An organisation that is required to comply with the Privacy Act 1988 (Cth) (Privacy Act) must comply with the Australian Privacy Principles (APPs) contained at Schedule 1 of the Act.
This includes complying with APP12, which is about giving individuals a right to access their personal information that an organisation holds about them, unless one of the exceptions under APP12 applies. Additionally, under APP13, individuals have a right to correct the personal information (or make a correction to a record containing personal information) that an organisation holds about them.
What To Do when a Request to Access or Correct Personal Information is Made
The first step an organisation should take when a request to access or correct personal information has been made by an individual is to verify the individual’s identity to ensure the organisation is dealing with the correct person (and to avoid sharing information with an unauthorised recipient).
An organisation should have some form of documented verification process in place for its staff to follow, which may include the requester providing 100 points of ID to verify their identity and then matching any emails or phone numbers with those on file. Once the verification process is complete, the organisation should have a process in place to confirm that it has verified the individual but has deleted the records of the identifying documents (if they are no longer required for any other purpose).
There is no minimum period set under the Privacy Act to respond to requests for access to personal information. However, the Office of the Australian Information Commissioner recommends that organisations should aim to respond to, and process, requests within 30 days.
How to Provide Access
An organisation should aim to give access to an individual in the manner in which they have requested, but if it is not reasonably practicable for the organisation, then access may be given in another way that meets the needs of both the organisation and the individual.
For example, an individual might have requested that all their personal information be delivered to them on a CD, but this is not practical for the organisation because it doesn’t have a CD burner, so instead it opts to share the personal information with the individual via a cloud file share. This would be an acceptable format for both the individual and the organisation.
It is important to note that an organisation should keep a record of all requests made and completed, including any verification checks, as part of demonstrating compliance with APP12.
When Can an Organisation Refuse Access to Personal Information?
There are only a few exceptions where an organisation can refuse to grant an individual access to their personal information:
The APP entity reasonably believes that giving access would pose a serious threat[1] to the life, health or safety of any individual, or to public health or public safety
Giving access would have an unreasonable impact[2] on the privacy of other individuals
The request for access is frivolous or vexatious
The information relates to an existing (or anticipated) legal proceeding between the entity and the individual, and would not be accessible by the process of discovery in those proceedings
Giving access would reveal the intentions of the entity in relation to the negotiations with the individual, which may prejudice those negotiations
Giving access would be unlawful
Denying access is authorised under another Australian law or court/tribunal order
The entity has reason to suspect that unlawful activity or misconduct of a serious nature that relates to the entity’s functions is being engaged in AND giving access would likely prejudice the taking of appropriate action in the matter
Giving access would likely prejudice one or more enforcement related activities by an enforcement body, or
Giving access would reveal evaluative information generated within the entity in connection with commercially sensitive decision-making processes (see APP 12.1 and APP 12.3)
An organisation cannot deny a request for access to personal information simply because it doesn’t want to share the information. For example, if a candidate is unsuccessful with a job application, they have a right to request a copy of all notes made about them in the recruitment process, as none of the above exceptions is likely to apply.
How to Process a Request to Correct Personal Information
Once a request to correct personal information has been made (and the requester verified), an organisation must take reasonable steps to correct that information to ensure that it is accurate, up to date, complete, relevant and not misleading.
For example, a customer might inform an organisation that they have changed their postal address and provide the new address. The organisation would then be expected to make that update to the customer’s file.
An organisation would also be expected to notify any relevant third party entity, if the individual has requested it to do so, unless it would be unlawful or impractical for the organisation. For example, a customer might ask the organisation to also update their address with the organisation’s affiliated businesses that also hold the customer’s address.
Can an Organisation Refuse a Request to Update Personal Information?
If an organisation does not agree with an individual’s request to update the personal information the organisation holds about them, the individual has a right to request that the organisation associate a statement with their record. That statement sets out the individual’s request and records the individual’s view that the personal information is inaccurate, out of date, incomplete, irrelevant or misleading.
For example, an individual who was unsuccessful for a job with an organisation might not agree with the comments written about them on the recruitment file and might request that the organisation associate a statement to correct the record.
This means the notes about the individual will remain, but there will be a record stating that the individual does not consider some of the information in those notes to be true or correct.
Can an Organisation Charge for Requests to Access or Correct Personal Information?
An organisation may charge for processing a request to access personal information (but it cannot charge for the making of the request). However, the charge cannot be excessive and should be reasonably justifiable.
An organisation cannot charge for correcting personal information it holds or for associating a statement.
This help article does not purport to be legal advice, and it is recommended that organisations seek independent legal advice to better understand their legal obligations under the Privacy Act.
[1] See example of ‘serious threat’ in Chapter 4 of OAIC’s Guide to Health Privacy.
[2] See example of ‘unreasonable impact on the privacy of others’ in Chapter 4 of OAIC’s Guide to Health Privacy.