Address by Assistant Commissioner, Policy, to ARANZ during Privacy Awareness Week 2008
Interrelationship between the Public Records Act & Privacy Act:
A Clash Between Good Information Practices and Fair Information Practices? Accountability for government, accountability to individuals
Blair Stewart(1)
Office of the Privacy Commissioner
1. Introduction
This week the Privacy Commissioner released the results of the 2008 UMR privacy survey on Individual Privacy and Personal Information(2). Particularly noteworthy, 62 percent expressed concern about ‘Government departments sharing personal information’, up from the 2006 survey in which 37 percent of respondents expressed concern about ‘data sharing between Government departments’.
In light of these results, the responsibility lies with government agencies to put practices in place that allow personal information to be appropriately safeguarded, and let individuals feel confident about government information handling practices.
Central to the issues are government accountability and citizen trust.
New Zealand has three major pieces of information legislation: the Privacy Act, the Official Information Act and the Public Records Act. This paper examines the aims of the Privacy Act and the Public Records Act and some interesting intersections.
The theme for this conference is ‘Archives - collaborating towards a networked future’ and it is clear that there is considerable scope for ‘collaboration’ between those involved in records management and privacy protection on many issues relating to recordkeeping. This includes Archives New Zealand and the Office of the Privacy Commissioner but also many others, such as records officers and researchers, as we all have a part to play. We all need to recognise the rights to privacy as well as the national interest in archival records.
2. Public Records Act 2005
The Public Records Act came into force in 2005 and brought about something of a ‘sea change’ to the recordkeeping framework of New Zealand. It replaces the Archives Act of 1957 and provides a purpose driven approach to:
promote accountability between the Crown, the public, and Government agencies
enhance public confidence in the integrity of public records
enhance and promote New Zealand’s historical and cultural heritage.
The key institutions under the PRA are Archives New Zealand (‘Archives’), whose Chief Executive, known as the Chief Archivist, has wide-ranging functions, and the Archives Council, which has a specific statutory role in advising the Minister.
3. Privacy Act 1993
The Privacy Act was enacted in 1993 to provide a framework for the protection of personal information. It does this through the establishment of twelve information privacy principles which govern the life cycle of personal information – from collection, security, access, through to disclosure, storage and retention. They also confer rights of access and correction. These are sometimes referred to as ‘fair information practices’ and are based upon international standards.
The Privacy Act provides for the Privacy Commissioner, who is an independent Crown Entity and has specific functions under the Act. These include examining proposed legislation and a complaints function as well as more general privacy ‘watchdog’ functions such as speaking out on matters affecting privacy and making inquiries where it appears that individual privacy may be affected.
4. Notable intersections
Both Acts are written to be flexible, principled legislation. They obviously intersect on many levels, as far as personal information is involved in the public records at issue, and provide some interesting points of contrast, as well as some often unexpected similarities.
Unlike the Archives Act, the PRA was written in light of the Official Information Act and the Privacy Act, which have been instrumental in bringing about a culture of more openness and access to both government information and personal information.
At a fundamental level both Acts are about good information management practices. Two major areas of intersection between the Acts include retention and access. The PRA refers to access and also ‘appraisal’, of which retention is just one part.
5. Scope
A public record is described by the PRA as a record, in any form, created or received by a public office in the conduct of its affairs. Such a record may contain personal information, which is defined by the Privacy Act as information about an identifiable individual.
Clearly the PRA may require records containing personal information to be kept – perhaps by agencies themselves or permanently by Archives.
The PRA brought additional classes of document under the rubric of ‘public records’ and thus under the Act compared with the Archives Act. School records are a prime example. A number of full or partial exemptions under the 1957 Act were eliminated from the PRA.
Storage of large amounts of data for long periods suggests the need for vigilance around security of the documents. Breaches may occur in the transfer process or through agency error. This office has recently responded to growing nationwide and international awareness of the consequences of large privacy breaches through the issue of Privacy Breach Guidelines(3). The potential effects of such breaches can be seen in the recent concern over the loss of Corrections records in New Zealand and also the (much larger) breach in the UK involving tax information.
Appraisal
While the Privacy Act becomes relevant from the first interaction between agencies and individuals, the Public Records Act - aside from record creation obligations – does not substantially come into consideration until later in the information life cycle. The Privacy Act obligations are front and centre in the direct information dealings with a citizen during a transaction. The PRA requirements are sitting in the background.
Appraisal is the first stage in the management of public records under the PRA which goes beyond normal business practices which can include creating and maintaining records. The PRA presents a pragmatic approach to appraisal but part of that is a consideration of privacy. A holistic approach to the records management process is encouraged which is considerate of privacy concerns at every stage.
Although the Appraisal Standard is still under development by Archives, it is easy to see how privacy may be part of the decisions made at this point. The sensitivity of the personal information involved is a consideration that can be weighed as part of the appraisal process – with perhaps a more detailed consideration at the access stage in applying conditions for restricted access. Ideally appraisal should take place with an eye to the future over access. The individual’s expectations during their dealings with government when documents are created may be relevant.
General Disposal Authorities
Individual patient records are a good example of records that contain highly sensitive personal information. The Public Records Act has clarified the position of the District Health Boards and the Act covers all health records (patient records and other). The way this tension between privacy and archival retention is managed is through the District Health Board General Disposal Authority, which identifies which records District Health Boards can destroy and which need to be transferred to Archives. It is estimated by Archives that under the General Disposal Authority, 10 percent of records are required to be kept as archives, with the other 90 percent able to be destroyed because they are recognised as having no long term value. The General Disposal Authority also outlines how long this 90 percent must be kept before they can be destroyed.
6. Retention
The information contained in public records is a mix of information given voluntarily and that required by the state. When the state seeks or demands information from individuals there is a corresponding duty to protect it. If an individual has been a client of a government agency, they would expect that their personal information collected for that purpose would be retained for as long as it is needed to achieve that purpose. Typically, their reasonable expectation would be that once the information was no longer needed by the agency it would be destroyed.
That is reflected in information privacy principle 9 that requires an agency not to keep information for longer than is required for the purposes for which the information may lawfully be used.
However, the PRA generally prohibits any person from disposing of public records without the authority of the Chief Archivist. This does not apply where the disposal of the record is required under another Act. The requirement under the PRA not to destroy records (without approval) is given effect to under the Privacy Act, which provides that other enactments will prevail over the privacy principles.
One of the cornerstones of the Privacy Act, and good information management generally, is that individuals should understand what happens to their personal information and who gets hold of it. Information Privacy Principle 3 requires that individuals are made aware of the purpose for which their information is collected and the intended recipients. This provides practical challenges for agencies to make people aware of ‘back office’ administrative practices and how to know at the stage of collection whether something will be archived under the PRA. Sometimes the transfer to Archives will be envisaged at the stage of collection but sometimes not. There is scope for agencies to become more transparent in their practices in this context.
One point to note is that, although there is a healthy tension between the Acts on the question of retention, the philosophies underlying each are not too different. There are the competing interests in not retaining personal information for longer than the purpose of collection balanced against the risk of losing the historical value of some documents. Neither of these interests is unqualified.
Census Returns
As well as information which deals with personal information on an individual basis there are also records which are so highly personal in the information they demand that special privacy safeguards need to be considered. One such group of records is census information.
The national census has been carried out at regular 5 year intervals since the Census Act of 1877 – with some irregularity for reasons such as war. The history of census returns casts an interesting light over the current situation. The 1957 Archives Act did not apply to census returns and until 1966 they were routinely destroyed. Destruction is of course a guarantee of absolute confidentiality, consistent with the promise of census secrecy. Destruction guarantees that promises are not subject to the whims of governmental changes in policy or officials.
Census information is given to the state for the purpose of compiling statistics, not for anything else. Once those statistics are compiled the returns have served their purpose. Complete and accurate information depends on the goodwill of the people and their trust in the processes to protect their personal information. Destruction of the census return forms is one way to ensure the public’s trust.
In a change in practice, the 1966 census returns were not destroyed – without the knowledge of the subjects – and are currently held for archiving purposes, along with the 1976 returns.
In 2001 Census respondents were asked whether they would agree to the information they supplied on their census forms being archived for 100 years, after which, anyone who wanted to see it would be able to do so. Forty percent of respondents refused permission for their forms to be archived. These forms were destroyed. This might be seen as a lack of trust in government – both current and future. Considering the minimal state interest in retaining identifiable census returns and the large number who did not want their records maintained, it is interesting that this was not taken as a strong signal by the Parliament against the mandatory retention of all returns.
By the 2006 census the Public Records Act was in force. Census returns are the only public records for which disposal is provided for specifically in the Public Records Act rather than having to go through the processes laid out in that Act. The Act requires that census returns are to be kept by the Government Statistician for 100 years and after that time are transferred to Archives. What will happen after those 100 years is not immediately clear. Under the Statistics Act, after the 100 years, the Government Statistician may authorise the disclosure of individual returns, after having regard to the advice of the Chief Archivist.
7. Access
Access is an area where the two Acts must work together. At its simplest, there is a requirement under the Privacy Act that an individual has a right to seek access to the personal information that an agency holds about them. In addition, the Privacy Act prohibits disclosure of personal information to anyone other than the subject of the information, outside specific exceptions contained in the Act. These exceptions are found in information privacy principle 11 and cover situations such as maintaining the law, public health and safety, and statistical use.
In contrast, the PRA deals with access through the classification of records as open access or restricted access. The PRA also makes use of access law existing in the Privacy Act and Official Information Act.
Individual’s access to their own records
While public records containing personal information are held by the agency that created them, individuals have rights of access to them under the Privacy Act. Once these records are transferred to Archives an individual’s rights under the Privacy Act continue to apply. There is no direct conflict between the Acts on this point.
Allowing an individual access to records kept about them by government is one of many ways of ensuring the accountability of government. This accountability is preserved in both pieces of legislation. It may perhaps be said that the Privacy Act promotes accountability directly to the individual concerned, the citizen to whom the information relates, whereas the PRA is seeking to promote an accountability to the community at large. In this particular context, the philosophical differences in approach are immaterial.
Individual’s access to public records containing personal information of others
While the records are still held by the agency that created them, access remains covered by the Privacy Act and the Official Information Act. A person’s access to records containing personal information of other people is therefore governed by those Acts. However when the records are transferred to Archives, typically at 25 years or earlier, access depends on the classification of the records – and if the records are restricted, which specific restrictions apply. The classification and any restrictions are determined by the administrative head of the agency. This is done in consultation with the Chief Archivist and privacy is an obvious consideration in this process.
Information is transferred to Archives on the grounds of public interest in the retention of public records. However, some records will naturally have a fairly minor public interest aspect and a significant amount of personal information involved that needs protection.
Under the PRA the access provisions start from the position that government information should be made available to the public unless there is good reason to withhold it. The mechanism to protect the privacy of personal information contained in public records is through the restricted access classification which can be applied when the records have reached 25 years of age or when they are transferred to Archives. Public offices should only place restrictions on records if there are good reasons, under the Official Information Act or Privacy Act or other relevant legislation, for withholding some of the information in the records. As the name suggests, ‘restricted access’ does not mean no access. It means additional controls put around access. This is a change or clarification in approach from the old Act. The scope for more sophisticated access provisions means there is more chance of finding an appropriate balance between public interest in access to records and the public interest in privacy of personal information that would restrict such access.
Under the Public Records Act, as with the Archives Act, there is seldom a permanent restriction on access to public records. With the responsive and flexible nature of access restrictions, the question arises of when ‘sensitivity’ in public records declines. The issue of when privacy diminishes over time will likely become pertinent to questions of access. The question is, at what point does the age of the record override the privacy implications in its release? There is no determinative answer for this in the New Zealand context, although the fact that only living persons have a right to privacy under the Privacy Act may be an indicator. However, some information about an individual carries sensitivities regarding personal information about their family members, and so even death may not offer an obvious easy answer sometimes.
The PRA refers to enhancing the accessibility of records that are relevant to the ‘historical and cultural heritage of New Zealand and to New Zealanders’ sense of their national identity’. Over time the privacy interests in certain records will give way to such national interests.
Rather than draw a line in the sand, these are questions that are best answered on a case by case basis.
Of course, just because a public record contains a personal name does not necessarily justify restricted access. Some personal names will be included due to that person’s function as an official of the agency involved, where the privacy impacts may be less. An assessment must be made of the nature of the information and the circumstances of each case. Some cases where it might be unnecessary to consider restricted access on privacy grounds are where:
The information may already be available publicly;
The information may be about a person, but be of such a nature that no privacy interest requiring protection arises; or
The content of the particular information may not, in fact, relate to an identifiable person.
These are all considerations to think about when agencies are looking into restricting access to public records.
8. Archives’ Role as a Records Management Agency
One of the key changes to the new regime of public records handling is the role provided for the Archives as a records management agency. The Chief Archivist has a leadership role in recordkeeping in public offices and can issue standards relating to any aspect of record keeping within public offices. Importantly there is also the audit function which allows the Archivist to audit the recordkeeping of public offices. Audits will begin in 2010 and provide a powerful incentive for agencies to ‘get it right’ when creating and maintaining records.
This role of instruction and enforcement recognises that the old assumption that agencies would create and maintain all information required to be public records does not necessarily stand up in today’s working environments. It is a significant extension of the Chief Archivist’s role which can potentially form a basis for advocating the consideration of privacy impacts at every stage of public records creation and management.
This role is about ensuring public records are managed well and appropriately – in the same way that the Privacy Commissioner’s role is about ensuring that personal information is managed well and appropriately. Naturally there is some overlap where the public records at issue contain personal information and this is a significant opportunity to work together to ensure that public records and the personal information they contain are respected and managed appropriately by public bodies.
Technology Challenges
At a recent meeting an Archives official advised “don’t talk about digital records, talk about records”. This nicely sums up the way records are moving in agencies as electronic capabilities eclipse the need for paper records and electronic records become the norm. The Privacy Act is well in advance of these technological developments as it uses the term ‘personal information’ which is technology and medium neutral language and will serve us well into the digital age.
In some ways changes in technology could be said to be nothing unusual for privacy considerations – digital records should naturally be afforded the same privacy protections as paper records. However, the ever-changing technology environment, and its effect on some traditional means of protecting access to personal information as well as on storage and retention, means that digital records must be given special consideration.
Not least is the problem of access to those records – not just by the public but by Archives and even the agencies’ staff. Information is potentially being put at risk by current approaches to digital information. This is a current issue being tackled by Archives and one in which privacy considerations should be a part of any solution.
9. Role of the Archives Council
The PRA provides for an Archives Council to provide the Minister with advice concerning recordkeeping and archive matters. The council also provides the Minister with recommendations on appeals made by agencies in relation to certain decisions of the Chief Archivist:
Declining a request to defer the transfer of a public record
Instructing a public office to maintain and control its electronic records beyond the 25 year period
Declining a request for an exemption from compliance with a standard.
Privacy will inevitably be a consideration in the Archives Council’s recommendations on some of these matters. Although the matters the Council must consider are not listed in the Act, nor in their Charter, privacy will inevitably be a fundamental concern where personal information is at issue. There is a benefit to taking a holistic approach to records management and there will always be privacy concerns where there are living people associated with these records.
10. Tension between Competing Public Interests
Finding a balance between these competing public interests in privacy and archival value is often a matter of context and compromise. None of these interests is absolute and a balancing exercise can often find acceptable resolutions that reconcile all interests. Some mechanisms are:
Conditions that can be applied to restricted access records
Best practice statements
Recordkeeping Standards
Privacy Officers of agencies being involved in recordkeeping decisions and processes. Every agency should have a privacy officer who may be able to offer valuable advice and opinions on recordkeeping.
International Comparisons
Both privacy and recordkeeping are high priority international fields of work and New Zealand is active in the global community in both fields. It is interesting to look to other countries to measure our own work and directions.
In the Republic of Ireland, the normal restrictions on processing personal information applied under the Data Protection Act 1988 do not apply to information consisting of archives of departmental records. This includes the requirement that such information be securely disposed of when no longer required for the purpose for which it was first obtained. In order to provide a framework for the handling of such information, the Data Protection Commissioner has recently issued draft Data Protection (Archives and Historical Research) Regulations.
The Regulations lay down requirements that must be met by an agency holding records containing personal information which are kept solely for the purpose of historical records or those covered by the National Archives Act. In a nutshell those records may only be accessed by the individual who is the information’s subject, unless it would be otherwise permitted under the Data Protection Act.
This does not differ hugely from New Zealand but it is interesting to note the Irish have taken a different route to get there.
The draft regulations and accompanying background paper are attached below and can also be viewed at www.dataprotection.ie.
Footnotes
(1) I acknowledge the assistance of Sarah Oliver in preparing this paper.
(2) UMR/Privacy Commissioner, ‘Individual Privacy and Personal Information’, late July 2008, available at www.privacy.org.nz.
(3) www.privacy.org.nz
Background Paper
Draft Data Protection (Archives & Historical Research) Regulations, 2008
Introduction
The Data Protection Acts (Section 1 (3C)) provide that the normal restrictions on processing personal data, in particular the requirement that such data be securely disposed of when no longer required for the purpose for which it was first obtained do not apply to “(a) data kept solely for the purpose of historical research, or (b) other data consisting of archives or departmental records (within the meaning in each case of the National Archives Act 1986) and the keeping of which complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects”.
The purpose of the draft Regulations is to prescribe requirements which strike a balance between the rights of individuals who are the subject of personal data and the interests of those conducting research that access be enabled in certain situations.
The Director of the National Archives has been involved in drawing up the draft Regulations. The views of others who may be affected by them are now sought.
Draft Regulations
The draft Regulations lay down three separate sets of requirements that must be met by an organisation holding records that contain personal data and which are kept solely for the purpose of historical research or are covered by the National Archives Act 1986. The requirements do not apply to the personal data of an individual acting in an official capacity (for example, a Civil Servant in a Government Department).
Access to Records: Only the person who is the subject of the records may be granted access to them while that person is still alive, unless such access would otherwise be permitted under the Data Protection Acts. Unless the organisation has information to the contrary, it can assume that a person is no longer alive after 100 years from the date of the most recent record or from that person’s date of birth. As “personal data” is defined in the Data Protection Acts as only applying to a living individual, there are no data protection restrictions on access after the death of the subject of the data.
Data Security: The organisation must adopt security measures which meet the standards set out in Section 2C of the Data Protection Acts.
Effect of Regulations
The Regulations would provide an assurance to individuals that personal data relating to them that is retained either in records subject to the National Archives Act or records retained solely for historical research purposes would be subject to safeguards that protect their right to privacy.
The Organisation holding such records – for example, the National Archives – would have access to them, as would the individual concerned while s/he was still alive. Others (for example, researchers operating under the aegis of the organisation) would not have access to the records other than in accordance with the safeguards contained in the Data Protection Acts. For the sake of clarity, the data controller may allow access to departmental records or archives where it requires the third party person or entity seeking to access the records to enter into an appropriate contract imposing an obligation of confidentiality relating to the access to the data in question.
Information in the records could not be disclosed (other than in an anonymised form) without the consent of the person concerned or unless otherwise permitted under the Data Protection Acts.
The records would have to be kept securely, in accordance with the provisions of the Data Protection Acts.
Some Issues
1. Do the draft Regulations strike the right balance between the legitimate public interest in research and the rights of living individuals?
2. Is the proposed 100-year rule in terms of access to personal data reasonable?
3. Should the Regulations contain other provisions?
Data Protection (Archives & Historical Research) Regulations, 2008
I, BILLY HAWKES, Data Protection Commissioner, in exercise of the powers conferred on me by section 1 (3C) of the Data Protection Act, 1988 (No. 25 of 1988), as inserted by section 2 of the Data Protection (Amendment) Act 2003 (No. 6 of 2003) and with the consent of the Minister for Justice, Equality and Law Reform, hereby make the following regulations:
1. (1) These Regulations may be cited as the Data Protection (Archives & Historical Research) Regulations, 2008.
(2) These Regulations shall come into operation on the x day of X, 2008.
(3) These Regulations shall apply to archives or departmental records within the meaning of the National Archives Act, 1986 (No. 11 of 1986) and to data kept solely for the purpose of historical research.
2. In these Regulations-
"archives" means archives or departmental records within the meaning of the National Archives Act, 1986;
"data subject" means an individual who is the subject of personal data;
“the Act” means the Data Protection Act, 1988 as amended by the Data Protection (Amendment) Act 2003;
“personal data” means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of any person given access to the data;
“data kept solely for the purpose of historical research” means data consisting of personal data which is no longer required for the legitimate purpose for which it was obtained.
3. Where archives or data kept solely for the purpose of historical research include personal data, other than personal data relating to a person acting in an official capacity, the relevant data controller shall take the following measures for the purpose of safeguarding the fundamental rights and freedoms of the data subjects concerned: -
(a) access shall not be granted to such data to persons other than the data subject, or a person acting on their behalf, where access would not otherwise be permitted in accordance with the provisions of the Act or as provided for in these Regulations; and
(b) the data shall be subject to security measures at least equivalent to those laid down in Section 2C of the Act;
(c) the data (other than in an anonymised form) shall not be disclosed without the consent of the data subject or a person acting on their behalf, where such disclosure would not otherwise be permitted in accordance with the provisions of the Act or as provided for in these Regulations.
4. (a) Regulation (3) shall not apply where the data controller in question is satisfied that the data is no longer personal data due to the subject of the data being deceased;
(b) for the purpose of subparagraph (a), and without prejudice to subparagraph (c), the data controller may assume that an individual is no longer alive where the most recent record created in respect of her or him is more than 100 years old and the data controller has no other evidence suggesting that the individual is alive;
(c) for the purpose of subparagraph (a), and without prejudice to subparagraph (b), the data controller may assume that an individual is no longer alive where there is reliable evidence that the individual, if alive, would be more than 100 years old, and the data controller has no other evidence suggesting that the individual is alive.
(d) for the purpose of subparagraph (a), the data controller may, in any event, assume that an individual is no longer alive where it has reliable evidence of such.
Explanatory Memorandum: These Regulations stipulate the conditions under which records retained solely for archival or historical purposes and which contain personal data, other than those relating to an individual acting in an official capacity, may be made available for the purposes of public inspection or historical research.
The Data Protection Acts provide a basis whereby the records in question, which have ceased to be retained for any purpose other than for their original purpose, may be made available for archives and historical purposes earlier than the period stipulated in Regulation 4 above where a person has given consent for such access or display. Equally the data controller itself may access the records for archives or historical research purposes or enter into a contract with a third party entity on the basis that such a contract provides appropriate safeguards.