Dealing with requests for access to personal information
This is a step-by-step guide to help businesses deal with requests for access to personal information in accordance with the requirements of Australian Privacy Principle (APP) 12. It should be read together with the full text of the APP guidelines.
Under APP 12, an individual has the right to access all the personal information you hold about them unless an exception applies. The flow chart below sets out the key steps to help you respond to a request for access to personal information.
When can you provide access to personal information?
Request for access
- You must respond to an access request within a reasonable period after the request is made. In most cases, a reasonable period will not exceed 30 calendar days.
- You must not charge an individual for making a request to access personal information. You may charge for giving access, provided the charge is not excessive (see further below). You do not have to charge for access.
Can you verify the individual’s identity?
- You must ensure that the request is made by the individual concerned, or by another person who is authorised to make a request on their behalf, for example, a legal guardian, power of attorney or authorised agent.
- Ask the individual for any evidence you may reasonably need to confirm their identity. However, sufficient flexibility should be provided to enable individuals who may not have a particular form of identification to be able to access their own personal information.
- It is preferable to simply sight identity documents, rather than make copies and retain these in your records.
- You should not disclose personal information if you are not sure of the individual’s identity. See the APP Guidelines ’Verifying an Individual’s Identity’.
Can you locate the requested personal information in your records?
- APP 12 requires you to provide access to ‘personal information’ that you ‘hold’. For more information about what constitutes personal information and the meaning of the term ‘holds’, see Chapter B — Key concepts of the APP Guidelines.
- You should search the records that you possess and control, including hard copy records and electronic databases including emails, calendars etc.
- This also extends to situations where you have outsourced the storage of personal information to a third party, but still retain the right to deal with that information. For more information, see Chapter 12 — Access to personal information.
- You should also make enquiries of staff or contractors with relevant knowledge.
- The right to request access under APP 12 is not a right to request access to documents more broadly. You are not required to provide access to documents in full where they also contain information that is not personal information.
Does a ground of refusal exist?
- There are ten grounds on which you may refuse to give access to personal information. These grounds are:
- you reasonably believe that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety
- giving access would have an unreasonable impact on the privacy of other individuals
- the request for access is frivolous or vexatious
- the information relates to existing or anticipated legal proceedings between you and the individual, and would not be accessible by the process of discovery in those proceedings
- giving access would reveal your intentions in relation to negotiations with the individual in such a way as to prejudice those negotiations
- giving access would be unlawful
- denying access is required or authorised by or under an Australian law or a court/tribunal order
- you have reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to your functions or activities has been, is being or may be engaged in and giving access would be likely prejudice the taking of appropriate action in relation to the matter
- giving access would be likely to prejudice one or more enforcement related activities conduct by, or on behalf of, an enforcement body
- giving access would reveal evaluative information generated within your organisation in connection with a commercially sensitive decision-making process.
- For more information, see Chapter 12: Refusing to Give Access.
- If you decide not to grant access based on one of the grounds listed above, you are required to take reasonable steps (if any) to give access in a way that meets your needs and the needs of the individual (see Can You Give Access by Other Means?).
Can you give access in the manner requested by the individual?
- You must give access in the manner requested by the individual. For example, an individual may request information over the phone, by email, in hard copy or an electronic record.
- You do not have to give access in the manner requested if it is unreasonable or impracticable for you to do so. For example, it may be impracticable to provide a large amount of personal information over the phone.
- If you refuse to give access under one of grounds listed above, or in the manner requested by the individual, you should take reasonable steps to give access in a way that meets your needs and the needs of the requesting individual.
- You should talk to the individual to try and agree on a way to satisfy their request.
- Some alternatives you could consider are:
- deleting any personal information for which there is a ground for refusing access and providing a redacted version to the individual
- giving a summary of the information to the individual
- giving the individual the option of inspecting hard copy records and permitting the individual to take notes
- facilitating access to the requested information through a mutually agreed intermediary (see Chapter 12: Giving Access through an Intermediary).
Will you charge the individual?
- You may charge an individual for providing access, however, you do not have to. Items that may be charged for include staff costs in searching for and retrieving the requested personal information, staff costs in reproducing and sending the personal information, costs of postage or materials in giving access and costs associated with using an intermediary.
- When charging fees for time and labour, individuals should be charged at a clerical rate for labour that clerical staff can perform (such as photocopying, printing, collating and posting documents). To the extent that a professional needs to play a role, such as reviewing a file before providing access, it may be reasonable to charge for time at their professional rate (or a proportion of it).
- You could also consider offering cheaper ways of granting access if the individual prefers this, such as letting the individual view the information, providing an electronic copy or providing a summary.
- The charge must not be excessive and you must not charge the individual for making the request (APP 12.8). Whether a charge is excessive will depend on the nature of your organisation, including its size, resources and functions, and the nature of the personal information held. Charges that may be considered excessive include the cost of obtaining legal advice in deciding how to respond to an individual’s request, a charge that reflects shortcomings in your information management systems and a charge that has not taken into account the individual’s circumstances and capacity to pay.
- For more information about calculating charges, see Chapter 12: Access Charges.
Providing written notice
- If you refuse to give access, or refuse to give access in the manner requested by the individual, and you cannot agree on an alternative form of access, you must give the individual a written notice setting out:
- the reasons why you have refused access, or refused to provide access in the manner requested (except to the extent it would be unreasonable to do so)
- how the individual may make a complaint about your decision, how you will deal with the complaint and any information about external complaint avenues (such as an external dispute resolution scheme and the OAIC).
- You could also set out steps the individual could take that would mean that access would not need to be refused, for example, by re-framing or narrowing the scope of their request.
The information provided in this resource is of a general nature and is not a substitute for legal advice
Long text description
Start: Access request received.
Question 1: Can you verify the individual’s identity?
- Yes: Go to Question 2.
- No: Do not disclose personal information. End
Question 2: Can you locate the requested personal information?
- Yes: Go to Question 3.
- No: Provide written notice to individual. End
Question 3: Is there a reason to deny access?
Question 4: Can access be given by other means?
- Yes: go to Question 6.
- No: Provide written notice to individual. End
Question 5: Can access be provided in the manner requested?
Question 6: Will you charge for access?
- Both Yes and No: Provide access. End