If yours is a small business or organisation, there’s every chance you may be fairly inexperienced in what to do if you receive a request for personal information. But we hope you are at least aware that the Privacy Act gives people the right to make a request for information that is about them.
Under the Act, your business or organisation is legally obligated to respond to that request within 20 working days and to provide the information requested, although the law does allow reasons for withholding the information.
Giving access to information can take several forms. It can mean giving a copy of a document; giving a reasonable opportunity to look at a document or listen to or view a recording; giving a summary of the information; providing a transcript; or giving the information orally – depending on the requester’s preference.
Pointers for responding to a complaint
But here’s the thing. Failure to respond to or comply with a request for personal information can result in a complaint from the requester to the Privacy Commissioner. We hope this never happens to you but in case it does, here are some pointers on how best to respond.
The first thing to do is talk to us and to tell us what you know about the complaint and the information that’s requested. Our aim is to try and resolve the matter to the satisfaction of both parties – the complainant and the respondent (your business or organisation). Be nice to us because we’re only doing our jobs. We are not advocates for the complainant.
The second thing to observe is timeliness. Respond as quickly as you can to our requests for information. No one wins in a protracted complaints dispute. If a complaint drags on, it can become stressful, tiring and expensive for your organisation or business and the complainant. There are also many benefits in resolving a complaint to prevent it becoming a case for the Human Rights Review Tribunal to decide. This can be an even longer and more costly process and, in the end, the Tribunal could well decide in favour of the complainant and against your organisation.
The third point is to remember that our goal is to resolve, not to punish. We’re here to mediate and we do this in a number of ways in our efforts to reach an agreement. One of the techniques we use is to call conferences between both parties, but we’d rather keep things less formal and resolve them quickly, without a situation escalating out of hand.
Tell us in confidence
In order for us to review your decision to withhold information from a complainant, we will almost always need to see the information. This worries some organisations sometimes because they fear that we will give the information to the complainant to see. But we are not allowed to disclose the information that is being reviewed and we do not disclose the information. So when you send us the information, what we are doing is reviewing it to see if we agree with your reasons for not handing it over to the complainant.
However, when you give us information to review, it will help us if you can tell us clearly what information is being withheld and the reasons why your organisation wants to withhold the information.
We have many resources to help organisations and businesses like yours comply with the Privacy Act. Our website has tools such as AskUs, Priv-o-matic and free online privacy training modules and they are designed to be used to help make privacy easy.
Perhaps a starting point is to familiarise yourself with a quick tour of the Privacy Act's information privacy principles. It may also be a good idea to display it in the administrative area of your organisation to help you and your colleagues or employees understand the obligations and responsibilities that come with holding personal information. This way, when you have an encounter with a privacy issue, you’ll know where to start.
Image credit: Solitary sandpiper via John J Audubon's Birds of America.