THE OFFICE OF THE PRIVACY COMMISSIONER

Information Sheet 4 - 2001: Access and Correction


National Privacy Principle 6 (NPP 6) provides individuals with a right of access to information held about them by an organisation.

An organisation must not charge an individual for lodging a request for access (NPP 6.4) but may apply a charge that is not excessive to recover costs of making information available.

The steps an organisation must take to comply with the access and correction principle will vary and depend on the type of organisation and the circumstances.

The following information is provided to help organisations when they are considering ways to comply with NPP 6. The Guidelines to the National Privacy Principles and the Guidelines on Privacy in the Private Health Sector also offer guidance on how to comply with NPP 6.

Giving access to information held by an organisation

Factors affecting access

Various factors could affect the way an organisation provides an individual with access. These factors could include:

  • the sort of information requested;
  • the way the individual makes the request;
  • the way the organisation stores the information;
  • the technology available to the individual making the request;
  • the respective locations of the organisation and the individual;
  • the size of the organisation; and
  • any exceptions that apply to the information requested.

Ways of giving an individual access to information

Examples of the way an organisation could give access include:

  • letting the individual inspect all the information the organisation holds about him or her;
  • providing a photocopy of the information asked for;
  • letting the individual take notes on the content of the record;
  • giving the individual a printout of the information if it is in electronic form;
  • letting the individual view the information and have a suitably qualified person explain the content;
  • faxing the information asked for;
  • giving the individual an accurate summary of the information;
  • using any other appropriate method to give the individual access to the data; and
  • letting the individual take away copies of this information.

Responding to requests for access

Individuals do not have to give a reason when asking an organisation for access to the personal information an organisation holds about them. They can simply ask for access to the information. However, an organisation could ask an individual whether they want access to all the information that the organisation holds about them or just some of it. If they only want some of it, the organisation could ask which information the individual wants access to.

Establishing the individual's identity

A risk in the access process is that a person may try to use NPP 6 to get access to another individual's information. To deal with this risk an organisation could have procedures to establish that the individual asking for the information is who they say they are. The way in which an organisation approaches this risk would depend on the organisation and the circumstances. Many organisations will have identity validation procedures already in place as part of their normal business practice.

The way an organisation validates an individual's identity may depend on how the individual approaches the organisation. For example, the procedures for establishing the identity of an individual face-to-face may differ from the way an organisation validates an identity over the phone or by fax or e-mail. The identification procedures should be robust enough to satisfy the organisation of the individual's identity.

Other considerations when giving access

To ensure an individual gets an appropriate level of access, an organisation could consider presenting information in a way that takes into account an individual's particular requirements.

Factors an organisation may like to consider when giving access to information include any disability the individual has, or the level of understanding, language or literacy skills of the individual making the request.

Charges and access to information (NPP 6.4)

NPP 6.4 says that the charges for giving access to information should not be excessive. This provision aims to prevent organisations from charging excessive amounts to discourage individuals from making requests for access. Generally speaking, an organisation could consider not charging for letting an individual view a screen or for sending information to an individual by email.

When considering how much to charge, an organisation may like to consider:

  • not charging an individual more than it costs the organisation to give access (for example, an organisation could base charges on the marginal cost of giving that particular access); and
  • waiving or remitting the cost of providing access (for example, where the organisation is aware that an individual receives a benefit or pension).

Depending on the circumstances, reasonable administrative costs an organisation could consider charging for could include:

  • staff costs involved in locating and collating information;
  • reproduction costs; and
  • costs involved in having someone explain information to an individual.

Form of request for access

It is up to an organisation to decide how it will manage the process of giving an individual access. It could ask the individual to put a request for access in writing; however, the NPPs do not require this. Reasons why an organisation might want a request for access to be in writing (in a letter, fax or e-mail) could be influenced by a number of factors. For example:

  • it helps the organisation keep track of a request for access to information which is complex, sensitive or detailed;
  • the organisation receives many requests for access of a similar kind on a regular basis;
  • the organisation holds a lot of information about the individual in a number of different places; or
  • the organisation thinks it may be in its best interests to keep a record of requests for access.

Reasonable steps to correct personal information (NPP 6.5)

When considering what reasonable steps to take in meeting an individual's request to correct personal information, an organisation may like to consider the following points.

  • Allowing poor quality information to remain on a record may have adverse consequences for the individual or the organisation.
  • Correction is not necessary if the information is inaccessible and not used. However, if this is the case, the organisation may then consider destroying or de-identifying information it no longer needs for any organisational or lawful purpose.
  • An organisation could discuss with the individual concerned the reasons it thinks it is inappropriate to delete or alter the original information. Alternative ways of correcting the information in a way that satisfies the needs of both parties may then be agreed on.

Attaching a correction statement to a record (NPP 6.6)

NPP 6.6 says that if an individual and an organisation are unable to agree about whether information is accurate, up-to-date and complete, the organisation must, at the request of the individual, take reasonable steps to associate with the information the individual's claim to this effect.

Organisations may like to consider the following when considering reasonable steps to take.

  • If the individual disputing the information provides an excessively long statement that an organisation cannot easily attach, the organisation could put a mark or a note on the information to indicate that the statement exists and where it can be found.
  • An organisation would ordinarily need to associate the individual's statement about the disputed information in such a way that whenever that information is handled in the future it will be easy to see that the individual is not satisfied that this particular part of the personal information is accurate, complete or up-to-date.

Giving an explanation instead of access to evaluative information

NPP 6.2 allows an organisation not to release information that will reveal the formulae, or the fine details of the evaluative process the organisation uses in its commercially sensitive business decisions. NPP 6.2 is not aimed at preventing the release of the result of the information nor the factual information about the individual.

An example

An individual has applied for a bank loan. The bank collects information from the individual about income, assets, other loans and employment history. With the individual's consent it might collect other information such as credit worthiness information from other sources.

The bank has an internally derived formula that it uses to make a decision about the loan by giving different weights to each factor. Under NPP 6.2, the bank can withhold the information that would reveal the formula or weightings given to the various factors.

The individual requesting the information would be given access only to the raw facts and opinions that were inputs to the bank's evaluative process and an explanation of any decision based on the formula.

Explaining denial of access or refusal to correct information (NPP 6.7)

NPP 6.7 requires an organisation to tell an individual any reasons the organisation has for denying access to information. If the reason for refusal is complex it would be helpful to give the explanation in writing. Organisations must also tell individuals the reasons for refusing to correct personal information. Reasons why an organisation might consider putting this information in writing include that:

  • it gives the organisation an accountability trail in the event of a complaint; and
  • it could help the individual to understand the reasons given by the organisation and so help to avoid unnecessary complaints.

When the organisation tells the individual its reasons for denying access or refusing to attach a correction statement, the organisation may also consider including information about:

  • any process the organisation has for reviewing the decision; and
  • the process the individual can follow if they wish to make a complaint about the decision, either to the Commissioner or the relevant code adjudicator.

If the organisation has decided that using an intermediary will provide an alternative means of access, it could tell the individual more about what this involves. (Refer to Information Sheet 5 - 2001 Access and the Use of Intermediaries.)

Providing an area to inspect information

Where feasible, organisations could consider providing a private and convenient area where the individual can inspect the information requested or where the individual can have the information explained to them.

Reasons for considering providing such an area could include that:

  • it is not appropriate to explain the contents of an individual's personal information (in particular, health information) in a busy, open public space such as a reception counter; and
  • it would not ordinarily be reasonable to expect people to inspect large quantities of information, which may take a long time to go through, while standing at a public counter.

About Information Sheets

Information sheets are advisory only and are not legally binding. (The NPPs in Schedule 3 of the Privacy Act 1988 (Cth) (the Privacy Act) do legally bind organisations.)

Information sheets are based on the Office's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation.

Nothing in an information sheet limits the Privacy Commissioner's freedom to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with.

Organisations may also wish to consult the Commissioner's guidelines and other information sheets.


Office of the Privacy Commissioner
ISBN 1-877079-26-X
Privacy Hotline 1300 363 992 (local call charge)


