Author: MIL-OSI Publisher

Source:

Privacy authorities typically perform regulatory and enforcement functions on their own – or occasionally with another public body – within their domestic jurisdiction. They know the domestic law they enforce. The law will clearly lay out the authority’s role and provide a clear pathway to the intended outcomes.

By contrast, cross-border cases offer none of these certainties.

We were recently asked the question: “What international privacy enforcement cooperation initiatives are in operation and what practical tools are available to facilitate cooperation?”

There are several difficulties:

• It may not be clear what authorities might or should be involved.
• The applicable law may be uncertain or unknown to authorities contemplating involvement in a case.
• The roles may not be clear or may be contested.
• The possible outcomes may not be known and the pathway to any outcome may not be clear.

For the past 10 years, much effort has been expended at an international level to create conditions whereby the chances of successful cross-border cooperation amongst regulators are improved. Here are some of those efforts and examples of the practical tools that now exist.

Building the right environment

Before turning to precise enforcement cooperation tools, it may be helpful first to canvas cooperation more widely.

It is probably unrealistic to expect instant success in cross-border enforcement, if an authority remains entirely domestically focused until it encounters its first case with a cross-border element.

Where would such a domestically focused authority turn? How would they know who to approach for assistance in a foreign jurisdiction? What would they know of the other jurisdictions law and how would they find out? What would an authority in another jurisdiction think of a request for assistance arriving ‘out of the blue’ from an authority it had never heard of?

Three approaches to creating cooperation might briefly be mentioned:

1. Networking with peers.
2. Connecting with stakeholders.
3. Access to law.

1. Networking with peers

The likelihood of successful cooperation across borders may be enhanced if you know your counterpart before that first case arises.Privacy authorities have networked with their peers for four decades through the International Conference of Data Protection and Privacy Commissioners.

Privacy authorities also network at a regional level. In our region this happens through the Asia Pacific Privacy Authorities Forum. Our French and Spanish speaking counterparts also have networks of their fellow-linguistic colleagues. 

There are also two specialised enforcement cooperation networks set up in 2010:

• APEC has established the Cross-border Privacy Enforcement Arrangement (CPEA), with 25 participating authorities.
• Global Privacy Enforcement Network (GPEN) was set up with the assistance of OECD, and now has participating authorities from 46 countries.

More information on these networks is available at the ICDPPC website.  

2. Connecting with stakeholders

Regulators and privacy enforcement bodies should engage with stakeholders such as global business, privacy professionals and civil society to build an environment for successful cooperation. Efforts by groups such as IAPP and iappANZ to build compliance capacity are positive steps that create an environment for cooperation.

3. Access to law

While no regulator has the time or inclination to become an expert in every other economy’s law, there are clearly benefits in some general information sharing about laws and legal interpretations. There is also benefit in being able freely to access legal information in greater detail as needed. In the area of privacy law, many of the key interpretations are issued by regulators rather than in court decisions, and may not be available through mainstream law reports.

There have been various efforts to address these deficits in legal information. Three examples from our own region are:

• APEC has each economy describe its privacy laws in a structured standardised way called an Individual Action Plan or Data Privacy IAP.
• The APPA Forum has issued standards for privacy authorities on citation and dissemination of case reports.
• The World Legal Information Institute (maintained in Australia) operates a huge free access repository of case reports and laws known as the International Privacy Law Library.

Tools for cooperation

The following are a selection of the practical tools developed in the last 10 years to promote enforcement cooperation:

• Policy guidance for updating existing privacy laws
• Cooperation networks
• Templates for requesting cross-border assistance
• Directories of enforcement contact points
• Standard statements of enforcement cooperation practices
• Discussion networks
• Templates for information sharing agreements
• Secure information exchange platforms
• Published guides

Updating existing laws

The OECD Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy (2007) provides a blueprint for upgrading privacy laws more effectively to deal with cross-border cooperation.

Cooperation networks

The OECD Recommendation on Cross-border Cooperation suggested a need for cooperation networks of privacy authorities. Several networks have accordingly been established since 2007:

Templates for cross-border assistance

Both the OECD and APEC have released Request for Assistance templates for seeking assistance from authorities in other member economies.

Directories of enforcement contacts

The OECD, APEC and Council of Europe have each established processes for nominating and listing national or economy contact points. These three international organisations have cooperated in maintaining a combined directory which is maintained for access by authorities through the GPEN website.

Standard statements

APEC has established a requirement for authorities that participate in the CPEA to publish standard statements of enforcement cooperation practices. This is published both on the authority’s own website and centrally on APEC’s system.

Discussion networks

GPEN has a facility for general discussions amongst enforcement staff on its password-protected forum pages. It also hosts 20 discussion teleconferences each year. These are split into two regions – Pacific and Atlantic.

Information sharing agreements

GPEN has a standard information sharing agreements applicable to the GPEN Alerts System. ICDPPC’s Enforcement Cooperation Arrangement also features an optional template for an information sharing agreement.

Information exchange platforms

GPEN has established the secure GPEN Alerts System.

Published guides

The EU’s PHAEDRA Project produced several reports useful to enforcement cooperation. The ICDPPC has produced an enforcement cooperation handbook. In 2016, an Enforcing Privacy textbook was published.

Conclusion

In the past 10 years, and particularly since the publication of the OECD’s 2007 Recommendation, considerable progress has been made in creating conditions conducive to cross-border cooperation and to provide privacy authorities with the tools they need.

Cross-border cooperation remains difficult and the greatest progress will probably only been made when all privacy laws are upgraded, as recommended by the OECD, with cross-border action in mind.

Image credit: Wagah border ceremony – Wikipedia

Asia Pacific Privacy Authorities (APPA), Global Privacy Assembly (GPA), International Association of Privacy Professionals (IAPP), OECD, International, Europe, legal, Asia Pacific

Back

Source:

Reviewed for relevance April 2025.

As parents, we expect to be told everything about our infants when we take them to the doctor. The same with our toddlers. By the time they get to their teens, it gets a little more complicated. Should parents have the right to know about all about their under 16-year-old’s healthcare?

That issue was the subject of a recent petition to Parliament. It asked:

That the Parliament pass legislation providing that a parent of a woman under the age of 16 years has the right to know if that woman has a pregnancy confirmed before she is referred for any resulting medical procedure, and that any consent sought for the medical procedure be fully informed as to procedure, possible repercussions, and after-effects.

The Select Committee that considered that petition has just made its report. Read the report, ‘Petition 2014/11 of Hillary Kieft and six others‘. We were asked to make a contribution to the debate and we made a submission to the Select Committee. You can read our submission where we set out how the law currently works and how the Privacy Act applies.

Medical information is universally understood to be sensitive information. Reproductive health information is generally accepted as being particularly so.

The Privacy Act’s Health Information Privacy Code says a health agency is entitled to disclose information to a parent or representative if a patient is unable to consent. If a young person objects or specifically requests privacy, it is open to the health agency to make an assessment of the young person’s ability to make that request. A test called ‘Gillick competence’ is used by doctors to evaluate a patient’s competency in this regard.

If a young person, a minor, wants to keep her request for reproductive health advice or services secret from her parents, a health agency is not automatically required to tell her parents. Under the Privacy Act, anyone has the right to protect the privacy of their personal information.

Other laws also need to be considered. In general, doctors cannot treat any person without obtaining their informed consent. Anyone over the age of 16 can refuse or consent to medical treatment but legislation is silent on the consent of minors. Section 22F of the Health Act permits a parent or representative of a child to request information about that child. But section 22F also says a doctor must still consider whether it could be contrary to a minor’s interests to disclose the information.

Our submission to the Justice and Electoral Committee says if a girl, who has been found to be mentally competent, is able to give or refuse consent for a termination, she also has the right to keep their personal medical information private from her parents. Current privacy laws protect a minor’s right to privacy while also giving an appropriate level of discretion to doctors when faced with whether or not to disclose their personal information.

Such an approach is consistent with the United Nations Convention on the Rights of the Child which recognises that children and young people have legal and social rights when seeking consent to healthcare. 

children, health, Health Information Privacy Code

Back

Source:

Mrs Patel was outraged. She’d visited her GP for a follow-up check after her hand surgery, and he’d asked her about her history of depression. She didn’t think she’d had anything of the sort, and decided to ask the receptionist for a copy of all her medical notes to see what else was in there. The young receptionist assured her that the doctor owned the notes so she couldn’t have them. 

“But they are about me and I have never seen them!” Mrs Patel protested. 

The receptionist paused for a moment. “Well,” she said, “put your request in writing and your doctor might let you see some of the notes. Our administrative charge for dealing with your request is $50. Now, shall we make an appointment to see your doctor about this?” Mrs Patel looked at her writing hand, which was still feeling tender, and decided to call the Privacy Commissioner.

The above (fabricated) scenario is an example of the sort of enquiries I receive. Just in March this year we had 145 enquiries from individuals and agencies for guidance about access requests. Medical centres in particular are often keen to understand their obligations around access requests.

Access to personal information

Individuals have a fundamental right to ask for access to any health information held about them. This right also extends to a “representative”: a parent or guardian of a child under the age of 16 years, an executor or administrator of a deceased individual’s estate or the person who has an activated enduring power of attorney for the individual concerned or someone acting in the individual’s best interests. 

We encourage individuals to put their request in writing – this way there is a record of the request and the health agency knows exactly what information is required – but there is no prescribed way to make an access request. Many health agencies have their own forms to make sure all the necessary details are collected. However, since Mrs Patel has an injured hand, she could make a verbal access request and the health agency should give her any assistance she needs to do that. Mrs Patel definitely doesn’t need to pay for an appointment with the doctor to make her request.

From the day after the health agency receives an access request, it has 20 working days to decide if it will release the information. Once it’s decided to release the information, it should do so without undue delay, and if it wants to withhold anything, it should specify the withholding grounds set out in the Privacy Act it is relying upon to do so.

What about information ownership?

Who owns the information is irrelevant. A health agency can’t refuse an access request because it owns the information. Nor can it refuse an access request because the requester owes a debt.

Information should be made available to individuals in the way they prefer. If Mrs Patel has asked for a copy of her health information that’s what she should get unless it would impair the efficient administration of the health agency. 

Charging

Because this is the first time that Mrs Patel has asked for her notes it’s not permissible to charge. But if copying her medical file requires copying an x-ray, video recording, MRI, PET or CAT scan photograph, the medical centre can levy a reasonable charge. 

Verifying identity

But a word of caution: before handing over the information to the requester, the health agency must be satisfied concerning the identity of the requester. Don’t hand sensitive health information over to the wrong person.

Sometimes requesters confuse making an access request for their information with wanting their physical file instead. What matters is the information itself – ownership of the health information is irrelevant. That said, a health provider can release the physical copy of the information to the individual the information relates to even though they don’t have to. Sometimes a doctor will hand over her notes to the patient, say, when the patient is moving permanently overseas or to a different region in New Zealand. This means the patient has possession of their health information and can immediately give their medical file to their new health provider. 

It can be difficult remembering all the procedural aspects, both for the busy health agency and the mystified requester. The Privacy Commissioner recognises this and is determined to make privacy easy. 

New tool: AboutMe

To this end, we have developed an online tool to help called “AboutMe”. This online tool helps you make an access request. The request is then emailed to the agency you choose. We never see what is being requested, we just provide the mechanism. The request includes a standard note from us about what the agency needs to do to respond to the request and by when. 

Returning to Mrs Patel – she made a verbal request to the medical centre which was noted down by the privacy officer (every agency should have one). Mrs Patel received the information promptly and immediately saw the inaccuracy. Her doctor agreed with her and made an appropriate correction in her medical file. Furthermore, Mrs Patel is thrilled that she has full use of her hand again, her trust in her doctor is restored, and she is back playing tennis and tending her roses!

First published in NZ Doctor on 25 May 2016

Image credit: Artist Paul Holmes via Vincents Art Workshop.

IPP6 – access, health, Health Information Privacy Code

Back

Source:

Complaints are valuable assets for every organisation. There is no better way to highlight and fix problems in an organisation’s systems and processes. This is what we tell the agencies we investigate, and many of them take the opportunity to learn from complaints to improve their practices. It’s also a view that was echoed in an excellent Auditor-General report about ACC’s complaint’s processes.   

But how do we practice what we preach? How do you give us the opportunity to fix inadequacies in the way we do things? In other words, how do you complain about the Privacy Commissioner?

Give us a chance

If you’re unhappy with any stage of your privacy complaint, you should let us know first. We will almost always escalate your concerns to a more-senior staff member for a second look. While you don’t necessarily have to do this, it is faster and involves less paperwork than going through formal oversight channels – and it certainly doesn’t stop you from using those channels in the future!  

If you do this, the decision may be changed in your favour; and if not, you’ll at least get a more detailed explanation of our decision.

We appreciate complainants who do this because it gives our investigators the opportunity to learn in a hands-on way.

The Ombudsman and the assessment

When you make a Privacy Act complaint, our first move is to assess your complaint and determine whether or not to launch a full investigation. There are a number of reasons we may decline to investigate. For example, the case may not be covered under the Privacy Act, the breach may have been a long time ago or the issue may be too minor to merit an investigation.

Sometimes we will suggest that complainants take up another avenue for their concerns, such as in the courts, or an industry specific dispute resolution scheme.

If we decide not to investigate, we are exercising a discretion. We are answerable in the way we exercise that discretion to the Ombudsman. So if you disagree with our decision not to investigate, you can ask the Ombudsman to investigate our decision. If the Ombudsman thinks we have not taken into account all relevant factors, or have otherwise acted unreasonably, they can suggest we reconsider our decision. In most cases we would accept a Ombudsman’s recommendation.

You can file your complaint to the Office of the Ombudsman online:

Complain to the Ombudsman.

Settling your case

If, after beginning an investigation it seems as though there is some basis for the complaint, we will try and identify opportunities to help the parties resolve the problem. When the parties agree to a settlement, that is the end of the story. Each party gives up their right to pursue a full legal determination, for the sake of an early settlement.  

The Investigation and the Tribunal

If the case doesn’t settle, there are three different possible outcomes:

1) We may find an interference with your privacy and refer your case to the Director of Human Rights Proceedings, who may choose to represent your case before the Human Rights Review Tribunal.  

We don’t exercise this right very often. We reserve it for ‘edge cases,’ such as cases where a privacy breach has caused significant harm, where new legal precedents need to be set, or where we suspect there are other people suffering from the same privacy breach.  Further, a referral to the Director doesn’t guarantee that you’ll be heard in front of the Human Rights Review Tribunal, as the Director may choose not to take your case.

2) We may find that your privacy has been breached, but choose not to refer the case to the Director of Human Rights Proceedings.  

3) We may find that there has been no interference with your privacy, and close the case.

All three of these circumstances have the same recourse if you are dissatisfied: take the case to the Human Rights Review Tribunal yourself. The Tribunal will hear evidence afresh, and make up its own mind, independent of any finding we might have made.

A recent example of this practice in action was Taylor v Orcon. Mr Taylor complained to our office about telecommunications company Orcon disclosing inaccurate information about his credit history. We concluded our investigation on the basis that the breach by Orcon did not cause all the harm Mr Taylor claimed to have suffered.

Mr Taylor, dissatisfied with this outcome, took Orcon to the Tribunal and won $25,000. The Tribunal disagreed with the way we had applied the legal tests, and not only did he get the outcome he wanted, he also provided us with valuable guidance for the future (although he’s probably happier with the $25,000).

So, the Privacy Commissioner, like all public sector organisations, functions in a world of checks, balances and oversight. If you think we’ve made the wrong call, we encourage you to avail yourself of these mechanisms. Otherwise, how will we get it right next time?  

Image credit: Upset Lion by Toby Oxborrow via Flickr

Back

Source:

Our office is proud of the work we do in the area of dispute resolution. Where it is appropriate, we try and bring complainants and respondents together, in person or by phone, to resolve privacy disputes. Last year, we closed 827 complaint files and of these, nearly half were achieved with a settlement between the parties involved.

We’re therefore pleased to have been included in a pilot project aimed at leading and strengthening the use of dispute resolution by government services and agencies.

Dispute resolution works!

Dispute resolution is about trying to resolve disputes between parties so that they don’t end up in court. We’ve found that a resolution might include an apology or an acknowledgement, a promise of confidentiality, a change in an agency’s processes, staff retraining, or a compensatory payment. 

Many New Zealanders have learned the hard way of the time, cost and emotional drain of litigation, and the substantial delays inherent in the court process.

And for some time now, the government has recognised the benefits of dispute resolution, and that it should be doing more of it.

As a result, the Ministry of Business, Innovation and Employment has established the Government Centre for Dispute Resolution (GCDR), a two year project to support the further development of dispute resolution.

Making better policy

Last year, our investigations and dispute resolution team leaders were selected to participate as members of the centre’s Officials’ Advisory Group – a panel made up of representatives of government agencies with dispute resolution expertise.

Before it established the advisory panel, the GCDR reviewed all of the statutes in New Zealand that allow for the use of dispute resolution, in some form or other. It discovered at least 60 statutes provide for dispute resolution services, and up to 200 contain some kind of reference to it.

It also found a wide variability in the way these provisions were interpreted and applied by government agencies (if they were even being used at all). The GCDR is now focused on helping New Zealand agencies achieve a level of consistency in this area.

Our input

Our participation in the advisory panel was concentrated largely on the development of the best dispute resolution principles. These are a set of key criteria that any good dispute resolution service should take into account.

The principles are based on common sense (such as being objective and fair, being client focused and ensuring you are accountable for what you do), and come with guidance about how to achieve these objectives at policy, service design, service delivery and practitioner levels.

We support the work being done by the GDCR and look forward to seeing what comes next for New Zealand and its dispute resolution services.

Image credit: Created by Ruth Suehle for opensource.com.

Back

Source:

Pieter, a visitor from Belgium, witnessed a car accident in a remote area. The accident left a young woman unconscious and seriously injured. Pieter acted quickly and phoned the emergency line from his mobile phone to get help to the woman as soon as possible.

However, Pieter was in shock and was unfamiliar with his surroundings, so he was unable to tell the 111 call taker exactly where he was. Pieter was able to describe a few of the landmarks around him – a small bridge and an interesting grove of Kauri trees – but he couldn’t recall the road name or the nearest town. With only vague descriptions to help them, the Police and ambulance experienced significant delays locating the scene of the accident. As a result, they were delayed in reaching the young woman who remained in pain for some time.

This is an alarming story but one which has repeated a number of times in New Zealand, due to the unavailability of timely and accurate information about the location of mobile emergency callers.

New system

In response to these concerns, the Ministry of Business, Innovation and Employment, after researching various options, has developed a system suitable to NZ conditions that will generate location information on mobile callers and make this available to the emergency services on 111 calls. The Privacy Commissioner proposes to amend the Telecommunications Information Privacy Code to create a clear and lawful basis for this system.

The new system enabled by the amendment will involve the gathering and sharing of automated location information – either directly from a caller’s mobile phone if they have an enabled device, or in the form of a report generated by the network operator showing the nearest cell tower to the caller. Access to this information, in real time, will help the emergency services to locate a caller and thereby an incident.

In Pieter’s case, his mobile phone could have sent location information to the system which would have provided the 111 call taker with his coordinates. With this system in place, it would have mattered less that Pieter could not recall the road name or nearest town. The emergency services may have reached the accident sooner.

Submissions invited on amendment

The proposed code amendment recognises that this information sharing serves a very important public good. Systems similar to this operate in other countries, and there is a general consensus among telecommunications and privacy regulators overseas that this is beneficial to individuals and the public more generally. Public confidence that location information is properly protected is important, and so the amendment sets boundaries on the use and retention of the location information and requires the agencies involved to be as open and transparent as possible about the system.

We’re seeking the views of the wider public on this proposal, to make sure we’ve got the balance right. Click here to view the proposal and email your submission to submissions@privacy.org.nz by 23 December 2016. 

Image credit: In case of emergency sign.

Telecommunications Information Privacy Code (TIPC)

Back

Source:

As a result of a complaint, Police began an investigation into a woman who worked at a district health board. The complaint alleged that she may have accessed DHB health records in order to locate children who had been the victims of crimes committed by her brother.

In the investigation, Police disclosed sensitive personal information about the woman’s brother to the woman’s employer. The woman complained to our Office, and subsequently took her case to the Human Rights Review Tribunal, claiming there had been an interference to her privacy.

The matter had become a Police investigation after someone claiming to be the woman in a letter attempted to contact the children through the school they attended. The family were living at a secret address because they were fearful for their safety. Police suspected the woman might have tried to contact the children on behalf of her brother.

The police officer assigned to the investigation contacted the woman’s manager at the DHB where she worked. He disclosed detailed background information to the manager including information of the woman’s brother and his convictions for child sexual and physical abuse, and earlier convictions for possession of child pornography.

The police officer suspected the woman may have committed an offence under the Crimes Act 1961 – if she had inappropriately accessed the National Health Index (NHI) database through her role at the DHB to try and locate the family members.

The woman complained to our Office because the information disclosed by Police to her employer about her brother’s convictions had caused her hurt and humiliation. She said she should have been told first, and Police should have had a search warrant or production order to get her employer to look for evidence against her.

The DHB’s internal investigation showed the woman had not accessed the NHI or DHB databases.

Our investigation

The woman complained to us under principles 1-4 and 11 of the Privacy Act.

We found no breach of the collection principles (1-4). Neither did we find a breach of principle 11 which says an agency that holds personal information is able to disclose it in order “to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences”.

After we found the woman had suffered no interference with her privacy, she took the case to the Tribunal.

Tribunal case

The woman claimed after the police officer had contacted her manager, she was subjected to further audits and was harassed by the manager. She withdrew from her friends and her drinking increased. She also gained weight, slept badly and suffered anxiety attacks at work. She later resigned from the DHB.

But the Tribunal noted the woman “did not impress as a witness. Unfortunately, she has become blind to any point of view other than her own. She hears only what she wants to hear and sees only that which she wants to see.” The Tribunal said it preferred the evidence given by the police officer and the woman’s manager.

Search warrant

The police officer testified that Police did not have enough information to obtain a search warrant or a production order, and this was why Police used the Privacy Act’s principle 11 to request evidence from the DHB.

The Tribunal agreed with the view of Police. It said if there was insufficient evidence to obtain a compulsory order, it would be absurd if Police were not able to rely on using the Privacy Act. The Act’s privacy principles were flexible enough for this kind of request to be made by law enforcement agencies.

Meaning of ‘necessary’

The Tribunal found Police was able to satisfy the criteria needed to rely on the maintenance of the law exceptions and it considered the collection of the information was necessary for the purpose of maintaining the law. Like our Office, the Tribunal found no breach of the collection principles.

The Tribunal found Police had reasonable grounds to believe that disclosure of the brother’s offending, conviction and sentence was necessary because it gave the DHB the basis for agreeing to their request.

If the information was not provided, the DHB could justifiably have declined the request and this would also be in accordance with the Privacy Act. The disclosure of the woman’s connection to her brother, along with her brother’s offending, was necessary – and was not merely desirable or expedient.

The Tribunal dismissed the woman’s claim and upheld the original decision by our Office.

Image credit: Michael Kumm via Flickr

Read the full text of the decision.

Human Rights Review Tribunal, health, law enforcement

Back

Source:

Applying for a job can be a nerve-wracking ordeal and, more likely than not, it ends in disappointment. It can be devastating to miss out on that dream job and not knowing why you missed out can be incredibly frustrating.

One common part of applying for a job is nominating your referees. Confusion about this process can raise privacy concerns which sometimes ends up in our Office. There are specific parts of the Privacy Act which address these matters and it is important both parties are aware of them.

Firstly, among other important obligations, a potential employer must only contact the referees the applicant has listed. Please see our blog post on recruitment for more advice.

When you don’t get the job

What if you don’t get the job, and you are worried your referees let you down? What are your rights if you want to know what they said about you? Or, what if you want to protect a referee from a disgruntled applicant who might be threatening to sue?

Principle 6

Under principle 6 of the Privacy Act, you are entitled to access personal information an agency holds about you – but not always.

A potential employer may be able to withhold this information. Section 29(1)(b) says an agency may refuse to disclose personal information that is evaluative material, if disclosing it or information identifying its source (or both) would breach a promise to keep the information or the identity of the source confidential.

Evaluative material

Evaluative material is described in section 29(3) as information “compiled solely” for a range of purposes, and where there is a common purpose in the supply and receipt of that information. In other words, the information needs to be gathered solely for that purpose.

There needs to have been a promise made to the referee about withholding their identity or the information in confidence, and that promise must have been clear to the referee when they make the decision whether or not to supply the information. This typically applies where an employer requests a letter of reference from a referee nominated by a job applicant.

It is important to be aware that this does not apply to unsolicited information. For example, unsolicited complaints about an employee by a disgruntled client cannot be withheld under this provision.

Section 29 of the Privacy Act allows for people to be able to give free and frank references about people. It also means potential employers are more likely to value the information they hear. This can protect people from possible repercussions, awkwardness, and protects current and future relationships. Many people would also refuse to give references if they did not have confidentiality, or the ability to speak honestly. 

Disappointed applicants

But some disappointed applicants will speculate on the potential reasons they were denied a job, and unfortunately this feeling of frustration can be reinforced when information about them is withheld. Sometimes this sense of grievance arises from the way they are treated or how the application was handled. In these cases, it may be beneficial to get the referee’s permission to release the information or to give summary feedback on why an applicant was declined.

Here’s a couple of tips:

• If you are applying for a job, be careful who you use as a reference, and pick someone who is professional (and who hopefully likes you!).
• It’s also good to advise the recruiters you would like to be contacted before the referees are contacted, just in case circumstances changed in the meantime.

Here’s another thing to think about. If you really want a job somewhere, is lodging a complaint about how your application was handled going to bring you any benefit? There may be variety of reasons why you didn’t get a job and often references are only a minor factor.

If you have further questions about privacy and recruitment, try using our AskUs tool to get the answers.

Image credit: Massimo Busacca, referee, Switzerland via Wikimedia Commons

IPP6 – access, employment

Back

Source:

Callers to our Enquiries service often start with “I need some legal advice”. If the caller means guidance on his or her Privacy Act rights or the obligations of an agency, then we can help. But if by “legal advice” he or she means a legal “opinion” about how the Privacy Act might apply, then this is something our Enquiries service can’t do.

Guidance on the Privacy Act

Distinguishing between guidance on the law and legal opinion might seem like hair-splitting, but it is an important difference. Take access, for example. Our Enquiries service can tell you that you have the right, under principle 6 of the Privacy Act, to ask for any personal information that an agency holds about you.

We can advise you how an agency must respond to your request, and that the law allows for information to be withheld in certain circumstances. We can discuss the circumstances for withholding information and tell you that you have the right to complain to us and have that agency’s decision reviewed.

What we can’t tell you is whether you have the right to see particular information, because the agency may have a legitimate reason to withhold it. The reasons to withhold depend on the specific circumstances of a case.

Legal opinion

To provide a legal opinion, our Office would need to gather all the relevant information. We might, for instance, need our investigators to obtain the information that has been withheld from you. We could then weigh it up against the Privacy Act’s withholding grounds.

Only then would we be able to give you and the agency a legal opinion on whether you should have access to the information or not.

Is it a breach of my privacy?

We are also often asked “has my privacy been breached?” What if, for instance, your employer has put a GPS device in the work car, and is collecting information about where you’ve been going outside work hours. Or what if personal information has been disclosed against your wishes?

Agencies must have legitimate reasons for collecting, storing, and disclosing information. They must advise people of certain things when they collect information, like what they are collecting, why they are collecting it, how they intend to use it, and if there are any possible consequences to you for not giving it.

Agencies must also take reasonable steps to ensure the information is accurate before they use it, and they must keep it safe. They can only use or disclose it in certain circumstances.

This is set out in the Privacy Act’s 12 information privacy principles. If you think an agency is not complying with the Act, and it is unable to resolve your concerns when you ask them about it, you can complain to us.

Complaints

In most cases, we will be able to tell you if your complaint is outside our jurisdiction. There are a few no-go areas.

For example, we are unlikely to be able to investigate if your ex-boyfriend is saying stupid – but not highly-offensive – things about you on Facebook. This is because personal or domestic affairs are outside our jurisdiction under section 56 of the Privacy Act. The exception is if the information could be considered highly offensive to an ordinary person.

We are also not able to investigate if the information you are concerned about is the subject of court proceedings. The courts in their judicial function are outside the Privacy Act.

If you believe an agency has breached your privacy, and that you have suffered harm as a result, you can lodge a complaint and our investigators will look into it.But until then, our Enquiries service can give you guidance, but not a legal opinion.

Advisory opinions for agencies

Note that we do have a separate advisory service for agencies. Our Office offers advisory opinions to help agencies understand how the Privacy Act might apply in a situation they are exploring or considering. The process is intended to promote understanding of the information privacy principles and give greater certainty to agencies in relation to the Act’s operation. You can find out more about our advisory opinions here.

Image credit: Creative Commons via smlp.co.uk

complaints, enquiries

Back

Source:

A chiropractor being investigated by ACC made numerous requests for information about the investigation. When ACC withheld some of the information, he complained to the Privacy Commissioner, and then took his case to the Human Rights Review Tribunal.

Dr L is a chiropractor and acupuncturist from the United States who moved to New Zealand in 2009. He opened a clinic in Tauranga in 2010. After closing that business, he opened another clinic in Wellington in 2013.

In 2011, ACC began an investigation into Dr L’s business to determine whether a number of ACC claims submitted by him were genuine. ACC had concerns over the possible duplication of claims and other issues.

Requests to ACC

To find out more about the allegations against him, Dr L made a large number of requests to ACC for information under both the Privacy Act and the Official Information Act. He hoped that if he found out what was behind the investigation, he would be able to correct what he believed was misinformation held by ACC.

However, after ACC discontinued its investigation in 2014, it decided to give Dr L almost all the information previously withheld from him. But it withheld information about:

• ACC’s investigative techniques and the names of the informants; and
• information that would involve the unwarranted disclosure of the affairs of other people.

The Tribunal

The Human Rights Review Tribunal recently published its decision on Dr L’s Privacy Act complaints. The complaint centred on information privacy principle 6 of the Privacy Act which gives individuals the right to request their personal information from an agency.   

When the case went before the Tribunal, both parties initially could not agree on what the Tribunal was there to decide. Dr L wanted any and every one of ACC’s withholding decisions leading up to the eventual release of his information reviewed by the Tribunal. He also wanted the Tribunal to review whether ACC acted properly during its entire investigation.

On the other hand, ACC said the only issue the Tribunal needed to decide was whether ACC was right to withhold a list of clients spoken to by the agency during its investigation, because it had already released almost all the previously withheld information.

The Tribunal decided that the core of the case lay in whether ACC had properly continued to withhold the two restricted types of information. The issue was whether, when releasing the information it had previously withheld, ACC was right to hold on to some information. That information related to its investigative techniques, and information which would involve the affairs of other persons.

Duty to investigate

In its decision, the Tribunal said ACC, like other agencies that spend public money, had a duty to prevent, investigate and detect offences concerning its payments. To be able to carry out this duty, ACC must encourage members of the public to provide relevant information. The detection and investigation of fraud is particularly reliant on public information.

The Tribunal said the Privacy Act’s maintenance of the law reasons for withholding information specifically concerning the “prevention, investigation and detection of offences” were justified when related to its investigative techniques.

The Tribunal said ACC’s use of section 27(1)(c) of the Act in this case was proper – “that is, the information relates to ACC’s investigative techniques and methodologies and includes the names of confidential informants”.

Affairs of another

On the second withholding ground – the unwarranted disclosure of the affairs of another individual – the Tribunal said it was clear the information did indeed contain the names and contact details of people who provided information to the ACC investigators, including employees and patients.

“The salient point is that information about Dr L was provided to ACC by a range of persons, but particularly by those working with him and by patients. It is clear from what we have seen and heard the information was provided in expectation the identity of the informants would be withheld from Dr L.”

The Tribunal concluded the disclosure of the information about the identities of informants and others would have been unwarranted. The information had little direct relevance to the issue between Dr L and ACC. It added there was a real risk the information would be misused, including being published on the internet.  

The Tribunals said ACC had properly withheld the information and dismissed Dr L’s claim.

Image credit: Creative Commons via Pixabay.

Human Rights Review Tribunal, health, ACC, IPP6 – access

Back