What checks and balances are there on spy agencies demanding private information such as banking or library records from private bodies? According to Michael Cullen and Privacy Commissioner John Edwards, none whatsoever:
New Zealand's spy agencies have "open slather" access to Kiwis' personal information through government agencies as well as private companies including banks.
Privacy Commissioner John Edwards agreed with Sir Michael's assessment, saying no one was keeping track of personal data collection and the rules should be tightened.
Intelligence agencies were free to access individuals' personal information without a warrant, and without having to report it, he said, thanks to a specific exemption for GCSB and the SIS under the Privacy Act.
The exemption in question is section 57 which states that:
Nothing in principles 1 to 5 or principles 8 to 11 applies in relation to information collected, obtained, held, used, or disclosed by, or disclosed to, an intelligence organisation.
You might think that that is appropriate for information directly collected and held by spies (though exempting them from having to have a lawful purpose for collection, or from having to keep information secure and protect it from loss or unauthorised disclosure? Really?) - but there's certainly no need for it to apply to information disclosed to those agencies. Bluntly, if spy agencies want people's private information, then they should be required to get a warrant, and to track and report on how often they do it. Anything less is inviting them to abuse our privacy for no lawful purpose.