Organisations sometimes get it wrong when they respond to a person’s request for their personal information. Information is sometimes lost, displaced or accidentally deleted. A recent privacy case dealt with by the Human Rights Review Tribunal considers when an organisation can call it quits when it comes to searching for personal information in responding to an access request.

In Yiasoumi v Attorney General [2017] NZHRRT12, Police were accused of breaching an individual’s privacy by concealing requested information.

Police investigation

The case unfolded when police officers arriving at a callout in a Wellington suburb in April 2013 found a man suffering from serious injuries. The victim, Yiasoumi Yiasoumi, was the landlord of the residential property where the attack took place. He told police officers he was visiting the address when he was set upon by unknown assailants who, without provocation, beat, kicked and choked him until he lost consciousness.

Mr Yiasoumi was accompanied to hospital by one of the police officers in an ambulance. Using his Police issued iPhone, the officer took four photos of the scene of the attack and, later at the hospital, two of Mr Yiasoumi’s heavily bandaged face. The officer who took the photos did not attach the ones of the victim’s injuries to the investigation file. Instead he stored them in his personal file in the system’s shared drive.

In an interview a few weeks later at the Lower Hutt Police Station, Mr Yiasoumi was informed Police had obtained CCTV footage of the incident and in it he was shown damaging the tyres of a vehicle owned by one of the people thought to be responsible for attacking him.

The detective in charge of the investigation told Mr Yiasoumi that Police could proceed with an assault complaint against one of the people but Mr Yiasoumi would also face charges of criminal damage. Faced with this dilemma, Mr Yiasoumi chose not to proceed with charges and did not make a statement. Police then closed the file.

But Mr Yiasoumi continued to be unhappy with the decision to close the case. One year and four months later, he made a request for the two photos of his injured face. He accused the detective in charge of creating a fictitious police report and concealing the photographs to prevent their use in an intended private prosecution against the officer for perverting the course of justice.

Police told Mr Yiasoumi they couldn’t comply with the request because staff were unable to find the photos in their File Management Centre, which is housed in Palmerston North. Mr Yiasoumi complained to the Privacy Commissioner that Police had breached his privacy by declining his access request and subsequently took his case to the Human Rights Review Tribunal.

Our investigation

In our investigation, we concluded there had been no breach of the Privacy Act because Police could not provide something they could not find - as set out in section 29(2)(b) of the Privacy Act. In hearing the case anew, the Tribunal also had to decide if Police had breached the Act in declining the request.  

Nevertheless, Police continued their inquiry into the question of whether photos had been taken at the hospital. When Mr Yiasoumi explained the photos had been taken by the uniformed police officer who accompanied him in ambulance, the photos were tracked down to the officer’s personal folder. Police explained they had no ability to search across such folders. As a result, due to human error, the File Management Centre did not have a record of the photos.

Tribunal decision

In its decision, the Human Rights Review Tribunal referred to Geary v Accident Compensation Corporation whereby in relying on section 29(2)(b), an agency must show that it made reasonable attempts to find the information. That search must not only be a reasonable one but also thorough and intelligent rather than mechanical.

The Tribunal concluded that section 29(2)(b) did not require an agency to apply unlimited resources to locate the requested information. While Police did carry out an exhaustive inquiry into the photographs, the Tribunal said a ‘no stone unturned’ inquiry is not the standard set by the Privacy Act.

Police were justified in refusing Mr Yiasoumi’s request under section 29(2)(b) on the grounds the information requested did not exist, or could not at the time be found. The Tribunal concluded there had been no interference with Mr Yiasoumi’s privacy. However, as a footnote, once the photos were eventually found, they were sent to Mr Yiasoumi.

When making a request

This case demonstrates the importance of being specific and giving context to your request. Agencies don’t have to expend unlimited resources looking for something - even when the request is really important to the individual. When making an access request, remember to:

• be concise
• give context
• give details of who was involved and where you think they might have put the information; and
• if appropriate, give reasons why you need the information.

Image credit: Creative Commons Licence via Pixabay

IPP6 - access, Human Rights Review Tribunal, law enforcement