Access to Personal Information
In a seashell
Individuals have the right to request access to:
- a copy of their personal information and other supplementary information, including
  - the purposes for which the personal information is used by the organisation;
  - the names of the persons to whom their personal information has been disclosed; and
  - the circumstances in which the personal information has been disclosed.
Individuals who want to obtain access to their personal information need to make the request in writing.
An organisation may charge a fee, not exceeding the prescribed maximum fee for access to the individual’s personal information, to deal with the request of the applying individual (the applicant).
An organisation may not charge a fee where the request results in the correction of an error or omission in the individual’s personal information that the organisation controls.
An organisation may not charge a fee if the organisation is prevented from doing so by its professional regulatory body.
The organisation must respond to the applicant within 45 days.
This 45-day time period is for the completed request, and is separate from an initial acknowledgement or confirmation of receipt.
The organisation must acknowledge receipt of the request to the individual “promptly”, per section 20(3), together with any requests by the organisation for clarification.
If the request falls within one of the circumstances set out in section 20(6), the response period may be extended by 30 days. In that case the organisation must notify the individual as described in section 20(7).
It is good practice to provide the information securely, in an accessible, concise, and intelligible format.
An organisation can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unreasonable.
Section 17, Access to personal information, states:
(1) Subject to subsections (2) to (4) and to section 18, at the request of an individual for access to his personal information, and having regard to that which is reasonable, an organisation shall provide the individual with access to—
(a) personal information about the individual in the custody or under the control of the organisation;
(b) the purposes for which the personal information has been and is being used by the organisation; and
(c) the names of the persons or types of persons to whom and circumstances in which the personal information has been and is being disclosed.
(2) An organisation may refuse to provide access to personal information under subsection (1) if—
(a) the personal information is protected by any legal privilege;
(b) the disclosure of the personal information would reveal confidential information of the organisation or of a third party that is of a commercial nature and it is not unreasonable to withhold that information;
(c) the personal information is being used for a current disciplinary or criminal investigation or legal proceedings, and refusal does not prejudice the right of the individual to receive a fair hearing;
(d) the personal information was used by a mediator or arbitrator, or was created in the conduct of a mediation or arbitration for which the mediator or arbitrator was appointed to act under an agreement or by a court;
(e) the disclosure of the personal information would reveal the intentions of the organisation in relation to any negotiations with the individual to the extent that the provision of access would be likely to prejudice those negotiations.
(3) An organisation shall not provide access to personal information under subsection (1) if—
(a) the disclosure of the personal information could reasonably be expected to threaten the life or security of an individual;
(b) the personal information would reveal personal information about another individual; or
(c) the personal information would reveal the identity of an individual who has in confidence provided an opinion about another individual and the individual providing the opinion does not consent to disclosure of his identity, unless it is reasonable in all the circumstances to provide access.
(4) If an organisation is reasonably able to redact the information referred to in subsection (2) (b) or (3)(b) or (c) from the personal information about the individual who requested it, the organisation shall provide the individual with access to his personal information after redacting the former information.
Procedure for making an access request
Section 20, Procedure for making a request under section 17, 18 or 19, states:
(1) In order to obtain access to his personal information or make a request for a correction to his personal information, the individual (in this section referred to as the “applicant”) shall make a written request to the organisation setting out sufficient detail to enable the organisation, with a reasonable effort, to identify the personal information in respect of which the request is made.
(2) The applicant may ask for a copy of his personal information or ask to examine his personal information.
(3) An organisation shall promptly acknowledge in writing receipt of a request, including the date of the request, and the organisation shall at the same time inform the applicant, if there is insufficient detail in the request, what information is required to complete his request.
(4) Subject to subsection (5), when a completed request has been received, an organisation shall respond to an applicant not later than—
(a) 45 days from the day on which the organisation receives the applicant’s written request referred to in subsection (1); or
(b) the end of an extended time period if the time period is extended under subsection (6).
(5) An organisation is not required to comply with subsection (4) whilst any requests to the Commissioner made by the applicant or organisation regarding the scope of rights or obligations pertaining to the applicant’s request under section 17, 18 or 19 are pending.
(6) An organisation may, with respect to a request made under section 17, 18 or 19, extend the period for responding to the request by no more than 30 days, or for such longer period as the Commissioner may permit, if—
(a) a large amount of personal information is requested or needs to be searched or corrected;
(b) meeting the time limit would unreasonably interfere with the operations of the organisation; or
(c) more time is needed to consult with a third party before the organisation is able to determine whether or not to give the applicant access to the requested personal information.
(7) If the period for responding is extended under subsection (6), the organisation shall inform the applicant of the following—
(a) the reason for the extension; and
(b) the time when a response from the organisation can be expected.
(8) An organisation may charge an applicant who makes a request under section 17 or 18 a fee not exceeding the prescribed maximum for access to the applicant’s personal information, except where any such request results in the correction of an error or omission in the personal information about the individual that is under the control of the organisation.
(9) A fee may not be charged under subsection (8) if the organisation is prevented from charging such a fee by its professional regulatory body.
(10) If an organisation is intending to charge an applicant a fee for a service, the organisation may require the applicant to pay all or part of the fee in advance, as determined by the organisation.
(11) The Minister may, in consultation with the Commissioner, prescribe any applicable fees.
(12) An organisation is not required to comply with section 17, 18 or 19 of this Act if the request is manifestly unreasonable.
(13) If an organisation refuses to take action at the request of an applicant, the organisation shall inform the applicant in writing of the reasons for the refusal and of the right to contact the Commissioner to make a complaint.
Checklist: Preparing for access requests
☐ We know how to recognise an access request and we understand when the right of access applies.
☐ We understand what steps we need to take to verify the identity of the applicant, if necessary.
☐ We understand when we can pause the time limit for responding if we need to ask for clarification.
☐ We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.
☐ We understand the nature of the supplementary information we need to provide in response to an access request.
☐ We have suitable information management systems in place to allow us to locate and retrieve information efficiently.
Checklist: Complying with access requests
☐ We have processes in place to ensure that we respond to an access request without undue delay and within 45 days of receipt.
☐ We understand how to perform a reasonable search for the information.
☐ We understand what we need to consider if a third party makes a request on behalf of an individual.
☐ We are aware of the circumstances in which we can extend the time limit to respond to a request.
☐ We understand how to assess whether a child is mature enough to understand their rights.
☐ We understand that there is a particular emphasis on using clear and plain language if we are disclosing information to a child.
☐ We understand what we need to consider if a request includes information about others.
☐ We are able to deliver the information securely to an individual, and in the correct format.
Organisations ask:
What is the right of access?
The right of access gives individuals the right to obtain a copy of their personal information, as well as other supplementary information. It helps individuals to understand how and why you are using their information, and check you are doing it lawfully.
How do we recognise an access request?
An individual can make an access request in writing only. A request is valid if it is clear that the individual is asking for their own personal information. An individual does not need to use a specific form of words, or refer to legislation.
An individual may ask a third party (e.g., a relative, friend or lawyer) to make an access request on their behalf. You may also receive an access request made on behalf of an individual through an online portal. Before responding, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of their authority.
What about requests for information about children?
Before responding to a request for information held about a child, you should consider whether the child is mature enough to understand their rights. If the request is from a child and you are confident they can understand their rights, you should usually respond directly to the child. You may, however, allow the parent or guardian to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child. If a child is competent, they may authorise someone else, other than a parent or guardian, to make an access request on their behalf.
What should we consider when responding to a request?
You must comply with an access request within 45 days of receiving the request. You can extend the time to respond by a further 30 days if the request is complex.
If you process a large amount of information about an individual, you may be able to ask them to specify the information or processing activities their request relates to, if this is not clear. The time limit for responding to the request is paused until you receive clarification, although you should still supply any supplementary information you can within 45 days.
Can we ask an individual for ID?
Yes. You need to be satisfied that you know the identity of the applicant (or the person the request is made on behalf of). If you are unsure, you can ask for information to verify an individual’s identity. The timescale for responding to a request does not begin until you have received the requested information. However, you should request ID documents promptly as part of the request acknowledgement.
Can we charge a fee?
You may charge a fee not exceeding the prescribed maximum fee for access to the individual’s personal information (more details to come). You may not charge a fee where the request results in the correction of an error or omission in the individual’s personal information that the organisation controls. You may not charge a fee if the organisation is prevented from doing so by its professional regulatory body.
How do we find and retrieve the relevant information?
You should make reasonable efforts to find and retrieve the requested information. However, you are not required to comply if the request is manifestly unreasonable.
How should we supply information to the applicant?
An individual is entitled to request access to their personal information and to other supplementary information (which largely corresponds with the information that you should provide in a privacy notice). If an individual makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise.
When deciding what format to use, you should consider both the circumstances of the particular request and whether the individual has the ability to access the information you provide in that format. It is good practice to establish the individual’s preferred format prior to fulfilling their request. Alternatives can also include allowing the individual to access their information remotely and download a copy in an appropriate format.
When can we refuse to comply with a request?
Where an exemption applies, you may refuse to provide all or some of the requested information, depending on the circumstances. You can also refuse to comply with an access request if it is manifestly unreasonable.
If you refuse to comply with a request, you must inform the individual of:
- the reasons why; and
- their right to make a complaint to PrivCom.
What should we do if the request involves information about other individuals?
You should first consider whether it is possible to comply with the request without disclosing information that identifies another individual. If this is not possible, you do not have to comply with the request except where the other individual consents to the disclosure or it is reasonable to comply with the request without that individual’s consent.
You need to respond to the applicant whether or not you decide to disclose information about a third party. You must be able to justify your decision to disclose, withhold, or redact information about a third party, so you should keep a record of what you decide and why.
Can the right of access be enforced?
Yes. In appropriate cases, PrivCom may take action against an organisation if they fail to comply.
If you fail to comply with an access request, the applicant may apply to the court, for example to seek compensation. It is a matter for the court to decide what action to take.