With the introduction of compulsory reporting of privacy breaches and the possibility of convictions and fines under the Privacy Act 2020 (the Act), more than ever, employers need to ensure that the collection, storage and use of personal information is being undertaken properly. The Act comes into force on 1 December 2020 which allows employers time to get on top of any issues now. [1]
Personal information in employment
Personal information is collected throughout a person’s employment. Every time personal information is collected from an employee, your organisation should be asking the following questions:
- What is the information that is needed?
- Why is it being collected?
- Who will receive the information?
- Is providing the information voluntary?
- If the information is not provided what will happen?
The answers to these questions should also be provided to the employee at the time of collection.[2] An example of collection of personal information during employment could be a misconduct investigation. During an investigation, an employee who is asked to provide information should be made aware of the reasons for collection, who will see it, and what may happen if the information is not provided.
Likewise, the accuracy of information should be checked with employees prior to relying on that information, particularly where that information has not been collected directly from the employee it concerns.
An employee has the right to correct any information held by an employer except where there is a dispute about the correction the employee wishes to make. Where an employee wishes to correct information, but the employer does not agree with the correction, a note should be put on file to be read along with the relevant information. The note should detail why the employee considers the information to be incorrect and why they consider to be the correct information.
Access to employee documentation
Once a business has collected information on an employee, that information must be stored securely, and access should be provided to the individual whose information it is, should they request access. There are limited circumstances where an agency may refuse a person access to their personal information.
The requirement to notify the Commissioner of a privacy breach that is likely to cause serious harm means, safely storing employee’s information is paramount for an employer in meeting the requirements of the Act.
Information should be stored in a way that only those who need to be able to access that information can access it. For example, employment documentation such as employment agreements should be stored in a way that cannot be accessed by that person’s colleagues.
Protections
Information also needs to be reasonably protected from loss, therefore digitally storing information, and backing up that system may reduce the risk of loss. Where an employee disputes an employment matter it will be important for an employer to be able to refer to the relevant documents therefore, it is advantageous for employers to be safeguarding these documents.
Businesses also need to be aware that employee information does not just include those documents relating to the employee, it also includes information held by anyone within the employers’ organisation that holds personal information in any form (i.e. in the mind, or emails). How information is communicated to employees and what processes are in place to document that information will be critical when people exit the organisation and future employees need access to that information.
Employee information after termination of employment
IPP 9 requires that personal information should not be kept longer than is required. However, because employees can raise claims against an employer after their employment has ended, generally employment documentation and personal information will be required to be kept after a person is no longer an employee. There are other laws that stipulate how long businesses should hold certain types of information which will override the Act.
The use of an employee’s information is limited to the purpose for which it was collected. Therefore, employers should be deliberate when using personal information, especially once the employment relationship has come to an end. Employee information should not be shared with without a lawful reason.
Practical tools:
The Office of the Privacy Commissioner’s website provides a response calculator for access and correction requests.[3]
For further advice on privacy law, including review of policy and compliance, as well as privacy training, please contact our team of specialist employment lawyers by phone on: 07 282 0174.
[1] See our previous articles on the Privacy Act 2020 www.dtilawyers.co.nz/news-item/spotlight-on-privacy-changes-to-privacy-law and www.dtilawyers.co.nz/news-item/spotlight-on-privacy-compliance-and-enforcement-under-the-new-privacy-act-2020
[2] Information Privacy Principles (IPP) 1 – 4 apply to the collection of personal information, if the information has been provided without solicitation, the IPP’s 1 -4 do not apply but IPP 5 – 13 will apply.
[3] www.privacy.org.nz
Content from: www.dtilawyers.co.nz/news-item/spotlight-on-privacy-respecting-employees-personal-information-and-complying-with-the-privacy-act