Privacy Awareness Week 2021 – Access to your Personal Information
With Privacy Awareness Week (PAW) upon us once more (3-9 May 2021), we are reminded of the importance of protecting personal information online. If we don’t practise due diligence to protect our personal information, we may be sharing more than we intend to. Whether through work, study or social activities, our contact details, financial data, and sensitive information can be shared in unexpected ways, leaving us vulnerable to data breaches and fraud.
If you run a small business, it’s vital to be aware of the Australian Privacy Principles (APPs) and to understand how to navigate the privacy landscape. The APPs are published for everyone to read, but without a dedicated Privacy Officer on hand they can be hard to interpret in full. To help simplify things, InfoTrust is taking a look at APP 12 – Access to Personal Information and the key things you need to know.
What is APP 12?
APP 12 is the Australian Privacy Principle that deals with access to personal information: how an individual can request access to the personal information an entity holds about them, how that access must be given, and on what grounds it can be refused.
While not all small businesses come under the Privacy Act, many do. The Privacy Act, and with it the APPs, applies to organisations with an annual turnover of more than $3 million. Some smaller businesses are covered regardless of turnover, for example private health service providers and businesses that trade in personal information, so check your own position rather than assuming the turnover threshold exempts you.
In relation to government agencies, APP 12 works alongside the right of access as specified in the Freedom of Information (FOI) Act 1982. The FOI Act gives you the right to request access to government-held information. This includes information they hold about you or about government policies and decisions.
What are the requirements of APP 12?
APP 12 requires an APP entity that holds personal information about an individual to give that individual access to the information on request. The principle sets out requirements in the following areas:
- Verification of the individual requesting the information
- Giving access
- Refusing access
- The time period for responding to requests
- How access is to be given
- Access charges
- The need for written notice when access is refused.
The grounds for access differ in relation to agencies and organisations.
How to Verify an Individual’s Identity
Before providing information to someone under APP 12, it’s vital to ensure that they are indeed who they claim to be and that they are authorised to access the information in question.
The steps for verifying an individual’s identity will vary with the circumstances. Where the individual is already known to, or readily identifiable by, the entity, only a minimal amount of information needs to be sought. If an entity has to collect information solely to verify an individual’s identity, it should take reasonable steps to destroy that information once it is no longer required for that purpose, so that the verification step does not itself become a new store of personal information.
Giving Access to Personal Information
Personal information is valuable and worth protecting. If your business holds personal information about an individual and that individual requests access, you are generally required to provide it. Before doing so, verify the individual’s identity and check whether any of the grounds for refusing access apply. Publishing your procedure for requesting access, or a request form, makes it easier for individuals to make a valid request and for you to handle it consistently.
Refusing Access to Personal Information
APP 12 sets out several grounds on which an organisation can refuse to give access to personal information. Organisations should always endeavour to provide access, but may refuse where giving access would:
- Pose a serious threat to the life, health, or safety of an individual, or to public health or safety
- Have an unreasonable impact on the privacy of other individuals
- Relate to existing or anticipated legal proceedings
- Be unlawful
- Conflict with a denial of access that is required or authorised by Australian law
- Prejudice the taking of action against suspected unlawful activity or serious misconduct
- Prejudice enforcement-related activities conducted by, or on behalf of, an enforcement body
For agencies, there are several grounds under the FOI Act that access to information can be refused:
- A document is exempt due to legal proceedings or secrecy provisions
- A document is conditionally exempt as it would involve the disclosure of personal information about another person and would be contrary to public interest
- The document is available for purchase
- Providing access would substantially divert agency resources
- Processing the request would require the agency to disclose the existence of a document that includes exempt information
Agencies can also refuse access on the basis of other Acts, for example a statutory secrecy provision, or records that are exempt under the Archives Act 1983, which is administered by the National Archives of Australia (NAA).
Requirements for Accessing Personal Information
When it comes to accessing your personal information, you will first need to contact the organisation or agency in question. You may well be asked to put the request in writing and to provide information that identifies you. This is also when you can specify how you would like to access the information, for example via email, by post or over the phone. An agency must respond to a request, either giving or refusing access, within 30 days. An organisation must respond within a reasonable period, which the OAIC generally considers to be 30 days.
Making a request is free. An organisation may charge for giving access where there is a significant cost involved in searching for the information, reproducing it or delivering it, but the charge must not be excessive, and the organisation should be upfront about any costs and work with you to minimise them. Agencies are not permitted to charge you for providing access. When a decision is made to refuse access, the entity must give you written notice that sets out the reasons for the refusal and the mechanisms available to complain about it.
If you’d like to read more, see our blog on APP 11 – Security of Personal Information.