Access to personal information
Employers often receive requests for personal information from their employees in the context of a personal grievance or disciplinary process. Sometimes the requests are very broad and involve a lot of information that takes a considerable amount of time to compile, or that the employer does not think is relevant or helpful to resolving the issue at hand. Even if that is so, or if the employer suspects that the request is more tactical than genuine, the employer needs to ensure it complies with the technical requirements of the Privacy Act 1993 and Official Information Act 1982 (where applicable), as well as the more general requirements of good faith.
Outlined in a previous legal update, the proposed privacy law reform will (if passed, and among other things) enable the Privacy Commissioner to make binding decisions on complaints relating to requests to access personal information. The Commissioner has indicated informally that binding decisions will be the exception, not the norm, and will most likely be made in relation to specific pieces of information or documentation. Even so, this new power will increase the focus on compliance with access requests.
Sometimes an organisation will have good reason to refuse a request for personal information, and there are a number of grounds in the Privacy Act that organisations can rely on. 'Relevance' is not one of them, and neither is 'it will take a lot of time', unless it meets the high thresholds set by the Act. Employers can use these reasons - alongside good faith - to try to negotiate refinements to requests, but it is up to the employee ultimately.
A recent case note from the Commissioner clarifies when an organisation may be able to refuse a request on the ground that it is 'vexatious'. While rare, this may assist some employers.
Passenger makes vexatious requests – Case note 285353 [2018] NZPriv Cmr 3
A passenger telephoned an airline requesting all information it held about him relating to a ticket dispute. The airline told the passenger he had to make his request in writing. Over a month later, the passenger emailed the airline's CEO as he had not received the information. The airline tried to reach him several times, apologised and asked for clarification on the information he wanted. The passenger did not respond. Instead, he emailed the CEO expressing frustration and asking for recordings of the phone calls he made. The airline offered transcripts and audio files of some of the calls and an opportunity to listen to the calls by phone.
The passenger kept trying to engage with the CEO by email while also continuing to contact the call centre. The airline found it difficult to manage and understand his requests, described many of his calls as abusive and threatening and eventually decided to refuse his requests for recordings of phone calls, citing section 29(1)(j) of the Privacy Act. This section allows agencies to withhold personal information if the request is frivolous or vexatious or if the information requested is trivial.
Privacy Commissioner's decision
The Privacy Commissioner concluded that the first request was not vexatious, but his later requests were. The Commissioner looked at:
- The frequency and method of contact
- The individual's behaviour
- The nature and volume of requests
- The stated purpose for requesting information.
The Commissioner found that the passenger made it difficult for the airline to manage and understand his requests, yelled, spoke over staff, refused to listen to attempts to resolve issues and engaged in name calling. The Commissioner believed this was to intimidate staff and make it difficult for the airline to respond. Further, the passenger was unwilling to clarify or resolve older requests as he kept making more, and, in one call, the passenger stated that he wanted to edit a call and spread it through the media and social media to make the airline "look as bad as possible". While the Privacy Act does not require requesters to specify the purpose of their request, in some cases the reason can indicate bad faith.
In addition, organisations cannot refuse a request simply because the requestor is difficult, annoying or made numerous requests one after another. The particular request needs to be vexatious (or frivolous). Things that can suggest a vexatious request include:
- Many requests for the same information without any clear reason
- Using information from one request to demand more information – one request leading to another, and another
- Abusive or aggressive behaviour and no clear need for the information
- A clear intent to use the request to divert the agency's resources or upset people.
Agencies should take care before relying on this ground and should not rely on it as a matter of course. For further information or guidance, speak to one of our team or contact the Privacy Commissioner's office directly.
The GDPR
The European Union's General Data Protection Regulation (GDPR) came into effect on 25 May 2018. The GDPR applies not only to EU Member States, but to New Zealand agencies that offer goods or services to EU residents, monitors the behaviour of EU residents or processes personal data of EU residents.
If your organisation falls into one of these categories, we recommend reviewing your current privacy and data protection practices. The GDPR introduces a number of requirements that do not currently apply in New Zealand, including the requirement to demonstrate explicit consent to the collection of information and mandatory breach notifications.
We are happy to advise further if you are concerned or have any questions regarding the application of the GDPR and what steps you may need to take to prepare.
This update was written by Hamish Kynaston and Jennifer Howes (Senior Solicitor).
