The problem – ignorance about the Privacy Act 1993
For many lawyers and other professionals the implications of the Privacy Act 1993 are scarcely “top of mind,” or particularly well-known and well-understood. Briefly, the Privacy Act controls how what are called “agencies” in the Act collect, use, disclose, store and give access to “personal information.” An “agency” is “any person or body of persons, whether corporate or unincorporate, and whether in the public sector or in the private sector …” so the Act clearly covers incorporated and unincorporated societies and charities.
In response to my request for topics for this series of articles, a staff member at the Privacy Commissioner’s office advised me that they receive a number of complaints about how small organisations like charities and societies handle privacy issues such as requests for personal information. Such privacy issues usually arise in the context of disputes between members, or between the committee and members. As is normal with most community organisations, the committee and officers are usually volunteers and don’t know what to do and make a mess of things.
Clearly, knowing about the Act and what to do about privacy issues should save a great deal of time, anguish and stress.
So what is “personal information” under the Privacy Act?
Anything about an identifiable, living human being is personal information, and it doesn’t have to be in any way sensitive or “private.” For societies and charities personal information may include information about members and former members (name, home, postal and email addresses and phone numbers, offices held, awards, skills, references, and photographs), but also information about individuals other than members who may have been assisted or trained by the organisation. That information may be held in membership registers, meeting minutes, written and electronic correspondence, newsletters, websites, etc.
Societies will also hold other types of information such as financial accounts, policies and so on, which are not personal information and so are not covered by the Privacy Act.
Does the information need to be collected and held?
Under Privacy Principle 1 in the Act, an agency such as a society can only collect information for a lawful purpose connected with a function or activity of the agency, and only if such collection is necessary for that lawful purpose. The best advice is that organisations should collect only the information they truly need.
Societies registered under the Incorporated Societies Act 1908 are obliged by section 22 to maintain a register of members including “the names and addresses of the members, and the dates when they became members.” Collecting that information is clearly “necessary,” and will similarly be necessary for charities incorporated under the Charitable Trusts Act and also for unincorporated entities. That type of information covers the basics to send out membership renewal notices, newsletters and the like, and to compile a membership contact list. The organisation may need far more information; for instance, if it is providing training funded by the Government considerable information will be collected, including the dates of birth of trainees.
Making people aware that information is being collected, and keeping it accurate
Information should (under Privacy Principle 2) be collected from each individual, who should be told that the information is being collected, why the organisation needs the information and what will be done with it, to whom the information may be disclosed outside the organisation, whether the person is obliged to provide the information and any consequences of not providing it, and that the individual has the right to access and correct the information.
Some people have good reasons for wanting or needing to protect their privacy, such as safety, ill-health, avoidance of harassment, past experience, etc. When information is being collected from people it is good practice to include an “opt-out” provision to allow people the option to have personal information kept private.
Under Privacy Principle 8, an organisation must not use personal information without first taking reasonable steps to ensure that it is “accurate, up to date, complete, relevant, and not misleading.” A common way for a society to ensure that it has accurate information is to use annual subscription notices to encourage members to check their details and send in corrections, updates, or changes of address. Under Privacy Principle 7 people are entitled to request the correction of information held.
Storing and protecting personal information
Societies and charities must ensure, under Privacy Principle 5, that the information is “protected, by such security safeguards as it is reasonable in the circumstances to take” from misuse, including loss and “access, use, modification, or disclosure, except with the authority of the agency that holds the information.” That might include adopting levels of access available to different people (for instance, dates of birth might only be available to those whose tasks require access to that information).
When records are put out with rubbish or are on old computers, any personal information must be protected from accidental disclosure. Some statutes and contracts may require some information to be kept for minimum periods, but otherwise personal information should be removed from an organisation’s records as soon as the need for the information to be retained expires (Privacy Principle 9).
To ensure compliance with the Privacy Act and Principles, it is good practice to have at least one person in an organisation familiar with the application of their requirements for that organisation.
Using personal information
If private information is used after informing the individuals concerned that this may or will occur, little difficulty should arise. However, unauthorised use may cause problems – for instance, using or disclosing private information (including a photograph) to:
- Publicise an organisation’s activities,
- An external provider of goods or services,
- A sponsor or funder of the organisation, and
- Members who then provide it to someone else.
Individuals’ access to personal information
Generally speaking, individuals are entitled to know what information an organisation holds about them. However, they can only access information about themselves, not other people (which may require some editing of information disclosed), the release of information might sometimes result in an unjustified breach of another person’s privacy, and in employment situations confidential references can usually be withheld. Sometimes the provisions of an organisation’s constitution and the Privacy Act and Principles may need to be compared, as members may have rights under the constitution to more information than might otherwise be permissible.
Especially where a complaint has been made about a member of an organisation it is important that any requests for access to personal information are promptly and properly handled.
Getting assistance on privacy issues
An article like this can only skim the surface of a topic which is not easy to understand. The Privacy Commissioner’s website www.privacy.org.nz contains a wealth of information, with specific guidance to societies and charities. The Privacy Commissioner’s office provides training for privacy officers and has an enquiries service to provide general advice but not advice about specific problems (call 0800803909 or Auckland 09 3028655, or email firstname.lastname@example.org). Complaints can also be made to the Privacy Commissioner about possible breaches of the Privacy Act or its Principles.