Individuals can ask businesses for access to information that the business holds regarding them. Often those individuals also seek to have information changed or corrected. In this article, we will consider how your business should handle requests to access and correct personal information.
Accessing personal information
If your business holds personal information about an individual, and the individual requests access to that information, Australian Privacy Principle (APP) 12 requires your business to respond within a reasonable period and to give the individual access to the information in the manner requested.
Can your business refuse to give access to personal information?
Your business is entitled to refuse a request to access personal information if:
- giving access would have an unreasonable impact on the privacy of other individuals;
- the request is frivolous or vexatious;
- you are currently negotiating with the individual and the release of personal information would prejudice those negotiations;
- you believe that giving access would pose a serious threat to the life, health or safety of any individual;
- giving access would be unlawful; or
- giving access would reveal commercially sensitive information.
Your business will need to provide a written notice explaining the grounds for refusal and outlining the mechanisms available to the individual to complain about the refusal.
Can your business charge individuals for access to their personal information?
Under APP 12, your business is entitled to charge the individual for your costs in allowing them to access the personal information. The charge must only cover the expenses incurred in retrieving the personal information, cannot be excessive and cannot apply to the making of the request itself.
Correcting personal information
If your business holds personal information about an individual and that individual requests that your business correct their personal information, or if you believe that an individual’s personal information is inaccurate, out-of-date, incomplete or misleading, you must take reasonable steps to correct the information in accordance with APP 13.
Can your business refuse to correct the personal information as requested?
Your business can refuse a request to correct personal information if the change will make the personal information on record more inaccurate, out-of-date, incomplete, irrelevant or misleading. Your business can also refuse a request if it is unreasonable.
If your business refuses to correct personal information, your business must give a written notice explaining the reasons for the refusal (provided it is reasonable to do so) and the mechanisms available to complain about the refusal.
Can you charge individuals for correcting personal information?
Your business must not charge the individual for making a request to correct personal information, or for correcting the personal information.
Why does it matter?
Failure to comply with the APPs may lead to penalties of up to $1.7 million (for corporations) and up to $340,000 (for individuals) where the corporation or individual seriously or repeatedly interferes with a person’s privacy.
These tips are not an exhaustive list of considerations, and you should consult the APP 12 and APP 13 guidelines or contact us for more information.
Privacy awareness week
This article is part of our series on handling personal information as part of Privacy Awareness Week. As an official partner of the Office of the Australian Information Commissioner’s privacy awareness campaign, Cooper Grace Ward will be publishing a series of articles that relate to:
- how your business can collect personal information;
- how your business can engage in direct marketing;
- how your business should handle requests to access and correct personal information;
- the importance of a social media policy; and
- how your business can organise internal privacy awareness and training.