How to Handle Privacy Access Requests Under the AU Privacy Act
Under the Australian Privacy Act (formally the Privacy Act 1988 (Cth), also known as the AU Privacy Act, or the APA), individuals have a general right to access the personal information that an organization holds about them. This is known as making a privacy access request, or simply an access request.
The information that individuals can request includes:
- Personal information, which is the Act's term for what other privacy laws call "personal data" or "personally identifiable information"
- Health information, which the Act treats as a category of "sensitive information"
- Some government records that contain personal information
Sometimes, however, the law allows you to refuse these privacy access requests. The circumstances are quite limited: for a private sector organization, you can refuse only if one of the grounds listed in Australian Privacy Principle 12.3 applies, and you must still tell the individual in writing why you refused.
Let's take a deeper look at all of this.
- 1. A Brief Overview of the Australian Privacy Act
- 1.1. Definition of Personal Data
- 2. Rights of Access to Personal Information
- 2.1. The Australian Privacy Principles
- 2.2. Australian Privacy Principle 12
- 3. How Businesses Must Respond to Access Requests
- 3.1. Identity Verification
- 3.2. Relevant Information
- 3.3. Grounds of Refusal
- 3.4. Data Provision
- 3.5. Refusal
- 3.6. Charges
- 4. Conclusion
Valid reasons to refuse a privacy access request include:
- You believe that releasing the information unfairly impacts the privacy rights of other individuals
- Releasing the information may endanger the safety or health of someone else, or a group of people
- It's a frivolous request, or the individual has made numerous requests for the same information
- The personal data is part of ongoing legal proceedings between you and that person
The Australian Privacy Act aims to balance two competing needs:
- The rights of the individual to have control over their personal data, and
- The rights of business to protect themselves from excessive admin tasks that affect their daily operations
In other words, it's not reasonable to expect companies to honor every single privacy access request that comes their way. It's also not reasonable to expect companies to jeopardize the rights of other individuals purely to satisfy one access request.
However, for the most part, you are expected to comply with access requests, and so it's important you know how to do so.
We'll go over how to handle access requests in more detail later, but for now, let's be clear on how the AU Privacy Act works, and where the rules come from.
A Brief Overview of the Australian Privacy Act
The AU Privacy Act is designed to protect the privacy rights of individuals. It aims to safeguard personal information and encourage responsible data handling. The Act's objects are set out in section 2A of Part I. They include promoting the protection of the privacy of individuals, recognizing that this protection is balanced against the interests of entities in carrying out their functions or activities, promoting responsible and transparent handling of personal information, and giving individuals a means to complain about an alleged interference with their privacy.
You must comply with the Act's terms if you are an "APP entity". That covers:
- Australian Government agencies, and
- Private sector organizations with an "Australian link", meaning broadly that:
  - The organization was incorporated or formed in Australia, or
  - It carries on business in Australia (earlier versions of the Act also required that the personal information be collected or held in Australia; since the 2022 amendments, carrying on business in Australia is enough)
The main carve-out is the small business exemption: an organization with an annual turnover of AUD 3 million or less is generally not an APP entity, unless it falls into a category the Act specifically covers, such as a private sector health service provider or a business that trades in personal information.
If, for example, you're a U.S.-based company serving local customers, with no links to Australia, the Act likely doesn't apply to you. If, on the other hand, you actively market to, sell to, and ship orders for customers in Australia, you may well be carrying on business in Australia, in which case the Act does apply and you're an APP entity. Merely receiving some website traffic from Australia is not, on its own, decisive; the question is whether you carry on business there.
So, briefly, what is personal data?
Definition of Personal Data
The AU Privacy Act defines "personal information" (the term this article also renders as "personal data") in Part II, section 6(1). As you'll see, it's a broad definition: information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether it's recorded in a material form or not.
Although the definition doesn't list specific examples, the test is whether the individual is identified, or reasonably identifiable, from the information on its own or combined with other information you hold. Note that the definition is about individuals; unlike some other privacy laws, it doesn't extend to households.
Some examples of personal data include but aren't limited to the following:
- First and last names
- Mailing addresses
- Email addresses
- Online usernames
- Financial information
If you hold any such data, then individuals have a right to access it. Let's take a look at this right in more detail and then set out how to respond to it.
Rights of Access to Personal Information
The AU Privacy Act gives individuals various rights over their personal information. Briefly, individuals have the right to:
- Be notified that an organization is collecting their personal information, at or before the time of collection or, if that isn't practicable, as soon as practicable afterwards (APP 5)
- Access that information without unreasonable delay (APP 12)
- Ask that you give them access in a particular manner, e.g. by email, which you must honor if it's reasonable and practicable (APP 12)
- Ask that you correct their information if it's inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13)
- Opt out of direct marketing (APP 7; the exceptions are many and outside the scope of this article)
The access right this article focuses on is set out in Australian Privacy Principle (APP) 12.
The Australian Privacy Principles
The 13 Australian Privacy Principles are central to the AU Privacy Act. They aren't guidance sitting alongside it: the APPs are Schedule 1 of the Act, and section 15 provides that an APP entity must not do an act, or engage in a practice, that breaches an APP. Following them is mandatory.
The APPs govern four broad areas:
- Open and transparent management of personal information, including having an up-to-date privacy policy and allowing anonymity or pseudonymity where practicable (APPs 1 and 2)
- How personal information is collected, how individuals are notified, and how it's used, disclosed, and sent overseas (APPs 3 to 9)
- The quality and security of personal information, including destroying or de-identifying it once it's no longer needed (APPs 10 and 11)
- An individual's right to access and correct their personal information, and how entities must respond (APPs 12 and 13)
Breaching an APP is an "interference with the privacy of an individual" under section 13 of the Act. It's a civil matter rather than a criminal offence, but the consequences are real: the Office of the Australian Information Commissioner (OAIC) can investigate complaints and make binding determinations, and for serious or repeated interferences the Commissioner can seek civil penalties in court.
So, what do you need to know about APP 12? Let's take a look.
Australian Privacy Principle 12
APP 12 sets out an individual's specific access rights. Firstly, APP 12.1 establishes the default position: if you hold personal information about an individual, you must, on request, give that individual access to it, subject only to the exceptions discussed later.
Note that the obligation applies to information your organization holds, and the Act treats information as held if it's in your possession or under your control. So you can't avoid a request by pointing to a cloud or IT vendor that stores data on your behalf; that data is under your control and you must retrieve and provide it. If, on the other hand, an independent third party holds information about the individual that you neither possess nor control, the individual should direct their request to that party.
You can't insist that an individual follows any particular procedure for making an access request, either.
Although it's helpful to offer a way for individuals to request access, whether by filling out a form or contacting a dedicated number or address, you can't refuse to deal with a request simply because it arrived some other way. The OAIC's APP guidelines make this clear: a request doesn't have to be in any particular form, and it doesn't have to mention the Act or APP 12 to count as an access request.
For completeness, the privacy policy of the bookseller Waterstones contains an example of a contact clause that gives individuals two ways to contact the company to exercise their privacy rights.
So, if an individual wants to access the personal information you hold on them, whether it's simply to view it or make amendments, how do you handle their request, do you need to follow any timelines, and how do you legally refuse access?
How Businesses Must Respond to Access Requests
Don't let the idea of complying with the AU Privacy Act overwhelm you. The good news is that APP 12 and the OAIC's APP guidelines give clear, substantive rules for honoring or refusing access requests, and we're breaking them down even further.
Timelines are set by APP 12.4, and they differ by entity type. An agency must respond within 30 days of receiving the request. An organization must respond within a reasonable period after the request is made; the OAIC's guidance is that this will generally be no more than 30 days, so 30 days is the target most companies should plan for, and there's rarely a good reason not to meet it.
Charges are covered by APP 12.8: an organization can't charge an individual for making an access request, but it can charge for giving access, provided the charge isn't excessive. (Under APP 12.7, an agency can't charge at all.)
So, once the request is made, how do you handle it? We can summarize the steps as follows:
- First, the individual makes a privacy access request.
- You must attempt to verify their identity.
- You must then find the relevant personal information.
- Now, you can consider whether any grounds of refusal exist. If so, you can issue a written notice of refusal.
- You give the individual the data in the manner they requested it, unless it's impractical or unreasonable. In this case, you offer it in an alternative format.
- Decide if charges are applicable.
Let's cover these steps in more detail.
Identity Verification
You can't release personal information if you can't verify that it belongs to the individual making the request. This is key to protecting confidential data and complying with global privacy laws: handing someone's records to an impostor is an unauthorized disclosure under APP 6, and if it's likely to result in serious harm it's also a notifiable data breach under the Act's Notifiable Data Breaches scheme.
When verifying someone's identity, there are two major factors to consider:
- Only collect as much information as you need to verify the individual's identity
- Sight the verification data rather than copying it. A visual inspection and a note that you've performed the inspection should suffice. Keeping copies of identity documents creates a new store of sensitive information that you then have to secure under APP 11, and that you'd have to destroy or de-identify once the request is closed.
How you verify an individual's identity depends on the circumstances. There are no set rules. The precautions you take depend on factors including:
- How easy it is to identify the person
- The sensitivity of the data you're releasing
- The financial and general consequences of unauthorized disclosure (for example, accidentally disclosing the UK Prime Minister's personal records has severe consequences)
However, if you're in any doubt about the individual's identity, don't release the data. They can always provide further verification, and you can process the request at a later date.
Relevant Information
Remember, you only need to grant access to information you hold, meaning information in your possession or under your control. If you don't hold the information, there's nothing for you to grant access to, and you should say so.
There are a few steps to take here. You should:
- Search records in your possession and control
- Ask staff, contractors, and other relevant organizations if they have the information
- Check with third party storage providers, such as IT providers, who hold information that's still within your control
All this means is that you should make reasonable enquiries to see whether you've got control of the data.
You shouldn't release any more data than you need to, either. For example, don't release a full document if it contains information other than the individual's personal information; release the relevant parts and redact the rest. The individual has no right to access the additional material, and releasing it may disclose other people's personal information or commercially confidential material, which is itself a disclosure you'd have to justify under APP 6.
Grounds of Refusal
In all, APP 12.3 lists 10 grounds (paragraphs (a) to (j)) on which an organization can refuse to give access to personal information. Broadly, they cover safety and public health risks, the privacy of other people, frivolous or vexatious requests, legal and enforcement matters, and commercially sensitive decision-making. Paraphrased, you can refuse access if:
- Giving access would pose a serious threat to the life, health, or safety of any individual, or to public health or public safety (12.3(a))
- Giving access would have an unreasonable impact on the privacy of other individuals (12.3(b))
- The request is frivolous or vexatious, for example someone who repeatedly requests the same information with no real purpose (12.3(c))
- The information relates to existing or anticipated legal proceedings between you and the individual, and wouldn't be accessible through discovery in those proceedings (12.3(d))
- Giving access would reveal your intentions in negotiations with the individual in a way that would prejudice those negotiations, such as in a sales or employment dispute (12.3(e))
- Giving access would be unlawful (12.3(f))
- Denying access is required or authorized by an Australian law, or by an order of a court or tribunal (12.3(g))
- You have reason to suspect unlawful activity or serious misconduct relating to your functions or activities, and giving access would be likely to prejudice the taking of appropriate action, for example a fraud investigation (12.3(h))
- Giving access would be likely to prejudice enforcement-related activities conducted by, or on behalf of, an enforcement body (12.3(i))
- Giving access would reveal evaluative information generated within your organization in connection with a commercially sensitive decision-making process (12.3(j))
The wording above is a summary, not the statutory text. Check the current text of APP 12.3 in Schedule 1 of the Act before relying on a particular ground, and record which ground you relied on, because you'll need it for the written refusal.
These grounds for refusal have one thing in common - they balance the rights of the individual against the rights of businesses and enterprises.
There's one caveat to these rights of refusal. Even if you can't meet the individual's request in full, you must consider if you can provide less information, or provide it in a way that doesn't impact your business.
That's where data provision comes in.
Data Provision
Where reasonable and practicable, you should give individuals their personal information in the manner they requested it, whether it's by email, post, or telephone (APP 12.5). What's more important for our purposes is how you accommodate privacy access requests that you can't honor in full.
The Act expects you to do a few things if you're not in a position to honor a person's request at first glance:
- Advise the individual that you can't give them the exact data they're looking for, or data in a specific format
- Explain your reasons why
- Offer an alternative that meets both your needs and theirs: a summary of the data, a redacted copy, access under supervision, or access through a mutually agreed intermediary (APP 12.6)
Essentially, it's on you to show that you've taken reasonable steps to give access in a way that works for both sides. Remember, individuals have the right to know what data you hold on them, and they have the right to inspect it.
Refusal
If you decide that you can't honor a request, or can't give access in the manner requested, you must set this out in writing. APP 12.9 sets out the two components of every written refusal:
- The reasons for the refusal, except to the extent that it would be unreasonable to give them (for example, where doing so would itself reveal what the refusal is meant to protect)
- Clear guidance on how the individual can complain about your decision
This is also an opportunity for you to set out alternatives; for example, giving them a redacted copy of the document. The point is you should do what you can to accommodate the request, and be clear and transparent at all times.
Charges
Although you can't charge an individual for making a request, you can levy small charges for the administrative work of giving access, including:
- Data retrieval
- Reproduction i.e. making copies
- Clerical rates for labor
You can, of course, offer the information in alternative formats to reduce the individual's expenses. What's not acceptable are excessive charges. Examples of charges that aren't acceptable include:
- The cost of taking legal advice on whether to release the information
- Charges that don't take into consideration an individual's ability to pay
- Charges that are simply excessive for the size, scale, and function of your company and the data requested
So, although you can charge individuals, the charge must be one thing - proportionate.
Conclusion
If you hold personal information about Australian individuals and you're an APP entity (broadly, an Australian Government agency, or a private sector organization with an Australian link that isn't covered by the small business exemption), you're bound by the terms of the AU Privacy Act. The Act sets out an individual's right to access their personal information and to have it corrected where appropriate.
The default position is that you're expected to honor privacy access requests in full unless they meet the exemption criteria. If you can't fully honor a request, you should accommodate the individual by offering them redacted or summarized versions of their data instead, or you should give them the data in a different format.
You can't charge people for wanting to see their personal data. However, you can charge proportionate and fair fees for admin costs. You can, of course, give people the option of choosing cheaper alternatives, but you can't force them to take these options just because they may be easier on your business.