Chapter 15

Australian Privacy Principle 12–access to personal information

Introduction

15.1 Australian Privacy Principle 12 (APP 12) ensures that a person can access their own personal information held by an entity other than when exceptions to granting access apply. APP 12 also provides for how entities are to deal with requests for access, access charges and how entities should respond to an individual when access is refused.[1]

15.2 It is noted in the Companion Guide that APP 12 is aimed at ensuring that individuals have access to the information that entities hold about them and that there is opportunity to correct inaccurate, irrelevant and out-of-date information. There are a limited number of circumstances which an entity may refuse to give individuals access to their own personal information. However, in these circumstances entities have an obligation to provide as much access as is possible in the circumstances to meet the needs of the individual and the entity.[2]

Background

15.3 APP 12, together with APP 13 (correction of personal information), replaces existing Information Privacy Principle 6 (IPP 6), and National Privacy Principle 6 (NPP 6). Currently, agencies must provide access to personal information under IPP 6 except to the extent that an agency is required or authorised to refuse assess under any law of the Commonwealth that provides for access by persons to documents. IPP 6 provides individuals with the same rights as the Freedom of Information Act 1982 (FOI Act).[3]

15.4 NPP 6 provides that generally, an organisation that holds personal information must provide the individual with access to the information. A list of situations where access can be denied or limited is also provided in NPP 6. Where an organisation is not required to give access, it must consider whether the needs of both parties can be met through the use of a mutually agreed intermediary. NPP 6 also provides that an organisation must take reasonable steps to correct personal information that it holds, if the individual to whom the information relates, is able to establish that it is not accurate, complete and up-to-date. Where there is a disagreement about the accuracy of the information, the organisation, if requested by the individual, is to take reasonable steps to associate with the information a statement claiming the information is not accurate, complete or up-to-date.[4]

15.5 The Australian Law Reform Commission's (ALRC) review of the access provisions of the Privacy Act considered both the structure of the principle and how the access provisions should be framed, particularly to allow for a unified principle for agencies and organisations.

15.6 The ALRC came to the view that it was possible for the 'Access and Correction' principle to apply equally to both agencies and individuals and recommended this change.[5] The ALRC also compared the structure of NPP 6, which contains both general, high-level provisions and more detailed, relatively prescriptive provisions, and IPP 6, which contains more general rules.

15.7 The ALRC concluded, as it had in its earlier report, Review of Australian Privacy Law (DP72), that NPP 6 should form the basis of the unified 'Access and Correction' principle.[6] The ALRC pointed to the following matters for this conclusion:

the NPP structure is preferable because the relevant and applicable legislation is not fragmented among several separate Acts, as is the case under the IPP structure. For example, the IPPs do not contain procedural provisions for agencies to follow when processing applications for access. Instead, the IPPs rely on 'administrative machinery' contained within the FOI Act;[7]
the NPP structure is comparatively simpler to navigate, to understand and to use;
if the IPP structure prevailed in the development of the new APP regime, transferring the administrative machinery of the FOI Act into the APP legislation would require the Privacy Principles to be redrafted so that their 'provisions...operate as conventional statutory provisions, as distinct from principles'. Such a fundamental change in the character of regulation would be a reorienting from principles-based regulation to rules-based regulation; a change which the ALRC did not support;[8] and
a radical restructuring of the regulatory regime for organisations would impose 'a greater compliance burden, particularly on organisations that would have to update their privacy protection regimes'.[9]

15.8 In considering how the access provisions should be framed, the ALRC distinguished between the right to obtain access in IPP 6 and the obligation on organisations to provide access in NPP 6. The ALRC concluded that the provision should be expressed as an obligation on an agency, rather than an entitlement of an individual. A further point of difference between IPP 6 and NPP 7 is that the former applies to personal information that is in an agency's 'possession or control' while the latter applies to personal information 'held by an organisation'. The ALRC concluded that the word 'held' should be retained in the 'Access and Correction' principle with 'held' including those documents over which an entity has 'constructive possession'.[10]

15.9 While both the IPPs and NPPs place obligations on agencies and organisations to provide individuals with access to personal information that they hold about the person, the exceptions for this obligation differ. The ALRC's view was that exceptions to the 'Access and Correction' principle should be consistent with the FOI Act and the Archives Act 1983 (Archives Act) as individuals should not be able to compel access under the Privacy Act that would otherwise be exempt under the FOI Act or the Archives Act.[11] In relation to the content of the exceptions, the ALRC made the following comments:

threat to life or health: an individual should not be able to obtain personal information that an organisation holds about him or her if providing access would pose a serious threat to the life or health of an individual; and
other exceptions to access: the existing exceptions in NPP 6 should be included in the 'Access and Correction' principle.[12]

15.10 The ALRC also considered the use of third party intermediaries where access to information has been lawfully denied as currently provided for in NPP 6.3 in certain cases. The ALRC commented that it was important that there is a provision requiring an agency or organisation to take reasonable steps to provide an individual with as much personal information as possible, in circumstances where access to the information legitimately can be refused and stated 'such a provision allows for a more flexible, nuanced approach to requests for access where direct access is not appropriate'.[13]

15.11 However, the ALRC did not support the present requirement in NPP 6.3 that an organisation must 'consider' the use of a mutually agreed intermediary. The ALRC saw the potential for abuse of this provision in that organisations could comply with the requirement by briefly contemplating, and then immediately rejecting, such a course of action. In addition, the ALRC considered that the intermediary requirement proposed in DP72, that an organisation 'reach an appropriate compromise' with an individual seeking access to personal information, was ambiguous and that there was a need for a more clearly stated requirement. The ALRC therefore recommended the 'Access and Correction' principle should provide that where an entity is not required to provide an individual with access to his or her personal information, the entity must take such steps, if any, as are reasonable to provide the individual with as much of the information as possible, including through the use of a mutually agreed intermediary.[14]

15.12 The ALRC also considered the procedural requirements for access. While NPP 6 contains procedural requirements for organisations including limits on the charges that they can levy for providing an individual with access, the IPPs do not. The ALRC concluded that procedures imposed on organisations under the 'Access and Correction' principle should also apply to agencies. In addition, the ALRC commented specifically about the following procedural matters:

fees: fees charged by an organisation for providing access to information, as contained in NPP 6.4, should be continued. However, it was not recommended that these provisions be extended to agencies;
timeliness of response: both agencies and organisations should respond to requests for access within a reasonable time;
manner of providing access: the 'Access and Correction' principle should require agencies to take reasonable steps to provide access in the manner requested by the individual; and
level of detail of the provisions: the ALRC did not support binding schedules or frameworks for the provisions as there would be practical difficulties with such an approach and the use of high-level principles was consistent with its broader approach to privacy regulation.[15]

15.13 In relation to reasons for a decision to deny access to personal information, the ALRC concluded that it is an important element of procedural fairness for the individual to be provided with the reason for the adverse decision. However, there may be situations where providing the reason for the decision could undermine the reason the agency or organisation has denied the access and in these situations the ALRC did not support the provision of reasons. The ALRC also recommended that the individual should be provided with the avenues for complaint.[16]

15.14 The ALRC also recommended that the Office of the Privacy Commissioner develop and publish guidelines to ensure that agencies and organisations are provided with clear guidance on how the changes should be applied.[17]

Government response

15.15 The Government accepted, accepted with amendment, or accepted in principle all of the ALRC's recommendations in relation to access and correction. In accepting that a unified 'Access and Correction' principle should apply to both agencies and organisations, the Government noted the implications for the interaction between the Privacy Act and the FOI Act and stated:

as part of proposed reforms to the FOI Act, it was announced that the Privacy Act would be amended to enact an enforceable right of access to, and correction of, an individual's own personal information, rather than maintaining the right through the FOI Act;
that it would be necessary to recognise the additional responsibilities of Government in relation to the disclosure of some categories of information and documents;
that amendments will make it clear that the right to access and correct information held by agencies will be provided by the Privacy Act rather than the FOI Act although the right to access some personal information will remain under the FOI Act; and
processes around reviews of agency access and correction decisions under the Privacy Act will be aligned as closely as possible with reviews under the FOI Act.[18]

15.16 The Government accepted with amendment recommendation 29–3 which provided that where an organisation holds personal information about an individual, it is not required to provide access to the extent that providing access would be reasonably likely to pose a serious threat to the life or health of an individual. The Government response indicated that to ensure consistency, a 'serious threat' should refer to 'life, health or safety'.

15.17 The Government also accepted with amendment recommendation 29–7 which contains the obligation to respond to an access request within a reasonable time and to provide access in a manner requested by the individual, where reasonable and practicable. The Government commented that the ALRC was silent on the issue of entities charging for access, however, the Government agreed that where an organisation imposes a charge for access, is should not be excessive and must not apply to lodging a request for access.

15.18 The Government accepted with amendment the recommendation relating to denial of a request for access. The Government commented that the principle should explicitly provide for situations where providing reasons would undermine the reason for denying the request for access. Further, the principle should recognise that, where reasons can be provided for an adverse decision, the reasons should specify any relevant exceptions, requirements or authorisations relied upon in making the decision.[19]

Issues

15.19 The Australian Institute of Credit Management supported APP 12.[20] However, other submitters raised several issues in relation to APP 12 including the enforceable right of access; the range of exceptions; and time limits for processing applications.

Enforceable right of access

15.20 The Victorian Privacy Commissioner commented that the Government had announced, as part of the reform of the FOI Act, that the Privacy Act would be amended to provide for an enforceable right of access to an individual's own personal information. While noting the importance of the right of an individual to access and correct their personal information, the Victorian Privacy Commissioner stated that 'the language of APP 12 does not currently reflect this'.[21]

15.21 The Companion Guide notes that an enforceable right of access to (and correction of) an individual's own personal information 'does not appear on the face of Australian Privacy Principles 12 and 13'. It was noted that this is because there are a large number of technical issues in relation to the way that the Privacy Act and FOI Act will interact 'that have not yet been fully resolved'. The Companion Guide also stated that the APPs set up some of the technical infrastructure that will link into other provisions of the Privacy Act and provide the means for merits review as well as provision for additional notice requirements to be prescribed by the regulations. The Companion Guide concluded:

This ensures that there is basic content for notification of decision contained in the legislation, but with capacity to prescribe additional requirements so that the provisions of the Privacy Act are consistent with those in the Freedom of Information Act 1982.[22]

Structure and terminology

15.22 Submitters were concerned by loose and overly complex language and the repetition of clauses in APP 12. The Office of the Privacy Commissioner (OPC) for example, suggested the removal of the apparently redundant section APP 12(5)(a) as the following paragraph refers to refusing access under relevant provision. This would result in a simplified structure for APP 12(5).[23] Privacy NSW noted that the exceptions in APP 12(3) were 'dense and complex'.[24]

15.23 The Department of the Prime Minister and Cabinet responded:

This single principle is more lengthy and prescriptive than other APPs (eg collection, use and disclosure) for a number of reasons. First, it is intended to consolidate the existing access and correction obligations in IPPs 6 and 7 for agencies and NPP 6 for organisations. It is also intended to clarify the existing overlap between the Privacy Act and the FOI Act, with the provisions and administrative machinery under the FOI Act being, in practice, the primary means for dealing with access and correction requests from individuals. In addition, it was also necessary to outline the separate and broader range of exceptions to access for organisations. Finally, it was necessary to set out the process once a request for access is received.[25]

Conclusion

15.24 The committee has provided comments concerning the issue of complexity of the APPs in chapter 3 of this report. As noted in that chapter, the committee considers that some fine tuning of the APPs would improve clarity and simplicity particularly through the use of more concise language and elimination of redundant clauses.

Exceptions

15.25 APP 12(2) contains exceptions to access if the personal information is held by an agency and APP 12(3) contains exceptions to access if the personal information is held by an organisation. Professor Greenleaf and Mr Waters argued that proposed APP 12(2) and 12(3) expand on the current grounds for refusing access, and includes new exceptions, 'without any convincing justification'.[26]

15.26 Other submitters raised concerns with the exceptions in relation to organisations. The Law Institute of Victoria (LIV) commented on two of these exceptions. The first, APP (3)(b), provides an exception where giving access would have an unreasonable impact on the privacy of other individuals. The LIV considered that this exception may be difficult to apply where information about an individual is an opinion, as this is potentially the personal information not only of the person who is the subject of the opinion, but of the person who holds that opinion. In relation to the exception contained in APP 12(3)(e)–where giving access would reveal the intentions of the entity in relation to negotiations with the individual in such a way as to prejudice those negotiations–the LIV raised concern about the broad nature of the provision. The LIV commented that there appeared to be no limitations or parameters about what phase of negotiations the parties are in, such as whether the negotiations need to be already commenced, or at least reasonably anticipated, before this clause becomes operative.[27]

15.27 Dr Colin Bennett criticised the inclusion of the 'frivolous or vexatious' exception (APP 12(3)(c)) as 'the right to access ones personal information is a human right, regardless of motive' and submitted that the 'frivolous or vexatious' exception under APP 12(3)(c) is open to abuse 'especially where individuals might be in conflict with a particular organization over a particular matter, and reasonably want to know everything the organization holds on them'. Dr Bennett concluded:

At the very least, the provision should state that the organization should be obliged to report and account for the use of this discretion.[28]

15.28 The Office of the Health Services Commissioner (OHSC) also raised concerns in relation to APP 12(3)(c) and stated that this was not an appropriate exception in relation to health information because 'a person has a right to access their health information, even if the contents are brief'. The OHSC commented further that an individual does not require a reason to access their health information, and such an exception is likely to lead to organisations refusing access 'without good reason'. The OHSC believed that the other exceptions available to organisations under APP 12(3) provide sufficient protection for organisations to refuse access without APP 12(3)(c) being necessary also.[29]

15.29 Google's submission discussed the international dimension of Google's business and operations. Google noted that entities operating in Australia are subject not only to Australian regulation but also foreign regulation, such as in the case of a business based in one country with activities in another country being required to comply with regulations of both countries. Google noted that due to these requirements to comply with foreign laws, the reference to 'Australian law' in APP 12(3)(g) should be amended so that the need to comply with foreign laws also constitutes an exception under APP 12(3).[30]

15.30 The exception related to information which is generated in connection with a commercially sensitive decision-making process (APP 12(3)(j)), was compared to the current provisions provided by its equivalent, NPP 6.2. The OPC noted that in NPP 6.2, an organisation 'may give the individual an explanation for the commercially sensitive decision rather than direct access to the information'. The OPC commented that although it may be intended that the existing right is given effect by way of APP 12(5) and APP 12(9), it is unclear and should be clarified so that the right to be given reasons for a decision is preserved.[31]

Dealing with requests for access

15.31 The OHSC raised concerns with APP 12(4)(b) which requires that the entity must give access in the manner requested by the individual, if it is reasonable and practicable to do so. The OHSC considered that such an exception should not apply in relation to personal health information. It argued that as most people seek access in the form of a copy, the exception may permit organisations to offer personal inspections of records rather than providing access in the manner requested. This alternative would be more expensive for individuals, as supervision by a staff member would be required. The OHSC concluded that such an outcome 'would be unsatisfactory and contrary to the principle of patient autonomy that applies in a health setting'.[32]

15.32 The Public Interest Advocacy Centre (PIAC) commented on the inclusion of the term 'where reasonable and practicable'. This matter was first raised during the ALRC consultation process. PIAC commented:

...the limit on the obligation in UPP 9.5 created by the inclusion of the term 'where reasonable and practicable' could very easily result in unlawfully discriminatory limits on access both in terms of format of information and in terms of any requirement to travel to a particular location to access that information.[33]

Time limits for responses

15.33 APP 12 requires agencies to respond to requests for access within 30 days (APP 12(4)(a)(i)) and organisations to respond to requests 'within a reasonable period' (APP 12(4)(a)(ii)). This preserves the current arrangements in the Privacy Act.

15.34 Westpac was the only submitter to voice a preference for not setting clear timeframes, instead supporting the proposed regime:

Westpac notes and supports the approach of "reasonableness" when determining a timeframe for a response to an individual, in preference to setting a specified period in which to comply. In developing guidance for industry regarding reasonable response times, we recommend the OPC engage closely with industry to develop flexible and appropriate guidance.[34]

15.35 Other submitters called for greater clarity as to the timeframe in which an organisation is to respond to a request for access. The OPC submitted that the differing standards under APP 12(4) between agencies and organisations 'may unintentionally imply that a reasonable period for organisations to provide access may be longer than 30 days'.[35] The OPC noted that guidance produced by the Office suggested access should be granted within 14 days, if granting access is straight forward, or within 30 days, if access is more complicated. The OPC suggested that a note under APP 12(4)(a) could clarify that a reasonable period would not usually be longer than 30 days.[36]

15.36 The OHSC commented that a fixed timeframe was preferable in the health sector and would remove uncertainty. The OHSC also noted the Victorian Health Records Act contains a requirement that organisations respond to a request for access within 45 days.[37]

Other means of access

15.37 APP 12(5) provides that where an entity refuses access, or refuses to give access in the manner requested, the entity must take such steps as are reasonable to give access in a way that meets the needs of the entity and the individual. The Australian Bankers' Association commented that this obligation 'should provide, in the majority of cases, a workable outcome and avoid escalation of any disagreement'.[38] However, Abacus Australian Mutuals questioned the need for this additional obligation on an entity 'particularly given the fact that the listed exceptions to access are well founded'.[39]

15.38 The OPC submitted that by referring to the needs of the entity, the emphasis is shifted away from the individual and suggested that the phrase 'the needs of the entity' should be removed. The OPC concluded that reasonable steps requirement allows sufficient flexibility to meet an entity's needs and obligations under APP 12.[40]

Access charges

15.39 APP 12(8) allows for entities to charge for access so long as the charge is not excessive and does not apply to the making of the request for access. The LIV commented that an entity is not necessarily precluded from charging unreasonable amounts or profiteering. The LIV suggested that 'excessive' be replaced with 'reasonably necessary to recoup the costs incurred by the entity'.[41]

Conclusion

15.40 The committee considers that it is important to ensure that balance exists in the privacy regime between the interests of individuals and entities. Conversely, there should not be an excessive number of exceptions which may inhibit an individual's right to access personal information. In discussion of APP 12, the Companion Guide states:

There are a limited number of circumstances in which an entity may refuse to give individuals access to their own personal information.[42]

15.41 However, submitters raised concern that some of these 'limited' exceptions are broad, open-ended, and may be open to abuse. The committee considers that this may not only give rise to confusion, but also the potential for unwarranted denials of access to personal information. In particular, the committee is mindful of the comments of the Law Institute of Victoria that the exception in relation to negotiations (APP 12(3)(e)) is too broad as well as the comments in relation to the 'frivolous or vexatious' exception (APP 12(3)(c)) particularly its application in the health sector. The committee considers that the negotiations exception in APP 12(3)(e) could be improved by provided greater clarity as to when this exception may be invoked.

15.42 The OPC also commented that the exception concerning commercially sensitive decision making processes (APP 12(3)(j)) does not contain the currently provided for option of an organisation providing an explanation rather than direct access. While the ALRC noted that concerns were raised by privacy advocates that the option of an explanation instead of direct access could be used inappropriately to deny direct access, the OPC considered that individuals should retain the same rights as are currently contained in the Privacy Act. The committee agrees with this approach and considers that further consideration should be given to this exception.

Recommendation 26

15.43 The committee recommends that, in relation to the proposed exceptions provided for in APP 12(3):

the Australian Information Commissioner provide guidance in relation to the application of the 'frivolous and vexatious' exception (APP 12(3)(c));
clarity be provided as to the stage at which the negotiations exception in APP 12(3)(e) may be invoked; and
further consideration be given to the exception in APP 12(3)(j) in relation to commercially sensitive decisions to ensure that the rights currently provided for in the Privacy Act 1988 are not diminished.

15.44 The committee notes that the absence of a prescribed timeframe in which organisations are required to respond to requests for access. It considers that this appears to be inconsistent with the spirit of the principle as outlined in the Companion Guide, in that individuals are to be provided with the right of access to their personal information. While some submitters called for a fixed timeframe to be applied to organisations, the committee notes the comments by the Office of the Privacy Commissioner in relation to guidance already provided by the office and the suggestion that a note be added to APP 12(4)(a). The committee agrees with the comments of the Office of the Privacy Commissioner and recommends that a note be added to APP 12(4)(a) to clarify that a reasonable period of time in which an organisation must respond to a request for access would not usually be longer than 30 days.

15.45 In relation to access charges, the Law Institute of Victoria recommended that the costs clause in APP 12(8) be amended from organisations not charging 'excessive' fees to charging fees 'reasonably necessary to recoup costs incurred by the entity'.[43] Such an amendment would permit organisations to recoup actual costs but not unreasonable amounts or profiteer. The committee therefore supports the Law Institute's recommendation.

Recommendation 27

15.46 The committee recommends that a note be added to proposed APP 12(4)(a) to clarify that a reasonable period of time in which an organisation must respond to a request for access would not usually be longer than 30 days.

Recommendation 28

15.47 The committee recommends that APP 12(8) be amended so that it is made clear that access charges imposed by organisations should only be charged at a level reasonably necessary to recoup costs incurred by the entity.

15.48 The committee also notes that the exposure draft on the powers and functions of the Australian Information Commissioner will clarify the enforcement aspects of the access and correction principles in light of moving from the Freedom of Information regime to the privacy regime.

Navigation: Previous Page | Contents | Next Page