Access to personal information

Employers often receive requests for personal information from their employees in the context of a personal grievance or disciplinary process. Sometimes the requests are very broad and involve a lot of information that takes a considerable amount of time to compile, or that the employer does not think is relevant or helpful to resolving the issue at hand. Even if that is so, or if the employer suspects that the request is more tactical than genuine, the employer needs to ensure it complies with the technical requirements of the Privacy Act 1993 and Official Information Act 1982 (where applicable), as well as the more general requirements of good faith.

Outlined in a previous legal update, the proposed privacy law reform will (if passed, and among other things) enable the Privacy Commissioner to make binding decisions on complaints relating to requests to access personal information. The Commissioner has indicated informally that binding decisions will be the exception, not the norm, and will most likely be made in relation to specific pieces of information or documentation. Even so, this new power will increase the focus on compliance with access requests.

Sometimes an organisation will have good reason to refuse a request for personal information, and there are a number of grounds in the Privacy Act that organisations can rely on. 'Relevance' is not one of them, and neither is 'it will take a lot of time', unless it meets the high thresholds set by the Act. Employers can use these reasons - alongside good faith - to try to negotiate refinements to requests, but it is up to the employee ultimately.

A recent case note from the Commissioner clarifies when an organisation may be able to refuse a request on the ground that it is 'vexatious'. While rare, this may assist some employers.