Information Sheet (Private Sector) 4 - 2001: Access and Correction



Key Messages

National Privacy Principle (NPP) 6 in the Privacy Act 1988 ('Privacy Act') provides individuals with a right of access to information held about them by an organisation. How organisations give access will depend on the circumstances.

In some cases organisations may wish to provide a photocopy or print out of the information they hold about a person. In other cases, it may be appropriate to have a suitably qualified staff member explain the content of the information to the individual if it is complex or overly technical.

The steps an organisation must take to comply with the access and correction principle will vary and depend on the type of organisation and the circumstances.

Establishing the identity of the individual asking for access

An important consideration when providing access to individuals to their personal information is to be sure that the person is who they say they are. There may be a risk that an individual tries to use NPP 6 to access information about another individual. For this reason, organisations should take care to establish the individual's identity before providing access.

Charging fees for access

An organisation must not charge an individual for lodging a request for access but may apply a charge that is not excessive to recover reasonable costs of making information available.

Correcting personal information upon request by the individual

NPP 6 also allows individuals to have their information corrected if it is wrong. Where an individual is able to show that the information the organisation holds about them is not accurate, complete and up-to-date, an organisation must take reasonable steps to correct the information. When responding to requests for correction, organisations should also be mindful of their obligations under NPP 3 to make sure personal information they collect, use or disclose is accurate, complete and up-to-date.

If the organisation and individual disagree about a correction, the individual can ask to have a statement attached to the information stating that the individual believes the information to be incorrect.

Explaining denial of access or refusal to correct information

Under NPP 6, there are a limited number of situations where an organisation may deny an individual access to personal information. Organisations must tell the individual the reasons for denying access to information or for refusing to correct information.

Background

Who is this information sheet for?

This information sheet is for organisations in the private sector that are covered by the Privacy Act. 

These organisations must comply with the 10 National Privacy Principles ('NPPs') in the Privacy Act when handling personal information.

'Organisations' are defined in section 6 of the Privacy Act to include:

  • all businesses with an annual turnover greater than $3 million
  • all private sector health service providers, regardless of turnover
  • some small businesses.[1]

What is this information sheet about?

This information sheet provides general guidance and advice on NPP 6 in the Privacy Act.

NPP 6 provides individuals with a right of access to information held about them by an organisation. 

This information sheet covers:

  • Giving individuals access and the factors that might affect access
  • Responding to requests for access
  • Charging a fee for access to information
  • Correcting information when an individual shows information to be inaccurate, incomplete or out-of-date
  • Attaching a correction statement to a record in the event that the organisation and the individual disagree over a correction
  • Explaining a denial of access or refusal to correct information.

Giving access to information held by an organisation

Factors affecting access

Various factors could affect the way an organisation provides an individual with access including:

  • the sort of information requested
  • the way the individual makes the request
  • the way the organisation stores the information
  • the technology available to the individual making the request
  • the respective locations of the organisation and the individual
  • the size of the organisation
  • any exceptions that apply to the information requested.

Ways of giving an individual access to information

Examples of the way an organisation could give access include:

  • letting the individual inspect all the information the organisation holds about him or her
  • providing a copy of the information requested
  • letting the individual take notes on the content of the record
  • giving the individual a printout of the information if it is in electronic form
  • letting the individual view the information and have a suitably qualified staff member explain the content
  • giving the individual an accurate summary of the information
  • using any other appropriate method to give the individual access to the data.

Generally it's a good idea for the organisation to discuss with the individual the way they would like to receive their information.

This will help make sure that the information is provided in a way that suits the individual and is appropriate for the type of personal information being accessed.

Responding to requests for access

Individuals do not have to give a reason when asking an organisation for access to the personal information an organisation holds about them. They can simply ask for access to the information.

However, an organisation could ask an individual whether they want access to all the information that the organisation holds about them or just some of it.

Establishing the individual's identity

A risk in the access process is that a person may try to use NPP 6 to get access to another individual's information.

To deal with this risk an organisation should have procedures to establish that the individual asking for the information is who they say they are. This will help organisations comply with the requirements of NPP 4.

NPP 4 says that organisations must take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorised access, modification or disclosure.[2]

The way in which an organisation approaches the risk that someone other than the individual accesses the personal information would depend on the organisation and the circumstances. Many organisations will have identity validation procedures already in place as part of their normal business practice.

The way an organisation validates an individual's identity may depend on how the individual approaches the organisation.

For example, the procedures for establishing the identity of an individual face-to-face may differ from the way an organisation validates an identity over the phone or by fax or email.

The identification procedures should be robust enough to satisfy the organisation of the individual's identity.

Other considerations when giving access

To ensure an individual gets an appropriate level of access, an organisation could consider presenting information in a way that takes into account an individual's particular requirements.

Factors to consider when giving access to information include any disability the individual has, or the level of understanding, language or literacy skills of the individual making the request.

Where feasible, organisations could also consider providing a private and convenient area where the individual can inspect the information requested or where the individual can have the information explained to them.

Reasons for considering providing such an area could include that:

  • it is not appropriate to explain the contents of an individual's personal information (in particular, health information) in a busy, open public space such as a reception counter
  • it would not ordinarily be reasonable to expect people to inspect large quantities of information while standing at a public counter.

With regard to timing, organisations should consider responding to requests for access in a reasonable amount of time. While no timeframe is provided in the Privacy Act, organisations should generally seek to respond to access requests within 30 days or sooner if possible.[3]

Charges and access to information (NPP 6.4)

NPP 6.4 says that organisations are not permitted to charge individuals for lodging a request for access and that the charges for giving access to information should not be excessive.

These provisions aim to ensure that organisations only charge reasonable amounts to avoid discouraging individuals from making requests for access. Generally speaking, an organisation could consider not charging for letting an individual view a screen or for sending information to an individual by email.

When considering how much to charge, an organisation may like to consider:

  • not charging an individual more than it costs the organisation to give access (for example, an organisation could base charges on the marginal cost of giving that particular access) and
  • waiving or remitting the cost of providing access (for example, where the organisation is aware that an individual receives a benefit or pension).

Depending on the circumstances, an organisation could charge for the:

  • staff costs involved in locating and collating information
  • reproduction costs and
  • costs involved in having a staff member explain information to an individual.

Other matters to consider when providing access to personal information:

  • Discuss with the individual what information they want access to, and the likely fees, before undertaking their request for access.
  • Do not include other outstanding bills in a fee for access.
  • The cost of legal and other third-party advice shouldn't generally be passed on to a particular individual, even though you may have sought the advice to help assess their access request.
  • Consider other laws or standards that may relate to fees for access.

Form of request for access

It is up to an organisation to decide how it will manage the process of giving an individual access. It could ask the individual to put a request for access in writing; however, the NPPs do not require this. Reasons why an organisation might want a request for access to be in writing (in a letter, fax or email) could be influenced by a number of factors. For example:

  • it helps the organisation keep track of a request for access to information which is complex, sensitive or detailed
  • the organisation receives many requests for access of a similar kind on a regular basis
  • the organisation holds a lot of information about the individual in a number of different places or
  • the organisation thinks it may be in its best interests to keep a record of requests for access.

Reasonable steps to correct personal information (NPP 6.5)

NPP 6.5 says that if an individual is able to establish that personal information held about them is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information.

In some cases, individuals may be able to establish that their information is incorrect simply by reporting the problem to the organisation and asking them to fix it.

Example - An individual simply reporting an error can be adequate for an organisation to take steps to correct

Maria receives an email from a florist congratulating her on her forthcoming wedding and drawing her attention to the attached pricelists for wedding bouquets as she requested. Maria is a customer of this florist but is not getting married and did not ask for any pricelists. She suspects the florist has mixed up the email address. She contacts the florist and asks her to correct the information.

It turns out that the intended recipient of the email has a similar name to Maria and the florist has accidentally opened a 'wedding account' under the wrong customer's name.

In this situation, the mistake is obvious and there is no need for Maria to provide further supporting material to prove a correction is required.

In other cases, individuals may need to provide further documents or other material to the organisation to establish that the information is not accurate, complete and up-to-date. This might include letters, receipts, bank statements, diary notes, medical records, photographs and testimonies from a trusted third party.

Remember, if you collect documentation of this type containing personal information, you will need to comply with the NPPs when handling it. That means only collecting the information necessary for you to ascertain whether a correction is necessary. In some cases, sighting the material may be adequate.

Also, if you do need to collect the documentation, do you need all of it? Consider only copying part of it or blocking out the parts that are not relevant. Store the information securely and destroy it as soon as it is no longer needed.

Where an organisation has checked the individual's file and can find no obvious inconsistency or error, it might then be appropriate for the organisation to ask for further material to support the individual's claim that there is an inaccuracy. 

The organisation could also consider giving the individual access to the information the organisation holds about them so that the individual can better assess the accuracy of the information in question.

Example - An individual may need to provide supporting material when asking for a correction to be made

Jo is paying off a loan to a bank. She receives a statement from the bank which omits the payment she made the month before and therefore incorrectly shows her to be in arrears on her loan repayments. Jo calls the bank to ask them to correct the mistake.

A customer service clerk at the bank checks Jo's records while she's on the phone. The records continue to show no payment was received and the clerk cannot identify any obvious error in the record.

In this situation, it would be reasonable for the bank to ask Jo for some supporting material to prove that the payment was made, such as an internet transaction receipt or a deposit stub.

The Office of the Privacy Commissioner believes that an individual does not need to prove beyond doubt that an inaccuracy exists. It may be enough for the individual to establish that it is more likely than not that the information is in need of correction.

If the individual establishes that their personal information is more likely than not inaccurate, incomplete or outdated, the organisation needs to take reasonable steps to correct the information. What is reasonable will depend on the circumstances and the type of information needing correction.

When considering what reasonable steps to take in meeting an individual's request to correct personal information, an organisation could consider that:

  • It has obligations under NPP 3 to take reasonable steps to make sure personal information it collects, uses and discloses is accurate, complete and up-to-date. This means that, when it comes to using or disclosing personal information, the onus is on the organisation to make sure information is correct.[4]
  • Allowing poor quality information to remain on a record may have adverse consequences for the individual and/or the organisation. For example, organisations may find that, in leaving poor quality information on the record, they breach NPP 3.
  • Correction is not necessary if the information is no longer being used. However if this is the case, the organisation should consider destroying or de-identifying information it no longer needs (subject to any legal requirements to retain the information). Destroying or permanently de-identifying personal information that is no longer needed is a requirement under NPP 4.2.
  • An organisation could discuss with the individual concerned the reasons it thinks it is inappropriate to delete or alter the original information. The organisation and individual may then be able to agree on alternative ways of noting the discrepancy regarding the accuracy of the information in a way that satisfies the needs of both parties.
  • If an individual establishes with an organisation that information about them is incorrect, the organisation should consider correcting the information with any third parties that it has passed the information onto.

Attaching a correction statement to a record (NPP 6.6)

NPP 6.6 applies where the organisation and individual are unable to agree about whether the information should be corrected. Where an agreement can't be reached, the individual can ask the organisation to attach a statement to the record claiming that the information is not accurate, complete and up-to-date. In practice, this could be done by putting a note with the individual's information outlining the individual's claim about the inaccuracy of the information or creating a link between the information and the statement.

An example of when an individual and organisation may be unable to agree over a correction could be if an organisation has recorded an opinion about an individual that the individual disagrees with.

Example - Dealing with an individual's claim that an opinion you hold about them is incorrect

The Privacy Act deals with 'personal information', which in the Act can include information or an opinion about an identifiable individual. An organisation might record an opinion about someone, for example, where an insurance company uses a private investigator to check the veracity of a person's insurance claim. The investigator's opinion may be that the individual is healthy enough to return to work. While the individual may disagree with this opinion, it could be difficult to prove that it is 'incorrect' if it is the true opinion of the investigator.

In this example the individual should be allowed to have a statement linked with the opinion stating that they don't believe the information is accurate.

If an individual asks the organisation to attach a statement to the information stating that they don't believe the information is correct, the Privacy Act says that the organisation must take reasonable steps to do so. Organisations may like to consider the following when considering reasonable steps to take:

  • If the individual disputing the information provides a very extensive statement that an organisation cannot easily attach, the organisation could put a mark or a note on the information to indicate that the statement exists and where it can be found.
  • An organisation would ordinarily need to associate the individual's statement about the disputed information in such a way that whenever that information is handled in the future it will be easy to see that the individual does not agree that this particular part of the personal information is accurate, complete or up-to-date.

Giving an explanation instead of access to evaluative information (NPP 6.2)

NPP 6.2 allows an organisation not to release information that will reveal the formulae, or the fine details of the evaluative process the organisation uses in its commercially sensitive business decisions. NPP 6.2 is not aimed at preventing the release of the result of the evaluation nor the factual information about the individual.

Example - Giving an explanation instead of access to evaluative information

An individual has applied for a bank loan. The bank collects information from the individual about income, assets, other loans and employment history. With the individual's consent it might collect other information such as credit worthiness information from other sources.

The bank has an internally derived formula that it uses to make a decision about the loan by giving different weights to each factor. Under NPP 6.2, the bank can withhold the information that would reveal the formula or weightings given to the various factors.

The individual requesting the information would be given access only to the raw facts and opinions that were inputs to the bank's evaluative process and an explanation of any decision based on the formula.

Explaining denial of access or refusal to correct information (NPP 6.1 and 6.7)

There are a limited number of situations where an organisation may deny an individual access to the personal information it holds about them. NPP 6.1 outlines the situations where the Privacy Act allows an organisation to deny access. Some of these situations include:

  • providing access to the information would pose a serious and imminent threat to the life and health of any individual
  • if the information is health information, providing access would pose a serious threat to the life or health of any individual
  • providing access would have an unreasonable impact upon the privacy of other individuals
  • providing access would be unlawful
  • providing access would be likely to prejudice an investigation of possible unlawful activity.

There are a number of other situations where organisations may, under NPP 6.1, deny access or give partial access to personal information. See our NPP Guidelines for further information.[5]

In addition, NPP 6.7 requires an organisation to tell an individual any reasons the organisation has for denying access to information. Generally, when explaining why access is being denied, the organisation should endeavour to tell the individual which exception under NPP 6.1 it is relying on to refuse access.

If the reason for refusal is complex it would be helpful to give the explanation in writing. Organisations must also tell individuals the reasons for refusing to correct personal information. Reasons why an organisation might consider putting this information in writing include that:

  • it gives the organisation an accountability trail in the event of a complaint
  • it could help the individual to understand the reasons given by the organisation and so help to avoid unnecessary complaints.

When the organisation tells the individual its reasons for denying access or refusing to attach a correction statement, the organisation may also consider including information about:

  • any process the organisation has for reviewing the decision
  • the process the individual can follow if they wish to make an external complaint about the decision.

If the organisation has decided that using an intermediary will provide an alternative means of access, it could tell the individual more about what this involves. (Refer to Information Sheet 5 - 2001 Access and the Use of Intermediaries.)

Further Information

For further information check out our Guidelines to the National Privacy Principles available at www.privacy.gov.au/materials/types/guidelines/view/6582 and Guidelines on Privacy in the Private Health Sector available at www.privacy.gov.au/materials/types/guidelines/view/6517.

You may also find our other private sector information sheets useful. They are available at: www.privacy.gov.au/materials#I.

In particular, information sheets 5, 21 and 22 deal with aspects of access to personal information.

Private Sector Information Sheets

Information sheets are advisory only and are not legally binding. The National Privacy Principles in Schedule 3 of the Privacy Act legally bind organisations.

Information sheets are based on the Office of the Privacy Commissioner's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation. Nothing in an information sheet limits the Privacy Commissioner's ability to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with. Organisations may also wish to consult the Commissioner's guidelines and other information sheets.

Office of the Privacy Commissioner

Privacy Enquiries Line 1300 363 992 - local call (calls from mobile and pay phones may incur higher charges)

TTY 1800 620 241 - no voice calls; Fax +61 2 9284 9666; GPO Box 5218, Sydney NSW 2001.

Private Sector Information Sheet 4 

Web HTML and PDF published May 2009

ISBN 978-1-877079-66-5

© Commonwealth of Australia 2009

www.privacy.gov.au


[1] For a more detailed explanation refer to the Private Sector Information Sheet 12.

[2] For more information about how to comply with the data security requirements of the Privacy Act, see Information Sheet 6 - Security and Personal Information available at http://www.privacy.gov.au/materials/types/infosheets/view/6565.

[3] See the discussion in the NPP Guidelines about NPP 6.1 for more information about timeframes for access, available at www.privacy.gov.au/materials/types/guidelines/view/6582.

[4] For more information on NPP 3, see Information sheet 28 on data quality, available at http://www.privacyawarenessweek.org/paw/info_sheet28_npp3.html

[5] NPP Guidelines available at www.privacy.gov.au/materials/types/guidelines/view/6582#npp61.