Australian privacy law gives you a general right to access your personal information. This includes your health information. An organisation or agency must give you access to your personal information when you request it, except where the law allows them to refuse your request. You don’t have a right under Australian privacy law to access other kinds of information, such as commercial information.
If you want to access records the police hold about you, please contact the Australian Federal Police or the criminal records section of your state or territory police service.
How to request access
You will need to contact the organisation or agency that holds your personal information to request access. Only you or another person you have authorised, such as a legal guardian or authorised agent, can make the request. An organisation or agency must be satisfied the request came from you or a person you authorised.
You may be asked to put your request in writing and for information that identifies you. If so, include:
- your name and contact details
- the personal information you want to access
- how you’d like access to the personal information (such as receiving a copy by email or post, or if you just want to look at the information)
- if you authorise a person or organisation to access the personal information on your behalf.
When should you get a response to your request?
An organisation must respond to a request for access to personal information within a reasonable period. We think 30 days is a reasonable period.
An agency must respond to a request for access to personal information within 30 days.
Can an organisation refuse your request?
An organisation can refuse to give you access to your personal information if they have a valid reason. Examples of a valid reason include:
- the organisation believes that giving you access may endanger the life, health or safety of any individual, or endanger public health or safety
- giving you access would have an unreasonable impact on the privacy of other individuals
- your request is frivolous or vexatious
- your personal information is part of existing or anticipated legal proceedings between you and the organisation.
An agency can rely on any of the exemptions in the FOI Act to refuse you access.
Generally, if an organisation or agency refuses you access to your personal information under Australian privacy law, they must tell you in writing their reasons for refusing and how you can make a complaint.
How will you access your personal information?
An organisation or agency must give you access to your personal information in the way you asked to access it, if it is reasonable and practical to do so. For example, you may ask to access your personal information by receiving a copy in an email or by post, by being given information over the phone or by inspecting the information in person. If the organisation or agency can’t give you access to your personal information in the way you requested, they must try to give you access in a way that meets both your and their needs.
Is there a charge?
Requesting your personal information is free.
However, an organisation may charge for providing you access, but this charge can’t be excessive. The organisation must tell you there’s a charge and explain the reasons for it.
The charge may include the cost of:
- staff searching for, locating and retrieving the requested information, and deciding which personal information is relevant to the request
- staff reproducing and sending the personal information
- the postage or materials involved in giving access
- using an intermediary, if necessary.
An organisation can’t use this charge to discourage you from requesting access to your personal information. If possible, they should tell you the likely amount of the charge when you make the request.
They should also discuss with you options for changing your request to minimise the charge. For example, changing the way they give it to you — by email rather than post.
An agency can’t charge you for providing access to your personal information.
For more information about accessing your personal information, see the Australian Privacy Principles Guidelines, Chapter 11.
If you’re not happy with a decision made about accessing your personal information you can lodge a complaint with us.