Remind people about their rights

The Data Protection and Use Policy (DPUP) Transparency and Choice Guideline describes what agencies should tell service users when collecting their information, including their rights in relation to information held about them.

These can be summarised as the right to:

• understand what personal information is collected and stored
• access that information
• request correction of that information, bearing in mind the purposes for which it may be used.

Transparency and Choice Guideline

Accessing and correcting personal information

The Access to Information Guideline focuses on helping people to understand what personal information is held about them, to access it, to request correction of it and, where possible, to correct it themselves.

A range of factors can affect people’s understanding of their rights, or their motivation to exercise them. For example:

• people will not always think about their information being collected or held when they initially seek help — they may be stressed in some manner and more focused on getting the help they need
• over time, more information about them may be gathered or created without their knowledge, such as information lawfully obtained from other agencies or information that is recorded about them when they are not present (for example, case notes)
• people often engage with several agencies on related topics — over time they may become uncertain about which agencies hold what personal information, what the personal information covers and what those agencies are doing with their information.

Information collection can create concerns

It is important when recording information about a person to ensure that it is accurate, clear and well-written, both as a matter of respect and because the person can request access to, and view, what has been written about them.

It is especially important to make sure that staff and other people’s comments are carefully weighed, respectful and professional.

Agencies cannot refuse a person’s request for personal information merely because the information was poorly written or expressed with insufficient care. However, an organisation can withhold personal information from a requester if the information is evaluative material.

Evaluative material — Office of the Privacy Commissioner

People may eventually have concerns about:

• where their sensitive information is held
• if any of their information is out of date or could be misunderstood
• if their information may not be helpful in terms of the services they need.

In addition, sometimes people become concerned about how their sensitive information is recorded. The act of recording a person’s story can involve interpretation and adverse judgements that may include stigmatising, generalising or stereotyping.

If someone has these concerns and also does not know how to access or request corrections to their personal information, this can have a negative impact on their sense of wellbeing.

Giving people access to their information

There are grounds to deny people access to their personal information, but these need to be considered on a case-by-case basis. They do not justify a general denial of a person’s right to access their information.

The default approach is to grant people access to their personal information when requested unless one of the grounds to deny applies. For this reason, the existence of these grounds does not affect the importance of reminding people about their rights in relation to their personal information.

Note also that, if an agency refuses a person’s request to access their personal information when no grounds for refusal applies, the Privacy Commissioner can require the agency to give the person access to their personal information.

When agencies can deny access to personal information

The grounds for an agency being able to say no to someone requesting access to their personal information are in Part 4 of the Privacy Act 2020. These recognise that other interests may be harmed if someone is allowed access to their personal information.

The most relevant grounds concern situations where disclosure would likely prejudice the:

• safe custody or rehabilitation of people convicted of an offence or detained in custody
• physical or mental health of an individual — if the agency is satisfied of this after, where practicable, consulting the individual’s health practitioner
• maintenance of the law, including the prevention, investigation and detection of offences, and the right to a fair trial.

Disclosure may also:

• be likely to endanger either the safety of any individual or public health or public safety
• create a significant likelihood of someone being seriously harassed
• include information about another person who is the victim of an offence or alleged offence and the disclosure would mean they suffer significant distress, loss of dignity or injury to their feelings
• in the case of an individual under 16 years of age, be contrary to that individual’s interests
• interfere with the privacy of others
• breach confidentiality or legal or professional privilege.

Part 4 of the Privacy Act 2020: Access to and correction of personal information — Parliamentary Counsel Office

An agency may also refuse a person’s request to access their information if the information cannot be found, does not appear to exist or is not readily retrievable.

How to help people understand their rights

Agencies should consider these questions when helping service users learn what rights they have regarding their personal information, and how to exercise them.

• Will service users be asked how they want to be involved in managing their information?
• What needs to happen to enable service users to ask about their information from time to time and to feel comfortable and safe in doing that?
• How much support might they need to understand or exercise their rights?
• What steps can be taken to confirm that a person is aware of their rights?

Agencies should make the process easy by having:

• a process in place to deal with requests from an individual’s representative
• operational practices that emphasise telling service users up front what is recorded and how they can access it — this may be in general terms or specific to the person in question.

Agencies need to be clear about limits.

• If there are limits, why do those limits exist, and are they lawful?
• What limits should there be on access, and how can service users be told about them up front?
• Is there anything that can reasonably be done to reduce or remove such limits safely to enable access to the information?

Exceptions to people only accessing personal information about themselves

Under the Privacy Act 2020, people can only request access to personal information about themselves. There are 2 main exceptions to this.

1. If an individual has authorised someone else to act as their agent or representative, that other person can make requests on behalf of the individual
2. If a child is too young to act on his or her own behalf or if a child has consented, a parent or guardian can request access to information for the child.

For the first situation, and as noted on the Office of the Privacy Commissioner’s website, “[w]hen an access request is being made by a representative acting for an individual, the agency should ensure that the representative has the written authority of the individual to obtain the information. This can be done in a letter or email.”

Find more information in section 57 of the Privacy Act 2020, and ‘Can I request someone else's information?’

• Section 57 of the Privacy Act 2020 — Parliamentary Counsel Office
• Can I request someone else's information? — Office of the Privacy Commissioner