Access to Information: Make it easy to access and request corrections to information
Help service users to exercise their rights to see their personal information and request corrections to it.
How people can access information in person
Service users’ personal information will be held either by:
- your agency for your agency’s purposes or collected on behalf of another agency
- another agency.
If your agency holds the information
- Consider sharing your screen, showing people what’s recorded about them, and asking them to identify any inaccuracies or voice any concerns they may have about that information.
- Provide printouts of your screen, or other pre-prepared reports your information and communications technology (ICT) system may offer, or allow them to take a photo if their phone has a camera. Ask them to highlight any areas they might wish to change.
- Email a screenshot to them, taking care to double-check email addresses, making sure they want to receive this information by email.
- Provide photocopies of relevant information.
- Supply the information in an accessible format that is appropriate to the needs of the person, such as for children, people with low literacy levels, sight-disabled people and those with English as a second language. What timing, language, format, visuals, flowcharts, pictures or other things could be helpful?
- Talk through the information to help with the person’s understanding.
- Use a support person who can speak the person’s first language to translate for them.
If another agency holds the information
- If a person asks your agency for their information but you believe another agency holds it, the Privacy Act 2020 requires your agency to transfer the request to the other agency promptly, within 10 working days, and to inform the person you’ve done so.
- Offer to help them fill out the Privacy Commissioner’s AboutMe form or connect them to the other agency to help them ask directly.
- Fill out the AboutMe form on their behalf and act as their representative if, for example, they share an email address with a spouse or partner and would rather the information is kept private.
- If you have established relationships at an operational level with the agencies in question, contact them and ask on behalf of the service user, or with the service user present.
- Consider establishing a protocol with other agencies about access which will make it easier and more convenient for agencies and service users.
Help other organisations act on behalf of service users
Your agency may hold information that is useful and relevant for a non-governmental organisation (NGO) or other organisation to provide effective support for service users.
Service users may not remember or wish to recount relevant information when seeking a service. Instead, they may want the NGO providing the service to act as their representative and request the relevant information from the appropriate agencies.
- confirming details of benefits and entitlements
- information about health or wellbeing
- information about a person’s overall situation that they may prefer not to repeat, given that doing so repeatedly can have negative impacts on their wellbeing.
Having an NGO acting as their representative can reduce stress for the person seeking support, improve timeliness and the quality of the service they receive.
It is also efficient for the agencies that are asked for an individual’s personal information, as it provides clarity about what is needed and establishes channels and processes on how to best meet these requests.
To make it easier for people to access their information through others, agencies can:
- identify the organisations and types of services where it’s practical and makes sense to act on behalf of service users — noting that expectations of volume and timeliness that are mutually agreeable will have to be worked through
- establish local or regional relationships between agency staff providing the information and the organisation acting as the service user’s representative
- agree on appropriate processes (such as signed permission forms) to allow information to flow for lawful and agreed purposes when service users wish to access and check their records and want others to act as their agent or representative
- agree on who is the appropriate agency contact, how to contact them and what their responsibilities are, and identify who can do the work
- understand what information is typically useful and how it can be readily retrieved
- determine response times that can be reasonably achieved for typical requests, and agreed criteria for when a request is urgent
- have support in place when needed for urgent cases — for example, a mobile or direct dial number to call.
When establishing such channels, agencies may need to clarify general expectations about how people’s information will be managed, who can see it, and so on, including aligning with relevant advice in the Data Protection and Use Policy (DPUP) itself.
Using digital or other channels
When deciding to deliver your service digitally, consider the following.
- Digital access — service users may not always be able to access digital channels for a range of reasons, including language, technical confidence, access to technology, time or disability. Knowing that digital channels exist, but are not accessible, can be frustrating. Consider making it easy for service providers or others to be a representative for service users, or to complement digital channels with suitable alternatives.
- Setting up access to digital channels — the most immediate hurdle for people may be understanding what digital channels exist, what they do and how to access them. Consider enabling providers to help service users establish access to these channels.
Provide access to a person’s information in the form they prefer
The Privacy Act 2020 states that, where a person’s requested personal information is contained in a document of any sort (which could be hard copy or electronic), the agency can make the information available by:
- allowing the person to look at the document
- giving the person a copy of the document
- giving the person an excerpt or summary of the contents
- telling the person what is in the document.
At the same time, the Privacy Act 2020 requires the agency to “make the information available in the way preferred by the requestor, unless doing that would be administratively burdensome, contrary to a legal duty over the document or prejudice a reason in the Act for denying a request”.
Things to consider to improve processes and systems
- How can service users be involved in creating records, for example, writing or reviewing case notes or filling out forms?
- For larger agencies, can technology plans include providing online portals such as myMSD and ManageMyHealth to allow people to access and update some information?
- Can processes or practices help service users avoid having to make formal requests for their personal information. For example, can your agency automatically provide copies of core information such as referrals, assessments and forms?
- Does your agency have simple, well-understood business practices for staff to retrieve and provide information in response to Privacy Act 2020 requests?
- What are simple ways for service users to ask for changes or corrections, for example, in similar ways to the AboutMe tool on the Office of Privacy Commissioner's website?
- How can service users’ ideas and suggestions be included in regular planning processes to help define simple and efficient processes for them to access their information?
- Does your agency have simple and clear processes for service users to talk about their concerns or make a complaint?
Only give people their own information
When helping people to access their personal information, it’s important to check they’re only accessing their own information and it does not contain or refer to other people’s personal information. Allowing someone to view another person’s information could breach that other person’s privacy.
If someone requests personal information that is combined with information relating to others, it may be necessary to separate or redact the other information before granting access.