Report slams ‘intrusive’ requests for data
New Zealand’s spies have effectively been told to stop asking banks to ‘‘voluntarily’’ release personal information about people’s banking transactions.
But Security Intelligence Service director Rebecca Kitteridge said she was happy with alternative arrangements put in place last year that instead allow the service to demand certain types of information without a warrant.
A report published by the Inspector-General of Intelligence and Security, Cheryl Gwyn, said the SIS had in the past frequently asked banks to disclose private information about their customers.
But she said those requests ‘‘did not sufficiently recognise’’ the Bill of Rights Act, which outlaws ‘‘unreasonable search and seizure’’.
Gwyn said she examined in detail 13 such requests made by the security service during a threemonth period in 2016.
‘‘I found that very intrusive requests were made at times when the service should have endeavoured to obtain an intelligence warrant,’’ she said.
In some cases the SIS asked for transactions stretching back over two years, and had kept that information with no arrangements for it to be deleted once its investigations were over, she said.
Data held by banks often went to people’s ‘‘biographical core’’, shedding light on their day-to-day activities, relationships, employment history and health issues, she said.
The rules surrounding voluntary disclosures changed with the passage of the Intelligence and Security Act in 2017.
The act still allows the SIS to ask for information from businesses that it can’t legally demand, so long as it is clearly a request only.
The act also created a new Business Records Approval regime, under which the SIS can demand certain business records from telecommunications and financial services firms without a warrant.
It needs to explain why applications are justified and have them approved by the Minister Responsible for the SIS, currently Andrew Little. They are also subject to review by the Inspector-General of Intelligence and Security.
Gwyn said in her report some Business Records Approval applications had been ‘‘too broad’’ in their scope, but the SIS had addressed most of her concerns in that regard since September.
Kitteridge said the SIS was happy with the new regime, which she thought would work ‘‘much better’’ than the old one.
If the SIS did still issue voluntary requests to banks, it would be along the lines of ‘‘Does this person have a bank account with you?’’, she said.
Kitteridge said the SIS had yet to destroy all the personal information sought from banks prior to the passage of the Intelligence and Security Act, as the agency had to check its obligations under the Public Records Act.