Thursday, October 04, 2018

A wrongful release

Yesterday the Herald carried a story about the Taxpayer's Onion using fake names to lodge OIA requests. They uncovered this by learning the names and emails of people who had made OIA requests to Callaghan Innovation, then hitting the "password reset" button on those accounts - a crude form of hacking - to uncover the recovery addresses. So how did they get the requester emails in the first place? Callaghan Innovation provided them in response to an OIA request.

This is... unusual, to say the least. And it seems to me to be a prima facie case of wrongful release. Someone's contact information and the fact that they made a particular OIA request is personal information about them. The privacy withholding ground is then immediately engaged. That withholding ground must always be balanced against the public interest, but it usually requires an extremely good reason to overturn where contact information is concerned. Most public interest factors are concerned with official actions, not private ones. Where personal information of members of the public are released (e.g. Peter Thiel's immigration files), the justification is around ensuring the accountability of officials for their decision-making, not the accountability of private individuals.

("But the identities were fake!" you say. That doesn't really change the issue. Whether a person used a false identity to lodge an OIA request is itself personally identifying information about that individual, and so the privacy ground is still engaged. Except arguably, more strongly, because the potential for embarrassment from release is higher)

I've done a lot of OIA requests over the years, and the identities (let alone contact details) of low-level staff and members of the public are almost always withheld (and where they're not, its usually due to error, not deliberate). And you can see that Callaghan does exactly that with its staff. Obviously, the Herald specifically requested names and contact details, but there are serious questions to be asked about why they were released, and whether a proper process around the decision was followed. I've filed an OIA to get to the bottom of that; we'll see what it turns up in 20 working days.

Meanwhile, there is one takeaway lesson from this: you should always use a false identity when requesting information from Callaghan Innovation. Because they have just demonstrated that they will not respect your privacy, and therefore can not be trusted with your personal information.