As the party responsible in this latest instance for leaking the information, EQC has certain rights to prevent its misuse by the recipient. But EQC is first and foremost a culprit: by releasing confidential information to an unauthorised person without proper authority, it has acted unlawfully. In principle, it could be liable for damages to every single person whose details were released. In practice, any such liability is likely to be nominal at most - it is hard, at this point, to see how any individual client of EQC has suffered any loss or harm as a consequence of the disclosure. In this context, it makes no difference that the disclosure was accidental.
The law is firmly on the side of the individual clients whose details were disclosed: they have a right to expect that EQC will keep their information confidential, and a right to be compensated if it does not and there is harm sufficient to constitute an interference of privacy (which is a breach plus harm) under section 66 of the Privacy Act.
Having realised its error, EQC sought to have the information secured and returned. Here, the law is of more assistance, because a person who receives confidential information in such circumstances will usually be expected to keep it confidential, and to return it. These obligations are binding and enforceable, even though the recipient did not ask for the information and has done nothing wrong in receiving it. Again, if these obligations are breached, the usual outcome is a claim for damages.
However, the duty to keep information confidential is not absolute. There are a range of circumstances in which a person who innocently receives confidential information can use it without acting unlawfully. If, for example, the confidential information discloses serious misconduct of some sort, disclosure may be in the public interest.
Confidentiality cannot be used to conceal wrongdoing, and the person who discloses confidential information in the public interest will have a good defence if he or she is sued.
Similarly, there is little to prevent the person who receives confidential information using it for his or her own benefit in the context of a dispute or litigation against the person who leaked it.
The confidential information cannot be leaked or published, but it can be used as evidence in court, and is also subject to the duty of discovery. In that sense, the cat is out of the bag: even if the recipient has returned or destroyed the information, you cannot prevent him or her from exploiting the knowledge of that information, provided this is done in the course of civil litigation.
EQC has now complained to the police, and it remains to be seen whether they will take any action, or declare the problem to be a purely civil matter. But the moral of the story is nevertheless clear: the law doesn't offer free passes for people who accidentally disclose confidential information.
This clearly presents a formidable challenge for government departments, which have repeatedly fallen short when it comes to protecting information entrusted to them by the public. The collection and use of confidential information lies at the heart of their work. That work could become impossible if they were unduly limited in their ability to collect and use information.
This is not in anyone's interests: to take EQC as an example, nobody would benefit if EQC were unable to collect and use information about insurance claimants. So the need for confidentiality has to be weighed against other considerations. But that is not a good reason to do nothing: the protection of confidential information cannot be left to chance.
The decision to take all of EQC's systems offline to prevent further breaches of confidence over Easter shows that message has now been driven home, albeit belatedly. Full IT services will not resume until the Government Chief Information Officer confirms that the systems to protect privacy are "appropriate and robust", says the minister, Gerry Brownlee.
But sooner or later EQC will need to get back to the work of rebuilding Christchurch and when it does, the public will be expecting answers about how it intends to prevent any further breaches of confidence.
Central and local government agencies should take the EQC breach as the latest warning and if they haven't gotten the message by now, they need to. The worrying fact is that EQC itself did not check as they went public about the breaches, thinking there were only 9700 when it turned out to be 98,000 - the entire client list for the EQC Canterbury Home repair programme.
The Government needs to do better when you reflect on what another minister, Chris Tremain, said last month about online transactions. "Figures released today show 38.6 per cent of New Zealanders used secure online government services during the October to December quarter, up from 32.4 per cent for the first quarter. When measurements started in June the figure was 29.9 per cent."
The target is 70 per cent by 2017. The Government has to lift its game if it is going to make New Zealanders increasingly engage with public departments and agencies through digital channels.
Mai Chen is a partner at Chen Palmer and adjunct professor at the University of Auckland business school.
