Privacy Law

Australian Privacy Principle 12 — Access to Personal Information

Access

12.1 An organisation must, on request by the individual whose information it holds, give the individual access to that information. Exceptions exist that allow access to be denied. There are no requirements as to the format or formalities of a request.

 

NOTE: Like all other APPs, this applies to government bodies (known as ‘agencies’ in the Act), although the exceptions are different. The obligation to grant access to personal information is separate from obligations under Freedom of Information law.

 

Exception to access — organisations

12.3 An organisation is not required to give the individual access to the personal information if:

  • it reasonably believes that giving access would pose a serious threat to the life, health or safety of any person, or the general public, or

  • giving access would risk the privacy of other individuals, or

  • the request for access is very clearly frivolous or vexatious, or

  • the information relates to existing or reasonably anticipated legal proceedings between the organisation and the individual, and would not be accessible through formal document discovery (such as if the given record is irrelevant to the topic of given proceedings), or

  • giving access would reveal the intentions of the organisation in relation to negotiations with the individual such as to prejudice the negotiations, or

  • giving access would be unlawful (e.g. breach of confidence or breach of copyright), or

  • denying access is required or authorised by law or by a judicial order, or

  • giving access is likely to interfere with the taking of appropriate action in relation to unlawful activity or serious misconduct that is reasonably believed to be possible or in progress, or

  • giving access may prejudice enforcement related activities conducted by, or on behalf of, an enforcement body (such as the police), or

  • giving access would reveal sensitive business information, that is, evaluative information generated within the organisation related to a sensitive decision-making process.

The OAIC suggests that organisations consider redacting some information from records before releasing them, so as to overcome the problems listed above.

 

Dealing with requests for access

12.4 An organisation must respond to the request for access to the personal information within a reasonable period, and in the manner requested by the individual, if it is reasonable and practicable to do so.

 

Other means of access

12.5 If the organisation refuses to give access to the personal information in the manner requested because of subclause 12.3, then it must, if possible, give access in a way that meets the needs of the organisation and the individual.

 

Access charges

12.8 An organisation can charge for giving an individual access to the information it holds about them, but the charge must not be excessive. The Act does not specify what is and is not excessive, but anything that merely covers reasonable costs incurred in providing the information will be allowable. The OAIC advises that an organisation cannot make a profit out of granting access, or charge for legal advice.

 

Refusal to give access

12.9 If an organisation refuses to give access to information because of subclause 12.3, or to give access in the manner requested by the individual, it must give a written notice that sets out:

  • the reasons for the refusal (which will be something listed in 12.3, or that the information does not exist), to the extent it is practicable to do so,

  • the appropriate channels of complaint,

  • any other matter prescribed by the regulations.