What can I expect after making a request?
People ask
How long does an organisation have to respond?
Can an organisation charge a fee?
What should an organisation send back to me?
Will I always receive everything I asked for?
How long does an organisation have to respond?
An organisation normally has 45 days to respond to your request.
If you have made several requests or your request is complex, they may need extra time to consider your request and they can take up to an extra 30 days to respond.
If they are going to do this, they should let you know promptly why they need more time and when you can expect to receive their response.
Can an organisation charge a fee?
In most circumstances, they should give you a copy of your personal information free of charge.
However, an organisation can charge a reasonable fee to cover their administrative costs – if they think your request is “manifestly unreasonable”.
They can also charge a fee if you ask for further copies of your information following a request.
If an organisation can charge a fee, the 45-day time limit does not begin until they have received the fee.
However, if the organisation made a mistake when recording your personal information and you are requesting a correction, they cannot charge you a fee. See Right to get your information corrected
What should an organisation send back to me?
When an organisation responds to your request, they should normally tell you whether or not they use your personal information and, if they do, give you copies of it. The organisation should also include:
-
what they are using your information for;
-
who they are sharing your information with;
-
how long they will store your information, and how they made this decision;
-
details on your rights to challenge the accuracy of your information, to have it deleted, or to object to its use;
-
your right to complain to PrivCom;
-
details about where they got your information from;
-
whether they use your information for profiling or automated decision-making and how they are doing this; and
-
what security measures they took if they have transferred your information to a third country or an international organisation.
If you specifically wish to receive this additional information, it is highly recommended that you state this in your request.
You may not always receive everything you’ve asked for. Depending on the circumstances:
-
you may receive only part of the information you asked for; or
-
the organisation may not provide you with any personal information at all.
If you make a request for access to your personal information of a medical or psychiatric nature or your personal information kept for the purposes of, or obtained in the course of, carrying out social work relating to you, an organisation may refuse to provide access to personal information if disclosure of your personal information would be likely to prejudice your physical or mental health.
If an organisation refuses your PIPA medical records access request, you can ask the organisation to provide access to your personal information to a health professional who has expertise in relation to the subject matter of the record. The health professional will then determine whether or not disclosure of your personal information to you would be likely to prejudice your physical or mental health.
An organisation can also refuse to comply with your access request if they think it is “manifestly unreasonable”.
There can be other reasons why you may not receive all the information you expect, e.g., when an exemption applies, or the type of information you asked for is not covered by an access request.
People ask
What does “manifestly unreasonable” mean?
Am I entitled to receive copies of entire documents?
What is an exemption?
What if the organisation requires proof of ID?
What information is not covered by my request?
Can I resubmit the same request?
What does “manifestly unreasonable” mean?
There is no set definition of what makes an access request “manifestly unreasonable”. It will depend on the specific circumstances of your request. An organisation should explain the reasons for their decision.
As an example, an organisation may consider a request to be “manifestly unreasonable” when it is clear that:
-
it has been made with no real purpose except to cause them harassment or disruption;
-
the person making the request has no genuine intention of accessing their information (e.g., they may offer to withdraw their request in return for some kind of benefit, such as a payment from the organisation); or
-
it overlaps with a similar request they are still addressing.
To decide this, an organisation must consider each request on a case-by-case basis and be able to explain their reasoning to you.
Am I entitled to receive copies of entire documents?
You’re not. Your right of access does not entitle you to receive full copies of original documents held by an organisation: only your personal information contained in the document.
Scenario
You ask your bank to access your personal information, including full copies of your bank statements. Your bank is not required to provide copies of the actual bank statements. However, they must provide you with your personal information contained within them: for example, by providing you with a list of transactions. By doing so, they have now complied with your access request without having to give you a full copy of the original bank statements.
What is an exemption?
An organisation may withhold all or some of your personal information because of an exemption stipulated in PIPA.
Exemptions protect specific types of information, or how certain organisations work.
Sometimes an organisation may not even have to let you know whether they hold your personal information.
An organisation may also refuse your request to access your information if it includes personal information about someone else, except in situations where:
-
the other individual has agreed to the disclosure; or
-
it is reasonable to give you this information without the other individual’s consent.
When deciding on your access right, an organisation has to balance your right of access against the other individual’s rights with respect to their own information. This may lead the organisation to refuse your access request.
Alternatively, the organisation may attempt to remove or edit out (redact) the other individual’s information before sending your information to you. This could mean you only receive partial information – such as copies of documents showing blanked-out text or missing sections.
The organisation will still need to:
-
tell you why they are not taking action;
-
justify their decision; and
-
explain how you can challenge this outcome.
If you want to learn more about exemptions and exclusions under PIPA, see our Guide to PIPA and Guidance on uses of personal information for organisations hyperlink for more detail on this topic.
What if the organisation requires proof of identity document (ID)?
ID checks are usually required for security – they are part of an organisation’s measures to protect your personal information from unauthorised access.
If an organisation asks you for proof of ID, the 45-day time limit does not begin until they have received it.
What information is not covered by my request?
The right of access does not cover all types of information or uses of personal information, for example:
-
information used for personal/domestic purposes (e.g., family members’ pictures of you);
-
images of you captured on a domestic CCTV system within the boundary of your domestic property; and
-
information about the medical records of relative who’s been dead for at least 20 years.
Can I resubmit the same request?
Yes, you can ask an organisation for access to your information more than once. However, they may be able to refuse your request if:
-
they haven’t yet had the opportunity to deal with your earlier request; or
-
not enough time has passed since your last request (e.g., your information has not changed since then).
Remember, you can also ask an organisation for further copies of your information following a request, but they can charge a reasonable fee for this.