Openness

The Privacy Principles make it clear that organisations must be open with people about the personal information they collect and handle. This can be seen in four requirements of the Privacy Principles:

  • Disclosure of privacy policies and general information
  • Ensuring awareness when collecting particular information
  • Access to personal information on request
  • Correction of personal information on request

  • Disclosure of privacy policies and general information. Organisations must make available to the public a document in which they clearly express their policies for the management of personal information they hold (IPP 5.1).

    On request, an organisation must also take reasonable steps to inform a person about:

    • the kind of personal information it holds;
    • why it holds the information; and
    • how it collects, holds, uses and discloses the information (IPP 5.2).

    The potentially onerous requirements of IPP 5 mean that it will usually be in the interests of organisations to develop detailed written policies about management of personal information that address, among other things, the specific requirements of IPP 5.2.

  • Ensuring awareness when collecting particular information. Every time personal information about an individual is collected, the organisation collecting the information must take reasonable steps to ensure that the individual is aware of:

    • the identity of the organisation
    • the purpose for which the information is collected
    • any law that requires the particular information to be collected
    • the main consequences (if any) for the individual if all or part of the information is not provided
    • to whom the organisation usually discloses information of the same kind
    • the fact that the individual is able to have access to the information.

    Important points to note:

    • Awareness not notification. The requirement is about making sure the person is aware. It does not require notification, if the person would otherwise be aware.
    • Reasonable steps. The requirement is not absolute. The organisation must take 'reasonable steps'. Factors relevant to assessing what are reasonable steps may include the significance of the information to the individual, the likelihood of use by the agency, the extent of prejudice that might arise through use of the information and the resources that would have to be committed to ensuring awareness.
    • At or before collection. If the information is collected from the individual, the requirement arises at or before the time of collection (or, if that is not practicable, as soon as practicable after collection).
    • From individual or another. It arises even if the information is collected from someone other than the individual. Collection includes collection from another organisation or receiving information volunteered by a member of the community.
  • Access to personal information on request. Privacy Principle 6 sets out an alternative access scheme to Freedom of Information access. However, the Privacy access scheme is limited to the personal information of the individual concerned.

    As with the FOI access scheme exemptions, there is a series of reasons why an organisation can refuse access to information (IPPs 6.1 and 6.2). Many of the exceptions are similar to FOI exemptions but there are some differences. One of the exceptions arises if 'denying access is required or authorised by law'. This would appear to allow refusal based on any of the FOI access exemptions.

    In general terms, the requirements for, and procedures involved in, the FOI access scheme are more concrete, and spelled out in more detail, than the Privacy access scheme. In most cases, it will probably be preferable for individuals seeking access to use the FOI access scheme.

  • Correction of personal information on request. Privacy Principle 6 sets out an alternative correction scheme to Freedom of Information correction.

    Like the FOI access scheme, the Privacy correction scheme refers to information that is not accurate, complete or up to date. If the person establishes this, the organisation must take reasonable steps to correct it.

    In general terms, the requirements for, and procedures involved in, the FOI correction scheme are more concrete, and spelled out in more detail, than the Privacy correction scheme. In most cases, it will probably be preferable for individuals seeking correction to utilise the FOI correction scheme.