Peaking at Privacy
General / 25 June 2016
By Lucia Vincent and Rebecca Laney
Privacy concerns present themselves in many different ways to an employer or payroll professional who may receive requests for information about their staff or payroll. Requests range from a friend wanting a personal contact number to a company seeking verification of specific details like an employee’s bank account, position and remuneration. Too readily complying with such requests can pose problems. Taking a look at what laws protect privacy helps avoid the pitfalls when responding.
Parliament enacted the Privacy Act 1993 (Act) to protect and promote individual privacy. The Act sets out 12 important principles that employers must observe when it comes to collecting, using, storing and disclosing the personal information of staff. Personal information means information relating to an identifiable individual. Obvious examples are details for contacting someone or their date of birth, pay rates and employment history.
The Act applies to all agencies including most employers and payroll professionals working for or even independently of an employer. Any person employed or otherwise in the service of an agency acts on behalf of the agency when performing the duties of their employment. So if an employee discloses information about an individual, their employer will be treated as having disclosed it. Similarly, if an employee knows information about someone, then their employer is deemed to also know and hold that information (unless the employee holds that information solely due to their connections with another agency).
It’s the Principle of It
Twelve information privacy principles govern what an agency can and can’t do when it comes to personal information.
Principles 1 to 4 govern why, where and how an agency may collect personal information. Specifically, an agency must collect information fairly, lawfully and without unreasonably intruding into an individual’s personal affairs. An agency must collect information directly from the individual unless an exception applies (such as if the information is publicly available or the individual authorises collection from someone else). Collection must relate only to a necessary and lawful purpose connected to an agency’s function. When collecting information an agency must ensure prior to collecting it that the individual is aware of this fact, the reason for collecting the information, any applicable law, who will receive and hold it, any consequences of non disclosure, and the individual’s right to access and correct it. Exceptions may apply including where complying would prejudice the maintenance of the law.
Principles 5 and 9 relate to storage, protection and retention of personal information. An agency must put in place reasonable safeguards to protect against unauthorised or unlawful loss, access, use, modification, disclosure and/or misuse. Principle 6 establishes that an individual is entitled to obtain and access their personal information if it is readily available (and to be advised that they can correct it in accordance with Principle 7 and the various guidelines within that principle). Principle 8 requires an agency to take reasonable steps to ensure information is accurate, up to date, complete, relevant and not misleading, before using it. Principle 9 limits how long and for what purpose an agency may store personal information.
Principles 10 and 11 govern the use and disclosure of the information. For example, an agency should only use personal information for the purpose it obtained it, unless the agency believes on reasonable grounds that the information is publicly available, the individual authorised it, or an exception applies. Disclosure is allowed on very similar terms under Principle 11. Disclosure is ok if it is in relation to the purpose for which an agency obtained it, the information is public, it is to or authorised by the individual concerned, or if it is defined as being necessary under the Act. Lastly principle 12 relates to unique identifiers and their assignment.
An individual may direct any information privacy request to an agency. An agency must respond as soon as reasonably practicably and no later than 20 working days as to whether they will grant the request. Every agency must give reasonable assistance to an individual who wishes to make a request, even directing them to the appropriate agency.
Any refusals must be based on good reasons (like being necessary to protect national security or trade secrets). More common grounds include that disclosure would involve the unwarranted disclosure of the affairs of another individual, relate to evaluative material (such as a confidential reference supplied to a prospective employer), or because the information does not exist or cannot be found. Refusals cannot be made for reasons not specified by the Act.
Employment and Privacy
The principles set out in the Act are not directly enforceable in the Employment jurisdiction. But the Employment Court or Employment Relations Authority will consider the Act when assessing what a fair and reasonable employer would do. In NZ Amalgamated Engineering Printing and Manufacturing Union Inc v Air New Zealand Ltd  1 ERNZ 614 (EmpC) the Employment Court confirmed that it had no jurisdiction to determine whether interference with the privacy of an individual had occurred. Similarly, in New Zealand Public Services Assoc Inc v Southland Regional Council  ERNZ 1008 (EmpC) the Employment Court found that although the Employment Relations Authority did not have jurisdiction to determine whether there was a breach of the Act or its principles it “…can and will in this case inform the Court’s interpretation of other legislative provisions and, in other cases, what is reasonable in employment” (12).
But don’t take this to mean that privacy concerns trump any other rights or obligations. In Vice-Chancellor of Massey University v Wrigley  NZEmpC 37 the Employment Court considered whether potentially breaching the privacy of an individual might provide a good reason to refuse to provide information to an employee where it was relevant to a proposed decision to select them for redundancy (required under the duty of good faith). The Court concluded that it did not.
The Act empowers the Privacy Commissioner to monitor the Act and in particular the use of personal information. Under the Act the Commissioner has the power to issue specific codes of practice that can modify the privacy principles in relation to classes of agency, industry or profession.
An individual alleging that an agency has interfered with their privacy may complain to the Privacy Commissioner who may choose to investigate, conciliate and/or take further action as it considers appropriate. If escalated to the Human Rights Review Tribunal, monetary damages can be awarded against an offending agency.
An agency may be held to have interfered with the privacy of an individual if the action breached a privacy principle and has or may have caused an individual loss, detriment, damage or injury, adversely affected their rights, benefits, privileges, obligations or interests, or resulted in significant humiliation, loss of dignity or injury to their feelings. This threshold is quite high when compared with the objectively fair and reasonable standard an employer may be held to have breached under the Employment Relations Act 2000, and that could justify remedies for “… humiliation, loss of dignity, and injury to the feelings of the employee,” without “significant” evidence of same being required.
Got the Message?
In Case Note 215508  NZ Priv Cmr 5 a woman complained that a debt collector interfered with her privacy when they contacted her workplace and left a message with a workmate who recorded it in a note and placed it on a notice board that staff could read. The Commissioner noted that under principle 11 an agency which holds personal information must not disclose that information unless it believes, on reasonable grounds, that an exception applies. Although the debt collector professed a belief that it had not disclosed any personal information about the individual involved (because it did not discuss the nature of the call, any financial details, nor any previous history during the conversation with the workmate), the Commissioner disagreed and said that it:
“… considered that even disclosing the name of the agency in relation to its dealings with the woman constituted personal information about her. This was on the basis that the name of the agency could easily be associated with debt collection services. It was clear from the information provided by the woman that her workmates had made this association in this case.”
The agency eventually accepted the settlement proposed by the individual and reminded its employees that they should make sure they were speaking to the person they were trying to contact before using the company’s name.
Going back to our opening example, one can easily see how an employer or payroll professional could breach privacy principles by indiscriminately supplying a personal contact number for their staff or details about an employee’s bank account, position and remuneration. But breaches may also occur by failing to provide access to personal information where an individual requests it. Carefully considering how to respond becomes crucial when faced with such requests.
All agencies, including employers and payroll professionals, must respond responsibly to requests for information made by someone apart from the individual concerned. If in doubt, check with the individual and obtain their written agreement before releasing any information. Being overly cooperative can be costly, not only due to damages or settlements if found to have interfered with an individual’s privacy, but also in terms of your organisation’s reputation.
We remind you that while this article provides commentary on employment law topics, it should not be used as a substitute for legal or professional advice for specific situations. Please seek guidance from your employment lawyer for any questions specific to your workplace.
First published in Pay And You (PAY) – Issue 4, June 2013