Legal Updates

Responding to Employee Privacy Requests

A Practical Guide for Employers


If you’re an employer, you may at some point receive a request from an employee, or ex-employee, asking to access the personal information you hold about them. These requests are made under the Privacy Act 2020 (“Privacy Act”), which governs the collection, holding, use and disclosure of personal information.

Whilst the Employment Relations Act 2000 has its own general information disclosure principles, governed by the parties’ ‘good faith obligations’, those provisions do not affect or limit an employer’s obligations under the Privacy Act. Employers therefore need to navigate both legislative frameworks to ensure compliance.

Receiving a privacy request may feel daunting, but responding properly is typically straightforward once you understand your responsibilities. 

What is a Privacy Act Request?

A Privacy Act request is a way for someone to check what personal information an organisation holds about them. This might include things like:

  • Employment records, such as employment agreements or contractor agreements.
  • Performance reviews or feedback.
  • Wage and leave records.
  • Notes from disciplinary meetings or investigations.
  • Emails or other communications that include their personal information.

“Personal Information” means information about an identifiable individual. This doesn’t just mean obvious facts like their name or phone number. It includes any information that relates to the person, such as opinions about their work, salary details, or even photos and recordings. For example, if you hold a file note about an employee’s punctuality or attitude, that note counts as personal information.

However, not all communication sent or received by the requester will be considered ‘personal information’. For example, if X sends a message to Y asking them to do Z, the message is not about X, as it conveys no information about them. It may, however, contain information about Y, as Y has been assigned a task.

What Should You Do When You Receive a Request?

1. Take it seriously and act promptly

When you receive a request, it’s important to acknowledge it and start the process promptly. Under the Privacy Act, you must respond as soon as reasonably practicable – and no later than 20 working days after receiving the request. The response must indicate whether you hold the information and, if so, whether you will provide it.

If you need more time (for example, because the request is complex, involves a large volume of information, or requires consultation with others before a decision can be made), you can extend this timeframe. In doing so, be sure to let the requester know:

  • the period of the extension;
  • the reasons for the extension; and
  • that they can make a complaint to the Privacy Commissioner about the extension.

2. Confirm the scope of the request

Make sure you understand exactly what information the requester is asking for. Sometimes, requests can be broad or vague, so clarifying the details can help you gather the right information without delay or unnecessary additional work outside the scope of what the requester has sought.

3. Gather the relevant information

Collect all the requested personal information you hold about the requester. This could be in digital files, paper documents, Teams (or equivalent) correspondence, or emails. Remember, personal information is not limited to formal HR files or documents; it is any information you hold about the person, wherever it sits.

4. Review the information carefully

Before handing over the information, check whether it includes:

  • details that may impact someone else’s privacy;
  • commercially sensitive information; or
  • information that could cause serious harm if released.

In some cases, you may be entitled to withhold or redact parts of the information to protect others’ rights, but this should only be done if justified under the Privacy Act.

5. Provide the information in a clear and accessible format

The employee should receive the information in a way that’s easy to understand. Avoid excessive jargon or technical language. If necessary, provide explanations or context to help them make sense of the information they are receiving.

What if the Request Seems Unreasonable?

Sometimes, a request may be:

  • Frivolous or vexatious - the request is made without serious purpose, perhaps by an ex-employee just to annoy or harass you.
  • Trivial - the information requested is insignificant or unimportant. Using the earlier example, if Y makes a request for the message they received from X, this may be considered trivial if it contains no meaningful personal information.

Under section 53 of the Privacy Act, you can limit or refuse these kinds of requests. For example, if an employee repeatedly requests the same trivial information, or asks for documents unrelated to them without a clear reason, you may not have to provide it. If you do refuse, tell the requester the reason for the refusal and that they can make a complaint to the Privacy Commissioner about it.

Other reasons for refusal to provide information include that the information in question doesn’t exist, it would involve unwarranted disclosure of the affairs of another individual, or it would breach legal professional privilege.

Practical Tips for Employers

  • Record keeping: Maintain up-to-date employee records. This will make responding to requests faster and less stressful.
  • Training: Ensure HR staff and managers know about the Privacy Act requirements and how to spot a request for personal information (a request doesn’t have to state it is being made under the Privacy Act to qualify as one).
  • Communication: When acknowledging the request, explain what the process will involve, how long it might take, and a contact person for any questions.
  • Protect privacy: Always keep confidentiality in mind. Sharing information beyond what is requested or necessary can lead to privacy breaches.
  • Documentation: Keep a record of the request, how you responded, and what information you provided. This is helpful if issues arise later.

Employers who understand their obligations under the Privacy Act are better equipped to respond efficiently and confidently to requests. Being aware of your responsibilities and implementing good privacy practices such as training and record keeping will help ensure compliance and take the worry out of the task.

Frequently Asked Questions about the Privacy Act 2020

Q. What is the legal requirement for keeping employee records?

A. In New Zealand, employers must keep accurate wage, time, holiday, and leave records for each employee for at least six years after the date they were created. These records must be easily accessible and available for inspection by the Labour Inspectorate if requested.

Q. What information can I request from my employer?

A. You can request access to any personal information your employer holds about you, including your employment agreement, performance reviews, pay records, and any notes or correspondence related to your employment. Under the Privacy Act 2020, your employer must provide this information as soon as reasonably practicable (and no later than 20 working days after receiving the request) unless there’s a lawful reason to withhold it.

Q. How long do I need to keep employee records in NZ?

A. In New Zealand, employers are legally required to keep wage, time, holiday, and leave records for at least six years after they are created. This ensures compliance with the Employment Relations Act 2000 and Holidays Act 2003, and allows Labour Inspectors to review them if necessary.

Q. Who can access employment records?

A. Employment records can be accessed by the employee themselves, their employer, and authorised officials such as Labour Inspectors from the Ministry of Business, Innovation and Employment (MBIE). These records must be kept confidential and only shared with others if the employee consents or if required by law.

If you are seeking advice about the Privacy Act 2020 or employment related issues, please do not hesitate to contact our employment experts, Jaesen Sumner or Maisie Guy, for more information: jaesen@fsl.nz and maisie@fsl.nz