Part 5 Procedural provisions relating to access to and correction of personal information

Thu, 20 Nov 2008 10:32:52 +1300

33 Application
This Part of this Act applies to the following requests (in this Act referred to as information privacy requests):
(a) A request made pursuant to subclause (1)(a) of principle 6 to obtain confirmation of whether or not an agency holds personal information:
(b) A request made pursuant to subclause (1)(b) of principle 6 to be given access to personal information:
(c) A request made pursuant to subclause (1) of principle 7 for correction of personal information.

34 Who may make requests
An information privacy request may be made only by an individual who is—
(a) A New Zealand citizen; or
(b) A permanent resident of New Zealand; or
(c) An individual who is in New Zealand.

35 Charges
(1) Subject to section 36 of this Act, a public sector agency shall not require the payment, by or on behalf of any individual who wishes to make an information privacy request, of any charge in respect of—
(a) The provision of assistance in accordance with section 38 of this Act; or
(b) The making of the request to that agency; or
(c) The transfer of the request to any other agency; or
(d) The processing of the request, including deciding whether or not the request is to be granted and, if so, in what manner; or
(e) The making available of information in compliance, in whole or in part, with the request; or
(f) In the case of a request made pursuant to subclause (1) of principle 7,—

(i) The correction of any information in compliance, in whole
 or in part, with the request; or
(ii) The attaching, to any information, of a statement of any
 correction sought but not made.

(2) Subject to subsection (4) of this section, an agency that is not a public sector agency shall not require the payment, by or on behalf of any individual who wishes to make an information privacy request, of any charge in respect of—
(a) The provision of assistance in accordance with section 38 of this Act; or
(b) The making of the request to that agency; or
(c) The transfer of the request to any other agency; or
(d) The processing of the request, including deciding whether or not the request is to be granted and, if so, in what manner.

(3) An agency that is not a public sector agency may require the payment, by or on behalf of any individual who wishes to make a request pursuant to subclause (1)(a) or subclause (1)(b) of principle 6 or pursuant to principle 7, of a charge in respect of—
(a) The making available of information in compliance, in whole or in part, with the request; or
(b) In the case of a request made pursuant to subclause (1) of principle 7,—

(i) The correction of any information in compliance, in whole or in
 part, with the request; or
(ii) The attaching, to any information, of a statement of any
 correction sought but not made.

(4) Where an agency that is not a public sector agency makes information available in compliance, in whole or in part, with an information privacy request, the agency may require the payment of a charge in respect of the provision of assistance, by that agency, in accordance with section 38 of this Act, in respect of that request.

(5) Any charge fixed by an agency pursuant to subsection (3) or subsection (4) of this section or pursuant to an authority granted pursuant to section 36 of this Act in respect of an information privacy request shall be reasonable, and (in the case of a charge fixed in respect of the making available of information) regard may be had to the cost of the labour and materials involved in making information available in accordance with the request and to any costs incurred pursuant to a request of the applicant for the request to be treated as urgent.

(6) The provisions of subsections (3) to (5) of this section, in so far as they relate to the fixing, by any agency that is not a public sector agency, of any charge in respect of any information privacy request, shall apply subject to any provisions to the contrary in any code of practice issued under section 46 of this Act and for the time being in force.

Compare: 1982 No 156 ss 15(1A), (2), 24(1); 1989 No 122 s 2

36 Commissioner may authorise public sector agency to charge
(1) Where a public sector agency satisfies the Commissioner that the agency is commercially disadvantaged, in comparison with any competitor in the private sector, by reason that the agency is prevented, by subsection (1) of section 35 of this Act, from imposing a charge in respect of any of the matters referred to in paragraph (e) or paragraph (f) of that subsection, the Commissioner may authorise that agency to impose a charge in respect of either or both of those matters.

(2) The Commissioner may impose in respect of any authority granted pursuant to subsection (1) of this section such conditions as the Commissioner thinks fit.

(3) The Commissioner may, at any time, revoke any authority granted to an agency pursuant to subsection (1) of this section, but shall not revoke any such authority without giving the agency an opportunity to be heard.

37 Urgency
If an individual making an information privacy request asks that his or her request be treated as urgent, that individual shall give his or her reasons why the request should be treated as urgent.

Compare: 1982 No 156 s 12(3); 1987 No 174 s 10(3)

38 Assistance
It is the duty of every agency to give reasonable assistance to an individual, who—
(a) Wishes to make an information privacy request; or
(b) In making such a request, has not made the request in accordance with the requirements of this Act; or
(c) Has not made his or her request to the appropriate agency,—
to make a request in a manner that is in accordance with the requirements of this Act or to direct his or her request to the appropriate agency.

Compare: 1982 No 156 s 13; 1987 No 174 s 11

39 Transfer of requests
Where—
(a) An information privacy request is made to an agency or is transferred to an agency in accordance with this section; and
(b) The information to which the request relates—

(i) Is not held by the agency but is believed by the person dealing with
 the request to be held by another agency; or
(ii) Is believed by the person dealing with the request to be more
 closely connected with the functions or activities of another agency,
 — the agency to which the request is made shall promptly, and in
 any case not later than 10 working days after the day on which the
 request is received, transfer the request to the other agency and
 inform the individual making the request accordingly.

Compare: 1982 No 156 s 14; 1987 No 174 ss 12, 57(1)

40 Decisions on requests
(1) Subject to this Act, the agency to which an information privacy request is made or transferred in accordance with this Act shall, as soon as reasonably practicable, and in any case not later than 20 working days after the day on which the request is received by that agency,—
(a) Decide whether the request is to be granted and, if it is to be granted, in what manner and, subject to sections 35 and 36 of this Act, for what charge (if any); and
(b) Give or post to the individual who made the request notice of the decision on the request.

(2) Where any charge is imposed, the agency may require the whole or part of the charge to be paid in advance.

(3) Where an information privacy request is made or transferred to a Department, the decision on that request shall be made by the chief executive of that Department or an officer or employee of that Department authorised by that chief executive, unless that request is transferred in accordance with section 39 of this Act to another agency.

(4) Nothing in subsection (3) of this section prevents the chief executive of a Department or any officer or employee of a Department from consulting a Minister or any other person in relation to the decision that the chief executive or officer or employee proposes to make on any information privacy request made or transferred to the Department in accordance with this Act.

Compare: 1982 No 156 s 15; 1987 No 8 s 8(1); 1987 No 174 ss 13, 57(1)

41 Extension of time limits
(1) Where an information privacy request is made or transferred to an agency, the agency may extend the time limit set out in section 39 or section 40(1) of this Act in respect of the request if—
(a) The request is for a large quantity of information or necessitates a search through a large quantity of information, and meeting the original time limit would unreasonably interfere with the operations of the agency; or
(b) Consultations necessary to make a decision on the request are such that a proper response to the request cannot reasonably be made within the original time limit.

(2) Any extension under subsection (1) of this section shall be for a reasonable period of time having regard to the circumstances.

(3) The extension shall be effected by giving or posting notice of the extension to the individual who made the request within 20 working days after the day on which the request is received.

(4) The notice effecting the extension shall—
(a) Specify the period of the extension; and
(b) Give the reasons for the extension; and
(c) State that the individual who made the request for the information has the right, under section 67 of this Act, to make a complaint to the Commissioner about the extension; and
(d) Contain such other information as is necessary.

Compare: 1982 No 156 s 15A; 1987 No 8 s 9(1); 1987 No 174 s 14

42 Documents
(1) Where the information in respect of which an information privacy request is made by any individual is comprised in a document, that information may be made available in one or more of the following ways:
(a) By giving the individual a reasonable opportunity to inspect the document; or
(b) By providing the individual with a copy of the document; or
(c) In the case of a document that is an article or thing from which sounds or visual images are capable of being reproduced, by making arrangements for the individual to hear or view those sounds or visual images; or
(d) In the case of a document by which words are recorded in a manner in which they are capable of being reproduced in the form of sound or in which words are contained in the form of shorthand writing or in codified form, by providing the individual with a written transcript of the words recorded or contained in the document; or
(e) By giving an excerpt or summary of the contents; or
(f) By furnishing oral information about its contents.

(2) Subject to section 43 of this Act, the agency shall make the information available in the way preferred by the individual requesting it unless to do so would—
(a) Impair efficient administration; or
(b) Be contrary to any legal duty of the agency in respect of the document; or
(c) Prejudice the interests protected by section 27 or section 28 or section 29 of this Act and (in the case of the interests protected by section 28 of this Act) there is no countervailing public interest.

(3) Where the information is not provided in the way preferred by the individual requesting it, the agency shall, subject to section 32 of this Act, give to that individual—
(a) The reason for not providing the information in that way; and
(b) If that individual so requests, the grounds in support of that reason, unless the giving of those grounds would itself prejudice the interests protected by section 27 or section 28 or section 29 of this Act and (in the case of the interests protected by section 28 of this Act) there is no countervailing public interest.

Compare: 1982 No 156 s 16; 1987 No 8 s 4(2); 1987 No 174 s 15

43 Deletion of information from documents
(1) Where the information in respect of which an information privacy request is made is comprised in a document and there is good reason for withholding some of the information contained in that document, the other information in that document may be made available by making a copy of that document available with such deletions or alterations as are necessary.

(2) Where a copy of a document is made available under subsection (1) of this section, the agency shall, subject to section 32 of this Act, give to the individual—
(a) The reason for withholding the information; and
(b) If the individual so requests, the grounds in support of that reason, unless the giving of those grounds would itself prejudice the interests protected by section 27 or section 28 or section 29 of this Act and (in the case of the interests protected by section 28 of this Act) there is no countervailing public interest.

Compare: 1982 No 156 s 17; 1987 No 8 s 4(2); 1987 No 174 s 16

44 Reason for refusal to be given
Where an information privacy request made by an individual is refused, the agency shall,—
(a) Subject to section 32 of this Act, give to the individual—

(i) The reason for its refusal; and
(ii) If the individual so requests, the grounds in support of that
 reason, unless the giving of those grounds would itself
 prejudice the interests protected by section 27 or section 28
 or section 29 of this Act and (in the case of the interests
 protected by section 28 of this Act) there is no countervailing
 public interest; and

(b) Give to the individual information concerning the individual's right, by way of complaint under section 67 of this Act to the Commissioner, to seek an investigation and review of the refusal.

Compare: 1982 No 156 s 19; 1987 No 8 s 4(2); 1987 No 174 s 18

45 Precautions
Where an information privacy request is made pursuant to subclause (1)(b) of principle 6, the agency—
(a) Shall not give access to that information unless it is satisfied concerning the identity of the individual making the request; and
(b) Shall ensure, by the adoption of appropriate procedures, that any information intended for an individual is received—

(i) Only by that individual; or
(ii) Where the request is made by an agent of the individual,
 only by that individual or his or her agent; and

(c) Shall ensure that, where the request is made by an agent of the individual, the agent has the written authority of that individual to obtain the information or is otherwise properly authorised by that individual to obtain the information.

Compare: 1982 No 156 s 25; 1987 No 174 s 24

Part 4 Good reasons for refusing access to personal information

Thu, 20 Nov 2008 10:13:07 +1300

27 Security, defence, international relations, etc
(1) An agency may refuse to disclose any information requested pursuant to principle 6 if the disclosure of the information would be likely—
(a) To prejudice the security or defence of New Zealand or the international relations of the Government of New Zealand; or
(b) To prejudice the entrusting of information to the Government of New Zealand on a basis of confidence by—

(i)  The government of any other country or any agency of such a government;
 or
(ii) Any international organisation; or

(c) To prejudice the maintenance of the law, including the prevention, investigation, and detection of offences, and the right to a fair trial; or
(d) To endanger the safety of any individual.

(2) An agency may refuse to disclose any information requested pursuant to principle 6 if the disclosure of the information would be likely—
(a) To prejudice the security or defence of—

(i)    The self-governing state of the Cook Islands; or
(ii)   The self-governing state of Niue; or
(iii)  Tokelau; or
(iv)   The Ross Dependency; or

(b) To prejudice relations between any of the Governments of—

(i)   New Zealand:
(ii)  The self-governing state of the Cook Islands:
(iii) The self-governing state of Niue; or

(i)  The self-governing state of the Cook Islands; or
(ii) The self-governing state of Niue.

Compare: 1982 No 156 s 27(1)(a); 1987 No 8 s 4(2); 1987 No 174 s 26(1)(a)

28 Trade secrets
(1) Subject to subsection (2) of this section, an agency may refuse to disclose any information requested pursuant to principle 6 if the withholding of the information is necessary to protect information where the making available of the information—
(a) Would disclose a trade secret; or
(b) Would be likely unreasonably to prejudice the commercial position of the person who supplied or who is the subject of the information.

(2) Information may not be withheld under subsection (1) of this section if, in the circumstances of the particular case, the withholding of that information is outweighed by other considerations which render it desirable, in the public interest, to make the information available.

Compare: 1982 No 156 s 27(1)(a); 1987 No 8 s 4(2); 1987 No 174 s 26(1)(a)

29 Other reasons for refusal of requests
(1) An agency may refuse to disclose any information requested pursuant to principle 6 if—
(a) The disclosure of the information would involve the unwarranted disclosure of the affairs of another individual or of a deceased individual; or
(b) The disclosure of the information or of information identifying the person who supplied it, being evaluative material, would breach an express or implied promise—

(i)  Which was made to the person who supplied the information; and
(ii) Which was to the effect that the information or the identity of 
 the person who supplied it or both would be held in confidence; or

(c) After consultation undertaken (where practicable) by or on behalf of the agency with an individual's medical practitioner, the agency is satisfied that—

(i)  The information relates to that individual; and
(ii) The disclosure of the information (being information that relates
 to the physical or mental health of the individual who requested it)
 would be likely to prejudice the physical or mental health of that
 individual; or

(d) In the case of an individual under the age of 16, the disclosure of that information would be contrary to that individual's interests; or
(e) The disclosure of that information (being information in respect of an individual who has been convicted of an offence or is or has been detained in custody) would be likely to prejudice the safe custody or the rehabilitation of that individual; or
(f) The disclosure of the information would breach legal professional privilege; or
(g) In the case of a request made to Radio New Zealand Limited or Television New Zealand Limited, the disclosure of the information would be likely to reveal the source of information of a bona fide news media journalist and either—

(i)  The information is subject to an obligation of confidence; or
(ii) The disclosure of the information would be likely to prejudice the
 supply of similar information, or information from the same source; or

(h) The disclosure of the information, being information contained in material placed in any library or museum or archive, would breach a condition subject to which that material was so placed; or
(i) The disclosure of the information would constitute contempt of Court or of the House of Representatives; or
(j) The request is frivolous or vexatious, or the information requested is trivial.

(2) An agency may refuse a request made pursuant to principle 6 if—
(a) The information requested is not readily retrievable; or
(b) The information requested does not exist or cannot be found; or
(c) The information requested is not held by the agency and the person dealing with the request has no grounds for believing that the information is either—

(i)  Held by another agency; or
(ii) Connected more closely with the functions or activities of 
 another agency.

(3) For the purposes of subsection (1)(b) of this section, the term evaluative material means evaluative or opinion material compiled solely—
(a) For the purpose of determining the suitability, eligibility, or qualifications of the individual to whom the material relates—

(i)   For employment or for appointment to office; or
(ii)  For promotion in employment or office or for continuance in
 employment or office; or
(iii) For removal from employment or office; or
(iv)  For the awarding of contracts, awards, scholarships, honours,
 or other benefits; or

(b) For the purpose of determining whether any contract, award, scholarship, honour, or benefit should be continued, modified, or cancelled; or
(c) For the purpose of deciding whether to insure any individual or property or to continue or renew the insurance of any individual or property.

(4) In subsection (1)(c), medical practitioner means a health practitioner who is, or is deemed to be, registered with the Medical Council of New Zealand continued by section 114(1)(a) of the Health Practitioners Competence Assurance Act 2003 as a practitioner of the profession of medicine.

Compare: 1982 No 156 ss 18(c)(ii), (e), (g), (h), 27(1)(b) to (h), (2); 1987 No 8 s 15(1); 1987 No 174 ss 17(c)(ii), (e), (g), (h), 26(1)(b) to (h), (2)
Subsection (1)(g) was amended, as from 1 December 1995, by section 20 Radio New Zealand Act 1995 (1995 No 52) by substituting the words “Radio New Zealand Limited, The Radio Company Limited, or” for the words “Radio New Zealand Limited or”. See regulation 2 Radio New Zealand Act Commencement Order 1995 (SR 1995/226).
Subsection (1)(g) was further amended, as from 5 July 1996, by section 2 Radio New Zealand Act (No 2) 1995 (1995 No 53) by substituting the words “Radio New Zealand Limited or” for the words “Radio New Zealand Limited, The Radio Company Limited, or”. See clause 2 Radio New Zealand Act (No 2) Commencement Order 1996 (SR 1996/182).
Subsection (4) was inserted, as from 18 September 2004, by section 175(1) Health Practitioners Competence Assurance Act 2003 (2003 No 48). See sections 178 to 227 of that Act as to the transitional provisions.

30 Refusal not permitted for any other reason
Subject to sections 7, 31, and 32 of this Act, no reasons other than one or more of the reasons set out in sections 27 to 29 of this Act justifies a refusal to disclose any information requested pursuant to principle 6.

Compare: 1982 No 156 s 27(1A); 1987 No 8 s 15(2); 1987 No 174 s 26(2)

Private Word Issue 68, November 2008

Mon, 17 Nov 2008 09:30:22 +1300

Cloud computing - a vast reservoir of computing storage and processing power that is accessible over the internet. Read Private Word to find out more.

Also in this Private Word:
Guthrie Cards
Case Note 10318
Mosley v News of the World
Protecting World Privacy
DNA databases shut
Using offshore ICT providers
Australian Privacy law reform
Screening programmes and genetic research
News around the World
Privacy Awareness Week 2009
International links for privacy professionals
Security breach workshop
Privacy Commissioner reappointed

Security Breach Workshops

Mon, 03 Nov 2008 11:59:58 +1300

This workshop will provide participants with an overview of the Privacy Commissioner's breach guidance material. Participants will also work through several breach scenarios, determining how to apply the guidance material to each.

It will be particularly useful for Risk Advisers and Privacy Officers of organisations who collect and retain personal information.

Topics covered include:

Overview of the guidance material
Interface with the Privacy Act
Case studies of breaches of personal information
Development of notification letters

Time/Venue: Please pre-register your interest as workshops will be planned based on interest and numbers.

Email: enquiries@privacy.org.nz or ring (04) 494 7080.

Information Matching Workshops

Mon, 03 Nov 2008 11:53:58 +1300

The Privacy Act and developing an information matching programme

This workshop is specifically aimed at people who are or may be involved in developing an authorised information matching programme in a public sector organisation.

Topics covered include:

Information matching today – size and scope
Information matching and privacy
The Commissioner and information matching
The project lifecycle and the Privacy Act
Information matching privacy impact assessments (IMPIA)

Time/Venue: Please pre-register your interest as workshops will be planned based on interest and numbers.

Fee: $175 (Includes GST)

Email: enquiries@privacy.org.nz for enquires or to request a registration form or phone (04) 494 7087

The Health Information Privacy Code

Mon, 03 Nov 2008 11:53:36 +1300

This workshop provides participants with an overview of the Health Information Privacy Code and is particularly suited to people employed in the health sector or interfacing with the health sector.

This session also incorporates examples and issues particular to the mental health sector.

On request the workshop may be extended to discuss privacy and the mental health area specifically.

Topics covered include:

Key concepts and definitions
Applying the health information privacy rules
Practical compliance with the Code and relevant legislation
Access to information and disclosing health information
Dealing with difficult access/correction requests and complants
Health Act and children's rights
Interface with the Official Information Act
Security of information

Time: 9.00 am - 1.00 pm
Fee: $195 (includes GST)

Dates for 2008: Wellington

13 February; 9 April; 11 June; 6 August (now full); 8 October (now full)

Auckland

14 February; 10 April; 12 June; 7 August; 9 October

Christchurch

11 April; 10 October (now full)

Venues

Auckland: Seminar Room, Level 13, WHKGosling Chapman Tower, 51-53 Shortland Street
Wellington: Level 4, 109-111 Featherston Street
Christchurch: Raymond Donnelly & Co, Level 5, Amuri Courts, 293 Durham Street

To register for a workshop contact us on (04) 474 7590 or email sharon.newton@privacy.org.nz or download a registration form below.

An Introduction to the Privacy Act

Mon, 03 Nov 2008 11:51:38 +1300

This workshop provides participants with an overview of the Act for those who are not familiar with it.

It is particularly suitable for new Privacy Officers and others wishing to develop their understanding of the Privacy Act.

Topics covered include:

Key concepts and definitions
Understanding the information privacy principles
Applying the information privacy principles
Interface with the Official Information Act
The complaints process
Sound work practices

Time: 9.00 am - 12.30 pm
Fee: $170 (Includes GST)

2008 dates:

Wellington

12 March; 7 May; 16 July (now full); 10 September; 12 November (now full)

Auckland

13 March (now full); 8 May; 17 July (now full); 11 September; 13 November

Christchurch

9 May; 12 September

Venues

To register for a workshop contact us on (04) 474 7590 or email sharon.newton@privacy.org.nz or download a registration form below.

Justice Sector Unique Identifier Code 1998 Proposed Amendment No. 2

Mon, 20 Oct 2008 09:37:34 +1300

The Privacy Commissioner has given public notice of her intention to issue an amendment to the Justice Sector Unique Identifier Code 1998.

An information paper containing information to assist in public consultation is attached. A copy of the current code and the proposed amendment are included in the information paper. These materials are also available on our website at www.privacy.org.nz/justice-sector-unique-identifier-code/

Written submissions on the proposed amendment are welcomed and may be made not later than Friday 14 November 2008. Submissions should be addressed to:

Sarah Oliver
Legal and Policy Adviser
Office of the Privacy Commissioner
P O Box 10094, The Terrace, Wellington 6143

Fax: 04-474-7595
Email: code@privacy.org.nz

Submissions may be released by the office and will be available to requesters under the Official Information Act 1982.

Any substantive enquiries concerning the amendment or the process should in the first instance be directed to Sarah Oliver, Legal and Policy Adviser, on 04-474-7596.

Justice Sector Unique Identifier Code 1998 Proposed Amendment No. 2

Mon, 20 Oct 2008 09:28:44 +1300

The Privacy Commissioner has given public notice of her intention to issue an amendment to the Justice Sector Unique Identifier Code 1998.

Written submissions on the proposed amendment are welcomed and may be made not later than Friday 14 November 2008. Submissions should be addressed to:

Sarah Oliver

Legal and Policy Adviser

Office of the Privacy Commissioner

P O Box 10094, The Terrace, Wellington 6143

Fax: 04-474-7595

Email: code@privacy.org.nz

Submissions may be released by the office and will be available to requesters under the Official Information Act 1982.

Any substantive enquiries concerning the amendment or the process should in the first instance be directed to Sarah Oliver, Legal and Policy Adviser, on 04-474-7596.

Justice Sector Unique Identifier Code 1998 and Amendment No. 1, 2005

Wed, 15 Oct 2008 13:02:28 +1300

This Code came into force on 30 June 1998. It has been amended by Amendment No. 1 which commenced on 2 March 2006.

Download the Code below.