Privacy requests: How to respond to a request for personal information?
Organisations and businesses are obtaining and retaining more and more personal information from customers, employees and third parties.
Requests for access and disclosure of personal information are also becoming more common. If you receive a request for access to personal information held in your systems, either by a third party, or by the person themselves, multiple factors will need to be considered to ensure compliance with the Privacy Act 2020.
If an organisation receives a request for personal information, it needs to move quickly as there are statutory time limits. It should quickly evaluate whether the information sought is held, whether disclosure is required, and how it should be disclosed.
Complying with the Privacy Act, requests and association obligations can be complex. This is especially the case where the request is unwelcome. The Privacy Commission publishes general guidance for organisations and individuals. We are available to assist in providing specific advice on privacy obligations, privacy policies and responding to requests for personal information.
Timeframes and Extensions
Organisations have time frames they must meet under the Privacy Act when responding to requests.
Once a person has made a request for personal information, the organisation has 20 working days to respond. At a minimum, the decision as to whether the information will be released must be communicated within this period.
If you believe that the request is more appropriately directed to another organisation, as you do not hold the information, you must advise the requestor within 10 working days.
Extensions may be available in some circumstances, for example if there is a large quantity of information requested.
Grounds to withhold private information
The Privacy Act limits the ability to disclose information held about individuals. It may be necessary to withhold personal information for the following reasons:
- You did not collect the information in question for the reason you are being asked to disclose it.
- There are readily identifiable people in the information.
- The individual concerned has not authorised disclosure.
- Disclosure is unnecessary, in that there is no reason, such as to prevent serious threat to public safety or to assist in the conduct of proceedings before the Court.
- The information is being sent overseas, and that country does not have adequate privacy laws.
Information disclosed should be limited to only that which was requested. Where the information sought does include identifiable information, or information irrelevant to the request, it may be appropriate to remove, redact or blur that information before disclosing.
When redacting information, only redact information which actually needs to be with-held. Provide a clear explanation as to why this has been done.
Organisations should be wary of breaches, as they are obligated to report any potential breaches that have caused or are likely to cause serious harm. Notification to the Privacy Commissioner should occur as soon as possible after becoming aware of the breach. This includes incorrect or inadvertent disclosure of personal information.
Privacy breaches can be investigated by the Privacy Commissioner and the Human Rights Review Tribunal. The decision will be published. Financial penalties and negative publicity can occur.
Can you claim your costs for this process?
In some circumstances organisations can charge for the costs incurred in assessing and providing information. This should be the exception, not the rule. Organisations should advise the person requesting the information of the cost prior to conducting the work.