“Privacy open for consultation”: OAIC releases final tranche of Australian Privacy Principles Guidelines

In December 2013, the Office of the Australian Information Commissioner (OAIC) released the final tranche of the draft Australian Privacy Principles Guidelines (Guidelines) for public consultation. We have released earlier updates on the previous tranches of the Guidelines for the Australian Privacy Principles (APPs), which can be accessed here.

APP 12: Access to personal information

APP 12 requires entities that hold personal information about an individual to give the individual access to that information on request.  It is worthwhile emphasising that APP 12 is only concerned with personal information – being “information or an opinion about an identified individual, or an individual who is reasonably identifiable”.

Moreover, APP 12 only applies to personal information that an APP entity holds – an APP entity will be considered to “hold” information “if the entity has possession or control of a record that contains the personal information”. An entity will also hold information where it holds records of personal information stored on servers managed by a third party.

What procedural issues does an entity need to keep in mind?

  • Ensure it verifies the identity of the person making the request. When processing a request for the provision of personal information, an entity needs to ensure that the request made pursuant to APP 12 has been made by the individual concerned or by a person who is authorised to make a request on their behalf – such as an agent or legal guardian. If an entity fails to confirm that it is giving access to the person to whom the information relates, it may be breaching APP 6 by disclosing personal information to another party.

  • The manner in which the request is made.  The Guidelines stipulate that an individual does not have to comply with any formal requirements when making a request for personal information and they do not have to make the request in writing.

When can we refuse access?

The exact circumstances in which an entity can refuse to grant an individual access to their personal information depend on whether that entity is an organisation or an agency.

If you work for or manage an entity which is an organisation, you and/or your employees do not have to give access to personal information if:

  • your organisation reasonably believes that giving access would pose a serious threat to the well-being of any individual or to public well-being;

  • giving access would undermine the privacy of other individuals;

  • the request for access is frivolous or vexatious;

  • the information concerns legal proceedings between your organisation and the individual and the information would not be available via the discovery process;

  • giving access would prejudice negotiations between your organisation and the individual;

  • giving access would be unlawful;

  • denying access is required or authorised by or under an Australian law or court order;

  • your organisation has reason to believe that unlawful activity, or misconduct of a serious nature, that relates to your organisation’s functions or activities has been, is being or may be engaged in and giving access would be likely to prejudice the taking of appropriate action in relation to the matter;

  • giving access would prejudice the activities of a law enforcement body; and/or

  • giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process.

Before your organisation refuses access to personal information, it should consider whether it can redact part of the document(s) in question and provide the individual with access to it in that format.

What minimum access requirements do we need to comply with?

The benchmark here is reasonableness – your organisation or agency must take all reasonable steps it can to comply with the requirements of the APPs and to assist the individual with their request.

APP 12 contains a number of minimum access requirements that an entity must comply with when it receives a request from an individual for access to their personal information.  These requirements include:

  • entities must “respond” to a request for access within 30 calendar days: this means that your organisation or agency must respond within the 30 day period by either providing the individual with access to the requested information or by notifying the individual that your organisation or agency is refusing to give access. Where there is a delay, as a bare minimum, your organisation should at least contact the individual to explain why the delay has occurred and to advise as to when they can expect to receive a document;

  • entities must give access to personal information in the manner requested by the individual, if it is reasonable and practicable to do so: for example, your entity may provide access by email, by phone, in person, in hard copy or by electronic record.  Where an entity is unable to provide access in the manner requested, there is an expectation that they will consult the individual to try and satisfy their request in another acceptable way;

  • entities can provide access through a mutually agreed intermediary: the role of the intermediary is to enable the individual to be given access to their personal information and to have the content of the information explained to them, where direct access would otherwise be refused; and

  • entities need to consider whether or not they can impose charges for access requests: if your entity is an agency, it cannot impose on an individual an application charge for requesting access to personal information, or a charge for giving access to it; if your entity is an organisation, it may impose a charge for giving access to personal information, provided the charge is not excessive.

Working with other legislation

Many of you will already be aware of the Freedom of Information Act 1982 (Cth) (FOI Act) and will have measures in place to deal with and process any applications made pursuant to the FOI Act. APP 12 has not been designed to replace or supersede the FOI Act – rather, it is intended to operate alongside it. The Guidelines advise that it may be appropriate for an organisation to implement and give access to personal information through an informal administrative arrangement – so long as the minimum access requirements discussed above are met.

Nonetheless, in certain circumstances it may be more appropriate to bring a request for information under the FOI Act or the APPs – the Guidelines recommend that your entity should assist individuals in determining which Act and/or mechanism is more appropriate for their request.

It is important that your entity understands the differences between the requirements and obligations under the FOI Act and the APPs.

APP 13: Correction of personal information

What minimum correction requirements do we need to comply with?

At the very least, when correcting personal information your organisation or agency must:

  • upon request by an individual whose personal information has been corrected, take reasonable steps to notify another entity of a correction made to personal information that was previously provided to that other entity;

  • give notice in writing to an individual when a correction request is refused – which explains why the request has been refused and what the individual can do to respond to the refusal;

  • upon request by an individual whose correction request has been refused, take reasonable steps to associate with the personal information a statement that the individual believes it to be inaccurate, out-of-date, incomplete, irrelevant or misleading;

  • respond, within a reasonable period of time, to an individual’s request for information to be corrected or to associate a statement with the information; and

  • not charge individuals a fee for making requests to correct personal information or associate a statement.

Lavan Legal comment

APPs 12 and 13 come into effect on 12 March 2013. To ensure it complies with the amended Privacy Act 1988 (Cth), it is essential that your organisation or agency reviews its existing privacy policies and procedures so that it:

  • is readily able to respond to and manage any request for access to personal information; and

  • can correct any inaccurate, out-of-date, irrelevant or misleading information.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.