Access to Information: Help people understand their rights
Help service users learn what rights they have with their personal information and how to use them.
Remind people about their rights
The Data Protection and Use Policy (DPUP) Transparency and Choice Guideline describes what agencies should tell service users when collecting their information, including their rights in relation to information held about them.
These can be summarised as the right to:
- understand what personal information is collected and stored
- access that information
- request correction of that information, bearing in mind the purposes for which it may be used.
Accessing and correcting personal information
The Access to Information Guideline focuses on helping people to understand what personal information is held about them, to access it, to request correction of it and, where possible, to correct it themselves.
A range of factors can affect people’s understanding of their rights, or their motivation to exercise them. For example:
- people will not always think about their information being collected or held when they initially seek help — they may be stressed in some manner and more focused on getting the help they need
- over time, more information about them may be gathered or created without their knowledge, such as information lawfully obtained from other agencies or information that is recorded about them when they are not present (for example, case notes)
- people often engage with several agencies on related topics — over time they may become uncertain about which agencies hold what personal information, what the personal information covers and what those agencies are doing with their information.
Information collection can create concerns
It is important when recording information about a person to ensure that it is accurate, clear and well-written, both as a matter of respect and because the person can request access to, and view, what has been written about them.
It is especially important to make sure that staff and other people’s comments are carefully weighed, respectful and professional.
Agencies cannot refuse a person’s request for personal information merely because the information was poorly written or expressed with insufficient care. However, an organisation can withhold personal information from a requester if the information is evaluative material.
People may eventually have concerns about:
- where their sensitive information is held
- if any of their information is out of date or could be misunderstood
- if their information may not be helpful in terms of the services they need.
In addition, sometimes people become concerned about how their sensitive information is recorded. The act of recording a person’s story can involve interpretation and adverse judgements that may include stigmatising, generalising or stereotyping.
If someone has these concerns and also does not know how to access or request corrections to their personal information, this can have a negative impact on their sense of wellbeing.
It’s important to proactively remind people of their rights from time to time. This gives people an opportunity to think about their information and exercise their rights if they want to. Making sure that people know what they can do and how helps them to feel more empowered in relation to their personal information.
Giving people access to their information
There are grounds to deny people access to their personal information, but these need to be considered on a case-by-case basis. They do not justify a general denial of a person’s right to access their information.
The default approach is to grant people access to their personal information when requested unless one of the grounds to deny applies. For this reason, the existence of these grounds does not affect the importance of reminding people about their rights in relation to their personal information.
Note also that, if an agency refuses a person’s request to access their personal information when no grounds for refusal applies, the Privacy Commissioner can require the agency to give the person access to their personal information.
When agencies can deny access to personal information
The grounds for an agency being able to say no to someone requesting access to their personal information are in Part 4 of the Privacy Act 2020. These recognise that other interests may be harmed if someone is allowed access to their personal information.
The most relevant grounds concern situations where disclosure would likely prejudice the:
- safe custody or rehabilitation of people convicted of an offence or detained in custody
- physical or mental health of an individual — if the agency is satisfied of this after, where practicable, consulting the individual’s health practitioner
- maintenance of the law, including the prevention, investigation and detection of offences, and the right to a fair trial.
Disclosure may also:
- be likely to endanger either the safety of any individual or public health or public safety
- create a significant likelihood of someone being seriously harassed
- include information about another person who is the victim of an offence or alleged offence and the disclosure would mean they suffer significant distress, loss of dignity or injury to their feelings
- in the case of an individual under 16 years of age, be contrary to that individual’s interests
- interfere with the privacy of others
- breach confidentiality or legal or professional privilege.
Legal professional privilege means protecting confidential communications between a lawyer and a client. If legal advice is protected by legal professional privilege, it may be protected from disclosure under the Official Information Act 1982 and the Privacy Act 2020, and does not need to be produced for inspection during discovery in legal proceedings. There are 2 categories of legal professional privilege.
- ‘Solicitor / client privilege’ which applies to communications between a lawyer and a client, where the lawyer is acting in his or her professional capacity, the communication is intended to be confidential, and communication is for the purpose of obtaining legal advice
- ‘Litigation privilege’ which applies to communications or information compiled for the dominant purpose of preparing for a proceeding or an apprehended proceeding.
An agency may also refuse a person’s request to access their information if the information cannot be found, does not appear to exist or is not readily retrievable.
How to help people understand their rights
Agencies should consider these questions when helping service users learn what rights they have regarding their personal information, and how to exercise them.
- Will service users be asked how they want to be involved in managing their information?
- What needs to happen to enable service users to ask about their information from time to time and to feel comfortable and safe in doing that?
- How much support might they need to understand or exercise their rights?
- What steps can be taken to confirm that a person is aware of their rights?
Agencies should make the process easy by having:
- a process in place to deal with requests from an individual’s representative
- operational practices that emphasise telling service users up front what is recorded and how they can access it — this may be in general terms or specific to the person in question.
Agencies need to be clear about limits.
- If there are limits, why do those limits exist, and are they lawful?
- What limits should there be on access, and how can service users be told about them up front?
- Is there anything that can reasonably be done to reduce or remove such limits safely to enable access to the information?
Exceptions to people only accessing personal information about themselves
Under the Privacy Act 2020, people can only request access to personal information about themselves. There are 2 main exceptions to this.
- If an individual has authorised someone else to act as their agent or representative, that other person can make requests on behalf of the individual
- If a child is too young to act on his or her own behalf or if a child has consented, a parent or guardian can request access to information for the child.
For the first situation, and as noted on the Office of the Privacy Commissioner’s website, “[w]hen an access request is being made by a representative acting for an individual, the agency should ensure that the representative has the written authority of the individual to obtain the information. This can be done in a letter or email.”
Find more information in section 57 of the Privacy Act 2020, and ‘Can I request someone else's information?’