Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Roth, Paul --- "Privacy Act Review: access and complaints" [1998] PrivLawPRpr 80; (1998) 5(6) Privacy Law & Policy Reporter 115

Privacy Act Review: access and complaints

Access to personal information
Complaints jurisdiction

Privacy Act Review: access and complaints

Paul Roth

Most of the Review’s recommend-ations relating to access to personal information and the privacy complaints jurisdiction are technical in nature. They are generally intended to clarify existing rights and obligations under the Privacy Act (the Act), streamline the coverage of particular provisions or processes, and plug gaps. The aim of this article is to single out just a few of the issues raised in the Review that illuminate some of the characteristics and problems of a privacy regime that makes provision for an individual access and complaints procedure.

It is perhaps best to begin with a brief summary of the parts of the Act with which this article is concerned. The Act entitles individuals to seek access to and correction of their personal information,[1] so long as it is ‘readily retrievable’. Access rights are exercised under the procedural provisions of Pt V of the Act. Agencies may withhold information if one or more of the ‘good reasons for withholding’ under Pt IV of the Act applies. Decisions relating to access must be made as soon as reasonably practicable and normally not later than 20 working days.[2] Agencies must provide assistance to individuals who request their personal information,[3] and must transfer requests if another agency is believed to hold the information.[4] Information held by public sector agencies is available free of charge, whereas private sector agencies may charge a reasonable amount.[5]

Where information is refused, the agency must give its reasons and inform the requester of the right to seek an investigation and review of the refusal by the Privacy Commissioner.[6] Where an individual has a complaint relating to access or correction, or the breach of any other information privacy principle in s 6 of the Act, the procedure in Pt VIII must be followed. This involves going through the Privacy Commissioner and the Complaints Review Tribunal. In cases of access complaints against public sector agencies, however, the individual has the option of going directly to the courts of general jurisdiction for enforcement.[7]

Access to personal information

Two Review recommendations relating to the ‘good reasons’ for refusing access to personal information are particularly noteworthy for illustrating the sorts of conceptual and practical issues that have arisen under the access regime. These recommendations recognise that the exercise of access rights may sometimes infringe the privacy interests of others.

The Review recommends that consideration be given to the provision of statutory guidance on the withholding of information in cases involving ‘mixed information’, that is, information concerning the requester and other individuals.[8] This was always going to be a difficult problem. Much information about an individual will involve matters concerning that individual in relation to other individuals. Moreover, whenever one person records or discloses information about another person, that information will tend to record or disclose information about at least two individuals: the individual subject of the information; and the individual who is the originator of the information and is recording or passing on his or her own observations, assessment, or thoughts about the subject.

In relation to access rights, the control on disclosure of this sort of information is the s 29(1)(a) ‘good reason’ for withholding, namely, that disclosure ‘would involve the unwarranted disclosure of the affairs of another individual or of a deceased individual’. As the Review recognises, ‘there can be a tension between the privacy rights or expectations of two individuals, one of whom would like to have access to information and the other who may prefer control of, or restriction on, the disclosure of that information’.[9]

Legislation governing this area will therefore have to institutionalise some form of balancing process between the respective privacy values, neither of which can be presumed in advance to be more weighty than the other.[10] The process will have to take into account factors that arise in the particular circumstances of each case. Just as some reasons for seeking access may be more important than others, so too, in relation to disclosure, will some items of information be more sensitive or intimate than others. For example, access sought out of mere curiosity does not carry as much weight as a need for information to enable one to defend criminal charges. The test for withholding under the Act is whether disclosure in the circumstances is ‘unwarranted’.

This is an appropriate test to deal with the issue of ‘mixed information’, even though it may be extremely difficult to apply in many circumstances. It will always be undesirable to curtail a privacy interest in the name of privacy. The proposal in the Review is that, given that the Privacy Commissioner and the Ombudsman under the freedom of information legislation have developed a consistent approach to a number of commonly recurrent situations, it may be possible sometime in the future to ‘spell out a new set of withholding grounds which make some of the recurrent issues plainer to deal with’.[11]

The Review also recommends that consideration be given to a provision enabling the withholding of information where disclosure is likely to lead to the harassment of an individual.[12] Under s 27(1)(d) of the Act, information may be withheld by an agency if disclosure ‘would be likely to endanger the safety of any individual’. The Complaints Review Tribunal has held in a number of cases, however, that this provision refers to physical safety only, not ‘mental safety’, and so does not encompass harassment falling short of physical attack.[13]

In relation to the process of handling requests for access, the Act’s regime was adopted largely intact from New Zealand’s existing public sector freedom of information legislation, the Official Information Act 1982 and the Local Government Official Information and Meetings Act 1987. This means that although the procedural provisions relating to access have been tested thoroughly through many years of experience, not all of the provisions may be appropriate for a privacy regime.

In particular, the Review recommends that the Act’s standing requirements in s 34 — that requesters must be NZ citizens, permanent residents of NZ, or individuals actually present in NZ — be abolished.[14] Although such requirements might have been suitable for a regime that was limited to access to public sector information, they are not necessarily appropriate for a regime that extends to the private sector and which operates in an international context. In this connection, the Review expresses a fear that the European Union ‘will see the non-availability of legal access and correction rights to Europeans while in Europe as a feature that is not “adequate” in terms of the [EU Data Protection] Directive.’[15]Moreover, in its ‘principle of interested party access’, the UN Guidelines provide that access should be available to everyone ‘irrespective of nationality or place of residence’.[16]

The NZ Law Commission has recently reviewed the Official Information Act,[17] including some of the provisions relating to access to information. Among the major problems identified with the access regime in that Act was the slowness of some agencies to respond to requests for information. The Law Commission recommended that the 20 working-day time limit be reviewed in three years, with a view to reducing it to 15 working days. Such a reduction was said to be justified in view of developments in information technology and management that have taken place since the original time limit was first set in 1987, rendering information generally more ‘readily retrievable’ in terms of the legislation.[18]

Interestingly, this issue did not arise in connection with the Act review. Could it be because NZ agencies are particularly law-abiding in respect to personal information? Perhaps the answer may lie in the fact that most of those making submissions to the review were agencies that handle requests for personal information, rather than individual requesters. Agencies will hardly complain of their own failure to deal with requests for information in a timely manner. At any rate, the argument for reduction of the 20 working-day time period, while appropriate for the public sector, is less applicable to many private sector agencies. Public sector agencies can be expected to have sophisticated information management systems and the ability to absorb their cost, whereas the same requirements and resources cannot be assumed for the private sector as a whole.

Given the extension of the personal information access regime to the private sector, one also wonders whether information is ever destroyed rather than disclosed to the requester. There are very few anecdotes about this occurring. Perhaps, therefore, New Zealanders really are exceptionally law-abiding.

Complaints jurisdiction

The main issue in relation to complaints under the Privacy Act is the apparent lack of adequate resources to deal with them in timely fashion because of their great number.

When the Act first came into force in mid-1993, the Privacy Commissioner maintained (somewhat optimistically, as it proved) that his office would not be complaints-driven. The Privacy Commissioner’s assorted functions as listed in s 13 of the Act are indeed numerous and far-ranging. Of the 21 functions described in that provision, the handling of complaints is not specifically referred to at all, but falls under the final omnibus function of performing such functions as are conferred under the Act. In retrospect, it would perhaps be fair to say that the Privacy Commissioner’s most valuable work, from the point of view of privacy advocacy and greatest overall benefit to the public weal, has been in vetting proposed new legislation and in commenting publicly on the significant privacy issues of the day.

Over the years, however, the volume of complaints has steadily increased to the point that a queue has had to be established. It can now take about 12 months before an investigation is allocated. The queue for complaints awaiting investigation has increased from 324 as at 30 June 1997, to 673 as at 30 June 1998.[19] The investigation of complaints appears to devour much of the Office’s time and resources.

The phenomenal growth in the volume of complaints (513 for the year ended 30 June 1994; 877 for 1995; 993 for 1996; and 1,200 for 1997) might have been predicted, given that (1) the process is free of charge; (2) the population at large is relatively well-informed and rights-conscious; and (3) there will always be a demand effect when people hear of a complaint that has been successfully resolved (particularly if a monetary settlement is involved). The complaints regime, therefore, will tend to be a victim of its own success.

Another factor that seems relevant in this connection is that a concern with privacy is not necessarily always at the root of the issues that are dealt with through the Act’s complaints process. Many issues pursued in the privacy jurisdiction have their genesis in relationships gone wrong — employment, marital, parent/child, doctor/patient, neighbours, banker/ client, debtor/ creditor. Ultimately, all social intercourse involves the collection, use and disclosure of personal information.

The Act provides a low-risk avenue for ventilating all manner and form of grievance. Unlike defamation, where liability may be incurred where information is false, a defence of truth is of no avail under the Act. This is not to suggest that such a defence be available, but merely to illustrate a salient characteristic of the jurisdiction that enables it to accommodate an immense range of grievances, and why the volume of complaints may not plateau out anytime soon.[20] This may be a fundamental problem with any regime that makes provision for individual privacy-related complaints.

The increasing number of complaints that seemingly threaten to swamp the Privacy Commissioner’s office would thus appear to be the major problem in relation to the complaints jurisdiction. Two recommendations attempt to address this problem.

One is a plea for more funding,[21] so that the Office of the Privacy Commissioner will be able to process the great volume of complaints ‘with due expedition’, as required under s 75.

If the complaints being investigated are quite serious, there should be no objection to the expenditure of additional money to deal with the problem. If, on the other hand, many of the complaints are of a relatively minor nature,[22] throwing money at the backlog may only fuel greater demand for the jurisdiction. A plea for money will therefore be more convincing if it can be accompanied by some evidence that this way of addressing privacy issues provides value for money in terms of the overall picture. If the backlog is being caused by a great number of relatively minor complaints, then perhaps thought ought to be given to amending legislation that subjects complaints to a more strict winnowing process. In the meantime, the queue itself may be functioning as an effective, if awkward, sifting mechanism.[23]

The other recommendation to relieve the increasing pressure on the jurisdiction directly addresses the issue of case management. It provides for a deferral of action on a complaint where the complainant has not yet complained directly to the agency concerned and where it would be appropriate to do so, or where there is another independent procedural channel for addressing the complaint that has not been followed.[24] As the Review notes, such a power of deferral would be similar to that provided for under s 41(3) of the Australian Privacy Act. However, the Review cautions that:

... no-one should be under any illusion that [the introduction of deferral] will significantly reduce the complaints queue. It may contribute to a small reduction, to be welcomed, but the proposal is really directed to enhancing the processing and prioritising of complaints investigation whether or not there is a backlog of complaints.[25]

Urgent action to reduce the length of the queue is clearly required. The queue is highly unlikely to reduce in size in the near future given the present law and available resources. Moreover, although the Act came into force in mid-1993, most of the principles have only become fully enforceable since mid-1996. These include the principles that one might expect to form the basis for the greatest number of complaints: the principles relating to collection, accuracy, use, and disclosure of personal information. The danger posed by the increasing number of individual complaints is that attention to privacy issues of greater significance, in terms of effect or number of people affected, will be diluted.

Paul Roth is a Senior Lecturer in Law at the University of Otago in Dunedin. He is the author and editor of Privacy Law and Practice, and the Asia-Pacific editor of The Global Encyclopaedia of Data Protection Regulation, to be published in 1999 by Kluwer Law International.

Telephone: (03) 479-8600

Email: paul.roth@stonebow.otago.ac.nz

[23] At para 5.6.9 of the Review, the Privacy Commissioner notes that ‘my office does undertake a preliminary filtering of the complaints received and will bring cases substantiated as urgent to near the front of the queue.’