In a recent case the Privacy Commissioner has found that there is a breach of the Act, and an interference with privacy, when a time limit to respond to a request was not complied with.

The majority of privacy principles require there to be harm to a person for there to be an interference with their privacy. However, there are two principles that do not require any harm before there has been a breach.

Under the Privacy Act a person has the right to request access to their personal information, and to request corrections to be made to their personal information.

When a person makes such a request to an agency, the agency must respond to the requester within 20 working days providing information on:

  1. Whether the agency agrees with or declines the request, and, if declined, the reasons why;
  2. How the access or correction will be undertaken; and
  3. Whether there will be a charge associated with access (public sector agencies cannot normally charge for access).

If the agency fails to do this within 20 working days, the request for access or correction is deemed to have been refused. If the agency does not have a legitimate reason for refusing the request for personal information, it is automatically an interference with the requester’s privacy.

If this is the case, and the Privacy Commissioner has investigated and issued a certificate of investigation, the case can be taken to the Human Rights Review Tribunal.

If the Tribunal agrees that there has been an interference with privacy, a number of remedies may be ordered, including:

  1. A declaration that the agency interfered with the person’s privacy;
  2. An order restraining the agency from continuing to interfere with the person’s privacy;
  3. Damages;
  4. An order to perform any acts it specifies to remedy the interference, or to redress any loss or damage suffered (or both); and
  5. Other relief that the Tribunal thinks fit.

In the past, where an agency has failed to provide access to personal information, and the requester has suffered harm as a result, the Tribunal has awarded damages of over $20,000, and in one case, $90,000, for hurt and humiliation and the loss of a benefit that having access would have provided.

It is clear that requests for access or correction of information must be taken seriously. To ensure that information requests are handled appropriately, employers should:

  1. Ensure employees are trained in how to handle information requests, and the timeframes involved;
  2. Have a workplace procedure in place for addressing information requests;
  3. If necessary, request an extension to the 20 working day time limit if the situation qualifies; and
  4. Understand in which circumstances a request can lawfully be declined.

Where robust policies and adequate training are in place, employers can ensure that information requests are responded to adequately, and prevent any expensive consequences and potential bad publicity.

If there are concerns that your business is not prepared to adequately handle information requests it is wise to speak with a professional experienced in the area.

Leading law firms committed to helping clients cost-effectively will have a range of fixed-priced Initial Consultations to suit most people’s needs in quickly learning what their options are. At Rainey Collins we have an experienced team who can answer your questions and put you on the right track.