Banking giant Westpac is coming under public scrutiny for giving police information about journalist Nicky Hager's accounts.
Mr Hager said 10 months of banking transactions from all of his accounts were handed over to the police without a court order. The details were released to detectives investigating the hacking of blogger Cameron Slater's computer a year ago.
The associate head of Massey University's School of Economics and Finance, David Tripe, said a Westpac staffer probably released the data.
"It's probably come through to somebody, not especially senior, maybe not tremendously experienced, and they've done what they thought was the right thing.
"It just turns out, with the benefit of hindsight, it doesn't look like it was the right thing that was done, but that probably wasn't evident to somebody at the time."
Mr Tripe said, under some parts of legislation, banks may be required to hand information over even without waiting for a court order to do so.
He said Westpac needed to come out and say they made a mistake and change procedures to avoid a repeat of the situation.
"He's probably embarrassed some people at Westpac," he said. "Certainly if that sort of thing had been done to me I would probably make sure I took my banking business somewhere else."
Mr Tripe said it was the first time this kind of publicity had surrounded a bank in New Zealand for handing details to police without a court order - but he would be very surprised if it was the first time a bank had done it.
"It's something I would expect happens relatively frequently and that's probably why somebody at Westpac went ahead and did it without waiting for the court order."
Westpac refused to be interviewed, but released a statement on Tuesday that said it had made changes to its policy and that it took the privacy of its customers seriously.
"Our terms and conditions allow us to disclose information to agencies where we consider it will assist them with the investigation of criminal offences," it said.
"There is an internal policy to ensure the request is appropriate and that was followed on this occasion.
"We have today modified the policy so the request process is clearer for both police and staff.
"We will continue to work with the Privacy Commission to ensure they are comfortable with our approach."
New Zealand Bankers Association chief executive Kirk Hope said it was important to remember that Westpac's actions were still just an allegation of a breach of privacy.
He said banks took their obligations under the Privacy Act seriously and they did not release the personal information of their customers lightly.
"What we would suggest is if customers think that they have had their information disclosed unreasonably that they talk to either the Banking Ombudsman or the Privacy Commissioner."
Privacy Commissioner John Edwards said in a statement that Mr Hager could make a complaint to his office.
Mr Edwards said, when an agency disclosed personal information based on one of the exceptions in the Privacy Act, it was answerable to the Privacy Commissioner for its decision.
He said it may also need to defend its decision in the Human Rights Review Tribunal in a way that would not be required if they had provided information in response to a production order or search warrant.
Trade Me was also approached by police and asked to release information on Mr Hager.
Trade Me manager of trust and safety Jon Duffy said the company had "pushed back" on initial requests for information, as part of the broader investigation, and asked for a production order.
He said they had not received a production order relating to Hager's details so did not release the information, but had received other production orders related to other individuals.
He said that they were legally obliged to release information when supplied with a production order by police.
Mr Duffy said it was difficult to comment on Westpac's information release as he did not know what police had presented to the bank.
"The information provided to us wasn't necessarily the information supplied to Westpac.
"It's unclear to me that Westpac have done anything illegal here. It really depends on the information that police supplied to them," he said.
Trade Me released some electronic data as part of the investigation.
"We had a request made to us as to whether a certain IP address had been used to access TradeMe, and we were able to supply information [about that] to police," Mr Duffy told Radio New Zealand.
The Office of the Banking Ombudsman declined to be interviewed.