Respond to personal information request
Overview
A personal information request, (also known as a Privacy Act request), is a query from a person
asking for information about themselves that is held by an organisation.
Note: The person requesting information does not need to reference the Privacy Act in their
request.
This process sets out how to respond to a personal information request, outlining the roles and
responsibilities, and providing guidance about what to consider at each step of the process.
Background
The purpose of the Privacy Act 1993 is to promote and protect personal privacy. The Act imposes
rules on the ways that agencies collect, store, use, and disclose personal information. It also gives
people a legal right to have access to information about themselves, and a right to request
correction of any incorrect or misleading personal information.
Roles and responsibilities
The process is intended to highlight the best practice process for all staff and contractors working at
MBIE. As there are numerous job titles, this process uses generic role names to make it easy to
follow.
Role
Responsibilities
Receiver
•
Answer any immediate requests
•
Pass on formal personal information requests to the allocator
Allocator
•
Review and log request in tracking tool
•
Conduct initial request analysis
•
Assign request to appropriate researcher
•
Send acknowledgement to requester
Researcher
•
Identify information relevant to the person’s request
•
Review collated information to confirm it is appropriate to send
•
Organise appropriate SME, Legal and peer review and approval
•
Send response
Subject matter expert (SME)
•
Assist the researcher finding information relevant to the
request
•
Ensure information to be sent to person is factual, complete
and appropriate for the individual
Legal
•
Confirm that appropriate information is sent and/or withheld
Peer reviewer
•
Check that the response is appropriately worded, with correct
punctuation, grammar and formatting.
Approver
•
Confirm the response is appropriate
Page 1 of 19
Process map
Page 2 of 19
Business rules
These are the business rules that apply across all of MBIE.
Please note that additional business rules or procedural steps may be developed by individual
business units.
Specific Immigration NZ step-by-step instructions, business rules and practices can be found in the
INZ Toolkit.
#
Description
1
Requests for personal information must be responded to within 20 working days (this is a
legislative requirement).
2
Individuals are entitled to access and request correction to their personal information held by
MBIE, with some withholding criteria.
Note: More information about withholding information can be found in the Operational policy.
3
Staff members who receive a request for personal information must take all reasonable steps
to assist the requester – including finding the appropriate person to respond if they are unable
to help.
4
When a response is not provided within 20 working days, the responsible MBIE staff member
must report this as a privacy breach, unless an extension has been granted.
Note: If an extension is granted yet the timeframe still not met, this must also be reported as a
breach.
5
Requests by an individual for both personal information and official information will be
responded to in a single response.
6
Where a MBIE-wide response is required, Ministerial Services will be responsible for
researching and coordinating a response following this Respond to personal information
request process.
7
When an individual requests personal information and:
•
the information is easily accessed, and
•
it is part of the staff member’s business as usual role to disclose the information (either
verbally or by sending information without collation or redaction)
the staff member does not need to follow this documented Respond to personal information
request process. They do, however, need to follow the standard business rules that normally
apply to their job.
8
Requests for information that require document or information collation must follow this
Respond to personal information request process.
Page 3 of 19
A
ssess and send request to allocator
Guidance
When to use
Use this guidance to determine if a written personal information request response is required when
an individual requests personal information via one of the following mediums:
•
phone
•
face-to-face
•
mail
•
a generic MBIE email address.
Role responsible
Receiver
Steps
#
Instructions
1
How have you received this request?
If via…
then…
the contact centre
•
verify the person’s identity following
current best practices
•
go to the next step.
•
a face-to-face interaction (e.g.at a
•
attempt to verify the person’s identity
reception desk) or
(ask to see photo ID or cross-reference
•
a phone call, but you are not a trained
information already held about the
contact centre staff member
person – if possible)
•
record details of the request, explain
that you will pass this on to a team
member who can help, and that they
will respond as soon as possible within
20 working days
•
go to step 3.
post or email
go to step 3.
Page 4 of 19
# Instructions
2
Determine if a formal personal information request is required.
If the request is…
then…
very simple e.g.
•
provide the information
•
‘When did I submit my application?’
•
record details of the call in line with
•
‘What is that status of my application?’
current practices
•
this process ends.
requires further research / information
•
record details of the request, explain
collation
that you will pass this on to a team
member who can help, and that they
will respond as soon as possible within
20 working days
•
go to the next step.
3
Send the request details to the allocator:
•
in Ministerial Services, at: [email address]
•
in Immigration NZ, at either:
•
[email address] (for requests made in the North Island)
•
[email address] (for requests made in the South
Island.
Next steps
The allocator will allocate this task to the appropriate team to respond to the requester. See
guidance: Review and log request, and send acknowledgement.
Page 5 of 19
R
eview and log request, and send acknowledgement
Guidance
When to use
Use this guidance to determine if a personal information response is required, and if so, to allocate
to the appropriate person within MBIE, when:
•
you receive a request for personal information:
•
from an individual direct to you
•
via the Minister’s Office
•
via another MBIE channel (e.g. the call centre or a generic email address)
•
a researcher returns an allocated request to you as they are not the correct team to respond to
the request
•
the Minister’s Office returns a response to the Ministry requesting updates.
Role responsible
Allocator
Systems/Tools
Privacy tracking tool
Steps
#
Instructions
1
Review the request.
If the request…
then…
is new to you
•
verify the person’s identity to the best
of your ability – cross-reference
available data (e.g. name and address)
against current MBIE records
•
go to the next step.
has been returned to you by the:
•
identify the correct person to send the
•
original responder, or
request to
•
Minister’s Office, with a request to
•
update the tracking tool
update the response
•
go to step 8.
2
Confirm that MBIE should answer the request.
If the request is…
then…
frivolous / vexatious (time wasting or
call / email Legal, to request advice about
aggravating)
whether it is appropriate to decline the
Note: For a request to be frivolous or
request.
vexatious, you must have grounds for
If this decision is to… then…
believing that the requester is abusing the
respond to the
go to the next
rights granted by the legislation – no
request
step.
reasonable person would see the request
as being in good faith.
decline the request
go to step 6.
none of the above
go to the next step.
Page 6 of 19
# Instructions
3
Confirm that the request relates to personal information.
If the request is…
then…
about a living individual
go to the next step.
not about a living individual
this is an OIA request. Refer to the Respond
to OIA request process. This process ends.
has aspects of both of the above
•
this is a combination personal
information and OIA request
•
go to the next step.
4
Confirm that MBIE holds the information requested.
If the information is…
then…
•
held by MBIE or
go to the next step.
•
partially held by MBIE
not held by MBIE
you can either transfer to the appropriate
agency or notify the requester that MBIE
cannot process the request. Go to step 6.
5
Confirm that requester is legally entitled to the information.
If the request is…
then…
•
about the requester, or
go to the next step.
•
from an authorised person (including a
government agency) on behalf of an
individual
Note: Where a request is made by a person
on behalf of an individual, you will need to
ensure that the individual has authorised
the requester to obtain the information.
Refer to the Operational Policy.
not about the requester
this is an OIA request. Refer to the Respond
to OIA request process. This process ends.
6
Enter the request as either a PIR or combined PIR/OIA in your Privacy Tracking Tool, and save
the request in the new folder.
Page 7 of 19
# Instructions
7
Prepare the appropriate acknowledgement letter.
Notes:
•
If MBIE does not hold the requested information, best efforts must be made to transfer
to the correct agency.
•
MBIE may hold some of the requested information. In this situation, transfer the part of
the request to the appropriate other agency, and continue with this process.
If the request…
then…
will be answered by MBIE (either in full or
•
prepare and send acceptance letter
in part)
•
update tracking tool
•
go to the next step.
will be transferred to another agency
•
prepare and send transfer letters
•
update tracking tool
•
this process ends.
is being declined due to:
•
prepare and send decline letter,
•
the requester not being entitled to the
outlining reasons for declining
information
•
advise, where appropriate, issues with
•
insufficient authorisation in request
request, and request resubmission with
criteria met
•
MBIE not holding the information
•
update tracking tool
•
this process ends.
8
Send request to researcher who will identify all the information and prepare the response.
Next steps
The researcher will identify the personal information requested and prepare a draft response. See
guidance: Find information and draft response.
Page 8 of 19
F
ind information and draft response
Guidance
When to use
Use this guidance when you receive a personal information request via the MBIE allocator to:
•
review the request
•
gather the information required
•
draft a response
•
organise the appropriate review (legal, subject matter expert/s and peer review – as required).
Role responsible
Researcher
Before you begin
Ensure you have the original request.
Steps
#
Instructions
1
Review the request.
If you are uncertain about what the requester is asking for, contact them directly and
request they clarify what they are asking for.
If the request …
then…
clearly states the information required
go to the next step
is unclear
•
you are still required to answer to the
request to the best of your ability. It is
appropriate to contact the requester
directly to request clarification
•
go to the next step.
2
Consider the request.
If you are…
then…
the correct person to coordinate the
go to the next step.
response
not the correct person to coordinate the
•
advise the allocator that your team
response
does not hold this information.
•
they will reallocate the work
•
this guidance ends.
Page 9 of 19
# Instructions
3
Identify and collate the information required.
Note: Talk to MBIE staff members who may have been in contact with the requester.
Locations to check
Information types to look for
•
MAKO
•
official documents
•
other document management systems
•
documents not on letterhead
(if applicable)
•
draft papers or letters
•
external storage devices
•
emails
•
magnetic tapes
•
meeting minutes/notes
•
any legacy systems
•
recollections of unminuted/meetings
•
media logs
•
aide memoires
•
email system records
•
oral advice
•
information held by an agent of MBIE
doing work on its behalf (e.g. a
consultant or contractor)
4
Review the Refusing requests (in the Operational Policy) grounds to determine whether it is
appropriate to withhold all or part/s of the information.
If the withholding the information…
then…
may be appropriate
•
seek Legal advice via email:
•
Auckland Legal (for regions north
of New Plymouth)
[email address]
•
Wellington Legal (for regions south
of New Plymouth)
[email address]
•
provide hardcopy files if required
•
specify the grounds on which you think
information should be withheld.
is not appropriate
go to the next step.
5
Draft response using response letter template.
6
Determine who must review response.
If you…
then…
require subject matter expert review – i.e.
•
send to subject matter expert
to check that you what you are about to
•
once they provide feedback, update
release is accurate
the tracker and go to the next step.
do not require subject matter expert
go to the next step.
review
7
Update response (as required).
If you…
then…
•
have received legal advice, and / or
•
send the draft to Legal for review
•
wish to discuss any aspect of the
•
once they provide feedback, update
request with Legal
the tracker and go to the next step.
do not require legal feedback
go to the next step.
Page 10 of 19
# Instructions
8
Update response (as required).
Send to a colleague for peer review.
Once they provide feedback, update the tracker.
Next steps
Prepare the letter for manager approval. See guidance: Finalise response.
Page 11 of 19
R
eview response and provide advice
Guidance
When to use
Use this guidance when you receive a request from a researcher asking for assistance with a
personal information request.
Role responsible
•
Subject matter expert (business review)
•
Legal adviser (legal review)
•
Peer reviewer (sense check review)
Before you begin
Ensure you have the following:
•
the original request
•
the collated file of information (if appropriate)
•
the draft response with information to be withheld marked up, stating refusal grounds.
Steps
#
Instructions
1
Follow the steps required for your role.
If you are a…
then…
subject matter expert
go to the next step.
legal adviser
go to step 3.
peer reviewer
go to step 4.
2
Subject matter expert actions:
•
Make sure the researcher has understood what the requester has asked for.
•
Check that the information provided is complete.
•
Assess the risk of releasing the information – should anything be withheld?
•
Send your feedback to the researcher.
•
This guidance ends.
3
Legal adviser actions:
•
Review response and information file, as appropriate.
•
Assess the risk of releasing the information – should anything be withheld?
•
Send your feedback to the researcher.
•
This guidance ends.
4
Peer reviewer actions:
•
Check that the response answers the question, or provides adequate reasons for why
MBIE cannot meet the request.
•
Check that the response reads well – i.e. the grammar and punctuation are correct.
•
Check that any withheld information has been properly marked and removed.
•
Send your feedback to the researcher.
•
This guidance ends.
Page 12 of 19
N
ext steps
The researcher will update the response with your feedback. See guidance: Find information and
draft response.
Page 13 of 19
F
inalise response
Guidance
When to use
Use these guidelines when you need to prepare the final response for the approver, once it has been
reviewed by a peer reviewer.
Role responsible
Researcher
Steps
#
Instructions
1
Make any final changes to the document.
2
Send the response to the approver (this will normally be your manager).
Request that they respond in a timely manner so that the response can be sent to the
requester within the 20-working day timeframe.
3
Update the tracking tool with your actions.
Next steps
The approver will review and approve the response. See guidance: Approve response.
Page 14 of 19
A
pprove response
Guidance
When to use
Use this guidance to review a response to a personal information request and approve that it be
sent to the requester.
Role responsible
Approver
Before you begin
Ensure you have the following:
•
the original request
•
the collated file of information (if appropriate)
•
the draft response with information to be withheld marked up, stating refusal grounds
•
any legal or SME comments/advice (if provided).
Steps
#
Instructions
1
Read the original request and review the draft response.
If the response is…
then…
appropriate
go to the next step.
not appropriate
•
return the draft to the researcher, and
provide feedback about what is
required
•
this guidance ends.
2
Sign the response and advise the researcher.
Next steps
The researcher will prepare the final response to be sent to the requester. See guidance: Send
response.
Page 15 of 19
S
end response
Guidance
When to use
Use this guidance to prepare the response to send to the requester once it has been approved by
the appropriate manager.
Role responsible
Researcher
Steps
#
Instructions
1
Scan the signed document and save in MAKO.
2
Send the response to the requester, or if the initial request was via the Minister’s Office,
back to the Office.
3
Update the tracking tool.
Next steps
This process ends.
Page 16 of 19
P
ersonal information requests: Operational policy
Operational policy
Overview
This operational policy aims to support the Respond to personal information request process. It
provides extra guidance in order to assist process users make informed decisions about how to
respond to personal information requests.
Please note that branches and are welcome to add their own operational policy and business rules
relevant to how their business operates.
Sections
•
Personal information definition
•
Personal information request vs. Official Information Act request
•
Response timeframes
•
Authorised persons
•
Refusing requests
Personal information definition
A personal information request, (also known as a Privacy Act request), is a query from a person
asking for information about themselves that is held by an organisation.
Personal information request vs. Official Information Act request
The Privacy Act 1993 (PA) aims to protect information about individuals, whereas the Official
Information Act 1982 (OIA) aims to ensure transparency of State sector information, and Minister
and government official accountability of to the people of New Zealand.
A request from a natural person (an individual) asking for information about themselves is a
personal information request. A request from an individual asking for any official information –
including information about companies, body corporates etc., is an OIA request.
Sometimes requests can be made asking for information under one or both of the Acts, but this is
not definitive – it is MBIE’s responsibility to decide which Act/s is applicable, and to respond
appropriately.
Example request
Apply
Individual asks for their immigration file to check status
PA
Lawyer acting as nominated person on behalf of individual asks for
PA
Tenancy Tribunal information about individual
Individual asks for information about their business
OIA
Individual asks for information about another individual
OIA
Individual asks for their job application details, and copies of HR policies
Combination:
to determine why they were unsuccessful in job application
Applicant file – PA
HR policies – OIA
Page 17 of 19
R
esponse timeframes
The general statutory obligation is to answer all requests ‘as soon as reasonably practicable’, but
within no more than 20 working days of receiving the request. A working day is any day that is not a
Saturday, a Sunday, a public holiday, or a day between 25 December and 15 January inclusive.
The Ombudsman’s website has a response calculator (http://www.ombudsman.parliament.nz/) on
the homepage which determines 20 working days, taking into account public holidays.
Important:
•
Regional Anniversary Day holidays are not standard public holidays, so must still be counted.
•
If a request has been made orally, then later confirmed in writing, you must count the working
days from the date of the oral request, not from the receipt of the written confirmation.
•
Should the response require a Minister’s approval, the completed response is due at the
Minister’s Office within 15 working days.
Extensions
Under section 41, the 20 working day time limit for responding to a request may be extended if:
•
the request is for a large quantity of information, or a large quantity of information must be
searched, and meeting the original time limit would unreasonably interfere with other work, or
•
any consultations (with external agencies or a Minister) necessary to make a decision on the
request cannot reasonably be made within the original time limit.
If you are going to need more time and have to extend the timeframe, the PA gives 20 working days
to notify the requester of the extension of and the new timeframe. However, wherever possible,
extensions should be considered in the first three working days. This will not always be possible, as
the volume of information covered by the request is revealed outside the three working days, or
when in the course of processing the request, the need for wider consultation is identified.
Make sure that the extension will allow you sufficient time to collate the information and undertake
all necessary consultation. You cannot further extend a time limit if you have already extended it.
Transfers
If you are transferring the request to another agency or to a Minister, the statutory requirement is
to do this within 10 working days of receiving the request. However, wherever possible, transfers
should be made within three working days, to allow the requester to receive their information in a
timely manner.
If you receive a request that is transferred from another agency or a Minister you have a maximum
of 20 working days (from when this Department receives the request on transfer) to respond.
Authorised persons
Where another person makes a request on behalf of an individual (e.g. a lawyer, representative,
advocate, consultant, family member), you will need to ensure that the individual has authorised
this person to obtain the information. Written notice of this authorisation (e.g. letter or consent
form) is preferable, however, there may be other grounds to rely on, e.g. verbal confirmation from
the individual before processing the request. You must follow any particular business rules your
group has around disclosure to authorised persons.
The extent of the authorisation should be checked to ensure the information requested is within the
scope of the authority provided by the individual.
Page 18 of 19
R
efusing requests
The PA provides individuals with a legal right of access to information about them (section 6,
principle 6). Where an individual requests their personal information, MBIE may only withhold that
information under a ground specified in the Privacy Act, unless another Act prohibits release of the
information.
Sections 27, 28 and 29 set out the reasons that are available for refusing a privacy request. The
exercise of deciding whether withholding reasons apply involves considering what prejudice or harm
would result if the information were released and then how that prejudice or harm is prevented by
any particular withholding provision.
Section 27 (security, defence, international relations) deals with a series of reasons that will apply if
the predicted harm ‘would be likely’ to arise. They include:
•
prejudice the security or defence of New Zealand or the international relations of the
Government of New Zealand
•
prejudice the maintenance of the law, including the prevention, investigation and detection of
offences and the right to a fair trial
•
endanger the safety of any individual.
Section 28 (Trade secrets) requires that withholding the information is necessary to protect
information where making the information available would:
•
disclose a trade secret, or
•
be likely unreasonably to prejudice the commercial position of the person who supplied or who
is the subject of the information, where the need to withhold the information is not outweighed
by a public interest in the release of the information (what is in the public interest are things
that promote the overall public good).
Section 29 (other reasons) sets out further grounds for refusal, including that the information:
•
could result in the unwarranted disclosure of the affairs of another individual
•
is evaluative material (e.g., reference checks)
•
relates to the physical or mental health of an individual, where if provided to the individual
could prejudice their health
•
could prejudice the safe custody or rehabilitation of an individual (in custody or convicted)
•
is contrary to the interests of the person (where the requester is under 16)
•
could breach legal professional privilege
•
is trivial, or the request is frivolous or vexatious
•
is not readily retrievable (not merely that it is taking a long time – in that situation you should
seek an extension)
•
does not exist and cannot be found
•
is not held by the agency and MBIE does not know who does hold it.
In addition, section 32 allows an agency to neither confirm nor deny the existence or non-existence
of the information requested. This reason is used extremely rarely and would need senior level
approval before being relied on.
Page 19 of 19