IPP6 explained: the individual's right to access their personal information
When someone asks to see what data you hold about them, you have 20 working days to respond. Here is how to handle it.
Information Privacy Principle 6 (IPP6) gives every individual the right to access the personal information that an agency holds about them. It is one of the most exercised privacy rights in New Zealand.
The obligation
When an individual requests access to their personal information, you must:
- Decide whether to grant access within 20 working days.
- If granting access, provide the information in a reasonable format.
- If refusing access (there are limited grounds), explain the reason and advise the individual of their right to complain to the Privacy Commissioner.
Grounds for refusal
You can refuse access in limited circumstances, including:
- Where disclosure would endanger someone's safety
- Where disclosure would prejudice legal proceedings
- Where the information is evaluative material used in a decision-making process (in limited circumstances)
- Where disclosure would breach another person's privacy
The DEIS transparency portal
DEIS's transparency portal gives individuals proactive access to information about lookups performed on them through the platform. This goes beyond the minimum IPP6 requirement by providing access without the individual needing to make a formal request.
For businesses, this reduces the volume of formal IPP6 requests and demonstrates a commitment to transparency that the OPC views favourably.
Law firms: managing privacy compliance in litigation and due diligence
NextIPP7: handling requests to correct personal information