regardless of the media in which the data was contained (the Act applies to electronic as well as to paper-based records). A relatively inexpensive dispute resolution procedure, underpinned by the Office of the Privacy Commissioner and avoiding the need to resort to the courts, has seen a large number of cases resolved since the Act has been in force. This article examines the history of dispute resolution thus far with particular attention being given to outcomes from the complainants' point of view. We have also undertaken a statistical analysis which sheds light on, amongst other things, the nature of defendants, and nature of the remedies achieved as well as the areas of data protection which generated the most disputes.

II The nature of data protection principles and the significance of process

The international instruments^[2] that provided the impetus for the development of national data protection laws and the laws themselves all have something in common: Instead of cast-iron rules they are structured as open-ended "principles", which have come to be known as "fair information practices" or "data/information protection principles". These are to be found, for example in the ten privacy principles contained in Canada's federal privacy law,^[3] in the twelve information privacy principles (IPPs) in New Zealand,^[4] and in the ten National Privacy Principles in Australia.^[5] In the words of Jennifer Stoddart, the Privacy Commissioner of Canada, the nub of the principles is that:^[6]

The fact that the principles are consistent across most jurisdictions enhances the opportunities for comparisons between them.^[7] While rules formulated as open-ended principles or guidelines have the advantage of flexibility, as they can be applied to new technologies as they emerge and are therefore less likely to become obsolete over time, they suffer from the disadvantage of uncertainty: consumers and businesses might be in doubt as to the scope of the principles and as to the manner in which they should comply with them: for example, how much detail needs to be conveyed as to the purposes for which information is collected and how securely should it be held (no system is completely immune to hackers and the like). In addition, a system of data protection principles on its own is meaningless unless data subjects have recourse to a meaningful remedy for infringements: voluntary or self-regulatory industry codes are no match for legally stipulated judicial remedies including the right of a data subject to receive compensation from a data controller for damage suffered as a result of breach of a data protection principle.

It is these two areas that are the focus of this article. To what extent have the bones that constitute the information principles been fleshed out by the rulings in actual cases? Which areas of data protection have generated the most litigation and what were the outcomes for litigants? One of the most useful tools by which the effectiveness or otherwise of a country's personal data protection regime may be assessed is the degree to which its privacy law provides real remedies in concrete instances affecting real people. In New Zealand such a tool exists in the reported case law of the tribunal that hears privacy complaints. Originally this was the Complaints Review Tribunal but it is now the Human Rights Review Tribunal (the Tribunal). Breaches of the Privacy Act ultimately end up here, not in the regular courts, and there now exists a body of decisions interpreting the IPPs.^[8]

In the research for this article we examined all the reported decisions of the Tribunal in New Zealand from its inception until the end of 2006. This allowed us to compile a statistical analysis of the cases from which we have ascertained, amongst other things, what percentage of defendants were from the private as opposed to the public sector, which of the IPPs were litigated the most, the range and average amount of compensation awarded, the number of plaintiffs that were represented by counsel and the effect of representation on outcomes for them. The small number of cases that were further appealed to the courts and their significance is also briefly examined.

It must be stressed that the present discussion does not purport to be a comprehensive overview of New Zealand's privacy law. Reference should be made to standard works on privacy in New Zealand which cover data protection as well as other privacy related areas.^[9] The aim here has been to concentrate on those areas which occasioned the greatest difficulties in interpretation and enforcement – in a significant proportion of cases before the Tribunal there was genuine argument as to what the IPPs meant. In addition, since only the Tribunal can hand down binding rulings concerning the interpretation of the IPPs, this case law is important from the standpoint of precedent: this is not to belittle the useful guidance given from time to time by the Privacy Commissioner, through its website,^[10] through issuing "selective" case notes^[11] and through various other publications. All these play a vital educative role and, in the case of the Privacy Commissioner's investigative function, form part of the enforcement and dispute resolution mechanisms of the Act in New Zealand. However the Tribunal marks the endpoint of the enforcement and dispute resolution process and is the focus for much of what follows.

III The dispute resolution process

As is the case with New Zealand's earlier freedom of information legislation^[12] the Act sets up an inexpensive dispute resolution procedure that avoids recourse to the courts.^[13] However it is underpinned by the backstop of the Tribunal, which has the power to grant legally enforceable remedies including the award of significant monetary damages, by New Zealand standards.

The starting point is the Privacy Commissioner: any person may complain to the Commissioner about an interference with privacy: this does not have to be the person who suffered the interference.^[14] Complaints can be made orally or in writing although in the former case the Commissioner will assist in putting them into written form (a downloadable form can be obtained from the Commissioner's website).^[15] The role of the Commissioner is both inquisitorial and conciliatory: in the former role the Commissioner is empowered to investigate the complaint in private^[16] and the powers include being able to obtain documents,^[17] to examine witnesses under oath^[18] and override any statutory secrecy requirements.^[19]

In the conciliatory role, on the other hand, the Commissioner has a statutory duty to use her best endeavours to secure a settlement where this is possible and is empowered to call a compulsory conference to this end.^[20] The duty to exert best efforts to secure a settlement exists even where the Commissioner finds that the complaint has substance.^[21]

The practice of the Privacy Commissioner indicates that settlement of complaints is the main priority. In recent years a three-person team (known as the Assessment and Conciliation Team) makes an initial assessment of all complaints, identifies issues, gathers any further information needed and makes an early decision on whether the complaint should proceed or not.^[22] Complaints not closed by the team are assigned to investigating officers for further action.^[23] Appendix I contains a table with the number of complaints in the period studied as well as the number of complaints closed. Since complaints can remain open from one year to the next the number of complaints closed can be greater or smaller than the number received in any year. Closed complaints reflect a range of outcomes from the Commissioner's deciding to take no further action through to the complainant being satisfied with the involvement of the Office and a voluntary settlement being reached, or a decision by the complainant not to proceed further with the complaint.^[24] Unfortunately, unlike other jurisdictions, no statistics exist for the remedies obtained on the settlement of complaints.^[25] It has been suggested that this omission is the result of a conscious policy that parties to a dispute should themselves decide on appropriate remedies rather than being influenced by previous outcomes.^[26]

The results thus far demonstrate the extremely high success rate of the conciliation process. Of the 11,610 complaints received in total, the vast majority, 9367 or 81 per cent, have been settled. It can also be seen from Appendix I that the great majority of complaints have been settled before either a provisional or final opinion by the Commissioner as to whether a contravention had occurred. This indicates that most agencies, when faced with a complaint, are either ready to accept their mistake or in any event prefer to settle privately rather than incur the adverse publicity that further litigation is likely to bring. The making of the complaint and the fact of being investigated have in most cases been sufficient to induce a settlement.

A finding that the complaint had substance and that there had been an interference with privacy resulted in just 29 per cent of cases where the Commissioner has given a final opinion. It is important to note that this does not signify the number of cases where complainants have succeeded in obtaining remedies: as explained above the majority of cases were settled where there were mutually acceptable outcomes which might have involved the payment of compensation to the complainants.

When a finding of interference with privacy has been made and the parties have not managed to settle the dispute the Commissioner has a discretion to refer the matter to the Director of Human Rights Proceedings (DHRP)^[27] for consideration whether to bring proceedings against the defendant in the Tribunal.^[28] The Commissioner has indicated there is now a presumption in favour of such referral unless other factors are present: for example all the information has been provided; there is no systemic issue that the agency has failed to address or where the complainant has not suffered a loss for which a remedy is required.^[29]

This undoubtedly accounts for the relatively few referrals to the DHRP by the Commissioner: 47 in all as opposed to the 173 complaints, pursued independently by the plaintiff (see Appendix II). However this pattern may be shifting as there is now a presumption for referral where a complaint has been upheld; this is reflected in the number of cases referred in the last two reporting years (13 and 12 respectively). It is however too early to draw any conclusions as to whether cases brought by the DHRP are likely to be more successful than those pursued independently by complainants or to predict whether referrals will become the norm rather than the exception that it has been historically.

When a complaint is referred to the DHRP it is considered afresh by the DHRP who has discretion as to whether to bring the complaint to the Tribunal in lieu of the complainant.^[30] The advantage, for complainants, is that when proceedings are brought by the DHRP, any adverse costs awards are borne by the Privacy Commissioner and not the individual. However the Act allows aggrieved individuals to bring proceedings before the Tribunal themselves where the Commissioner or the DHRP decides not to do so. As can be seen from Appendix II most of the cases that have been heard by the Tribunal were brought by the aggrieved individuals themselves.

The number of cases where the complainant has been successful (for present purposes where any interference with privacy is found to have occurred regardless of whether or to what extent any remedies are awarded as a consequence) is very small. Indeed in only 34 cases brought before the Tribunal has it found that an interference with privacy had occurred.^[31] This represents 0.3 per cent of the total number of complaints initiated which is a good indication as to how rare successful litigation is under the Privacy Act. However this is a very rough figure and does not indicate the nature of the complaints or the nature of the remedies obtained when an interference with privacy was found to have taken place. The remainder of this article will therefore focus on a more detailed investigation into the nature of outcomes for individual litigants before the Tribunal.

Finally, the number of cases that have been appealed to the courts (the basis for these appeals is explained below) is even smaller. In a few instances the courts have shown a willingness to interfere with the Tribunal's discretion in awarding remedies. In a case where the plaintiff had sought access to personal information in order to facilitate the prosecution of an employment dispute, the Tribunal was found to have made an error of law which allowed the Court to interfere with its findings.^[32] The plaintiff had suffered a loss of benefit of a non-monetary kind in not having the information necessary to fully cross-examine in the employment litigation; the Tribunal had been wrong to conclude that the complainant was merely using the Privacy Act to carry on his dispute with his former employer in another forum.^[33] This case may be contrasted with others where the plaintiff has been found to be using the Act to continue a dispute which concerned a non-privacy related matter.^[34]

There have been 14 appeals to the courts (including one to the Court of Appeal) of which (using the same methodology we employ in analysing the Tribunal jurisprudence) only 11 concerned substantive issues.^[35] Of these cases the original complainant was successful^[36] in only 3 whilst 8 were unsuccessful. Likewise only in three instances was the outcome in the Tribunal reversed on appeal (that is a successful appeal by either the plaintiff or the defendant). The relatively small size of the sample makes any attempt at analysis (considering, for example, whether the difference between different Tribunal chairpersons was a factor) hazardous. A comparison with other areas such as employment litigation has not been attempted for the same reason.

Litigants have a further right to appeal to the Court of Appeal; this is only allowed on questions of law and with the leave of the High Court and the issue involved must be one of general or public importance or there must be some other significant reason for the appeal.^[37] The only case to make it thus far is Harder v Proceedings Commissioner.^[38] Discussion of the merits of this and other decisions is beyond the scope of the present article.^[39]

IV Litigation in New Zealand

Data protection litigation should be set in the context of other litigation involving individual rights. While a detailed comparison (for instance with human rights or employment litigation) is beyond the scope of this article it can be observed that New Zealand is not generally a litigious society. Civil claims brought by individuals are few in number and usually do not involve exorbitant monetary amounts. This may be seen for example in New Zealand's no-fault scheme for accidents whereby the right to sue is replaced with State-guaranteed compensation for personal injury.^[40] Under the scheme a person who suffers a permanent impairment such as the amputation of a leg below the knee receives a maximum of $13,409 in lump sum compensation, whereas the maximum amount that may be claimed for substantial impairment such as paraplegia is $100,000.^[41]

It is against the background of such facts that the award of damages in data protection litigation should be assessed. It will be seen that the highest sum to date, $40,000, is at the high end of civil litigation involving individuals. Something of an exception in New Zealand are defamation proceedings which have frequently resulted in the award of much larger sums sometimes exceeding a million dollars.^[42] It can be observed, however, that the latter invariably involved plaintiffs who were celebrities or public figures of one kind or another. Data protection litigation, by comparison, is usually pursued by lesser mortals and concerns the occurrences of everyday life. Privacy litigation before the Human Rights Review Tribunal should therefore not be measured against defamation awards.

The Tribunal hears proceedings under the Privacy Act 1993, amongst other areas of the law.^[43] It is a specialist body and consists of three members.^[44] They are chosen by the Minister from a panel chosen for their experience in a variety of fields,^[45] only three of the 20 members being required to be legally qualified.^[46] Although it is therefore most often the case that two of the Tribunal's members will have no legal background, the chairperson is required to be a barrister and solicitor with at least five years' experience.^[47] The role played by chairpersons in the running of the Tribunal is indispensable as they are often called on to assist litigants in formulating their pleadings. It will be seen that this is a consequence of the fact that the majority of plaintiffs represent themselves and when representation does exist it is usually by lay people. The Commissioner is often represented as an interested observer and in practice plays a crucial role, acting as "de facto" counsel assisting the Tribunal.

As it is not strictly a court of law, the Tribunal is required to act according to the "substantial merits" of the case without regard to technicalities, although in exercising its powers and functions it must act in accordance with the principles of natural justice in a manner that is fair and reasonable and according to equity and good conscience.^[48] Despite these statutory injunctions an analysis of the Tribunal's decisions reveals that a great many cases are indeed determined on the basis of technicalities and that legal niceties routinely appear. On the other hand the normal rules of evidence are somewhat relaxed, although the practice of the Tribunal has been to follow evidentiary rules as close to those observed in court as possible.^[49] However, evidentiary issues have preoccupied the Tribunal in many cases and the outcome has hinged on them. Evidentiary difficulties have arisen where litigants have had to recall the content of conversations or where the Tribunal is faced with hearsay evidence.

For example, in one case the plaintiff alleged that the defendant, his doctor, had divulged sensitive health information to his mother (also one of the defendant's patients).^[50] The Tribunal stated that the plaintiff had to establish, on the balance of probabilities, that the disclosure took place: however even though it had the power to receive evidence which may not be admissible in a court of law it was nonetheless unable to reject the evidence given by the defendant (that no disclosure had occurred) in the absence of contrary evidence.^[51] The only person able to give contrary evidence was the plaintiff's mother and she chose not to do so, thus fatally compromising the plaintiff's case.^[52]

Thus evidentiary issues do exert an influence over the manner in which the Tribunal enforces the IPPs.

A case can be brought before the Tribunal if the Privacy Commissioner finds an interference with privacy has occurred and refers the case to the DHRP who then brings the case on the plaintiff's behalf. Alternatively, the Act allows plaintiffs to bring their cases before the Tribunal themselves:^[54]

In recent times it has been the practice for the Commissioner to provide a certificate of investigation and a final opinion to the complainant which may be used to assist the Tribunal in determining whether it has jurisdiction to hear claims brought before it, although this is not a prerequisite.^[55] The requirement that the Privacy Commissioner must first have investigated the claim for the Tribunal to have jurisdiction to hear it has, however, occasioned difficulty and there is a good deal of case law as to what constitutes an "investigation".^[56] Particularly troublesome have been issues of fact as to who the complaints brought before the Privacy Commissioner were against – can a complaint be brought against defendant A and a defendant B be added in proceedings before the Tribunal?^[57] Similar issues have arisen as to the IPPs with which the Privacy Commissioner's investigation was concerned.^[58]

In Lehmann v Radioworks Limited the Tribunal stated that questions as to whether what the Privacy Commissioner has done in any given case amounts to an investigation, and whether or not the investigation has been completed, are questions of fact which the Tribunal can determine.^[59] Section 83 also opens the gate to the Tribunal for an individual^[60] who is dissatisfied with the outcome of the Privacy Commissioner's investigation.^[61] Although this is unlikely to be the last word on the matter it is suggested that it must be the correct approach. It is a view supported by academic commentary. One commentator puts it as follows:^[62]

It has been seen that the number of cases that make it to the Tribunal is relatively few in comparison to the number of complaints made every year to the Privacy Commissioner's office. On average there have been fewer than 10 cases a year.

Table 1
(Source: CRT & HRRT Cases)

Year	No of cases brought to the Tribunal
1993	0
1994	1
1995	0
1996	4
1997	10
1998	4
1999	10
2000	10
2001	5
2002	9
2003	7
2004	6
2005	5
2006	10
Total	81

For the statistical analysis 140 decisions of the Tribunal were reviewed. From these the details of only 81 cases were used. Preliminary or interim decisions, cases that were struck out prior to a substantive hearing before the Tribunal, directions, or any cases with jurisdictional issues preventing the plaintiff from bringing the case before the Tribunal were not included in the statistics. Prior to any hearing the Chairperson of the Tribunal is empowered to convene a meeting of the parties to the proceedings and to give directions and do whatever is necessary in order that the proceedings may be dealt with fairly and efficiently.^[63] Where the directions are not complied with (for example to remove claims brought under statutes the Tribunal has no jurisdiction in respect of, to identify the defendants, the facts giving rise to the complaint and the remedy sought) the Tribunal is usually able to convene and strike-out the claim.^[64]

Also excluded from the study are decisions relating solely to costs – as they invariably followed a substantive ruling their inclusion would have resulted in a double counting of the cases. However a very few cases (mostly in the early period of operation of the Act) have been included that were decided "on the papers" (where parties did not appear but the substantive issues were dealt with by the Tribunal nevertheless). This study is therefore concerned only with substantive Tribunal decisions relating to breaches of privacy.

Despite excluding nearly half the decisions of the Tribunal from the statistical analysis it is worth commenting on these preliminary or interim rulings as well as those which were struck out. Examination of them is illuminating. Many strike-out applications were dealt with as would those before a court of law: the case as pleaded (on the basis of the facts as pleaded) must be so clearly untenable that the plaintiff cannot possibly succeed.^[65]

Thus many cases were disposed of on technical grounds: for example the defendant was not covered by the Act's definition of "agency" (when it was, for instance, a tribunal performing judicial functions).^[66] Other cases where jurisdictional issues arose did proceed to a substantive hearing before the Tribunal however. In one such case the publication of an annual "Rich List" with biographical details of the one hundred or so wealthiest individuals in New Zealand without their consent was found to fall within the "news activity" exclusion in the definition of "agency".^[67] In another it was argued that the Inland Revenue Department (IRD) was entitled to disclose the level of the plaintiff's income in the context of varying a child maintenance agreement as it was acting judicially.^[68] However it was held by both the Tribunal and the High Court that the IRD was acting administratively rather than exercising a judicial function.

Some strike-out decisions are significant from the standpoint of precedent. For example one such decision clarified the position that IPP 7 does not per se give persons a right to correct their personal information, merely a right to request it and to have a notice attached to it that correction was sought but not made.^[69] Another case held that proceedings can only be commenced by an aggrieved individual in respect of any action that is alleged to be an interference with the privacy of the aggrieved person and in respect of which the Privacy Commissioner's investigation was conducted: this line of authority holds that it is not possible to complain to the Privacy Commissioner about the breach of certain IPPs and then subsequently bring proceedings before the Tribunal in respect of the breach of altogether different IPPs.^[70] Likewise preliminary rulings have established that the Tribunal does not have a general power of review over what the Privacy Commissioner has or has not done.^[71]

On the other hand many strike-out applications were as a result of more mundane factors. A common deficiency was the plaintiff's failure to correctly identify the defendant (plaintiffs often being unaware whether to file proceedings against an individual or the organisation of which the individual is a member). Likewise many of the cases we have excluded were preliminary rulings involving procedural directions: often the application to strike out resulted in the issuing of notice requiring further information from the parties so that the pleadings can be more accurately stated. It will be seen that these may largely be a reflection of the lack of legally trained representation for plaintiffs – an aspect we have identified and which is examined below.

While the total number of cases used here seems small at only 81 over the fourteen years the Tribunal has been in operation, the number would be even smaller if not for the insistence of some plaintiffs to "have their day in court". Although the settlement process appears to be effective in most cases, for some complainants the only acceptable remedy is to appear before the Tribunal. This is even more evident when the remedies sought by plaintiffs are taken into account: it will be seen that vindication, rather than monetary compensation, is most commonly sought.

Although a few cases have the same name (such as two cases named Pamela and Anthony Mayes v Owairaka School Board of Trustees), they relate to different breaches of the Act and were brought separately and at different times. Such cases have been counted as separate and distinct from each other for this study.

A final aspect that needs comment is the potential for a single litigious complainant to skew the statistical data, given the relatively small number of cases in the sample. Fortunately it was rare for a large number of cases to be brought by a single litigant, except in one instance: this litigant brought over a dozen claims including one against the Commissioner herself! Most of the claims were struck out (and are therefore not part of the study) but we have included the four substantive decisions brought by the complainant as they were dealt with separately by the Tribunal and concerned distinct claims of privacy infringement.

A The Nature of Defendants

Analysis of the cases revealed that public sector defendants appeared in 50 cases, accounting for 62 per cent of the total number of defendants. For this study we have employed the statutory classification of public as opposed to private sector agencies.^[72] We have adopted the statutory classifications instead of, for example, a classification by sector (such as government, education, health, financial and insurance). This is because a classification by sector in New Zealand would span both public and private sectors: for example the health and education sectors as well as insurance (the biggest insurer in New Zealand is the Accident Compensation Corporation which is a statutory entity).^[73]

These public sector organisations account for 43 per cent of all cases brought to the Tribunal.

The private sector, by contrast, accounted for 41 per cent of defendants, appearing in 33 cases. These percentages do not quite add up as there was often more than one defendant, and in a few cases (such as Geoffry Ivan Hadfield v NZ Police and DJ Cartwright)^[74] one defendant was from the public sector and the other was from the private sector. In such cases the defendants were counted in both categories.

Out of the private sector defendants, 18 per cent were involved in the health sector; totaling six cases in all. Most of these defendants were private doctors or psychologists.^[75] The old doctrine that a doctor's notes on a patient were for the doctor's eyes only contributed greatly to this sector coming under the spotlight for breaches of privacy. Under the Act a patient has the right to review files a health practitioner holds on them, with some exceptions.

In delineating privacy claims against the health sector we have identified those cases brought under the Health Information Privacy Code, the assumption being that all such cases involved health sector agencies. Seven cases brought under the Code were against public sector health agencies; hence it will be seen that the defendants were evenly split between public and private sectors in the health sphere although, as was pointed out earlier, our use of the statutory demarcation between public and private is somewhat artificial. Of greater note is the fact that some 15 per cent of all claims before the Tribunal were brought under the Code and thus involved the health sector.

After removing defendants from the public and health sectors, twenty cases remain; meaning only 25 per cent of cases were brought against the commercial sector. However, this figure also includes the many defendants that were clubs or non-profit organisations. The true figure for the commercial sector is even lower, but is difficult to ascertain as private sector defendants in some cases have name suppression. Private sector defendants have included banks, insurance companies, individuals and even funeral directors!^[76]

B Areas Most Litigated

A major point of interest for our inquiry was which of the Information Privacy Principles (IPPs) were litigated the most frequently. For the purpose of this study the principles contained in the codes of practice^[77] are not distinguished from those of the Privacy Act: the rules contained in them mirror the IPPs themselves. For instance Rule 6 of the Health Code grants access to health information whilst Rule 11 prohibits improper disclosure of health information: similarly IPP 6 grants access to personal information under the Act and IPP 11 governs improper disclosure. Likewise Rule 7 of the Credit Reporting Privacy Code gives individuals the right to ask for correction of information held about them by a credit reporter; IPP 7 similarly applies to the right to seek correction of information held by other agencies. We have therefore treated claims brought under the code of practice rules as being part and parcel of breach of the IPPs themselves since they essentially cover the same subject matter.

As can be seen from the graph in figure 1, principles six (right to access personal information) and 11 (improper disclosure of personal information) generated the most litigation. Principles nine (retention of personal information for longer than necessary) and 12 (use of unique identifiers) were not litigated at all. Principle eight (ensuring accuracy before personal information is used) however generated a significant number of cases as did principle five (security of personal information). Apart from principles one (purposes of collection of personal information) and 10 (use of information for purposes other than those for which it was collected) the remaining principles were invoked in over five cases. These included principle two (collection of personal information directly from individuals), three (informing data subjects of the purposes of collection) and principle four (collection of personal information by unfair or intrusive means).

Since plaintiffs are able to complain about the breach of more than one principle to the Tribunal at a time the total number of principles shown on the graph does not correspond to the number of cases included in this study.

Figure 1
(Source: CRT & HRRT Cases)

The predominance of complaints relating to the failure to grant adequate access to personal information marks a point of distinction between New Zealand's data protection litigation and those of other jurisdictions. For example, in the Australian Commonwealth jurisdiction, claims regarding improper disclosure of personal information have tended to be the most prevalent.^[78] The explanation for this may well be the fact that access to much information in the public sector is managed under state as opposed to federal privacy laws.^[79] On the other hand in Hong Kong, a jurisdiction with a seamless regime not dissimilar to that of New Zealand's, disclosure is also the area most litigated.^[80]

The IPPs are themselves subject to a number of exceptions (for example where non-compliance is necessary for the purposes of law enforcement, the conduct of legal proceedings, to prevent serious and imminent health and safety threats^[81] or for statistical or research purposes where the individual will not be identified). Very few of these have been the subject of litigation in the Tribunal. The exception has been the grounds under which access to personal information can be denied, which have been the subject of a considerable proportion of the litigation before the Tribunal. In addition to health and safety and the maintenance of the law, the grounds include where disclosure would involve the unwarranted disclosure of the affairs of another individual, or where disclosure of the information or information identifying the person who supplied it is "evaluative material"^[82] which would breach an express or implied promise to the person that the information or their identity will be held in confidence.^[83] Examination of this rich and detailed jurisprudence is beyond the scope of the present article.

C Nature of Remedies Obtained

An area central to our inquiry was the nature of outcomes for plaintiffs from their claims before the Tribunal. The Tribunal is empowered to award one or more of five categories of remedy:^[84]

In most cases successful plaintiffs were awarded more than one remedy. The most common remedies were awards of damages^[85] and/or costs, orders for performance and orders for a declaration that a breach had occurred. The Tribunal is allowed to award other remedies at its discretion, although it is not clear if it has the power to order a formal apology.^[86] As is clear from Figure 2 the most popular remedies were damages and declarations.

Although specific remedies such as injunctions and orders requiring the defendant to perform obligations were rare, this is not surprising since a declaration that conduct constituted an interference with privacy, by an agency, was often sufficient to lead to a change in behaviour by it – the more so where a public sector agency was involved. The "other" category included instances where the defendant "agreed" to make a formal apology and one case where the plaintiff merely wanted an acknowledgment from the defendant that there had been an interference with privacy, no other remedy being sought.^[87] In one case the plaintiff was successful but no remedy was granted.^[88]

In the few cases involving an order for performance, remedies granted included being granted access to files, the destruction of files and the modification of files (including where individuals requested their rights under IPP 7 to have a request for correction noted). Case law is divided as to whether the Tribunal indeed has jurisdiction to order correction as a remedy. It has done so on occasion^[89] but the exercise of the power has been questioned^[90] and other decisions have referred to the scheme of IPP 7 which is that individuals have the right to request the correction of their personal information whilst organisations do not have the duty to comply – with the proviso that in the latter instance the individual has the right to request that a statement of the correction sought but not made be attached to the personal information.^[91] The rationale for the latter interpretation is that information of a subjective nature may be capable of different opinions as to its accuracy and an agency ought therefore to have the option of choosing to correct the information or to attach a statement of the correction sought but not made instead.^[92]

Due to more than one remedy being awarded to any plaintiff the percentage values as shown on the graph do not sum to one hundred. The percentages show the number of plaintiffs awarded a particular remedy regardless of whether they were also awarded another remedy. For example, 62 per cent of successful plaintiffs were awarded damages. Some of those plaintiffs would also have been awarded costs. Hence when these separate percentages are added they do not sum to one hundred.

Figure 2
(Source: CRT & HRRT Cases)

The maximum monetary award that the Tribunal may grant is equivalent to that of the District Court: currently this is $200,000.^[93] However the Tribunal has the power to refer a case to the High Court where a higher award of damages is warranted.^[94] Not only has such a referral not occurred but the highest amount of damages awarded to date has come nowhere close to the upper limit allowed.^[95]

Table 2 contains a break-down in dollar terms of the remedies awarded to the successful plaintiffs. The figures are skewed somewhat due to the distorting effect of an egregious case.^[96]

Table 2
(Source: CRT & HRRT Cases)

The awards of costs where the plaintiff has succeeded have been modest as can be seen from Table 3.

Table 3
(Source: CRT & HRRT Cases)

The reason plaintiffs' costs awards tend to be on the lower side becomes evident in the next section on the representation of plaintiffs: most plaintiffs were self-represented therefore attracting only disbursements whereas defendants tended to have counsel, thus making their costs awards higher.

Fifty-eight per cent of plaintiffs were unsuccessful in their claims of interference with privacy. Where the plaintiffs were unsuccessful in their claims the defendants had the opportunity to claim for costs. The Tribunal awarded costs against plaintiffs in 21 per cent of unsuccessful claims. Table 4 contains a break-down: it can be seen that considerably larger awards of costs were made in these circumstances.

Table 4
(Source: CRT & HRRT Cases)

Costs awards against unsuccessful plaintiffs represent the flip side of the equation in considering the extent to which the Act provides real remedies to complainants. In this regard they serve as a deterrent against vexatious claims as well as discouraging those with a litigious bent. On the other hand they may also deter many legitimate claims especially where the complainant has not had the benefit of legal representation, an aspect considered more fully below. There may also be a trend towards higher costs awards.^[97]

D Representation for Plaintiffs and Effect on Outcomes

An aspect of the research that proved somewhat elusive but nonetheless yielded unexpected results was the attempt to discover how many plaintiffs had legal representation. Unfortunately it proved impossible to ascertain how many plaintiffs were represented by persons who were legally qualified. This is because representation, for the most part, was by lay persons, albeit those who might have some expertise in the area.^[98]

Proceedings under the Act differ in this regard from those under the Human Rights Act 1993: in the latter case, whilst parties may appear in person, they may only be represented by legally qualified counsel.^[99] The Tribunal, in its other jurisdiction, also hears claims under this legislation. The restriction as to who may represent plaintiffs was not, however, adopted by the Privacy Act.^[100] Whether the distinction was deliberate or not, it might be subjected to critical scrutiny: although there are undoubted benefits, in terms of informality and lowering costs, of not granting the right of representation to lawyers alone, it is also the case that issues arising under the Act are at least as complex and technical as any relating to claims of discrimination under the Human Rights Act. Evidentiary difficulties have also been present as we have seen.

In at least some cases representation was by legal counsel, in some instances even by Queen's Counsel. Occasionally reference was made, in the Tribunal's ruling, as to whether representation was by lawyers^[101] or non-lawyer^[102] advocates. On occasion, legal counsel was retained at a late stage when the complexity of issues raised by the proceedings and evidentiary hurdles had become apparent: the lawyer who was briefed had not however been responsible for filing proceedings at the outset which imposed obvious constraints on the ability of the lawyer to argue the case to the best advantage of the plaintiff.^[103] However we estimate that in the majority of cases where the plaintiff had representation it was by advocates who were not legally qualified.

Since it is not possible to gauge the exact number of plaintiffs who retained legal counsel, we have instead differentiated those cases where the plaintiffs represented themselves (whether or not they had assistance in doing so) from where they retained lay or legal counsel: the key distinction being whether the persons thus designated were formally recognised as entitled to represent the plaintiffs by the Tribunal. In 68 per cent of cases plaintiffs represented themselves, while in 32 per cent of cases the plaintiff was represented by a lawyer or lay advocate.

From these figures it is clear that the majority of plaintiffs represented themselves. With regard to the efficacy of representation, there was no material difference in the percentage of successful plaintiffs with representation or without: the figure remains at about 42 per cent in both groups. Out of the 26 plaintiffs with representation, 11 were successful. Of the 55 plaintiffs without representation, 23 were successful. In percentage terms this is very close; 42.31 and 41.82 per cent respectively. It seems the outcome of a case is not affected by whether the plaintiff has representation or not.

However this does not tell the whole picture: there is a noticeable difference between the scale of remedies awarded to successful plaintiffs who had some form of representation and successful plaintiffs who had none. Table 5 contains a break-down:

Table 5
(Source: CRT & HRRT Cases)

	WITH (7)	WITHOUT (14)
*RANGE*	*$200 - $40,000*	*$500 - $20,000*
*MEAN*	*$12,885.71*	*$3,303.27*
*MEDIAN*	*$10,000*	*$3,000*

There is clearly a great disparity in the amounts of compensation awarded in favour of plaintiffs with representation. One explanation might be that these plaintiffs employed representation primarily because of the large sums of money involved. The case of Paula Christina Hamilton v The Deanery 2000 Ltd was one such high-profile case and involved such a serious breach of privacy that it would have been highly unusual for the plaintiff to have represented herself.^[104] In this case the plaintiff was awarded $40,000 in damages, the highest amount awarded to date.

Figure 3 compares the number of remedies awarded to successful plaintiffs with and without representation. For example, 78 per cent of successful plaintiffs with representation were awarded damages, while 56 per cent of successful plaintiffs without representation were awarded damages.

Figure 3

This inequality holds where the plaintiff has been unsuccessful and ordered to pay costs to the defendant. Of the unsuccessful plaintiffs with representation, 25 per cent had to pay costs to the defendant; whereas of the unsuccessful plaintiffs without representation, only 20 per cent had to pay costs to the defendant. As can be seen from Table 6, plaintiffs with representation, on average, were ordered to pay more in the way of costs than plaintiffs that had none. Representation, in this regard, proved to be a double-edged sword. The explanation for this is most likely that pre-hearing procedures such as discovery tend to be more detailed when counsel (as mentioned above even non-legally trained counsel usually had some familiarity with Tribunal processes) are involved.

Table 6
(Source: CRT & HRRT Cases)

	WITH (4)	WITHOUT (6)
*RANGE*	*$1,529.86- $12,500*	*$500 - $10,000*
*MEAN*	*$5,007.50*	*$3,998.30*
*MEDIAN*	*$3,000*	*$2,750*

It is also worth noting that in two cases the plaintiffs were successful, yet were ordered to pay costs to the defendant for various reasons. These cases were Pamela and Anthony Mayes v Owairaka School Board of Trustees (ordered to pay $500)^[105] and W v Christchurch Casinos Ltd (ordered to pay $12,500).^[106] There was also one early case in which the Privacy Commissioner was ordered to pay costs of $668.95 to the defendant.^[107] This case may be seen as an aberration. Being one of the first cases to be brought before the Tribunal the Privacy Commissioner's appearance lengthened proceedings thus adding to their cost.^[108] The Tribunal's statement that it was "an advantage to the Tribunal to have the Privacy Commissioner represented at the hearing and we do not want to discourage him from appearing in appropriate cases in the future"^[109] is somewhat perverse in light of the costs award. Lastly, in at least one case there is the suggestion that damages may be denied where the plaintiff is at least partially responsible for the cause of the complaint.^[110]

V Conclusion

New Zealand's "one size fits all" privacy regime, underpinned by the Office of the Privacy Commissioner and a dedicated specialist tribunal, has on the whole proved able to deal effectively with breaches of data protection principles. This study has highlighted the outstanding success rate of conciliation of disputes which has minimised the need for litigation.

Where litigation has nevertheless occurred, its rate of success is low (although this is probably the case with all litigation) and the monetary remedies obtained modest (although not necessarily so by New Zealand standards). A major function of litigation, though, has been to allow litigants their "day in court" and vindication has been at least as important as monetary compensation.

The majority of litigation has been against the public sector. The reasons for this may vary but they could include the fact that most private sector defendants choose to settle rather than risk the publicity associated with an adverse ruling whereas public sector organisations, more used to bureaucratic procedures, are prepared to test matters in the Tribunal. In Hong Kong, a comparable jurisdiction to New Zealand, complaints against the private sector outnumber those against the public sector by around 10 to one.^[111] Other reasons might be the disproportionate reliance by New Zealanders on the state, as well as their suspicion of government and its motives, but this is ultimately speculative. The study shows, at any rate, that businesses in New Zealand have not been the target of most data protection litigation.

Other points of differences with overseas experience have been the areas most litigated: denial of access to personal information has predominated and improper disclosure of personal information has been a close second. Overseas experience has been the other way around with disclosure being litigated more than the right to access personal data.^[112] The reasons for this are again obscure, but a factor at play might be the fact that a significant number of requests for access to personal information occur in the context of other litigation (frequently employment disputes) and access under the Act is a convenient alternative to the usual discovery process. The dynamics of disputes though often mean that a refusal to grant access results in this taking on a life of its own in substitution or in addition to the underlying or original dispute.

Most litigants in New Zealand have been lay litigants who represented themselves before the Tribunal. Where litigants employed representation this tended to be by non-lawyers. The study found that, while representation did not generally affect the result (a finding that an interference with privacy had occurred) it did substantially influence the monetary compensation awarded to plaintiffs as well as the award of costs. Unsuccessful plaintiffs had significantly higher costs awarded against them which may represent a further disincentive to litigate in New Zealand.

One aspect that emerged in this study is of concern. This is perhaps a direct consequence of the absence of legal representation for plaintiffs: it was evident that a great deal of the Tribunal's time was wasted with procedural directions and with assisting plaintiffs in reformulating their statements of claim. This is evidenced, for instance, in the disproportionate number of strike out applications. Evidentiary difficulties and technical issues such as jurisdictional questions also resulted in many claims not making it through the Tribunal's doors.

To some extent these difficulties are the result of the conceptual disconnection between the conciliatory and inquisitorial nature of the complaints process, on the one hand, and the adversarial nature of the litigation process before the Tribunal on the other. The complainant is assisted and guided throughout by the Privacy Commissioner and the DHRP until the moment when he or she "goes it alone" by opting to litigate the dispute once the former elect not to assist him or her further. The appearance of the Commissioner as an interested party in many cases brought by litigants often serves to bridge these differences but cannot ultimately be a substitute for independent representation for the plaintiff.

Several solutions are available to address this deficiency. We do not suggest that lay representation be removed (as is the case with the parallel Human Rights Act jurisdiction). This would only act as a further deterrent to litigation and, as we have seen, a large number of successful claims have been brought by those without representation or with non-legal representation.

On the other hand we think it is appropriate for assistance to be furnished to those who for one reason or another decide to take matters to the Tribunal on their own account. Such assistance could be from the office of the Commissioner or the DHRP. However this is probably inadvisable given the likelihood that the individual litigant is likely to be proceeding against the advice given by them in relation to the litigation.^[113] Rather, we suggest the creation of an independent officer (perhaps titled "counsel for the Tribunal") to vet the statements of claim of those in this situation.

At present the Secretary to the Tribunal acts in a purely administrative capacity. What is needed instead is someone with legal expertise to scrutinise the litigant's papers for obvious omissions: instances where the case is completely lacking in substance are one thing but often the case is struck out as it is deficient in some aspect that can be easily remedied. There is nothing to stop litigants filing a fresh claim rectifying the deficiency, but many litigants seem to give up at this point when they may have an arguable case. It is worth noting, in this context, that several cases where the plaintiff has succeeded in the Tribunal (where the DHRP and Commissioner have not referred the matter themselves) have been due to the Tribunal adopting a different interpretation of the law to that adopted by the Commissioner and the DHRP. This is all the more reason why litigants should have available to them a trained legal eye at the outset so that they can formulate their pleadings as accurately as possible. We are not suggesting that free legal representation be made available to litigants but rather that there should be a better screening mechanism than currently exists. Strike out applications can then be limited to those instances where the plaintiff's case has clearly no prospect of success, instead of at present where the plaintiff's case is unclear and the Tribunal is forced to "interrogate" the plaintiff.

The body of decisions of the Tribunal provides an invaluable tool for those seeking to understand the scope and enforceability of the information privacy principles. However this article has highlighted the fact that significant obstacles still exist for litigants in bringing their claims before the Tribunal. Serious consideration should be given in future to adopting reforms that will facilitate the dispute resolution process so that plaintiffs will not be deterred through legal niceties from having their "day in court".

Appendix I

	30 June 1996- 30 June 1997	30 June 1997- 30 June 1998	30 June 1998- 30 June 1999	30 June 1999- 30 June 2000	30 June 2000- 30 June 2001	30 June 2001- 30 June 2002	30 June 2002- 30 June 2003	30 June 2003- 30 June 2004	30 June 2004- 30 June 2005	30 June 2005- 30 June 2006
Number of Complaints Received	1200	1082	1003	798	881	1044	928	934	721	636
Number of Complaints Closed	870	804	895	956	806	1049	915	1168	970	752
Total no. of Complaints Settled	852	765	839	956	770	1033	892	Na	930	720
Settled with Provisional Opinion	184	158	165	181	159	180	175	Na	293	261
Settled Without Provisional Opinion	668	607	674	775	611	853	717	Na	637	459

Appendix II

	30 June 1998- 30 June 1999	30 June 1999- 30 June 2000	30 June 2000- 30 June 2001	30 June 2001- 30 June 2002	30 June 2002- 30 June 2003	30 June 2003- 30 June 2004	30 June 2004- 30 June 2005	30 June 2005- 30 June 2006
Privacy Commissioner held complaint had substance	42	44	49	47	52	Na	63	62
Final opinion issued	131	146	116	132	145	Na	247	220
Final opinion: complaint had substance	42	44	49	47	52	Na	184	158
Final opinion: complaint had no substance	89	102	67	85	93	Na	184	158
No of Referrals to DHRP	2	4	0	0	3	0	13	12
No Taken to HRT by plaintiff	13	27	28	22	23	19	9	Not clear
No of cases HRT found breach	1	2	2	0	3	2	3	5

^[**] Researcher, Department of Commercial Law, University of Auckland. We are grateful for the assistance given to us by the Office of the Privacy Commissioner especially for the helpful comments of Blair Stewart and Katrine Evans, Assistant Privacy Commissioners. The responsibility for all errors rests with the authors.

[1] Modernization has been in the pipeline for a decade: see Office of the Privacy Commissioner Necessary and Desirable: Privacy Act 1993 Review (Office of the Privacy Commissioner, Wellington, 1998).

[2] The two most influential instruments have been first, the OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data (1980), and secondly, the Council Directive (EC) 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data [1995] OJ L281/21 (24 October 1995).

[3] Personal Information Protection and Electronic Documents Act (PIPEDA) SC 2000 c 5.

[6] Privacy Commissioner of Canada Annual Report to Parliament 2003-2004 (Office of the Privacy Commissioner of Canada, Ottawa, 2005) available at: www.privcom.gc.ca (accessed 1 October 2008).

[7] There are also slight differences though between jurisdictions which necessitate caution when making comparisons. For example New Zealand separates the use of personal information (IPP 10) from its disclosure (IPP 11) unlike National Privacy Principle 2 in Australia. Definitions also differ; for example the Australian definition of "personal information" avoids many of the issues that have concerned the courts in New Zealand.

[8] All cases from 2002 are available on the NZLII database at www.nzlii.org (accessed 2 October 2008).

[9] See for example Paul Roth Privacy Law & Practice (Butterworths, Wellington, 1994)

[12] Official Information Act 1982 and the Local Government Official Information and Meetings Act 1987: see generally Ian Eagles and others Freedom of Information in New Zealand (Oxford University Press, Auckland, 1992).

[13] Privacy Act 1993, s 11(2); despite s11(1) providing that IPP 6 (access to personal information) held by the public sector is a legally enforceable right, in only a handful of cases has this right been exercised and all were in the context of other litigation.

[22] Office of the Privacy Commissioner Report of the Privacy Commissioner Year Ended 30 June 2006 (Privacy Commission, Wellington, 2006) 19 [2006 Annual Report].

[25] For example in the Australian Commonwealth jurisdiction in the 2005-2006 period compensation was a feature in 27% of complaints following conciliation and a table records that 8 complaints resulted in compensation between A$2000 and A$20,000: see Office of the Privacy Commissioner The Operation of the Privacy Act Annual Report 1 July 2005-30 June 2006 (Office of the Privacy Commissioner, Sydney, 2006) 33-34.

[26] Katrine Evans "Show Me the Money: Remedies Under the Privacy Act" (2005) 36 VUWLR 475, 479; reported settlements include a bunch of flowers, the gift of an overseas holiday to a couple, and the payment of several thousand dollars in compensation, see Case Note 55528 [2003] NZ Priv Cmr 8; and Case Note 51765 [2003] NZ Priv Cmr 13.

[31] This figure is drawn from our own research as the numbers reported in the annual reports may not be completely accurate.

[33] Ibid, paras 83-87 Smellie J, G J Cook and R D McCallum: damages of $8,000 and costs of $5,500 were awarded.

[34] For example in Smits v Santa Fe Gold Ltd (1999) 5 HRNZ 593 (HC) the appellant had been pursuing a crusade against the adult entertainment industry and the nub of the complaint did not concern any breach of privacy: unsurprisingly significant costs were awarded against the unsuccessful plaintiff on account of this.

[35] Smits v Santa Fe Gold Ltd, ibid, was an unsuccessful appeal against an order for costs in the Tribunal but we have included it even though we have excluded costs decisions by the tribunal itself.

[39] It is worth noting that the decision of the Court of Appeal in Harder has been subjected to criticism. See Roth, above n 9, 201,801 (PVA 6.6 (d)).

[45] These include knowledge of cultural matters, public administration and socio-economic experience.

[52] In Dombroski v Group 4 (NZ) Ltd (25 February 2000) CRT 32/99, the Tribunal stated, in the context of an application to strike out, that "Hearsay evidence with respect to a minor issue might be able to be accepted but hearsay evidence about all of the facts on which a proceeding is based will rarely be able to be accepted".

[56] For instance in Steele v Department of Work and Income (21 October 2002) HRRT 4/02, the Tribunal held that it had jurisdiction even where the Privacy Commissioner had not investigated a complaint due to the unavailability of a key witness.

[58] Waugh v New Zealand Association of Counsellors Inc (17 March 2003) HRRT 5/02.

[60] This need not be the same person who initiated the process by complaining to the Privacy Commissioner.

[64] As occurred for example in Flynn v Work & Income / Ministry of Social Development & ors (10 August 2004) HRRT 27/04.

[65] Attorney-General v Equiticorp Industries Group Ltd and Ors [1996] 1 NZLR 528, 533 (CA).

[70] Waugh v New Zealand Association of Counsellors Incorporated (17 March 2003) HRRT 5/2002; however as we have seen this view has been challenged: see Roth, above n 9, 503,008 (PVA 83.3).

[71] See O'Neill v Health and Disability Commissioner (12 February 2003) HRRT 2/02 and O'Neill v Auckland District Health Board & ors (12 February 2003) HRRT 45/02; any such challenge can of course be brought through exercising the right of judicial review in the High Court.

[72] The Privacy Act 1993, s 2 (1) defines "Public Sector Agency" as: "(a) an agency that is a Minister, a Department, an organisation, or a local authority; and (b) includes any agency that is an unincorporated body (being a board, council, committee, or other body) which is established for the purpose of assisting or advising, or performing functions connected with any public sector agency within the meaning of paragraph (a) and; which is so established in accordance with the provisions of any enactment or by any such public sector agency." The definition also includes Hospital Boards and School Boards of Trustees amongst others.

[73] Responsible for administering New Zealand's pioneering "no fault" accident insurance scheme which covers every individual in New Zealand at work or play.

[75] In one case (Christopher Joseph O'Neill v Dispute Resolution Services Ltd (10 April 2006) HRRT 16/05) the defendant corporation although acting on behalf of the ACC was sued in its own capacity. Since the dispute related to the health sector it has been included in the private sector health category rather than in the public sector.

[77] These are issued by the Commissioner and may modify the operation of the Act for specific industries, agencies, activities or types of personal information: they often modify one or more of the IPPs with rules that can be more stringent or less so than the IPPs they replace. Codes of practice give the Act flexibility and there are at present six in operation, the most important of which is the Health Information Privacy Code which has accounted for around fifteen per cent of litigation before the Tribunal.

[78] See Office of the Privacy Commissioner The Operation of the Privacy Act Annual Report 1 July 2004-30 June 2005 (Office of the Privacy Commissioner, Wellington, 2005) 46 and Office of the Privacy Commissioner Annual Report 1 July 2005-30 June 2006 (Office of the Privacy Commissioner, Wellington, 2006) 38.

[80] Office of the Privacy Commissioner for Personal Data (Hong Kong) Annual Report 2004-2005 (Office of the Privacy Commissioner for Personal Data, Hong Kong, 2005) 8.

[81] The provisions of New Zealand's whistle-blowing legislation, the Protected Disclosures Act 2000, also override all other provisions where its mechanisms are employed.

[85] For a detailed discussion as to the basis on which damages have been awarded see Evans, above n 26.

[91] Macdonald v Healthcare Hawkes Bay and Morrison (6 December 2000) CRT 42/00.

[95] For a discussion on awards to date and suggestions as to reform see Evans, above n 26.

[96] Hamilton v The Deanery 2000 Ltd (13 May 2003) HRRT 36/02; a private alcohol treatment clinic where an overseas model had sought confidential treatment "went public" with details of her treatment as well as making allegations of criminality against her in local and overseas news media. Although the plaintiff sought the maximum amount of damages on account of the deleterious effects of the disclosures on her future career prospects, the Tribunal awarded only $40,000 for "humiliation, loss of dignity and injury to feelings" since the other bases of her losses could not be established (she had already recovered separately from the news media overseas). Although this remains the highest award thus far it is hardly likely to serve as a deterrent.

[97] Recent costs awards handed down after the period under study in this article have been in excess of $20,000. See for instance Herron v Speirs Group Ltd (Decision Quantifying Costs) (21 December 2006) [2006] NZHRRT 49 where costs in excess of $30,000 were awarded against the plaintiff.

[98] For example see Lehmann v CanWest Radioworks Ltd (21 September 2006) [2006] NZHRRT 35 where the plaintiff was represented by Justin Harder.

[100] The Privacy Act 1993, s 89 only applies ss 92Q to 92W and Part 4 of the Human Rights Act 1993 to Privacy Act proceedings.

[102] Hamilton v The Deanery 2000 Ltd, above n 96, para 55 R D C Hindle, A Knowles, J McIntyre.

[107] O and others v N (14 November 1996) CRT 19/94; [1993-97] Complaints Review Tribunal Cases 42.

[108] The plaintiffs, by contrast were in the Tribunal's view "most capably" represented by a law student who only incurred expenses such as airfares to the hearing: Ibid, 61 D J Orchard, G D S Taylor and D B Emery.

[111] Office of the Privacy Commissioner for Personal Data (Hong Kong), above n 80, 8.

[113] One possibility would be for the Commissioner and/or the DHRP to be able to "state a case" for appeal to the Tribunal even where they believe it is not warranted.

Victoria University of Wellington Law Review