Guidance

Tips for dealing with requests for personal information

One of the trickiest aspects of being a Privacy Officer can be dealing with requests made for access to personal information under Information Privacy Principle 6 (IPP6) of the Privacy Act (or rule 6 of the Health Information Privacy Code for health agencies).

This is often because such requests don’t usually come out of the blue – instead, they tend to be made in the context of a dispute or some other unhappy situation, such as a customer complaint or a staff disciplinary issue.

In this broader context a request for access to personal information can often be missed, or even worse, mishandled. The difficulty of dealing with information requests can also be seen in the fact that year after year this is the biggest source of complaints made to the Office of the Privacy Commissioner (OPC) – and, further along, of cases filed in the Human Rights Review Tribunal (HRRT).

So what can you as Privacy Officer do to make sure your organisation is ready to respond well to an information request? Here are our top tips:

  • Educate your staff so that they understand that people are entitled to access the personal information your organisation collects and creates about them. And yes, this includes the less than professional things they said in that Teams chat to let off steam about a difficult customer (as per this recent news story).
  • Know where your personal information is so you can locate it when you get a request for it. Making sure your staff know to store personal information in designated systems avoids duplication and is a key step to being able to comply with an information request efficiently and comprehensively.
  • On a related note, only retain the personal information you need – if you don’t need it, personal information goes from being an asset to being toxic waste. Hanging on to stuff you don’t need just makes responding to an information request tougher (as well as unnecessarily increasing your risk if you suffer a privacy breach).
  • Think about how you will be able to meet your IPP6 obligations when procuring a new system or service provider. Make sure your contracts make it clear that your service provider has to help you respond to any requests for personal information they are holding on your behalf, and that the technology involved will facilitate this. For example, if you want to get a new CCTV system, check that it lets you extract footage easily and edit/redact it as needed.

For more guidance on responding to information requests, check out the new guidance from the OPC, Poupou Matatapu. The section on information requests sets out the OPC’s expectations about the other important aspects of responding to such requests.

And if you want to get stuck into the nitty-gritty a bit more, we offer a two-hour interactive online training session on all things IPP6 related on 15 October – details here.