Access to Personal Information
In a seashell
Individuals have the right to access and receive:
a copy of their personal information and other supplementary information, including
the purposes for which the personal information is used by the organisation;
the names of the persons to whom their personal information has been disclosed; and
the circumstances in which the personal information has been disclosed.
Individuals who want to obtain access to their personal information need to make the request in writing.
An organisation may charge a fee to deal with the applying individual’s (applicant’s) request not exceeding the prescribed maximum fee for access to the individual’s personal information.
An organisation may not charge a fee where the request results in the correction of an error or omission in the individual’s personal information that the organisation controls.
An organisation may not charge a fee if the organisation is prevented from doing so by its professional regulatory body.
There are two responses to an individual's access request that an organisation must provide:
1. The organisation must provide receipt of the request to the individual “promptly” per section 20(3) along with any requests by the organisation for clarification.
2. The organisation must respond to the applicant within 45 days.
This 45-day time period is for the completed request, and is separate from an initial acknowledgement or confirmation of receipt.
If the substance of the request meets the characteristics of section 20(6), then the response time period may be extended by 30 days. If this is the case, then the organisation must notify the individual described in section 20(7).
It is good practice to provide the information securely, in an accessible, concise, and intelligible format.
An organisation can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unreasonable.
Section 17, Access to personal information, states:
(1) Subject to subsections (2) to (4) and to section 18, at the request of an individual for access to his personal information, and having regard to that which is reasonable, an organisation shall provide the individual with access to—
(a) personal information about the individual in the custody or under the control of the organisation;
(b) the purposes for which the personal information has been and is being used by the organisation; and
(c) the names of the persons or types of persons to whom and circumstances in which the personal information has been and is being disclosed.
(2) An organisation may refuse to provide access to personal information under subsection (1)
(a) the personal information is protected by any legal privilege;
(b) the disclosure of the personal information would reveal confidential information of the organisation or of a third party that is of a commercial nature and it is not unreasonable to withhold that information;
(c) the personal information is being used for a current disciplinary or criminal investigation or legal proceedings, and refusal does not prejudice the right of the individual to receive a fair hearing;
(d) the personal information was used by a mediator or arbitrator, or was created in the conduct of a mediation or arbitration for which the mediator or arbitrator was appointed to act under an agreement or by a court;
(e) the disclosure of the personal information would reveal the intentions of the organisation in relation to any negotiations with the individual to the extent that the provision of access would be likely to prejudice those negotiations.
(3) An organisation shall not provide access to personal information under subsection (1)
(a) the disclosure of the personal information could reasonably be expected to threaten
(b) the life or security of an individual;
(c) the personal information would reveal personal information about another individual; or the personal information would reveal the identity of an individual who has in confidence provided an opinion about another individual and the individual providing the opinion does not consent to disclosure of his identity, unless it is reasonable in all the circumstances to provide access.
(4) If an organisation is reasonably able to redact the information referred to in subsection (2) (b) or (3)(b) or (c) from the personal information about the individual who requested it, the organisation shall provide the individual with access to his personal information after redacting the former information.