Let’s recap. The Privacy Act gives people the right to access their information. And when a person requests their information, the organisation or business must respond to the request within 20 working days.

But here’s the trap. Sometimes an organisation refuses to comply with the request because it wants proof that a person is who they say they are. These cases come to us from time to time. We thought it would be helpful to explain why an organisation needs to be able to verify a person’s identity – and how this can delay the process.

Firstly, it says so in the Privacy Act. Section 45 says when an agency receives an information privacy request, it must take steps to verify the identity of the requester, or the agent who is acting for the requester.

Police case

In a recent case, a person complained to us that it was unreasonable that Police ask for photo ID in order to comply with an access request. We said we considered Police’s policy of requiring photo ID an acceptable way of complying with its obligations under section 45 of the Act. We agreed with Police that the purpose of photo ID was to satisfy the officer receiving the access request that the requester was who they claimed to be. Photographic identification was the quickest and most accurate means of confirming the identity of a person.     

Hospital case

In another case, a woman requested a copy of her file from a hospital. The hospital told her they had their file ready, but they would not send it until she had completed a form – despite her having sent her details, a copy of her driver’s licence and a copy of her name change certificate. She was also told that her signature would be required.

The woman believed the hospital’s refusal to send her information until it had received a completed form was an unnecessary step causing undue delay. We contacted the hospital and were told the hospital had advised the woman it needed the completed form in order to ensure there was a record of her request.

Our view was that an agency is entitled to set its own administrative process to ensure appropriate records are kept of requests for information, and it is required under the Act to adopt appropriate measures to ensure that information intended for a person is only received by that person. An agency asking a person to complete and sign a form to ensure compliance with its internal administrative requirements does not appear to raise any issues under the Privacy Act.

Government case

In a third case, a New Zealander living in another country emailed a request to a New Zealand government agency asking for all the information it held about her. She received a reply that her information was ready to be sent to her but it could only be delivered by registered mail and only after the woman confirmed in an email that she would not hold the government agency liable or responsible if the information was signed for an opened by another party at her address.

We contacted the agency concerned and listened to its explanation that it just wanted to ensure the information was sent to the right person because the nature of the information it dealt with was very sensitive. It checked a requestor’s ID carefully before any information was handed over and was cautious in mailing the information out, so we thought that was fair enough.

Risk averse

It is understandable many organisations are risk averse in responding to requests for personal information. Responding to access requests is an obligation that every organisation has to meet but we’ve seen many examples where organisations haven’t made the necessary checks. These incidents are frequently reported in the news media and they make organisations gun shy. The Privacy Act also says organisations have to keep personal information safe, and, as we see from these examples, that has to be balanced with making it accessible to the right person.

Image credit: Fingerprint via Pixabay (Creative Commons)

complaints, IPP6 - access