Privacy Awareness Week 2021 – Access to your Personal Information

With Privacy Awareness Week (PAW) upon us once more (3-9 May 2021), we are reminded of the importance of protecting personal information online. If we don’t practise due diligence to protect our personal information, we may be sharing more than we intend to. Whether through work, study or social activities, our contact details, financial data, and sensitive information can be shared in unexpected ways, leaving us vulnerable to data breaches and fraud.

As a small business, it’s vital to be aware of the Australian Privacy Principles (APP) and to understand how to navigate the privacy landscape. While the Australian Privacy Principles are available to everyone, without a dedicated Privacy Officer on hand, they can be complicated to fully understand. To help simplify things, InfoTrust will be taking a look at APP 12 – Access to Personal Information and the key things you need to know.

What is APP 12?

APP 12 is a guideline that sets out the details for access to personal information, including how to do so and on what grounds access can be refused.

While not all small businesses come under the Privacy Act, many do. The APP applies to organisations that generate an annual turnover of $3 million or more.

In relation to government agencies, APP 12 works alongside the right of access as specified in the Freedom of Information (FOI) Act 1982. The FOI Act gives you the right to request access to government-held information. This includes information they hold about you or about government policies and decisions.

What are the requirements of APP 12?

APP 12 requires any entity holding personal information about an individual to give that individual access to the information on request. The guideline sets out the requirements in the following areas:

  • Verification of the individual requesting the information
  • Giving access
  • Refusing access
  • The time period for responding to requests
  • How access is to be given
  • Access charges
  • The need for written notice when access is refused.

The grounds for access differ in relation to agencies and organisations.

How to Verify an Individual’s Identity

Before providing information to someone under APP 12, it’s vital to ensure that they are indeed who they claim to be and that they are authorised to access the information in question.

The steps for verifying an individual’s identity will vary depending on the circumstances in question. In the event that the individual is already known or readily identifiable to the entity, a minimal amount of information will need to be sought. If an entity needs to collect information to verify an individual’s identity, they should then take reasonable steps to destroy it once no longer required for the purpose of identification.

Giving Access to Personal Information

Personal information is valuable and worth protecting. If your business holds personal information about an individual and that individual requests access, you are generally required to provide it. However, it is vital that you verify the individual’s identity and are aware of the grounds on which access should be refused. Publishing a procedure or request form for access requests can help facilitate access.

Refusing Access to Personal Information

APP 12 sets out several grounds on which an organisation can refuse to give access to personal information. Organisations should always endeavour to provide access, but should ensure that giving access doesn’t:

  • Pose a serious threat to the life, health, or safety of an individual or the public
  • Have an unreasonable impact on the privacy of other individuals
  • Relate to legal proceedings
  • Become unlawful
  • Conflict with a denial of access which has been authorised by Australian law
  • Impact the ability to take action against unlawful activities or misconduct
  • Affect related activities conducted by an enforcement body

For agencies, there are several grounds under the FOI Act on which access to information can be refused:

  • A document is exempt due to legal proceedings or secrecy provisions
  • A document is conditionally exempt as it would involve the disclosure of personal information about another person and would be contrary to public interest
  • The document is available for purchase
  • Providing access would substantially divert agency resources
  • Processing the request would force the agency to disclose the existence of a document that includes exempt information

Agencies can also refuse access due to other Acts. This may be a statutory secrecy provision or exempt records under the National Archives of Australia (NAA).

Requirements for Accessing Personal Information

When it comes to accessing personal information, you will first need to contact the organisation or agency in question. You may well be asked to put the request in writing and to provide information that identifies you. This is also when you can specify how you would like to access the information, for example, via email, by post or over the phone. A response to the request, whether giving or refusing access, must be provided within a reasonable period, which is usually within 30 days. Requesting your personal information is free, although there may be a charge for access where there is a significant cost in searching for the information, reproducing it, or delivering it. Organisations should be upfront about any associated costs and should work with you to minimise them. Agencies, however, aren’t permitted to charge you for providing access. When a decision is made to refuse access to the information, the written notice must include the reasons for refusal and the available complaint procedures.

If you’d like to read our blog on APP 11 – Security of Personal Information, click here.
