Privacy law for employers in New Zealand

by The Findlaw Team

Every so often we hear stories in the media about major privacy breaches, not uncommonly on the part of a public sector organisation. These media ‘storms’ can wreak havoc on the reputation of the organisation in question, can be damaging to the careers of the employees responsible, and may end up costly in terms of reviewing and improving systems and procedures.

As well as having obligations under the Privacy Act 1993 towards clients and others as an ‘agent’, the Act is relevant to employers in terms of their relationship with employees (including potential or former employees). This article outlines the relevance of privacy law for employers in New Zealand.

What does the Privacy Act cover?

The Privacy Act 1993 covers the protection of individual privacy, and applies to every person and every agency and organisation in New Zealand in respect of information about an identifiable living individual, held in any capacity other than for the purposes of their personal, family, or household affairs.

The central issues for employers relate to the collection, storage, and release of personal information which the employer has on file in relation to any identifiable individual, including employees, past employees, and job applicants.

Any person who is identifiable by this information is covered by the provisions of the Act, and is accordingly entitled to access to that information, either personally, or through their authorised agent.

There is provision for refusal of access to information where the information is “evaluative material”, such as an interviewer’s notes made when assessing a job applicant’s suitability for a position.

Employers must designate a Privacy Officer

The Privacy Act 1993 requires employers (regardless of the size of the business or organisation) to designate a person to carry out the following responsibilities:

  • Encouraging compliance with the information privacy principles within the organisation;
  • Dealing with requests made under the Act;
  • Working with the Privacy Commissioner in relation to investigations being made under the Act; and
  • Doing whatever else is necessary to comply with the Act.

The responsibilities of the person designated to be the “privacy officer” may be in addition to that person’s usual duties.

Privacy principles

At the core of the Privacy Act 1993 are the Information Privacy Principles which set out rules, and exceptions to those rules. These principles can be summarised as follows.

Principle 1: You may only collect personal information, which is information about a particular individual, for a lawful purpose.

Principle 2: You must collect personal information directly from the individual concerned.

Principle 3: You must ensure that the individual is aware of the purpose for which the personal information is collected, the intended recipients, and the fact that the individual has a right of access to, and a right to request correction of, that information.

Principle 4: You must not collect personal information unlawfully or unfairly, or in a way which encroaches unreasonably upon personal privacy.

Principle 5: You must ensure that there are reasonable security safeguards to protect personal information against loss and unauthorised access, use, modification, or disclosure.

Principle 6: Any individual is entitled to confirmation from you of whether you hold personal information, and to have access to that information if it is readily retrievable.

Principle 7: An individual is entitled to request correction of personal information. You may refuse to correct the information, but if you do so, you must, if requested, attach a statement to the information noting that a correction has been sought but not made. You must notify the individual of steps taken to do this.

Principle 8: You cannot use personal information without taking reasonable steps to ensure that the information is up to date, complete, relevant, and not misleading.

Principle 9: Personal information may not be kept longer than necessary for the purposes for which it may lawfully be used.

Principle 10: Personal information obtained for one purpose may not be used for another purpose.

Principle 11: You must not disclose personal information to any body or agency without the consent of the person whom it is about.

Principle 12: Unique identifiers: you may not assign a unique identifier to an individual unless this is necessary to enable your agency to carry out its functions efficiently. A “unique identifier” is a tag which may identify a particular person but does not use the individual’s name.

Complaints procedure

Any person in New Zealand (whether a citizen or not) may complain to the Privacy Commission if there has been an interference with privacy of an individual, in that there has been a refusal, or breach of the correct procedure for:

  • Access to personal information (Principle 6);
  • Correction of personal information (Principle 7);
  • A breach of the Information Privacy Principles (other than principles 6 and 7);
  • A breach of a code of practice; or
  • Non-compliance with the controls on information matching.

This only applies where the action has:

  • Caused loss, detriment, damage, or injury, or may do so;
  • Adversely affected rights, benefits, privileges, obligations, or interests, or may do so; or
  • Resulted in significant humiliation, loss of dignity, or injury to feelings, or may do so.

Dealing with requests for personal information

If an individual requests an employer provides personal information that they hold about that individual, the employer is required (within 20 working days after the request) to decide whether the request is to be granted, what costs (if any) will be imposed and to inform the individual accordingly.

If a large amount of information is sought, the employer must inform the individual:

  • If an extension of time is required; and
  • Of the reason for the extension.

Refusals to provide personal information may be given where an exception exists, or where the information is “evaluative material”.

“Evaluative material” is information compiled solely for the purpose of determining the suitability, eligibility, or qualifications of the individual to whom the material relates:

  • For employment or for appointment to office;
  • For promotion in employment or office or for continuance in employment or office; or
  • For removal from employment or office.

Case example: Employee requested personal information

A man asked his former employer for access to personal information that was kept on his file. The employer didn’t reply to his request, although when the Privacy Commissioner investigated, the employer did provide some of the information. This was around 9 months after the request.
Because the employer failed to tell the man within 20 working days whether or not they would grant his request, the Commission felt that the request was deemed to be refused.

There was material that the employer continued to withhold from the man. One type of material was notes of interviews carried out by the employer following allegations of sexual harassment against the man. The Commissioner was satisfied that this material was evaluative, that it was obtained under a promise of confidentiality and that, by releasing it to the man, that promise would be broken.

There was discussion, however, about the fact that the employer could only withhold the information if it had been “supplied” to it. The Commissioner referred to a Tribunal decision which had addressed the issue of whether evaluative material provided by employees to their employer constituted “supply”. The Tribunal had concluded that it would constitute supply, but only if providing the material was over and above what the employee would normally be required to do in the course of their duties.

In this case, the employees who had been interviewed were factory workers (not supervisors reporting on the employee’s performance), and the Commissioner was satisfied that the employer had the right to withhold this information.

There were also some internal communications about the sexual harassment allegations and investigation. Some of this information had been released in other documents and didn’t identify the people interviewed, so would not have breached the promise of confidentiality. The Commissioner felt this information should have been given to the man.

Case note 73850 [2004], Office of the Privacy Commissioner.

We welcome your feedback

Hi there! We want to make this site as good as it can for you, the user. Please tell us what you would like to do differently and we will do our best to accommodate!

We've updated our Privacy Statement, before you continue. please read our new Privacy Statement and familiarise yourself with the terms.