Office of the Privacy Commissioner | Case Note 208123 [2010] NZ PrivCmr 12: Woman wants to know names of Police officers who accessed her records
A woman wrote to the Police and requested the names of Police employees who had accessed her file over the past five years. The woman also requested the dates and times when her file had been accessed. The woman had concerns that particular officers may have accessed her information inappropriately.
The Police told the woman the number of employees who had accessed her file but refused to provide the names of employees, or dates and times, under grounds in the Official Information Act.
In discussions with the Office of the Ombudsmen we decided that the names of employees who may have accessed the woman's file were personal information about her. A record of the employee's name only existed because they had contact with, or a possible interest in, the woman. The woman's request for this information was therefore a request for personal information under principle 6 of the Privacy Act.
Principle 6
This principle provides that an individual is entitled to request access to personal information about them held by an agency. However, an agency may refuse access for the reasons set out in sections 27-29 of the Act.
The Police relied on section 27(1)(c) of the Privacy Act to withhold this information. This section provides that an agency may refuse to disclose information if disclosure would be likely to prejudice the maintenance of the law, including the prevention, investigation, and detection of offences.
To withhold information under section 27, an agency has to show that release of the information would be 'likely' to damage one of the interests protected in that section. This is not a particularly high threshold. An agency has only to prove that there is a real risk to the interest, or a distinct or significant possibility that the interest could be damaged by release.
Police advised us that during the time specified by the woman, she had several interactions with the Police, including a prosecution and conviction; and reports of burglary and theft. This background indicated that Police had legitimate reasons to access the woman's record. In this case, we agreed with the Police that releasing details of officers who had accessed the woman's file would be likely to prejudice the maintenance of the law. This is because that information may indicate when the Police had cause to be interested in an individual's movements or behaviour (even if accessing the file did not result in action by the Police).
If an individual knows when their record has been accessed and who has accessed it, this may result in that individual changing their behaviour. Consequently this could impair the ability of the Police to detect and prevent offences.
It was our view that the Police, in this case, could withhold the information under section 27(1)(c).
However, the woman's complaint was more concerned with the possibility that a Police officer had inappropriately accessed her file. This raised the issue of employee browsing.
Principle 5
This principle provides that an agency that holds personal information should ensure it is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, access or disclosure.
Concerns about employees accessing an individual's file without proper authority or reason can often be dealt with under principle 5.
The Police said if the woman provided the name of the officer or officers the woman suspected of inappropriately accessing her record, they would investigate the matter. However, the woman refused to do so.
We considered that in the circumstances it was reasonable for the Police to ask the woman to provide more information. This would have allowed the Police to look into any specific incidents that could raise employee browsing issues. This was a practical way to determine if her file had been accessed inappropriately.
As the woman declined to provide Police with further details there was nothing further that we could assist with and the file was closed.
June 2010
Access to personal information - Police - names of officers who had accessed file - withheld to prevent prejudice to maintenance of law - Privacy Act 1993, principle 6, section 27(1)(c)
Security of personal information - Police - allegations of employee browsing - reasonable offer to resolve - Privacy Act 1993, principle 5