Avoiding Privacy Breaches When Publishing Resource Consent Information
Avoiding Privacy Breaches When Publishing Resource Consent Information
Wednesday 5 February, 2025
Background
Councils should take note of privacy considerations raised in a recent case note from the Privacy Commissioner (see here) about resource consent information published by a council.
As part of a resource consent application, a woman had engaged in email correspondence with her local council. These emails contained personal information about the woman, notably, that she was on a disability benefit. The council published this correspondence on their website alongside the resource consent application. Upon discovering this, the woman made a complaint to the Privacy Commissioner.
Argument from the council
The council pointed out that section 35 of the Resource Management Act 1991 (RMA) required it to publish information relating to consent applications, specifically the “records of all applications for resource consents”. The application form also stated that details about the consents applied for, along with information “on the form”, would be published.
The Privacy Commissioner’s finding
The Commissioner did not consider that the application form properly informed the woman that, in addition to the application itself, the email correspondence would also be published. They also noted that the application was submitted three months after the email correspondence had already been published, meaning the notice on the application form could not reasonably apply to information collected outside of the application.
This meant the council had breached Information Privacy Principle (IPP) 3 of the Privacy Act 2020 (the Privacy Act). IPP 3 requires agencies to be transparent about why personal information is being collected and how it will be used.
Also at issue was whether IPP 11 had been breached. IPP 11 prohibits the disclosure of personal information other than for a purpose for which it was originally obtained. The Commission acknowledged that section 35 RMA contained an override to the effect that the application and associated information could be published, but this this did not extend to the sensitive details in the prior correspondence. On this basis, the council had also breached IPP 11.
Key message to councils
This case note highlights two important messages for councils. Firstly, councils should make sure that they are familiar with the scope of information the RMA requires them to publish. Publishing information which does not fall within this scope may be a breach of the Privacy Act.
Secondly, councils must give clear notice whenever personal information may be published. It is also important that this notice is given at the outset, before the information is received.
There may be instances where this interplay between the RMA and the Privacy Act is unclear. Our team is happy to provide assistance—get in touch with one of our experts below.
