Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo

Resources and learning

Print | Email this page

Chapter 13: Managing information requests

A teacher and a young child lean over a table to paint a picture. The table is covered with paint, paper, and paintbrushes. As education providers you will likely spend a lot of time responding to requests for information about your learners.

On this page:

Download a PDF of the guidance on this page (PDF, 425KB).

Requests can be made by learners, other people (e.g. a learner’s representative), or other agencies and organisations. 

Knowing how to respond to different types of requests, and having good processes in place, will help you manage and respond to requests in an effective, timely and privacy protective way.

Relevant information privacy principles

The Privacy Act 2020 provides a learner (or their representative) the right to access or correct their personal information. The relevant information privacy principles (IPPs) for access and correction of personal information are:

Principle 6: Access to personal information

A learner (or their representative) is entitled to receive upon request:

  • confirmation of whether you hold any personal information about them
    and
  • access to their personal information.

When providing access to a learner (or their representative) you must advise them that they can ask for correction of that information.

Principle 7: Correction of personal information

A learner (or their representative) is entitled to request correction to their personal information.

When requesting correction of their information, or at any other time, the learner (or their representative) is entitled to:

  • provide you with a statement of correction
    and
  • request that you attach that statement to the information (if you decide not to correct their information).

You must take steps that are reasonable in the circumstances to make sure that the information you hold is accurate, up to date, complete and not misleading (having regard for the purposes for which the information may lawfully be used).

If you decide not to correct a learner’s information that you hold, and you have been provided with a statement of correction, you must take steps that are reasonable in the circumstances to make sure the statement of correction is attached to the information in a way that ensures it will always be read with the other information you hold about the learner.

If you have previously disclosed the information, you must, in so far as is reasonably practicable, inform the people to whom you have disclosed the information of the correction.

Back to top.

Access requests (IPP6)

Every learner (or their representative) has the right to access their personal information (IPP6). 

You must give reasonable assistance to any learner (or their representative) who wants to or has made a request to access their personal information. This includes helping them to make the request and working with them to clarify what information they are asking for.

The Privacy Act (sections 39 to 57) then sets out the rules you must follow when responding to an access request, including the circumstances in which you can decline the request. 

Responding to an access request

Download a printable PDF of these steps (PDF, 225KB).

There are several steps to follow when responding to an access request:

Step 1

Identify what information is being requested.

If the request is vague or too broad, contact the requester to clarify what personal information they are requesting.
Step 2

Work out whether you hold the personal information requested.
Step 3

If you don’t hold the personal information, decide whether the request should be transferred to another agency.

If you decide that an access request should be transferred to another agency, you must transfer the request to the agency and tell the requester within 10 working days of receiving the request.
Step 4

Decide whether you will provide the information or refuse the request (in part or in full).
Step 5

Tell the learner (or their representative) of your decision no later than 20 working days after you received the request.
Step 6

Make the information available to the learner (or their representative) if you have decided to give them access.
Step 7

Record the details (e.g. date received, requester details) and outcome of the request (e.g. decision and date of decision, information provided to requester).

When is a requester a representative?

Under the Privacy Act, a representative is a person who is lawfully acting on the learner’s behalf.

Read more information about who can be a representative in our Responding to requests for a child or young person's information guidance.

Under the Health Information Privacy Code (HIPC), a parent or guardian will be a representative of a learner under the age of 16 years. Read more information about health information in Chapter 9: Health and Learning Support information.

We also have more information about the HIPC and general guidance about health information.

What do you need to tell the learner (or their representative)?

When you tell a learner (or where appropriate their representative) of your decision in step 3, you must inform them of the following if:

  • you do not hold the information requested
    or
  • you do not hold the information requested in a way that makes it readily retrievable 
    or
  • you do hold the information requested, and access to all, or some, of that information has either been granted or refused 
    or
  • you neither confirm nor deny that you hold information about the learner to whom the request relates.

If you have granted access to all, or some, of the information requested, you must tell the learner (or their representative) about:

  • The way the information will be made available. If the way you are making the information available is different to their preferred method, you need to tell them why.
  • The charge (if any) payable, and whether all or part of that charge is payable in advance.
  • The learner’s (or their representative’s) right to make a complaint to the Privacy Commissioner about the charge.

Read our guidance about charging for access requests.

After notifying the learner (or their representative) of the decision to give them their information, the way the information will be made available, and any charge payable, you must then give the information to the learner (or their representative) without due delay. 

Ways to grant access to information

There are a several ways you can provide a learner (or their representative) access to their personal information. 

If the information is contained in a document, you can:

  • give the learner (or their representative) an opportunity to inspect the document
  • provide the learner (or their representative) a copy of the document (digital or hardcopy)
  • give the learner (or their representative) a summary of the document
  • where the document is an article, or a thing from which sounds or images are capable of being reproduced, enable the learner (or their representative) to hear or view the sounds or images 
  • tell the learner (or their representative) verbally of the information about them in the document.

Unless there is good reason not to do so, you must make the information available to the learner (or their representative) in the way they prefer.

Responsibilities before providing access to personal information

Before you provide access to the learner’s personal information you must:

  • be satisfied of the identity of the requester
  • not provide access if you have reasonable grounds to believe the request has been made under the threat of physical or mental harm
  • ensure that information intended for the learner (or their representative) is only received by them.

Read our blog post about confirming a requester's identity.

Refusing an access request

In general, you must provide a learner (or where appropriate their representative) access to their personal information. However, there may be some circumstances where that’s not appropriate.

The Privacy Act provides several refusal grounds that cover different circumstances including:

  • protection of an individual
  • evaluative material
  • other administrative reasons.

Some commonly used refusal grounds for education providers might include:

  • You don’t hold the information.
  • Providing access to some or all of the information could negatively affect the learner’s mental health.
  • The learner is under the age of 16 and providing access to the information would be:
    • contrary to their interests or 
    • contrary to the interests of another individual to whom the information relates and who is also under the age of 16.
  • Providing access would pose a threat to the health and safety of the learner or another person(s.)
  • Providing access would include sharing information about a victim of an offence and cause the victim significant distress, loss of dignity or injury to their feelings.
  • Providing access would involve the unwarranted disclosure of the affairs of another person.
  • Providing access would breach legal professional privilege.
  • The request is frivolous or vexatious, or the information is trivial.

Deciding that a refusal ground applies to a piece of information should be a considered decision. In cases where you don’t hold the information, the decision will be a simple one. In cases where you believe that granting access will cause harm to the learner or another person, the decision may be more complex.

For schools, it will usually be your privacy officer that is responding to access requests, including refusing requests. In more complex situations you should consider keeping your school board or ECE service managers informed.

If the personal information requested is contained in personal communications (e.g. emails, text, online messaging apps), this will not be a reason to refuse an access request.

What do you need to tell the learner (or their representative)?

If you have refused access to all, or some, of the information requested, you must tell the learner (or their representative):

  • The reason for the refusal or reasons for refusal for each deletion within a document or masking in a digital image. 
  • The grounds on which the reason for refusal was made if you have refused the request on the basis of the information being evaluative material.
  • The grounds on which the reason for refusal was made (for refusal grounds other than evaluative material) if the learner (or their representative) asks for those grounds.
  • The learner’s (or their representative’s) right to make a complaint about the refusal to our Office.

Redacting information from documents

In some cases, personal information about a learner will be in documents or digital images that contain information about other people. A digital image includes, but is not limited to, photos, videos, CCTV recordings, audio recordings. This is often referred to as ‘mixed information’.

Where you have determined that a refusal ground applies to some of the information contained in the document or digital image you can grant access to that document with appropriate deletions (also called redactions) to information that you’ve decided should be refused. 

Remember, you are required to inform the learner (or their representative) of the refusal grounds. If you are using different refusal grounds for different sections of the document or digital image you need to tell the learner (or their representative) about the refusal ground used for each deletion. 

Granting access with conditions

Where you have determined that a refusal ground applies, you can decide to grant access to the information with conditions relating to the learner’s (or their representative’s) use of the information and disclosure of the information to another person

Conditions could include enabling the requester to view the information on site (rather than providing a copy of the information), and restrictions on sharing the information (e.g. posting the information online, or otherwise on-sharing the information to third parties). Restrictions will be more relevant where a document contains personal information about others.

Access directions

An access direction is a binding written notice issued by the Privacy Commissioner. An access direction can be issued if the Privacy Commissioner has investigated an IPP6 complaint and the Commissioner has determined that the requester is entitled to some, or all of the information requested.

Read more information about access directions.

Additional guidance

For more information on access requests, including refusal grounds, charging and access directions, see:

Back to top.

Responding to access requests in practice

The following section provides some examples of how to respond to access requests in the education sector.

Example: Non-custodial parent requesting information about their child

A parent currently living overseas requests all the personal information that a school holds about their child. The child is a learner in year 4. The requester did not complete or sign the enrolment form, and the school holds no information about them. Teachers and other staff have never heard the learner talk about the overseas parent.

Can the school’s privacy officer provide access to the information?

The privacy officer will first need to determine whether the requester is acting as a representative for the learner. If the Privacy Officer determines that the requester is acting as the child’s representative, they will then need to:

  • decide whether to provide access or not
  • if they decide to grant access, consider whether any refusal grounds apply
  • confirm the identity of the requester before providing access to the learner’s information.

Read about how to determine whether a requester is acting as a representative for the child and whether the Privacy Officer can provide access to the information in this case in our Responding to requests for a child or young person's information guidance.

An email address or contact number on their own won’t necessarily provide assurance of identity, but they may form part of the evidence you collect to confirm the requester’s identity.

The privacy officer should talk to the school principal about whether any of the learner’s information should be shared with the non-custodial parent under section 103 of the Education and Training Act.

Example: Request from Lawyer for the Child

An Early Childhood Education (ECE) service manager receives a request from a lawyer requesting information about a learner who attends the ECE service. The lawyer advises that they have been appointed by the Family Court to represent the learner in court proceedings and provides evidence of their appointment. 

Can the ECE service manager provide access to the information?

Yes, they can. A Lawyer for the Child is a specialist lawyer appointed by the Family Court to represent the interests of the child or young person in Family Court proceedings involving care of children or guardianship issues, or situations of family harm. 

To fulfil their responsibilities, the Lawyer for the Child often needs information about the child or young person held by agencies such as a school or healthcare provider. When making a request for information, the Lawyer for the Child will be acting as a representative for the child or young person.

The Lawyer for the Child should always provide evidence of their appointment and brief from the Family Court. (A Lawyer for the Child is appointed by Court Minute and receives their brief by letter from the Court.) If it’s not clear whether the requester is acting as the Lawyer for the Child, you should ask them to provide evidence of their appointment before providing access to a learner’s personal information.

Read more information about lawyer for the child.

Example: Refusal Ground – under 16, not in child’s best interest

A year 9 learner disclosed personal information about their homelife to a teacher. The teacher referred the learner to the school guidance counsellor who supported the learner through that time. The issues raised by the learner did not impact the learner’s educational achievement or their relationships with teachers or other learners. The learner’s homelife has improved and they no longer see the guidance counsellor. 

The learner’s parents have made an access request as representatives of the learner. The school privacy officer has identified all the information the school holds about the learner but is concerned about providing access to the information recorded by the school guidance counsellor. The guidance counsellor noted in the learner’s file that the learner did not want this information shared with their parents. 

Should the privacy officer provide access to the information to the learner’s parents?

If the privacy officer determines that the parents are acting as representatives of the learner, they then need to consider whether any refusal grounds apply. In this case, the privacy officer has identified information that the learner expressly stated they did not want shared with their parents. 

As the learner is under 16, the privacy officer can consider the section 49(1)(c) refusal ground which states that:

“…access to personal information may be refused where the individual concerned is under the age of 16 and the disclosure of the information would be contrary to the interests of the individual concerned”.

 If the privacy officer considers refusal under this ground is appropriate, they must:

  • tell the parents (in their capacity as representatives) that access to some of their child’s personal information has been refused
  • the specific refusal ground relied on
  • that they can make a complaint about the refusal to the Office of the Privacy Commissioner.

Example: Mixed information and protecting victims

A school has commenced an investigation into a serious learner on learner assault that occurred on school grounds. The assault was committed by a year 12 learner. The learner and their parents were interviewed and had an opportunity to provide information during the investigation. At the completion of the investigation, the presiding member of the school board determined that the learner should be expelled and informed the learner and their parents in writing of the reasons for the board’s decision. The parents of the expelled learner have written to the school principal requesting a copy of the full investigation report. 

The investigation report contains mixed information e.g. personal information about other learners (victim and witnesses), and teachers. The victim of the assault has been significantly impacted, both mentally and physically by the assault. The victim has indicated they don’t want information about how the assault affected them disclosed to other people. The learners who witnessed the assault have also been affected: some also requiring time out of school. The school principal is concerned that disclosing the personal information about the victim and other learners could cause them on-going harm and distress. 

Can the school principal provide access to the full investigation report?

The school principal will first need to determine whether the learner’s parents are acting as their representative. In this case, because the learner is in year 12 and is likely old enough to make the access request themselves, the learner should authorise their parents to exercise their IPP6 rights on their behalf. The school principal could ask the parents to provide confirmation that the learner has provided that authorisation.

If the learner has provided authorisation, and there are no other factors that show it wouldn’t be in the learner’s best interests for their parents to exercise their IPP6 rights on their behalf, it would be reasonable for the school principal to decide the parents are acting as the learner’s representative.

The school principal then needs to consider whether any refusal grounds apply to the disclosure of the investigation report in full or in part. While the investigation report contains personal information about the learner, it also contains personal information about other learners, including the victim. The school principal is aware that both the victim and other learners have been significantly impacted by the assault. 

The refusal ground set out in section 53(b)(i) of the Privacy Act enables the school principal to refuse access to personal information to protect against the unwarranted disclosure of affairs of another person. This refusal ground is designed to protect the privacy of people other than the requester. To determine whether the disclosure of the victim’s information is unwarranted, the school principal must balance the interests of the requester against those of other people mentioned in the investigation report. 

In this case, the disclosure of certain information about the victim would likely be unwarranted for the following reasons:

  • The information about the impact to the victim’s mental health is sensitive in nature.
  • The victim has indicated they don’t want information about them to be disclosed to the perpetrator.
  • Disclosure would likely cause distress to the victim.
  • The perpetrator is not aware of how the assault affected the victim’s mental health.

However, the principal could consider whether it is possible to provide parts of the investigation report (e.g. excluding the victim's comments about the impacts), or whether a summary of it could be provided, which would go some way to providing an understanding of the information the board considered. 

Read our more information about unwarranted disclosure of another person's affairs.

Example: Request for CCTV footage

A primary school received a complaint that a learner was using their cell phone during lunch breaks which was against the school’s no cell phone policy. The complainant stated that a group of learners were videoing other learners in the school grounds. 

The school administrator reviewed the school’s CCTV footage and observed several occasions where a group of learners appeared to be using a cell phone to record other learners. From the CCTV footage, the administrator was able to identify the year 8 learner who owned the cell phone. The learner and their parents had recently been warned about previous cell phone use at the school and reminded about the no cell phone policy. A disciplinary process was commenced, and the learner’s parents requested a copy of the CCTV footage.

Can the school administrator provide access to the CCTV footage?

The school administrator will first need to determine whether the learner’s parents are acting as their representative. In this case, because of the age of the learner, and the fact that the parents are acting on behalf of the learner through the disciplinary process, it would be reasonable for the school administrator to decide that the parents were acting as the representative of the learner when making the request for the CCTV footage.

The school administrator then needs to consider whether any refusal grounds apply to the disclosure of the CCTV footage. While there are other learners identifiable in the footage, the administrator needs to balance the rights of the learner to be able to defend the allegations against them, and the privacy rights of the other learners seen in the footage. 

The footage itself is not particularly controversial and would unlikely be an unwarranted disclosure of the affairs of other learner’s (section 53(b)(i) refusal ground). In this case, it is not likely that any other refusal grounds that would apply to the CCTV footage in question. 

While no refusal grounds might apply, there are some things the school administrator could consider that safeguard the privacy rights of other learners who are identifiable in the CCTV footage. If the CCTV functionality enables the administrator to blur the images of the other learners, then this functionality should be used before the footage is made shared with learner’s parents. If that functionality isn’t available, they could ask the learner’s parents whether they would be happy to view the CCTV footage onsite rather than receiving a copy of the footage. 

Read more information about responding to requests for CCTV footage.

Example: Refusal based on physical or mental health of the learner

A school guidance counsellor has received a request from a year 12 learner for all information the counsellor has collected about the individual during their counselling sessions over the last two years. The learner has experienced significant mental health concerns over that time, including depression. While the learner is currently in a good space with their mental health, the counsellor is concerned that disclosing the session notes which contain information from when the learner was quite unwell may negatively impact them. 

Can the guidance counsellor refuse access to the information?

As a year 12, the learner is old enough to exercise their IPP6 rights and request access to their personal information. However, there are genuine concerns that disclosing the information to the learner could impact their mental health. 

The counsellor could consider refusing access under section 49(1)(b) of the Privacy Act. This refusal ground can be used where the information relates to the learner, and the disclosure of the information relates to the physical or mental health of the learner and would likely impact the learner’s health. 

The counsellor would first need to consider whether it is practical to consult with the learner’s health practitioner. If the learner has not engaged with a health practitioner in respect of these issues, then consultation may not be practical.

The counsellor should also consider whether:

  • a summary of the information might be more appropriate
  • they could talk to the learner about any concerns they may have
  • whether they could provide access with conditions e.g. having a trusted person sit with the learner while they read the information onsite.

The right response will depend on the circumstances and the potential risk to the learner and their physical or mental health. 

Read more about refusing access requests on the grounds of physical or mental health.

Example: Request for an online assessment questions and answers

A secondary school uses a third-party provider for assessments of learners so they can identify learning support needs. A learner, with the assistance of a teacher, completes the online assessment. The assessment tool provides a report that is used to identify appropriate supports for the learner. The report provided to the school does not contain the questions asked or the learner’s answers to them. 

A year 11 learner has recently completed an online assessment. The assessment report was provided to the teacher and the learner and their parents. The learner’s parents have contacted the school principal raising concerns about the report and asked for a copy of the assessment questions asked in the online assessment tool and the answers provided by their child. The learner has advised that they are happy for this information to be provided to their parents.

Can the school principal provide the information?

The assessment tool, including the questions that make up the assessment and the answers provided by the learner, is provided by a third-party provider. The school does not hold a copy of the questions used by the provider to complete the assessment, or the answers that the learner gave to those questions. Therefore, it is the third-party provider that holds that part of the information requested by the parents, not the school.

The assessment questions are not personal information so are outside the scope of the Privacy Act. The answers the learner provided to those questions are personal information but as the school does not hold that information this part of the request will need to be transferred to the third-party provider. 

In this case, the school principal should inform the learner’s parents:

  • that they do not hold the information requested
  • the assessment questions are not personal information about the learner so IPP 6 of the Privacy Act does not apply to that part of the request
  • that they will transfer the request for the learner’s answers to the assessment questions to the third-party provider (unless the parents inform the school principal that they do not want the request transferred).

Back to top.

Correction requests (IPP7)

Every learner (or their representative) has the right to request correction of their personal information (IPP7). 

You must give reasonable assistance to any learner (or their representative) who wants to or has made a request to correct their personal information. This includes helping them to make the request and working with them to clarify what information they’re wanting to correct.

If you decide not to correct a learner’s personal information, they (or where appropriate their representative) can ask you to add a statement of correction to the information in dispute.

The Privacy Act (sections 58 to 65) then sets out the rules you must follow when responding to a correction request. 

Responding to a correction request

Download a printable PDF of these steps (PDF, 227KB).

There are a number of steps to follow when responding to a correction request:

Step 1

Identify what information the requester wants corrected.

If the correction request is unclear, contact the requester to clarify what personal information they want corrected, and how they want it corrected.

Step 2

Work out whether you hold the personal information that the request relates to.

Step 3

If you don’t hold the personal information, decide whether the request should be transferred to another agency.

If you decide that a correction request should be transferred to another agency, you must transfer it to the agency and tell the requester within 10 working days of receiving the request.

Step 4

Decide whether you will correct the information or not.

Step 5

Tell the learner (or their representative) of your decision no later than 20 working days after you received the request.

Step 6

If the learner (or their representative) requests a statement of correction to be added to the information, decide whether you will attach the statement of correction of not.

Step 7

Tell the learner (or their representative) of your decision about the statement of correction no later than 20 working days after you received the request. 

Step 8

Record the details (e.g. date received, requester details, correction requested) and outcome of the request (e.g. decision and date of decision for request and statement of correction).

What do you need to tell the learner (or their representative)?

When telling the learner (or their representative) about your decision in step 4, you must also tell them that:

  • you have corrected, or will correct, the information. Also tell them what you have done, or will do, to correct the information
    or
  • you will not correct the information and the reasons for that decision. Also tell them that the learner (or their representative) can provide a statement of correction and request that statement be added to the learner’s information, and that they can make a complaint to the Privacy Commissioner.

When telling the learner (or their representative) of your decision in step 6, you must also tell them that: 

  • you have added the statement of correction to the learner’s information and the actions you have taken to add the statement of correction 
    or
  • you haven’t added the statement of correction to the learner’s information, and the learner can make a complaint about the refusal to the Privacy Commissioner. 

Refusing a correction request

If you consider that the learner’s information you hold is accurate, you don’t need to correct it.

There might be a good reason why you can’t correct the information requested. For example, a learner’s sex information must be recorded in your student management system as their sex registered on their birth certificate in accordance with prescribed Ministry of Education data standards (compared to a learner’s gender which can be changed to record their preferred gender at any time).

However, you are required to ensure all learner information is accurate, up to date, complete, relevant and not misleading before you use or share it (IPP8). Decisions made using inaccurate information can have significant short- and long-term consequences for the learner. So, it is a good idea to carefully consider the accuracy of the information in question when you receive a correction request.

Read more about accuracy of leaner information in Chapter 8: Accuracy of information.

Statement of correction

When you refuse a request to correct a learner’s information you must advise the learner (or their representative) of their right to ask for a statement of correction to be added to the information in question.

A statement of correction should clearly set out the information the learner (or their representative) believes is wrong or incorrect and explain what the correct information should be.

When you add a learner’s statement of correction, you need to make sure you’re adding the statement of correction to the correct information – if you’re unsure, confirm with the learner (or their representative) exactly what information they want the statement of correction added to.

You also need to attach the statement of correction in a way that ensures it will be seen and is available to be read whenever the information that has been disputed by the learner (or their representative) is accessed.

Adding a statement of correction to a digital file may be more complex that a paper file. How you add a statement of correction to a digital file will vary depending on the functionality of your systems. It may be necessary to add it into multiple places.

When adding a statement of correction to a digital system appropriately naming the statement of correction file can help ensure the statement of correction is easily accessible and clearly associated to the original document e.g. ‘Statement of Correction to File [insert name of file], [insert date of Statement of Correction]’.

Does correction include deletion?

Yes, the definition of ‘correct’ includes deletion. However, if you’ve collected that information for a specific purpose, you’re allowed to keep that information for as long as it is necessary for that purpose (IPP9).

Schools and other organisations subject to the Public Records Act 2005 are required to keep certain information for specified periods. If this is the case, then you can refuse a request to delete a learner’s personal information.

If you have received a correction request that asks for information to be deleted, it is best practice to record your reasons for refusing to delete the information.

Additional Guidance

For more information on correction requests see:

Back to top.

A girl sits at a table and looks at her cell phone. Her mother stands over her, with a hand on her hip. Responding to correction requests in practice

The following section provides some examples of responding to correction requests in the education sector.

Example: Request to correct information in an investigation report about a learner’s misconduct

A school principal completed an investigation into alleged misconduct of a learner. An investigation report was completed for the school board that recommended the learner be suspended for several days. The learner and their parents were provided a copy of the investigation report prior to the school board considering the report and deciding on the disciplinary outcome.

The learner’s parents have made a request to the principal for certain information within the report to be corrected. In particular, the learner and their parents don’t agree with the conclusions drawn about the actions of the learner from the evidence available. They’ve requested that certain conclusions are removed from the report.

Can the school principal refuse to make the corrections?

The school principal will first need to determine whether the learner’s parents are acting as their representative. In this case, the parents have been acting as the learner’s representative throughout the investigation process so it would be reasonable to decide that the parents are acting as the learner’s representative when requesting changes to the investigation report.

If the school principal decides the information in the report is correct, they can refuse the correction request. However, when they tell the learner and their parents of the decision, they must also tell them about their right to request a statement of correction be added to the report. If the learner and their parents provide a statement of correction, this should be added to the investigation report in a way the ensures the two documents will be read together.

If the school principal decides that corrections requested should be made, they should correct the investigation report. Once the amendments are made, the school principal should check with the learner and their parents that the amendments reflect the corrections they were seeking.

Example: Request to correct name and gender of learner

A school principal receives a request from a learner’s parents to change their child’s name, sex and gender in the school’s student management system (SMS). The learner is in year 7.

Can the school principal make these changes in the SMS?

The school principal will first need to determine whether the learner’s parents are acting as their representative. In this case, the learner is likely too young to exercise their right to request correction of their information. If the school principal considers that the parents are acting in their child’s best interests, then it would be reasonable to determine that the parents are acting as their child’s representative.

The school’s SMS system enables the recording of a learner’s name, sex and a variety of gender identities. The school principal can update a learner’s gender in the SMS but can’t amend the sex field. The school principal is legally required to record a learner’s sex as that shown on the learner’s birth certificate or passport.

With regards to the learner’s name, the SMS system records both legal name and preferred name. The school principal can amend the learner’s preferred name, but the legal name must reflect the name on the learner’s official documentation.

The school principal should inform the learner’s parents of the changes that can be (or have been) made, and the reasons why some of the learner’s information (legal name and sex) can’t be corrected.

It’s a good idea if, before making the changes, the school principal talks to the learner and their parents about any downstream impacts of updating the SMS e.g. reports that will show the learners name and gender or communications sent to parents. This enables the learner to make an informed decision about changing their name and sex information in the SMS.

Example: Request to correct an external report

A learning support coordinator has been working with a Year 13 learner and an occupational therapist to identify and provide appropriate supports to the learner. The occupational therapist completed an assessment and prepared a report. The learner is unhappy with some of the report and has made a request to the learning support coordinator for that information to be corrected.

Can the report be corrected?

In this case, the health assessment report has been completed by an independent health practitioner. This means that only the occupational therapist can make changes to their report.

The learning support coordinator should inform the privacy officer of the request so it can be transferred to the occupational therapist to consider. The learner should be informed that the request will be transferred to the occupational therapist and the reasons why.

Back to top.

When a request should be managed as an Official Information Act (OIA) request

The Official Information Act 1982 (OIA) enables a learner (or their representative) to make a request for ‘official information’ (certain information held by public sector agencies). Official information can include personal information about other people, including other learners.

Where the person requesting the information isn’t the learner (or their representative), the request should be considered under the OIA.

Read more information about whether the Privacy Act or OIA apply.

Other information requests

Outside of access and correction requests, you may receive requests for information about learners from third parties.

When you receive a request for information about a learner, you shouldn’t share their personal information unless you have a legal authority to do so. Legal frameworks that enable the sharing of personal information include:

  • the Privacy Act (IPP11)
  • the Oranga Tamariki Act (section 15, section 66 and section 66C)
  • the Family Violence Act (section 20).

Read more information about sharing learner information in Chapter 7: Sharing information.

Back to top