Report slams spy agency’s ‘intrusive requests’ about customer data
New Zealand’s spies have effectively been told to stop asking banks to ‘‘voluntarily’’ release personal information about people’s banking transactions.
But Security Intelligence Service director Rebecca Kitteridge said she was happy with alternative arrangements put in place last year that instead allow the service to demand certain types of information without a warrant.
A report published by the Inspector-General of Intelligence and Security, Cheryl Gwyn, said the SIS had in the past frequently asked banks to disclose private information about their customers.
But she said those requests ‘‘did not sufficiently recognise’’ the Bill of Rights Act, which outlaws ‘‘unreasonable search and seizure’’.
Gwyn said she examined in detail 13 such requests during a three-month period in 2016.
‘‘I found that very intrusive requests were made at times when the service should have endeavoured to obtain an intelligence warrant,’’ she said.
In some cases the SIS asked for transactions stretching back over two years, and had kept that information with no arrangements for it to be deleted, she said.
Data held by banks often went to people’s ‘‘biographical core’’, shedding light on their day-to-day activities, relationships, employment history and health issues, she said.
The rules changed with the passage of the Intelligence and Security Act in 2017. The act allows the SIS to ask for information from businesses that it can’t legally demand, so long as it is clearly a request only.
The act also created a new Business Records Approval regime, under which the SIS can demand certain business records from telecommunications and financial services firms without a warrant. It needs to have them approved by the Minister Responsible for the SIS, currently Andrew Little.
Gwyn said in her report some Business Records Approval applications had been ‘‘too broad’’ in their scope, but the SIS had addressed most of her concerns in that regard since September.
Kitteridge said the SIS was happy with the regime and thought it would work ‘‘much better’’.
If the SIS did still issue voluntary requests to banks, it would be along the lines of ‘‘Does this person have a bank account with you?’’, she said.
Kitteridge said the SIS had yet to destroy all the personal information sought from banks prior to the passage of the Intelligence and Security Act, as it had to check its obligations under the Public Records Act.