We live in an age where agencies collect and hold a lot of information about us. When we then request access to that information, this places demands on the time and resources of agencies to meet their obligations under the Privacy Act. Agencies sometimes feel a bit overwhelmed when responding to requests for personal information - especially where a high volume of information is held.
Here are our top tips for getting sorted and avoiding problems down the road:
1. Can you get the requester to narrow the scope of their request?
While individuals are entitled to access all personal information held by an agency, we often find that requestors have a specific issue in mind when they make a request for personal information. A phone call to the requestor can sometimes clarify what it is they are after.
For example, an elderly man requested all of his health information from his GP. These records dated back some 20 years and included hard copy material archived off site. A phone call from the GP to the man established that he wanted information relating to an issue with his hip. There was no need for the GP to trawl through 20 years worth of records to satisfy his request, once both parties had agreed on the amended parameters of the request.
2. Don’t duplicate information
The Privacy Act entitles individuals to access their personal information held by an agency. But where an agency holds this information in multiple and duplicate forms, it is not required to provide the same information over and over again.
For example, we recently dealt with a case where an agency sought to withhold emails because they were subject to legal professional privilege. The agency supplied hard copies of each email to the requestor, with the contents blanked out. Rather than supply one copy of the email trail, which included all of the correspondence, the agency supplied every single copy of each email, which included all of the correspondence that came before it. This added up to dozens of pages, with all of the content redacted. This gave the impression to the requestor that far more information was being withheld than was actually the case (because much of the blanked out material was simply duplicated information).
We also advise agencies that, rather than providing completely blanked out documents, they can simply tell requesters that some information is being withheld under the Privacy Act, and give the specific grounds (for example, advising a requester that “some information has been withheld from you under 29(1)(a) of the Privacy Act”).
3. Think carefully about whether information should actually be withheld
In our experience, human nature means that as soon as someone sees that information has been redacted, (or is advised that some information has been withheld) they automatically assume it is far more interesting than it is! Most of the withheld information we review is quite benign. In fact, we have reviewed some documents in which pages numbers have been redacted - the result of some over enthusiastic redaction. Keep in mind that requestors always have the right to complain to our office and have any redacted or withheld information reviewed. Getting the redactions right in the first place can save you a lot of time down the line, in terms of engagement with our office, or as subject to proceedings in the Human Rights Review Tribunal.
4. Make sure you redact information properly
We have seen redactions made with vivid pen, in which the information can be read when held up to the light. Use of redaction tools such as Adobe PDF is a good idea, however, be aware that in some cases, if the file is sent electronically, cutting and pasting the withheld information into a different document will reveal the contents of the redacted section!
5. Think about plain English explanations for why information is withheld
If you use a withholding section often, it can be useful to prepare some clear wording that explains in a straight forward way why you believe the information needs to be withheld. The minimum you need to provide to a requester is the section of the Privacy Act you are relying on and, if the requestor asks for it, you will also need to provide the grounds in support of the section used. Providing a reasonable explanation up front can save you time.
6. Good communication prevents complaints
Make it your practice to give good information to requestors about what’s happening with their request, and tell them when they can expect to hear from you. They won’t need to engage with us if you are engaging with them.
7. Keep an eye on the clock!
Agencies have timeframes they must meet under the Privacy Act when responding to requests. Make sure you are familiar with these. We don’t want you to respond to a request with the best of intentions, and end up being caught foul of the Privacy Act because your response was a day late. We have a handy calculator on our website to assist. Familiarise yourself with Part 5 of the Act – we’re told it makes great bedtime reading.
Don’t be afraid to ask for advice. Our AskUs tool on our website contains information and our enquiries line can offer general advice.
Image credit: Information centre sign (Malaysia) via Wikipedia