ORDER OF THE PENCIL PUSHERS
Now that Kevin McKernan has been granted access to his Mega account again, it is time to dive into the order that led to the temporary suspension, and how the whistleblower & others can defeat it.
Yesterday I was delighted to hear that Kevin McKernan’s Mega account had been reinstated, excluding, of course, the dataset which he shared, which an order has been made to take down, and which I wrote about in my previous post.
Now that we got Kevin out of the stormy water, let’s try to help everyone else who has been impacted by the order, including Barry Young and Steve Kirsch.
The order
Let’s first look at the order itself.
Take a look at the first and last page. The order has been given by Shane Kinley, Member of the Employment Relations Authority. Yes, folks, you got it right - THIS WAS NOT A COURT ORDER!
Bei Mir Bistu Shane
Shane Kinley, pictured above, was in 2020 the “Policy Director, Workplace Relations and Safety” in New Zealand’s Ministry of Business, Innovation, and Employment. As was stated in the “Employment Relations Authority Annual Report 2022”, which was published in May 2023, “The Chief and Members of the Employment Relations Authority are appointed by the Governor-General on the recommendation of the Minister for Workplace Relations and Safety”.
The first question anyone should ask themselves is: how exactly does Shane, a director in a government office that is not the privacy commissioner’s office, create an order that has ANY meaning when it comes to a data breach?
Alas. Bei Mir Bistu Shoin, Please let me explain (It’s funnier in Yiddish):
Order! Order???
This is what we have:
A pencil pusher in a regular government office DOES NOT have the power (authority) to create orders that would have any legal meaning when it comes to data privacy. In a democracy it is supposed to be the courts that have such capacity, OR the authority which has been created to handle privacy-related issues, which in NZ is the privacy commissioner’s office.
The case was presented in front of the pencil pusher (Shane) who works for the NZ employment relations authority. A pencil pusher who works for the NZ employment relations authority cannot make an unbiased decision on this case, because, as I stated above, he was appointed by the Governor-General on the recommendation of the Minister for Workplace Relations and Safety, and this data breach has implications on the office he works for.
One must remember that when it comes to the data, the NZ employment relations authority is not the data controller, nor even the data processor, of the leaked information, thus it has no authority to discuss this subject.
The data controller should be the NZ Health Ministry. The NZ employment relations authority is not a party, and cannot represent the NZ Health Ministry. In the order itself I saw no mention of the NZ Health Ministry. In fact, the only one that was present in the meeting in which the pencil pusher (Shane) decided to make an order was Rebecca Rendle, a partner at a law firm called “Simpson Grierson”, who represented Te Whatu Ora, the company Barry Young worked for. According to Wikipedia, “Te Whatu Ora Health New Zealand is a public health agency established by the New Zealand Government to replace the country's 20 district health boards (DHBs) on 1 July 2022. Te Whatu Ora is charged with working alongside the Public Health Agency and Te Aka Whai Ora (the Māori Health Authority) to manage the provision of healthcare services in New Zealand”. When it comes to the order, the problem is that Rebecca Rendle’s areas of expertise are Employment, Health & Safety, and Health & Aged Care, NOT privacy! She is not fit or qualified to make any assessment or provide a legally informed opinion on the nature of a data breach! How come a pencil pusher and an attorney who has no knowledge of data privacy law sit together and come up with an order about a data breach? Based on what authority? (I’ll come to that later)
The NZ Health Ministry was required to conduct a Privacy Impact Assessment (PIA) according to the NZ Privacy Act 2020 prior to establishing the database. The full process is described here. Also, as the guidelines state, "Public-sector agencies in particular should seriously consider publishing their PIAs to demonstrate accountability, and as a proactive release of official information". Any action that should have been taken as a result of a data breach should have been based on the Privacy Impact Assessment. Did Shane, the pencil pusher, have any knowledge whatsoever of the Privacy Impact Assessment? Even if he was the privacy officer of the NZ employment relations authority, which I am pretty sure he wasn’t, based on the language of the “order”, which demonstrated a total lack of understanding of the key principles of privacy, he would not have been involved in the Privacy Impact Assessment, and thus has no capacity to make an informed decision on the matter.
The NZ Health Ministry was required to follow the privacy breach guidelines. The criteria for assessing the likelihood of serious harm stemming from a privacy breach are laid out in section 113 of the Privacy Act 2020. This assessment should be based on the Privacy Impact Assessment. The NZ employment relations authority had neither the responsibility, nor the capacity, nor the authority to create the breach assessment. How exactly does Shane, the pencil pusher, make a judgement on the nature of the breach if he didn’t perform the assessment?
If the request for the order was made because of a data breach that had personal data in it, both the Privacy Impact Assessment and the data breach assessment should have been presented, and any decision should have been based on them. Instead we got Shane, the pencil pusher, writing that "the release of the Database and any copies, extracts or information derived from it (the Information) may cause individuals, their whanau and the wider community to suffer stress, anxiety or harm" (clause 13), which is a statement in which he demonstrated that he knows little to nothing about the requirements stipulated in the NZ Privacy Act 2020. How exactly did he reach the conclusion that the exposure of this information will cause “stress, anxiety or harm”? Based on what assessment, on a dataset for which he was never the data controller nor the data processor?
In clause 4 of the order the pencil pusher (Shane) wrote that “This is one of those very rare cases where I have been persuaded by the affidavit evidence that urgent intervention was necessary.”, and in clause 8 he wrote “The Authority is required to consider and apply the tests for an interim injunction.” and referenced a known case called “American Cyanamid v Ethicon [1975] AC 396”, which is a case that highlighted the “Guidelines and the issues to be taken into account by the court for the grant of an interim injunction”, BY A COURT, NOT BY A PENCIL PUSHER! In which democracy does a manager in a government office have the capacity to act as a judge???
Clause E of the orders section stated that “SIP and SXY and any Unknown Respondents are ordered to permanently delete and not publish the Database, the Information or any other unlawfully obtained information, including, but not limited to extracts referred to at the following URLS:”, which again shows total ignorance of privacy regulation, as there is no mention at all of the reason for calling for a takedown of “extracts”, if they do not include any personal data.
For the love of God I cannot understand why Mega decided to follow this order. Don’t they have a legal department? Don’t they have a privacy officer? I simply cannot understand why Mega’s privacy officer and someone from the legal department accepted this “order” and followed it. Even if it was a real order from a judge, the people at Mega should have understood that this is not a final judgement. The order stated that "overall justice favours the making of orders for a reasonably limited period until the Authority can hear from all parties and determine matters". This (extremely not valid) order was issued as a preventive order, temporary by nature until REAL legal proceedings take place to decide the case. The measures which Mega has taken (taking down Kevin’s account) were extremely disproportionate to the stage of the proceedings, EVEN if it was the result of a judge’s order, WHICH, AGAIN, WAS NOT THE CASE!
Afterthoughts
Kevin WAS HARMED, because he experienced unavailability of his personal information due to a decision by his data processor (Mega), which decided to prevent him from having access to his information based on an order which should never have been written nor respected by any data processor.
I hope that Barry Young and Steve Kirsch will find this article useful for taking action against the pencil pusher who created the order, and against any data processor who followed it.
Is the New Zealand government aware that government pencil pushers have the right to make orders that lead to harming people and which they have no right to make in the first place? What is the government going to do about it?
Looking forward to your comments and thoughts.
Ehden