It has been just shy of three years since the Privacy Act 2020 (Act) came into force, replacing the 1993 legislation of the same name. The Act provides for, amongst other things, enhanced obligations and consequences for employers dealing with information requests and privacy breaches more generally.
We have seen that the information request provisions of the Act are being used by some employees in the course of disciplinary and investigation processes, presumably to delay and create risk for the employer, rather than as a means to obtain assurances as to the protection of their privacy. This approach is not unheard of, as it was used often under the previous legislation. In this article, we examine this recurring issue and ways to mitigate risk.
What does the Act require?
Broadly speaking, the Act governs the collection, storage, use, disclosure, access and correction of ‘personal information’ by ‘agencies’ through various Information Privacy Principles (IPPs) and sections of the Act. The key terms are of course ‘personal information’ and ‘agency’, which are defined as:
Personal information: Information about an identifiable individual, being a natural person (not a corporate) that is alive.
Agency: Any person (which includes an individual, corporation, body corporate or unincorporated body), that collects or holds personal information. Notably, this can include overseas persons who are carrying on business in New Zealand.
The two terms are intentionally broad. Really, any information that directly identifies, or identifies by reasonable inference, an individual is considered personal information. Any party that has collected or holds that information is considered an agency.
Another article could feasibly be written on the requirements of the IPPs and the Act as to collection, storage, use, disclosure, and correction of personal information. For the purposes of this article, however, we focus on how the Act governs access to personal information. To summarise:
- Any person can make a request for personal information from an agency.
- Once a request is made, the agency must ‘respond’ as soon as reasonably practicable, but no later than 20 working days.
- ‘Responding’ to the request means letting the requestor know whether the agency will grant or refuse access (or in some cases neither confirm nor deny that the information is held).
- If the agency decides to refuse access, for whatever reason, it must tell the requestor on what grounds it is making that decision and inform them that they can complain to the Privacy Commissioner.
- If the agency needs more time to respond to a request, it must (within the 20 working day period) inform the requestor of the period of extension, the reasons why and of their right to complain to the Privacy Commissioner.
How the Act is used as a sword
The reason for providing a pathway for individuals to access their personal information is sound. The information is about them, and they should have access equal to the agency that holds it. While most individuals will utilise the access pathway for genuine reasons that are consistent with the purposes of the Act, we often see instances where requests are made for other motives.
The most common example occurs during an employer-run investigation or disciplinary process. During that process, the employee who is the subject of the investigation or process may request information under the Act, often about matters that have nothing to do with the subject of the process the employer is running. At the same time as making the request, the employee may refuse to engage in the employer’s process until they have received their requested information.
The above approach puts the employer in a difficult position: whether to continue the process (and deal with the information request separately) or halt until it has met the employee’s demand. Related to this question, other risks can often be front of mind for employers:
- If it proceeds without first addressing the request, are any resulting decisions (termination, for example) potentially unjustified?
- On the other hand, by halting the process and providing requested information, will that just lead to more information requests and more delay from the employee?
- If information is provided, is there potentially something in there that is problematic and may assist the employee in raising a personal grievance?
- Is the potential scope of information so wide that it would take weeks to comply with?
The effect of such a request is disarray and often delay. It shifts some of the focus from the employee onto the employer as well. The prescriptive nature of the Act can often trip employers up when faced with this issue.
How employers can mitigate risk
The first and most important way to mitigate risk is to take care when recording information, be that in emails, texts, notes or anything else written. The guiding principle is that any information about an individual is accessible. There are, however, limited exceptions to that principle. For example, if information is genuinely evaluative and is provided in confidence, it may be withheld.
As to dealing with a request for information during an employer-run process, there is no blanket ‘correct’ approach. Employers can, however, make the issue easier for themselves:
- If the request concerns information that ought to be provided to the employee to enable them to participate in the process, then that information should be provided before the process continues. For example, an employee being disciplined should already have information relevant to the allegations.
- If the request concerns information irrelevant to the process, then it is permissible to continue the process and deal with the request in accordance with the Act.
- Most requests will contain a mix of the above two categories. Employers can therefore elect to separate the categories and deal with them as set out above. It is advisable, and consistent with good faith obligations, to tell the employee why the request is being handled this way.
Approaching the request as above will assist where the request is broad and covers a wide range of information. Generally the majority of the requested information will not be relevant to the employer-run process, so separating that aspect of the request out early is essential. Separation, however, only ensures that the employer can proceed with the process. It does not mean the employer is absolved from actually addressing the request.
An employer can extend the timeframe for responding to a request. There is no absolute limit on how long an extension can be, but common sense will generally indicate how long assessing a request will take. When considering an extension, think about the amount of information sourced, the potential storage areas for that information and the internal resources to collate and review information. If it is likely that a large extension is necessary, it is entirely reasonable to write to the employee and offer them the opportunity to refine their request. If the employee is keen to obtain their information sooner, they will be motivated to make their request more specific.
Finally, employers need to be mindful about what they provide to employees in response to a request. Any information that concerns other individuals may well need to be withheld or redacted, as providing it risks unwarranted disclosure of someone else’s personal information. Further, any privileged or commercially sensitive information may also need to be withheld.
Special thanks to Associate Matt Hutcheson for preparing this article. For more information, or for specialist advice on any employment issues, please contact a member of our Employment or Data Protection & Privacy teams.
Disclaimer: the content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.