People have the right to request access to their personal information when it’s held by an organisation that’s covered by the Privacy Act.

That includes Australian Government agencies, businesses with an annual turnover of more than $3 million, health service providers, and some other organisations.

Personal information is information or an opinion about an individual which appears in a record or publication.

It includes their contact details, photographs or signature…

  • health and credit information…
  • their racial or ethnic origin…
  • and political or religious beliefs.

If your organisation is covered by the Privacy Act, your privacy policy must explain how people can access their personal information…

and, how to complain to you if they’re unhappy with your response.

When you get a request for access to personal information, you must carry out a reasonable search.

That includes checking electronic and physical records, emails and archives, and interviewing staff.

You must also respond within a reasonable timeframe – generally, 30 days.

Access can only be refused on specific grounds.

  • For example, when it would have an unreasonable impact on other people’s privacy…
  • if another law or a Court order says you’re authorised to refuse access, or not allowed…
  • or if you have a reasonable belief that giving access would pose a serious threat to life, health or safety.

Australian Government agencies may refuse access when they are required or authorised to do so under the Freedom of Information Act.

If the person making the request isn’t satisfied with your response, and has already complained to you…

they can complain to the Office of the Australian Information Commissioner, or OAIC.

We’ll work with both parties to try to resolve the issue and ensure all relevant records have been checked.

You may be required to carry out more searches and respond in a reasonable timeframe.

If access to personal information can’t be facilitated, we may attempt to conciliate the matter…

or, the Commissioner can make a public determination requiring access to be given.

Compensation may also be payable to the person who made the request, if they’ve been caused any damage.