Privacy and OIA

What are the Official Information and the Privacy Acts?

The guiding principle of the Acts is that information must be made available unless a good reason exists under the Acts for withholding it.

These Acts create a balance between increasing the availability of official information and enhancing respect and transparency, while at the same time protecting sensitive information where necessary for the public interest and/or to preserve personal privacy.

Information which can be asked for:

  • access to any official information
  • reasons for decisions made about you
  • internal policies, principles, rules or guidelines
  • meeting agendas and minutes of public bodies, including those not open to the publicexcept where they are confidential “closed” meetings.

People can ask for personal information about themselves. However, this type of information is covered by the Privacy Act, not the Official Information Act. If someone is requesting personal information about someone other than themselves, this is covered by the Official Information Act.

An organisation has 20 working days to respond to an Official Information Act request. However this can be extended if the request is large or unwieldy to compile.

The Privacy Act controls how people and organisations collect, use, disclose, store and give access to personal information. For example, under the Act people can apply to the relevant person or organisation if they want a copy of, or access to, personal information held about them. A person may also ask for information to be corrected.

Any person may make a complaint to the Privacy Commissioner if they think that there has been a breach of their privacy by a person or organisation holding their personal information. Likewise an individual can complain to the Ombudsman where they believe an Official Information Act request has not been appropriately dealt with.

Private information might be requested by a third party under the Official Information Act (e.g. the private information is not about the requestor themselves). See image below

Grounds for withholding information

Information can only be withheld when good reason exists under the Official Information Act for not releasing the information (see below).

In addition:

  • The requestor must be told of the reason for the refusal and
  • The requestor must be informed of the right to ask the Ombudsman to investigate the refusal

Reasons to withhold information include:

  • if the info would prejudice the national security or defence of New Zealand
  • if the info would prejudice the maintenance of the law
  • maintain trade secrets and commercial confidentiality
  • prevent the disclosure or use of official information for improper gain or improper advantage
  • protect personal privacy
  • maintain legal professional privilege
  • endanger the health and safety of the public
  • maintain the effective conduct of the decision making and policy advice processes of government
  • put the administrative capacity of the organisation under undue pressure

Sometimes a requester may be given some but not all information requested, e.g. a document with sensitive parts deleted. This is a common practice as in the diagram above. For example Bob requests a funding decision document. He receives this back with other people’s names blacked out to protect their privacy.

Incorrectly withheld information

If requesters of information feel that the information has been incorrectly withheld they have recourse to further investigation via external agencies. In the case of an OIA request they can ask for the Ombudsman to investigate. In the case of Privacy Act issues they can ask the Privacy Commissioner to investigate. These organisations will inform the University of these queries and ask us for justification of our decisions.

What is the Public Records Act?

The Public Records Act (PRA) was passed in 2005, bringing Universities under the ambit of Archives New Zealand and the Chief Archivist for the first time. Only corporate and administrative records are covered by the PRA. It specifically excludes from its coverage academic research and teaching materials.

The OIA and Privacy Acts allow access and revision of content, while the Public Records Act requires creation and maintenance of records in the first place. NZ Universities have a general disposal authority (GDA) that ensures the appropriate retention and disposal of business records under the PRA.

What the PRA requires ofUC staff:

  • That all University employees create records documenting their business activities.
  • That these records are maintained and are accessible over time.
  • That all records must be retained until approved for disposal by the Chief Archivist

The PRA defines records broadly and makes no distinction between formats – records may be either physical (eg, paper) or digital (eg, email).

It requires that, unless otherwise stated, University records that are over 25 years old be open and available to members of the public to access.

Archives New Zealand will regularly audit the information and recordkeeping practices and processes of the University.

Case Studies

Breach of personal privacy

Oscar receivedmarketing correspondence from an organisation which he did not believe he was signed up to. Looking into it further he realised the organisation was affiliated with the University. He complained to the University that his details had been given to the third party without his consent.

Oscar received another non-solicited brochure. He complained to the Privacy Commissioner this time and has no doubt mentioned this to others. This damages the reputation of the University and its staff.While this may seem a minor incident and non-harmful to Oscar this breached his privacy and the Privacy Act.

Confidentiality and privacy

Cathy was asked for information under an Official Information Act request. The information requested was ‘all correspondence between staff members in her department with and around an undergraduate student and their aegrotat applications’.

In gathering this information Cathy found that some of the email streams contained highly unflattering comments about the student and their need (or lack thereof) for the aegrotat. Once requested there was no way to withhold this information even though it was embarrassing for the University and staff members and defamatory of the student.

This widespread discussion of the student’s needs breached their privacy and caused complications for the University in reputation and under law.

Breaching both the Public Records Act and the Official Information Act

Gareth receives a request under the OIA for the quarterly reports which his department prepares for the organisation. Unfortunately Gareth intentionally destroyed these records before their authorised disposal date.

He cannot supply this material as requested which breaches the OIA. He also breaches the PRA by not maintaining the required business documentation under law.

This puts the University in a tough legal position and breaches two acts.

Emails and communications in general

Remember that as part of your work you are creating records through the email system that are public records. These records can be requested under Official Information and Privacy Act requests. Always be mindful of this and consider content and personal commentary. The person you are talking about may end up having access to these records.

For example,Bob asks for correspondence (under the Official Information Act) around a decision made on his PhD. Some staff had previously sent a couple of emails back and forth with some light banter and personal commentary about the annoying nature of Bob and his PhD. This correspondence must be given, even if it includes seemingly irrelevant information and personal remarks.

Taking work homeAny working documents which are confidential in nature should never be taken off campus. Be aware of files you hold on disks, USB drives and in hardcopy; don’t leave these lying around. When working from home it is best to ensure that you have remote access to the network and relevant systems to solve the problems around using loose media.

Links

Legislation

Official Information Act (1982)

Privacy Act (1993)
Public Records Act (2005)

The NZ Privacy Commission

Ministry of Justice

Official Information: Your Right To Know

Office of the Ombudsmen

Archives NZ
OIA and Recordkeeping presentation (by the Deputy Ombudsman)

For more advice, or to answer specific queries, please contact

Information and Records ManagementVersion: September 2011, Page1 of 6