Personal Information Request Procedures
These procedures apply to all University members who may receive and/or manage a personal information request (PIR) from a data subject.
Note - ‘Data subject’ is the global term for the individual to whom personal information relates. The Privacy Act 2020 uses the term ‘individual concerned’.
Every data subject, or their authorised representative, has the right to request a copy of the personal information the University holds about them (Principle 6 of the Privacy Act 2020), or to ask the University to correct their personal information if they think it is wrong (Principle 7 of the Privacy Act 2020). This procedure sets out the process for managing these requests to ensure that PIRs are managed in compliance with the Privacy Act 2020.
There is a presumption that the University will release to a data subject the personal information it holds about them. While personal information may be withheld in some cases – for example if releasing it to the data subject could breach legal privilege – it should be withheld only where absolutely necessary. We must be as open and transparent as possible with a requester.
Part 4 of the Privacy Act 2020 contains strict procedural requirements that the University must comply with when managing PIRs, including timeframes. A breach of these procedural requirements could lead to an automatic interference with the privacy of the data subject.
Most of the procedures set out below – and in particular the timeframes – relate to both access and correction requests. However, there is some additional guidance at items 14 and 15 about managing correction requests.
Receiving and verifying
1. Recognise the request – A PIR can be made in any form, such as a letter, an email or by phone. It does not matter if the data subject does not mention the Privacy Act. As long as the request relates to their own information, the Privacy Act, and this procedure, applies.
Note: By contrast, where a person or agency makes a request for information about someone else, or information that is not personal information, then this is an Official Information Act request, and a different procedure applies.
2. Remember the timeframe – Start the clock as soon as the request is received. A PIR must be responded to as soon as reasonably practicable and no later than 20 working days after the day it was received. Use this calculator to work out when the response is due.
3. Assist the data subject – Where required, assistance must be given to a data subject, to make sure it is clear what information the data subject is requesting or correcting. The data subject may be asked to complete the PIR Form.
It should be noted however, that a data subject has the right to request all the personal information the University holds about them, and the request cannot be refused on the basis that the data subject refuses to narrow it down.
4. Verify the requester – If the data subject is not using a recognised email address, or is making the request orally, their identity will need to be verified. Data subjects can appoint a representative to make a request on their behalf and it is best practice to see a written authority from the data subject.
5. Escalate the request – If the request is complex, relates to a substantial amount of personal information, or has been made in the context of a sensitive process (such as an employment dispute or student complaint), then it should be escalated to the line manager and/or Privacy Officer.
Collating and deciding
6. Locate and collate the information – Ensure that a complete search of all systems – including local systems of relevant staff (such as desktops or email accounts) – is conducted, particularly where a data subject has requested all the personal information the University holds about them.
7. Transfer the request – Where no personal information is held about the data subject, but it is clear which agency does hold the information, the request must be transferred to this other agency within 10 working days. The data subject must be informed of this.
8. Decide what to release – There is a presumption that the University will release personal information to the data subject. However, it may occasionally be necessary to withhold information or refuse a request. Information may only be withheld under a withholding ground set out in sections 49 – 53 of the Privacy Act 2020. Any decisions to withhold personal information requested must be approved by the Privacy Officer. We have an obligation not to release information if we have reasonable grounds to believe that the request was made under the threat of physical or mental harm.
Responding and releasing
9. Respond to the data subject – Once a decision has been made on the request, this needs to be conveyed to the data subject as soon as possible and within 20 working days. This response must outline what information will be released and what is being withheld, if anything, along with an explanation of the relevant withholding ground. If the response is to a correction request, it must outline whether or not the correction has been made and the reason for a refusal.
Note: Personal information does not need to be released at the same time as the response is given, though in practice it usually is. Once a decision has been conveyed, the information must be released without undue delay. A response is required even if no information is held about the data subject.
10. Delay – Where the circumstances are such that it may take longer than 20 working days to decide on the request (for example, if the request is for a significant amount of information or wide consultation is required to make a decision on it), the data subject must be informed of this within the 20 working day timeframe. The data subject must be provided with an explanation for the delay and must be informed that they may complain to the Privacy Commissioner about it. Any extension of time must be reasonable.
11. Release the information – The information must then be released without undue delay (if it has not already been released at the same time as the response was provided). This essentially means the information should be released as soon as possible. If there is likely to be a delay in releasing the information, this needs to be explained to the data subject.
12. Urgency – A data subject is entitled to make a request under urgency if they have good reason to do so (for example, if they need the information for court proceedings or an immigration issue). In this case, the request must be processed and responded to more quickly if this is reasonably practicable.
13. Decide whether to correct – The right to correct personal information is not absolute. Where there is a clear error (for example, the wrong address or date of birth), then a correction is appropriate. However, where a data subject seeks to correct an opinion, this can be more difficult.
14. If a correction is not appropriate, then the data subject has the right to request that the University attach the correction request to the disputed information (this is called a “statement of correction”).
15. Informing people about the correction – Where personal information has been corrected, or a statement of correction has been added to the disputed information, the University must provide the data subject with a copy of this (at the same time as the response set out at item 10). Any person or agency to whom the information was previously disclosed must also be informed that it has been corrected.
The following definitions apply to this document:
Data subject means any natural person about whom the University collects and holds personal information and includes students, staff members, contractors, alumni and friends, donors, and visitors to the University’s websites or campuses.
Personal information means any information, whether electronic or hard copy, about a data subject, whether or not the information directly identifies the data subject, and includes but is not limited to contact, demographic, health and academic information (including course results), CCTV footage, staff performance information, emails and other correspondence, and opinions about the data subject.
Personal information request means a request (in any form) from a data subject, or their authorised representative, for a copy of the personal information the University holds about them, or to ask the University to correct their personal information if they think it is wrong.
University means the University of Auckland and includes all subsidiaries.
University member includes members of Council, committee members, staff, committee appointees, the University’s companies’ staff and board members and contractors working for and on behalf of the University and, for the purposes of this procedure, includes students who collect or process personal information in the course of their studies or research, or who are otherwise permitted access to personal information held by the University.
Key relevant documents
Include the following:
- Health Information Privacy Code 2020
- Official Information Act 1982
- Privacy Act 2020
- Disclosure of Personal Information Procedures
- Employee Privacy Statement
- Privacy Centre
- Privacy Statement
- Personal Information Request Form
- Privacy Breach Reporting Form
- Privacy Impact Assessment Checklist
Document management and control
Content manager: General Counsel and Privacy Officer
Approved by: Vice-Chancellor
Date approved: 10 November 2020
Review date: 10 November 2023