Another case note from the New Zealand Privacy Commissioner’s Office:
A woman made a request to a health agency for the access logs of her records. She said she was worried about people looking at her file who shouldn’t be doing so (employee browsing). The agency released the access log to the woman with the position titles of everyone who had looked at her file, and the dates of access, but withheld the names of the individual employees.
The woman sought a review of the agency’s decision to withhold the names of the employees from the access logs.
In her complaint, the woman sought an access log for her records for a specified timeframe. The agency released an access log with only the positions of the employees and the dates they had accessed the woman’s records.
The agency withheld the names of the employees on the grounds that disclosure would create a significant likelihood of serious harassment of the employees (section 49(1)(a)(ii) of the Privacy Act 2020).
This complaint raised issues under rule 6 of the Health Information Privacy Code 2020. Rule 6 of the Code mirrors principle 6 (but for health information held by a health agency) and states an individual is entitled to access health information that an agency holds about them unless a withholding ground contained in sections 49-53 of the Privacy Act 2020 applies.
Under section 49(1)(a)(ii) of the Act, an agency may refuse access to personal information requested if disclosure of the information would create a significant likelihood of serious harassment of an individual. This is a new withholding ground in the 2020 Act and implemented a recommendation by the Law Commission that agencies be allowed to refuse access in situations where the information may be used “to make repeated, unwanted contact with individuals in ways that fall short of posing a physical danger to those individuals, but that seriously detract from their quality of life.” Review of the Privacy Act 1993 (NZLC R123, 2011) at [3.76 – 3.78] and [R23].
For an agency to rely on this ground, it will have to meet two requirements: the likelihood of harassment created by disclosure must be significant, and this likely harassment would be serious. On the definition of harassment, our Office was guided by the Harassment Act 1997, specifically sections 3 and 4 of the Act which define harassment as a “pattern of behaviour directed against that other person that includes doing any “specified act” to the other person on at least two separate occasions within a 12 month period.”
Read more of the Commissioner’s analysis and comments on their web site.