Improving information sharing between NZSIS and GCSB and others
What the Act does
- Gives the Government Communications Security Bureau (GCSB) and New Zealand Security Intelligence Service (NZSIS) direct access to certain government databases.
- Allows GCSB and NZSIS to seek access to restricted information such as drivers licence photographs and tax information on a case-by-case basis.
- Expressly acknowledges that GCSB and NZSIS, like any government agency, can ask for information from individuals and other organisations on an ad hoc basis.
- Makes GCSB and NZSIS subject to more of the Privacy Act’s information privacy principles.
Why share information?
A range of individuals and organisations (both public and private sector) hold information necessary to help NZSIS and GCSB protect New Zealand from security threats.
Sharing information with GCSB and NZSIS, however, is different from sharing with other government agencies, because of the intrusive nature of their work. It’s therefore especially important that the law is clear, robust, and accessible.
Access to certain government databases
As recommended by the Reviewers, the Act gives NZSIS and GCSB direct access to specific government databases. This is conditional on the written agreement of the relevant ministers.
|Information||Examples of why access may be needed|
|NZ Customs Service: Border-crossing craft, goods, and people||To detect the arrival of foreign intelligence officers or other persons of interest (such as suspected terrorists).|
|Immigration NZ: Data||To track the movements of a person of interest. See Factsheets 6, 7 and 8 for more information.|
|Department of Internal Affairs: Births, deaths, name changes, marriages and relationships, and citizenship registers||To cross-check information to confirm identities or associations between persons of interest, or to confirm nationality.|
New Zealand Police: Financial intelligence information and (NZSIS only) information about people and locations that present a physical threat to NZSIS or GCSB staff
To access financial information, including suspicious transaction reports made under anti-money laundering legislation, to assist with national security investigations (such as financing of terrorist organisations from New Zealand).
To access real-time information about people and places to help NZSIS better protect employees of the agencies.
Access to other restricted information
The Act provides for NZSIS and GCSB to seek access to restricted individual information on a case-by-case basis, but they must seek permission. Permission is granted through a process similar to the process for obtaining a warrant. Access requires the approval of the Minister responsible for the relevant intelligence and security agency and, if the information involves a New Zealander, the Chief Commissioner of Intelligence Warrants.
Restricted information means:
- Tax information held by the Inland Revenue Department
- Driver licence photographs held by NZTA
- National Student Identification Numbers and linked information
- Adoption information held by the Department of Internal Affairs.
Access to business records
NZSIS and GCSB regularly obtain information from telecommunications providers and banks on a voluntary basis. Such requests tend to occur in the early stages of an investigation when there is likely to be insufficient information to obtain a warrant. The Act maintains the intelligence and security agencies’ current access to this type of information by creating a new framework to compel banks and telecommunications providers to produce ‘business records’. This framework increases the transparency and oversight of access to business record information. ‘Business records’ is defined in the Act to include information such as customer names and contact details, IP addresses and bank account and credit card numbers, but excludes the content of any telecommunications.
The Directors-General of the NZSIS and GCSB can only compel production of specified business records in accordance with a business records approval, granted by the Minister responsible for that agency and a Commissioner of Intelligence Warrants. A business records approval will set out, in general terms, the circumstances in which an agency can require business records, the kinds of records it can obtain, and any conditions. Approvals can be amended or revoked at any time, and have a maximum term of six months (meaning they must be reviewed regularly).
An agency can only request specific information on a case-by-case basis by reference to an identified individual or thing (such as a phone number or IP address). The regime does not permit ‘bulk’ data access.
The NZSIS and GCSB must keep a record of all requests for business records made, which can be reviewed at any time by the responsible Minister and the Inspector-General of Intelligence and Security. Each agency will also need to include the number of reports made to it pursuant to a request for business records in their annual reports. These mechanisms will enable effective monitoring and auditing of business records procedures and the exercise of the power to request business records.
NZSIS and GCSB can request information
To avoid any doubt, the Act recognises that GCSB and NZSIS have the same power as any other government agency to request information from other public and private entities.
It also acknowledges that those individuals and organisations may ordinarily disclose information to GCSB and NZSIS.
Expanding coverage under the Privacy Act 1993
The Act amends the existing general exception to the information privacy principles in the Privacy Act provided to GCSB and NZSIS. The intelligence and security agencies are now subject to more of the information privacy principles, with some specialised exceptions in light of their functions.