You have a right to request access to your personal information when it’s held by an organisation covered by the Privacy Act.

This includes Australian Government agencies, businesses with an annual turnover of more than $3 million, health service providers, and some other organisations.

Personal information is information about you, like your name, address or phone number, photographs or signature

It also includes sensitive information, like your health information, credit report or tax file number, any criminal records, your racial or ethnic origin, and political or religious beliefs.

You only have a right to request access to personal information about you when it’s in a record or publication.

The organisation that holds the information must carry out a reasonable search of their records to find what you’ve asked for.

In some cases, they may be able to charge you for the cost of giving you access.

They may also provide you with a summary, instead of a copy of the original record.

They may be allowed to refuse access, including when:

  • It would have an unreasonable impact on other people’s privacy
  • Another law or a court order says it’s not allowed, or
  • they reasonably believe it would pose a serious threat to life, health or safety.

The organisation must give you clear reasons for refusing access, in writing.

If you believe your request has been mishandled, or it hasn’t been dealt with in a reasonable timeframe – generally 30 days – you should complain to the organisation first.

If you’re unhappy with their response, you can complain to us at the OAIC.

We’ll work with both parties to try to resolve the issue. That may mean:

  • Asking the organisation to respond to you, or to check their records and make sure they’ve carried out reasonable searches, and
  • Encouraging them to give you access

We may then be satisfied that they have acted reasonably; or, we may attempt to conciliate your complaint.

The Commissioner can also make a determination about access to your personal information. An organisation may be required to apologise, provide you with access to your personal information or pay compensation if you’ve been caused damage.