Help people to understand their rights
Why it's important to remind people about their rights
The Transparency and Choice Guideline describes what service users should be told when their information is collected, including their rights in relation to information held about them.
These rights can be summarised as:
- the right to understand what personal information is collected and stored
- the right to access that information
- the right to request correction of that information, bearing in mind the purposes for which it may be used.
However, in the social sector, there are a number of factors that can affect people's understanding of these rights, or their motivation to exercise them. For example:
- people won’t always be thinking about the information being collected or held about them when they initially seek help - they may be stressed in some manner, and more focused on getting the help they need
- over time, more information about them may be gathered or created without their knowledge, such as information lawfully obtained from other agencies or information that is recorded about them when they are not present (for example, case notes)
- service users often engage with several agencies on related topics. Over time they may become uncertain about which agencies hold what personal information, what the personal information covers, and what those agencies are doing with their information.
These factors can contribute to eventual concerns about where their often sensitive information is held, whether any of it is out of date or could be misunderstood and, therefore, whether it may not be helpful in terms of the services they need.
In addition, sometimes people become concerned about the way in which their sensitive information is recorded, as the act of recording a person's story can involve interpretation and sometimes adverse judgement, stigmatising, generalisation or stereotyping. Having such concerns while also not knowing how to access or request correction of one's personal information can impact negatively on a person’s sense of wellbeing.
For these reasons it’s important to proactively remind people of their rights from time to time. This gives people an opportunity to think about their information, and exercise their rights if and when they would like to. Ensuring that they know what they can do, and that they can readily take action whenever they wish, helps to alleviate a sense of disempowerment that they may have in relation to their information.
While there are grounds for saying no to an access request, the default is to say yes
There are situations where an agency can say no to a person requesting access to his or her personal information. The grounds for saying no are contained in Part 4 of the Privacy Act. They recognise that other interests may be harmed if a person's access to his or her personal information is allowed.
The grounds most relevant in the social sector concern situations where disclosure would:
- be likely to endanger either the safety of any individual or public health or public safety
- create a significant likelihood of serious harassment of an individual
- include information about another person who is the victim of an offence or alleged offence and who would be caused significant distress, loss of dignity or injury to feelings by the disclosure
- breach confidentiality or legal or professional privilege
- be likely to prejudice the physical or mental health of an individual (if the agency is satisfied of this after, where practicable, consulting the individual’s health practitioner)
- in the case of an individual under 16 years of age, be contrary to that individual’s interests
- be likely to prejudice the safe custody or rehabilitation of people convicted of an offence or detained in custody
- interfere with the privacy of others
- be likely to prejudice the maintenance of the law, including the prevention, investigation, and detection of offences, and the right to a fair trial
An agency may also refuse a person's request to access their information if the information can't be found or doesn't appear to exist, or if it is not readily retrievable.
While these grounds do exist, they need to be considered on a case-by-case basis and do not justify a general denial of the right to access one's personal information. To the contrary, the default approach is to grant access to one's personal information when requested unless one of the grounds applies. For this reason, the existence of these grounds does not affect the importance of reminding people about their rights.
Note also that, if an agency refuses a person’s request to access their personal information when no ground for refusal applies, the Privacy Commissioner can require the agency to give the person access to their personal information.
It is important when recording information about a person to ensure that it is accurate, clear and well written, both as a matter of respect and because the person is able to request access to and view what has been written about them. It is especially important that when subjective comments are included these are carefully weighed, respectful and professional. Agencies cannot say no to a person's request for personal information merely because the information was poorly written or expressed with insufficient care.
Examples of things to think about when helping people to understand and exercise their rights
- Will service users be asked how they want to be involved in managing their information?
- What needs to happen to enable service users to ask about their information from time to time and to feel comfortable and safe in doing that?
- How much support might they need to understand or exercise their rights?
- What steps can be taken to confirm that a person is aware of their rights?
- Do you have a process in place to deal with requests from an individual's representative?
- How can operational practices emphasise telling service users upfront what is recorded and how they can access it? This may be in general terms, or specific to the person in question.
- What limits should there be on access in this particular context, and how can service users be told about them upfront?
- If there are limits, why do those limits exist, and are they lawful?
- Is there anything that can reasonably be done to reduce or remove such limits safely to enable access to the information?
Help people to ask for their information
Given the range of agencies that service users encounter or engage with who may hold various elements of information, they may feel overwhelmed at the challenge of exercising their right to ask for information or feel intimidated by the process. Sometimes people are simply too shy to ask. Language, culture, and disability (for example literacy) may also be barriers to individuals feeling comfortable about asking to see their information. These challenges can result in service users being left with general concerns about where their information is, and the range of agencies that have access to it.
It's important to note that the Privacy Act requires agencies to "provide reasonable assistance" to people who wish to request access to their personal information or request correction of their personal information.
Practical and proactive ways to help
- Offer the information about rights without being asked for it, in a safe and comfortable way that supports the ability of the service user to absorb and understand the information being provided.
- Check in with service users on a regular basis to see whether they would like to update their information, or if anything in their circumstances has changed.
- Help people to use the AboutMe tool offered on the Privacy Commissioner’s website.
- Offer to act as the person's agent or representative (where the person wants to request their personal information from another agency), and making appropriate requests on their behalf.
- Offer pre-prepared general summaries of which agencies will hold what kinds of information. This can help by alleviating concerns about agencies knowing things that they are unlikely to know on any general basis, and/or focusing the conversation on the agency or agencies the person is most interested in. Offering these summaries may be done directly by your own agency, or through others that provide services to service users that you may hold information about.
Make it easy to access and request corrections to information
As service users become familiar with their rights and wish to exercise them, people working in a range of different contexts can contribute to making this easy for them to do.
When dealing directly with a service user in a face-to-face situation
There will be two situations to consider:
- situations where your agency holds information about service users for your agency's purposes, or as a consequence of another agency's purpose (for example, maybe you collected the information on their behalf); and
- situations where the information a service user wishes to see is held by another agency.
Examples of the kinds of actions that may help to make it easy include the following:
|Information held by your agency||Information held by other agencies|
|Consider sharing your screen, show people what's recorded about them, ask them to identify any inaccuracies or voice any concerns they may have about that information.||If a person makes a request to your agency for his or her information but you believe the information is held by another agency, the Privacy Act requires your agency to transfer the request to the other agency, promptly and within 10 working days, and inform the person you've done so.|
|Provide screen prints, or other pre-prepared reports that your ICT system may offer, or alternatively allow them to take a photo if they have a phone camera. Ask them to highlight any areas they might wish to be changed.||Offer to help them fill out the Privacy Commissioner's AboutMe form or connect them to the other agency to help them ask directly.|
|Email a photo of the screen to them, taking care to double-check email addresses, and ensure that the service user wishes to have this information by email.||Fill out the AboutMe form on their behalf, and act as they representative, for example if they share an email address with a spouse or partner and would rather the information be kept private.|
|Provide photocopies.||If you have established relationships at an operational level with the agencies in question, contact them by phone and ask on behalf of the service user, or with the service user present.|
Supply the information in an accessible format, adapting this for the needs of differently abled people, for example, children, people with low literacy levels, sight-disabled people and those with English as a second language. What timing, language, format, visuals, flowcharts, pictures or other things could be helpful?
Talk through the information, if that helps with a person’s comprehension.Use a support person who can speak in the person’s first language and translate if possible
|Consider establishing a protocol ahead of time with other organizations about access that will make it easier and more convenient for agencies and therefore for the user.|
Enable NGOs (or other organisations) to act on behalf of service users to access their information
Your agency may hold information that is useful and relevant for an NGO (or other organisation) to be able to provide effective support for service users. Service users may not be able to recall, or may not wish to recount, relevant information when seeking a service. Instead they may wish for the NGO providing the service to act as their representative and request the relevant information from the appropriate agency or agencies. Examples might include: confirming details of benefits and entitlements, information about health or wellbeing; or information about a person’s overall situation that they may prefer not to re-tell, given that doing so repeatedly can have negative impacts on a person’s wellbeing.
Examples of how agencies could make it easier for people to exercise their rights to access their infomration via others include:
- identifying organisations and types of services for which such a provision might make sense and be practically workable - noting that expectations of volume and timeliness that are mutually agreeable will have to be worked through
- establishing local or regional relationships between staff in the agency providing the information and the organisation acting as the service user’s representative, so that each party is well known to the other
- agreeing appropriate formalities (such as signed permission forms) to allow information to flow for lawful and agreed purposes when individuals wish to access and check their records, and are willing to have others act as their agent or representative
- agreeing appropriate contact/request channels and identifying who can do the work
- understanding what information is typically useful and how it can be readily retrieved
- determining response times that can be reasonably achieved for typical requests, and agreed criteria for when quicker response times are needed, for example if the request is urgent
- a telephone support arrangement for urgent cases
- privacy safeguards, for example clarifying expectations about how people’s information will be managed, who can/can’t see it, et cetera, including alignment with advice within this Policy.
When dealing with a service user through digital or other channels
When considering or designing service delivery channels for service users, other than face-to-face, a number of considerations and opportunities may be relevant.
Digital Access: service users in the social sector are not always practically able to access digital channels. This can be for a range of reasons (for example, language, technical confidence, meaningful access to technology that is fit for purpose, the time to do it, disability). Knowing that digital channels exist, but are not meaningfully accessible, can be a significant frustration. Consider making it easier for service providers or others to act on behalf of service users by using an agent or representative, or to complement digital channels with readily accessible alternatives.
Setting up access to digital channels: the most immediate hurdle for people may be understanding what digital channels exist, what they can do, and how to access them. Consider enabling providers to help service users establish access to these channels.
Where possible, provide access to a person's information in the form they prefer
The Privacy Act states that, where a person's requested personal information is contained in a document of any sort (which could be hard copy or electronic), the agency in question can make the information available by, for example:
- allowing the person to look at the document
- giving the person a copy of the document
- giving the person an excerpt or summary of the contents
- giving oral information about its contents.
At the same time, the Act requires the agency to "make the information available in the way preferred by the requestor", unless doing that would be administratively burdensome, contrary to a legal duty over the document or prejudice a reason in the Act for denying a request.
Be careful to limit access to a person's own information
When helping people to access their information, it can be important to check that the information they're accessing is only their own information and does not contain or refer to other people's personal information. Allowing someone to view another person's information could breach that other person’s privacy. Where information of the requesting person is combined with information relating to others, it may be necessary to separate or redact the other information before granting access.
Examples of things to think about - processes and systems
- How can service users be involved in creating records, for example. writing or reviewing case notes or filling out forms?
- For larger agencies, can technology plans include the provision of online portals such as myMSD and ManageMyHealth to allow people to access and update some information?
- Can processes or practices help service users avoid needing to make formal requests for their personal information, for example, automatically providing copies of core information such as referrals, assessments, and forms?
- Does your agency have simple, well understood business practices to retrieve and provide information in response to Privacy Act requests?
- What are simple ways for service users to ask for changes or corrections, for example, in similar ways to the AboutMe tool?
- How can service users' ideas and suggestions be included in regular planning processes to inform how their rights can be readily exercised?
- Does your agency have simple and clear processes for service users to communicate concerns or make a complaint?
Acting as an agent or representative
It may be appropriate in some circumstances for a service user to ask someone else to act as their agent or representative in relation to Privacy Act requests. Permission for a person to do so can take the form of a letter, a signed form, or an email. Brief advice on this topic can be found on the Privacy Commissioner's website.
Reasons for establishing such an arrangement might include considerations of a person's English language ability, their culture, disabilities, whānau-based considerations, or a range of other practical issues.