News
Sorry - I can't give you that information
The Privacy Act: What does it mean for employers?
The Privacy Act is arguably one of the most misunderstood (and potentially misused) pieces of legislation in New Zealand.
The application of the Privacy Act in practice is something of a curiosity for many observers who supported its introduction in 1993 as a means for promoting and protecting individual privacy. For the ordinary person, exposure to the Privacy Act is most likely to come in the form of a frustrating denial to access to information - anybody who has attempted to find out whether their spouse is a passenger on a delayed airline flight will know exactly what I mean.
Others may perceive the Privacy Act as a more sinister shield. For example, an organisation may, on one hand, demand an authorisation for access to personal information as a pre-requisite to providing services (such as insurance cover) but may, on the other hand, profess to use the Privacy Act as a reason for not providing any information to that person when their application is declined.
Given the strong perceptions which now exist concerning the application of the Privacy Act, and the possibility for this legislation to be used improperly, it is important for employers who have an appreciation of the obligations which they owe.
The Act enshrines 12 "Information Privacy Principles" which provide guidelines for the collection, use and disclosure of personal information. The key points for employers to note are as follows:
- Collection of personal information should, in ordinary circumstances, be made directly from an individual him or herself. Practically, this is likely to happen at the outset of an employment relationship when a new employee completes an application or information form.
- The employer should ensure that the personal information of its employees is stored in a secure manner. This obligation will be regarded by most employers as obvious in the case of such things as personnel files. Employers may, however, need to give some thought concerning the accessibility of information on an internal computer database.
- A person generally has a right to access their personal information. One of the significant exceptions to this principle concerns access to "evaluative material". In brief, an employer is not obliged to provide an employee with access to such things as performance reviews where reviews have been provided subject to an understanding that the material will be kept confidential from the person being evaluated.
- An employer should not ordinarily disclose personal information which it holds. Two notable exceptions are where the person concerned authorises this disclosure and where the disclosure is required by law. An employer would be well advised to ensure that any authority to disclose material is recorded in writing and signed by the person giving the authorisation.
Arguably, many employers regard the Privacy Act as "toothless" because of a perceived inability for action to be taken in the event of breach of any of the privacy principles. Employers who take this attitude should do so at their peril. A person alleging a breach of a privacy principle may make a complaint to the Privacy Commissioner who may then investigate and rule upon the matter. If a settlement is not achieved as a result of that investigation the matter may be referred to the Complaints Review Tribunal which has a broad power to impose penalties (including giving awards of damages).
Quite apart from this, however, employers should bear in mind that other tribunals (such as the Employment Relations Authority) take a particularly dim view of employers who are guilty of Privacy Act breaches. Further, public criticism of such breaches may also be severe.
The principles of the Privacy Act may be complex in their application and, arguably, often misused. Employers would be well advised to ensure that their policies and procedures accord with the requirements of the Privacy Act and that responses to requests for personal information are actioned in an appropriate way.
