Report slams spy agency’s ‘intrusive requests’ for data
New Zealand’s spies have effectively been told to stop asking banks to ‘‘voluntarily’’ release personal information about people’s banking transactions.
But Security Intelligence Service director Rebecca Kitteridge said she was happy with alternative arrangements put in place last year that instead allow the service to demand certain types of information without a warrant.
A report published by the Inspector-General of Intelligence and Security, Cheryl Gwyn, said the SIS had in the past frequently asked banks to disclose private information about their customers.
But she said those requests ‘‘did not sufficiently recognise’’ the provisions of the Bill of Rights Act, which outlaws ‘‘unreasonable search and seizure’’.
Gwyn said she examined in detail 13 such requests made by the security service during a threemonth period in 2016.
‘‘I found that very intrusive requests were made at times when the service should have endeavoured to obtain an intelligence warrant to require the banks to provide the information,’’ she said.
In some cases the SIS asked for people’s banking transactions stretching back over two years, and it had kept that information with no arrangements in place for it to be deleted once its investigations were over, she said.
Data held by banks often went to people’s ‘‘biographical core’’, shedding light on their day-to-day activities, relationships, employment history and health issues, she said.
Kitteridge said transaction records could be useful to the security services.
‘‘If we hear someone is intending to join Isis in Syria a question might be: ‘Do they have enough money in their bank account to buy a ticket?’ ’’
But she said banks had been clear they would rather be ‘‘compelled’’ to release customer information, rather than being asked to do so by the SIS.
The rules surrounding voluntary disclosures changed with the passage of the Intelligence and Security Act in 2017. The act still allows the SIS to ask for information that it can’t legally demand, so long as it is clearly a request only.
But Gwyn said there was ‘‘limited scope’’ for such requests to be issued to banks, given that the nature of the information they held meant such requests would almost always constitute a ‘‘search’’ under the Bill of Rights.
The act also created a new Business Records Approval regime, under which the SIS can demand certain business records from telecommunications and financial services firms without a warrant.
It needs to explain why applications are justified and have them approved by the Minister Responsible for the SIS, currently Andrew Little. They are also subject to review by the Inspector-General of Intelligence and Security.
Gwyn said in her report some Business Records Approval applications had been ‘‘too broad’’, but the SIS had addressed most of those concerns since September.
Kitteridge said the SIS was happy with the regime and thought it would work ‘‘much better’’.
If the SIS did still issue voluntary requests to banks, it would be along the lines of ‘‘Does this person have a bank account with you?’’, she said.
Bankers’ Association acting chief executive Antony BuickConstable said it supported the 2017 law change.
Kitteridge said the SIS had yet to destroy all the personal information sought from banks prior to the passage of the Intelligence and Security Act, as it had to check its obligations under the Public Records Act.