Ready for Privacy Week? We’ve got all your privacy questions covered!
General, Agreements, Employment Law / 26 April 2023
Q: I’ve had a request under the Privacy Act 2020 by a former employee. The employee wants all personal information held by us and some of the information doesn’t even exist. Do I need to respond?
Yes. If an individual makes a request for access to personal information under Principle 6 (also known as an IPP 6 request), an agency has 20 working days to respond, time being of the essence.
The agency would need to notify the individual requesting the information and specify:
- What information is available, and access will be granted.
- What information is available, but access will be refused. There are rules around when access can be refused, including if information was legally privileged. This could be the case if there was an employment dispute and legal advice was sought during the process.
- What information is not held by the agency.
Q: I’ve requested personal information from a company and have asked for it to be made available in hard copy. The company has told me that it will charge me for making the information available. Can it do this?
Yes. In some circumstances an agency can impose a charge for assisting with an IPP 6 request. There are differences depending on whether the agency is in the public sector or in the private sector.
A private sector agency may only impose a charge where it is making information available in compliance with a request. This could be for all or some of the information that you have requested. It could require that the charge is paid in advance of the information being made available.
Where you are requesting information to be provided in hard copy, the agency may be justified in imposing a charge to cover printing costs and the like. If you consider that the charge imposed is unreasonable, you have the right to make a complaint to the Privacy Commissioner about the charge.
Q: I have been told I am the Privacy Officer in our office. I don’t really know what that means or what my responsibilities are. Can you help?
A Privacy Officer is responsible for responding to any privacy-related issues. This might include responding to requests for personal information, correcting personal information if a request for correction is made, or managing a privacy breach.
You may also need to work with the Privacy Commissioner if an investigation is undertaken.
Remember, if you get stuck, our team is always ready to answer any questions you have.
Q: An employee accidentally emailed a document to the wrong person. The document contained personal information about another individual, including financial information. What do we do?
The issue should be referred to your Privacy Officer immediately. Steps need to be taken to mitigate the harm, which could include trying to recall the email or contacting the recipient and requesting that the email is deleted immediately.
The Privacy Officer will need to consider whether the privacy breach is likely to cause serious harm. If the answer is yes, the Privacy Officer must notify the Privacy Commissioner and any affected individuals as soon as practicable. Failure to notify where the breach is likely to cause serious harm could result in fines of up to $10,000.
Fixed Price Offer
Want to educate your team further on their privacy obligations? Talk to us about an in-person training session at your workplace or our offices.
Disclaimer: We remind you that while this article provides commentary on employment law, health and safety and immigration topics, it should not be used as a substitute for legal or professional advice for specific situations. Please seek legal advice from your lawyer for any questions specific to your workplace.