Chapter 15
Australian Privacy Principle 12–access to personal information
Introduction
15.1
Australian Privacy Principle 12 (APP 12) ensures that a person can
access their own personal information held by an entity other than when exceptions
to granting access apply. APP 12 also provides for how entities are to
deal with requests for access, access charges and how entities should respond
to an individual when access is refused.[1]
15.2
It is noted in the Companion Guide that APP 12 is aimed at ensuring
that individuals have access to the information that entities hold about them
and that there is opportunity to correct inaccurate, irrelevant and out-of-date
information. There are a limited number of circumstances in which an entity may
refuse to give individuals access to their own personal information. However,
in these circumstances entities have an obligation to provide as much access as
is possible in the circumstances to meet the needs of the individual and the
entity.[2]
Background
15.3
APP 12, together with APP 13 (correction of personal
information), replaces existing Information Privacy Principle 6 (IPP 6),
and National Privacy Principle 6 (NPP 6). Currently, agencies must provide
access to personal information under IPP 6 except to the extent that an
agency is required or authorised to refuse access under any law of the
Commonwealth that provides for access by persons to documents. IPP 6
provides individuals with the same rights as the Freedom of Information Act
1982 (FOI Act).[3]
15.4
NPP 6 provides that generally, an organisation that holds personal
information must provide the individual with access to the information. A list
of situations where access can be denied or limited is also provided in
NPP 6. Where an organisation is not required to give access, it must
consider whether the needs of both parties can be met through the use of a
mutually agreed intermediary. NPP 6 also provides that an organisation
must take reasonable steps to correct personal information that it holds, if
the individual to whom the information relates, is able to establish that it is
not accurate, complete and up-to-date. Where there is a disagreement about the
accuracy of the information, the organisation, if requested by the individual,
is to take reasonable steps to associate with the information a statement
claiming the information is not accurate, complete or up-to-date.[4]
15.5
The Australian Law Reform Commission's (ALRC) review of the access
provisions of the Privacy Act considered both the structure of the principle
and how the access provisions should be framed, particularly to allow for a
unified principle for agencies and organisations.
15.6
The ALRC came to the view that it was possible for the 'Access and Correction'
principle to apply equally to both agencies and individuals and recommended
this change.[5]
The ALRC also compared the structure of NPP 6, which contains both
general, high-level provisions and more detailed, relatively prescriptive
provisions, and IPP 6, which contains more general rules.
15.7
The ALRC concluded, as it had in its earlier report, Review of
Australian Privacy Law (DP72), that NPP 6 should form the basis of the
unified 'Access and Correction' principle.[6]
The ALRC pointed to the following matters for this conclusion:
- the NPP structure is preferable because the relevant and
applicable legislation is not fragmented among several separate Acts, as is the
case under the IPP structure. For example, the IPPs do not contain procedural
provisions for agencies to follow when processing applications for access. Instead,
the IPPs rely on 'administrative machinery' contained within the FOI Act;[7]
- the NPP structure is comparatively simpler to navigate, to
understand and to use;
- if the IPP structure prevailed in the development of the new APP
regime, transferring the administrative machinery of the FOI Act into the APP
legislation would require the Privacy Principles to be redrafted so that their
'provisions...operate as conventional statutory provisions, as distinct from
principles'. Such a fundamental change in the character of regulation would be
a reorienting from principles-based regulation to rules-based regulation; a
change which the ALRC did not support;[8] and
- a radical restructuring of the regulatory regime for organisations
would impose 'a greater compliance burden, particularly on organisations that
would have to update their privacy protection regimes'.[9]
15.8
In considering how the access provisions should be framed, the ALRC distinguished
between the right to obtain access in IPP 6 and the obligation on
organisations to provide access in NPP 6. The ALRC concluded that the
provision should be expressed as an obligation on an agency, rather than an
entitlement of an individual. A further point of difference between IPP 6
and NPP 7 is that the former applies to personal information that is in an
agency's 'possession or control' while the latter applies to personal
information 'held by an organisation'. The ALRC concluded that the word 'held'
should be retained in the 'Access and Correction' principle with 'held'
including those documents over which an entity has 'constructive possession'.[10]
15.9
While both the IPPs and NPPs place obligations on agencies and
organisations to provide individuals with access to personal information that
they hold about the person, the exceptions for this obligation differ. The
ALRC's view was that exceptions to the 'Access and Correction' principle should
be consistent with the FOI Act and the Archives Act 1983 (Archives Act) as
individuals should not be able to compel access under the Privacy Act that
would otherwise be exempt under the FOI Act or the Archives Act.[11]
In relation to the content of the exceptions, the ALRC made the following
comments:
- threat to life or health: an individual should not be able
to obtain personal information that an organisation holds about him or her if
providing access would pose a serious threat to the life or health of an
individual; and
- other exceptions to access: the existing exceptions in
NPP 6 should be included in the 'Access and Correction' principle.[12]
15.10
The ALRC also considered the use of third party intermediaries where
access to information has been lawfully denied as currently provided for in NPP 6.3
in certain cases. The ALRC commented that it was important that there is a
provision requiring an agency or organisation to take reasonable steps to
provide an individual with as much personal information as possible, in
circumstances where access to the information legitimately can be refused and
stated 'such a provision allows for a more flexible, nuanced approach to
requests for access where direct access is not appropriate'.[13]
15.11
However, the ALRC did not support the present requirement in
NPP 6.3 that an organisation must 'consider' the use of a mutually agreed
intermediary. The ALRC saw the potential for abuse of this provision in that
organisations could comply with the requirement by briefly contemplating, and
then immediately rejecting, such a course of action. In addition, the ALRC
considered that the intermediary requirement proposed in DP72, that an
organisation 'reach an appropriate compromise' with an individual seeking
access to personal information, was ambiguous and that there was a need for a
more clearly stated requirement. The ALRC therefore recommended the 'Access and
Correction' principle should provide that where an entity is not required to
provide an individual with access to his or her personal information, the entity
must take such steps, if any, as are reasonable to provide the individual with
as much of the information as possible, including through the use of a mutually
agreed intermediary.[14]
15.12
The ALRC also considered the procedural requirements for access. While NPP 6
contains procedural requirements for organisations including limits on the
charges that they can levy for providing an individual with access, the IPPs do
not. The ALRC concluded that procedures imposed on organisations under the
'Access and Correction' principle should also apply to agencies. In addition, the
ALRC commented specifically about the following procedural matters:
- fees: fees charged by an organisation for providing access
to information, as contained in NPP 6.4, should be continued. However, it
was not recommended that these provisions be extended to agencies;
- timeliness of response: both agencies and organisations
should respond to requests for access within a reasonable time;
- manner of providing access: the 'Access and Correction'
principle should require agencies to take reasonable steps to provide access in
the manner requested by the individual; and
- level of detail of the provisions: the ALRC did not
support binding schedules or frameworks for the provisions as there would be
practical difficulties with such an approach and the use of high-level
principles was consistent with its broader approach to privacy regulation.[15]
15.13
In relation to reasons for a decision to deny access to personal
information, the ALRC concluded that it is an important element of procedural
fairness for the individual to be provided with the reason for the adverse
decision. However, there may be situations where providing the reason for the
decision could undermine the reason the agency or organisation has denied the
access and in these situations the ALRC did not support the provision of
reasons. The ALRC also recommended that the individual should be provided with
the avenues for complaint.[16]
15.14
The ALRC also recommended that the Office of the Privacy Commissioner
develop and publish guidelines to ensure that agencies and organisations are
provided with clear guidance on how the changes should be applied.[17]
Government response
15.15
The Government accepted, accepted with amendment, or accepted in
principle all of the ALRC's recommendations in relation to access and
correction. In accepting that a unified 'Access and Correction' principle
should apply to both agencies and organisations, the Government noted the
implications for the interaction between the Privacy Act and the FOI Act and
stated:
- as part of proposed reforms to the FOI Act, it was announced that
the Privacy Act would be amended to enact an enforceable right of access to,
and correction of, an individual's own personal information, rather than
maintaining the right through the FOI Act;
- that it would be necessary to recognise the additional
responsibilities of Government in relation to the disclosure of some categories
of information and documents;
- that amendments will make it clear that the right to access and
correct information held by agencies will be provided by the Privacy Act rather
than the FOI Act although the right to access some personal information will
remain under the FOI Act; and
- processes around reviews of agency access and correction
decisions under the Privacy Act will be aligned as closely as possible with
reviews under the FOI Act.[18]
15.16
The Government accepted with amendment recommendation 29–3 which
provided that where an organisation holds personal information about an
individual, it is not required to provide access to the extent that providing
access would be reasonably likely to pose a serious threat to the life or
health of an individual. The Government response indicated that to ensure
consistency, a 'serious threat' should refer to 'life, health or safety'.
15.17
The Government also accepted with amendment recommendation 29–7 which
contains the obligation to respond to an access request within a reasonable
time and to provide access in a manner requested by the individual, where
reasonable and practicable. The Government commented that the ALRC was silent
on the issue of entities charging for access; however, the Government agreed
that where an organisation imposes a charge for access, it should not be
excessive and must not apply to lodging a request for access.
15.18
The Government accepted with amendment the recommendation relating to
denial of a request for access. The Government commented that the principle
should explicitly provide for situations where providing reasons would
undermine the reason for denying the request for access. Further, the principle
should recognise that, where reasons can be provided for an adverse decision, the
reasons should specify any relevant exceptions, requirements or authorisations
relied upon in making the decision.[19]
Issues
15.19
The Australian Institute of Credit Management supported APP 12.[20]
However, other submitters raised several issues in relation to APP 12
including the enforceable right of access; the range of exceptions; and time
limits for processing applications.
Enforceable right of access
15.20
The Victorian Privacy Commissioner commented that the Government had
announced, as part of the reform of the FOI Act, that the Privacy Act would be
amended to provide for an enforceable right of access to an individual's own
personal information. While noting the importance of the right of an individual
to access and correct their personal information, the Victorian Privacy
Commissioner stated that 'the language of APP 12 does not currently
reflect this'.[21]
15.21
The Companion Guide notes that an enforceable right of access to (and
correction of) an individual's own personal information 'does not appear on the
face of Australian Privacy Principles 12 and 13'. It was noted that this is because
there are a large number of technical issues in relation to the way that the Privacy
Act and FOI Act will interact 'that have not yet been fully resolved'. The
Companion Guide also stated that the APPs set up some of the technical
infrastructure that will link into other provisions of the Privacy Act and
provide the means for merits review as well as provision for additional notice
requirements to be prescribed by the regulations. The Companion Guide
concluded:
This ensures that there is basic content for notification of
decision contained in the legislation, but with capacity to prescribe
additional requirements so that the provisions of the Privacy Act are
consistent with those in the Freedom of Information Act 1982.[22]
Structure and terminology
15.22
Submitters were concerned by loose and overly complex language and the
repetition of clauses in APP 12. The Office of the Privacy Commissioner (OPC)
for example, suggested the removal of the apparently redundant section APP 12(5)(a)
as the following paragraph refers to refusing access under relevant provision.
This would result in a simplified structure for APP 12(5).[23]
Privacy NSW noted that the exceptions in APP 12(3) were 'dense and
complex'.[24]
15.23
The Department of the Prime Minister and Cabinet responded:
This single principle is more lengthy and prescriptive than
other APPs (eg collection, use and disclosure) for a number of reasons. First,
it is intended to consolidate the existing access and correction obligations in
IPPs 6 and 7 for agencies and NPP 6 for organisations. It is also intended
to clarify the existing overlap between the Privacy Act and the FOI Act, with
the provisions and administrative machinery under the FOI Act being, in
practice, the primary means for dealing with access and correction requests
from individuals. In addition, it was also necessary to outline the separate
and broader range of exceptions to access for organisations. Finally, it was
necessary to set out the process once a request for access is received.[25]
Conclusion
15.24
The committee has provided comments concerning the issue of complexity
of the APPs in chapter 3 of this report. As noted in that chapter, the
committee considers that some fine tuning of the APPs would improve clarity and
simplicity particularly through the use of more concise language and
elimination of redundant clauses.
Exceptions
15.25
APP 12(2) contains exceptions to access if the personal information
is held by an agency and APP 12(3) contains exceptions to access if the
personal information is held by an organisation. Professor Greenleaf and Mr
Waters argued that proposed APP 12(2) and 12(3) expand on the current
grounds for refusing access, and includes new exceptions, 'without any
convincing justification'.[26]
15.26
Other submitters raised concerns with the exceptions in relation to
organisations. The Law Institute of Victoria (LIV) commented on two of these exceptions.
The first, APP 12(3)(b), provides an exception where giving access would
have an unreasonable impact on the privacy of other individuals. The LIV
considered that this exception may be difficult to apply where information about
an individual is an opinion, as this is potentially the personal information
not only of the person who is the subject of the opinion, but of the person who
holds that opinion. In relation to the exception contained in APP 12(3)(e)–where
giving access would reveal the intentions of the entity in relation to
negotiations with the individual in such a way as to prejudice those
negotiations–the LIV raised concern about the broad nature of the provision. The
LIV commented that there appeared to be no limitations or parameters about what
phase of negotiations the parties are in, such as whether the negotiations need
to be already commenced, or at least reasonably anticipated, before this clause
becomes operative.[27]
15.27
Dr Colin Bennett criticised the inclusion of the 'frivolous or
vexatious' exception (APP 12(3)(c)) as 'the right to access one's personal
information is a human right, regardless of motive' and submitted that the
'frivolous or vexatious' exception under APP 12(3)(c) is open to abuse 'especially
where individuals might be in conflict with a particular organization over a particular
matter, and reasonably want to know everything the organization holds on them'.
Dr Bennett concluded:
At the very least, the provision should state that the
organization should be obliged to report and account for the use of this
discretion.[28]
15.28
The Office of the Health Services Commissioner (OHSC) also raised
concerns in relation to APP 12(3)(c) and stated that this was not an appropriate
exception in relation to health information because 'a person has a right to
access their health information, even if the contents are brief'. The OHSC commented
further that an individual does not require a reason to access their health
information, and such an exception is likely to lead to organisations refusing
access 'without good reason'. The OHSC believed that the other exceptions
available to organisations under APP 12(3) provide sufficient protection for
organisations to refuse access without APP 12(3)(c) being necessary also.[29]
15.29
Google's submission discussed the international dimension of Google's
business and operations. Google noted that entities operating in Australia are
subject not only to Australian regulation but also foreign regulation, such as in
the case of a business based in one country with activities in another country being
required to comply with regulations of both countries. Google noted that due to
these requirements to comply with foreign laws, the reference to 'Australian
law' in APP 12(3)(g) should be amended so that the need to comply with
foreign laws also constitutes an exception under APP 12(3).[30]
15.30
The exception related to information which is generated in connection
with a commercially sensitive decision-making process (APP 12(3)(j)), was
compared to the current provisions provided by its equivalent, NPP 6.2.
The OPC noted that in NPP 6.2, an organisation 'may give the individual an
explanation for the commercially sensitive decision rather than direct access
to the information'. The OPC commented that although it may be intended that
the existing right is given effect by way of APP 12(5) and APP 12(9),
it is unclear and should be clarified so that the right to be given reasons for
a decision is preserved.[31]
Dealing with requests for access
15.31
The OHSC raised concerns with APP 12(4)(b) which requires that the
entity must give access in the manner requested by the individual, if it is
reasonable and practicable to do so. The OHSC considered that such an exception
should not apply in relation to personal health information. It argued that as
most people seek access in the form of a copy, the exception may permit
organisations to offer personal inspections of records rather than providing
access in the manner requested. This alternative would be more expensive for
individuals, as supervision by a staff member would be required. The OHSC
concluded that such an outcome 'would be unsatisfactory and contrary to the
principle of patient autonomy that applies in a health setting'.[32]
15.32
The Public Interest Advocacy Centre (PIAC) commented on the inclusion of
the term 'where reasonable and practicable'. This matter was first raised
during the ALRC consultation process. PIAC commented:
...the limit on the obligation in UPP 9.5 created by the
inclusion of the term 'where reasonable and practicable' could very easily
result in unlawfully discriminatory limits on access both in terms of format of
information and in terms of any requirement to travel to a particular location
to access that information.[33]
Time limits for responses
15.33
APP 12 requires agencies to respond to requests for access within
30 days (APP 12(4)(a)(i)) and organisations to respond to requests 'within
a reasonable period' (APP 12(4)(a)(ii)). This preserves the current
arrangements in the Privacy Act.
15.34
Westpac was the only submitter to voice a preference for not setting
clear timeframes, instead supporting the proposed regime:
Westpac notes and supports the approach of
"reasonableness" when determining a timeframe for a response to an
individual, in preference to setting a specified period in which to comply. In
developing guidance for industry regarding reasonable response times, we
recommend the OPC engage closely with industry to develop flexible and
appropriate guidance.[34]
15.35
Other submitters called for greater clarity as to the timeframe in which
an organisation is to respond to a request for access. The OPC submitted that
the differing standards under APP 12(4) between agencies and organisations 'may
unintentionally imply that a reasonable period for organisations to provide access may
be longer than 30 days'.[35]
The OPC noted that guidance produced by the Office suggested access should be
granted within 14 days, if granting access is straightforward, or within 30
days, if access is more complicated. The OPC suggested that a note under
APP 12(4)(a) could clarify that a reasonable period would not usually be
longer than 30 days.[36]
15.36
The OHSC commented that a fixed timeframe was preferable in the health
sector and would remove uncertainty. The OHSC also noted the Victorian Health
Records Act contains a requirement that organisations respond to a request for
access within 45 days.[37]
Other means of access
15.37
APP 12(5) provides that where an entity refuses access, or refuses
to give access in the manner requested, the entity must take such steps as are
reasonable to give access in a way that meets the needs of the entity and the
individual. The Australian Bankers' Association commented that this obligation
'should provide, in the majority of cases, a workable outcome and avoid
escalation of any disagreement'.[38]
However, Abacus Australian Mutuals questioned the need for this additional
obligation on an entity 'particularly given the fact that the listed exceptions
to access are well founded'.[39]
15.38
The OPC submitted that by referring to the needs of the entity, the
emphasis is shifted away from the individual and suggested that the phrase 'the
needs of the entity' should be removed. The OPC concluded that the reasonable
steps requirement allows sufficient flexibility to meet an entity's needs and
obligations under APP 12.[40]
Access charges
15.39
APP 12(8) allows for entities to charge for access so long as the
charge is not excessive and does not apply to the making of the request for
access. The LIV commented that an entity is not necessarily precluded from
charging unreasonable amounts or profiteering. The LIV suggested that
'excessive' be replaced with 'reasonably necessary to recoup the costs incurred
by the entity'.[41]
Conclusion
15.40
The committee considers that it is important to ensure that balance
exists in the privacy regime between the interests of individuals and entities.
Conversely, there should not be an excessive number of exceptions which may
inhibit an individual's right to access personal information. In discussion of
APP 12, the Companion Guide states:
There are a limited number of circumstances in which an
entity may refuse to give individuals access to their own personal information.[42]
15.41
However, submitters raised concern that some of these 'limited' exceptions
are broad, open-ended, and may be open to abuse. The committee considers that
this may not only give rise to confusion, but also the potential for
unwarranted denials of access to personal information. In particular, the
committee is mindful of the comments of the Law Institute of Victoria that the
exception in relation to negotiations (APP 12(3)(e)) is too broad as well
as the comments in relation to the 'frivolous or vexatious' exception
(APP 12(3)(c)) particularly its application in the health sector. The
committee considers that the negotiations exception in APP 12(3)(e) could
be improved by providing greater clarity as to when this exception may be
invoked.
15.42
The OPC also commented that the exception concerning commercially
sensitive decision making processes (APP 12(3)(j)) does not contain the
currently provided for option of an organisation providing an explanation
rather than direct access. While the ALRC noted that concerns were raised by
privacy advocates that the option of an explanation instead of direct access could
be used inappropriately to deny direct access, the OPC considered that
individuals should retain the same rights as are currently contained in the
Privacy Act. The committee agrees with this approach and considers that further
consideration should be given to this exception.
Recommendation 26
15.43
The committee recommends that, in relation to the proposed exceptions
provided for in APP 12(3):
- the Australian Information Commissioner provide guidance in
relation to the application of the 'frivolous and vexatious' exception
(APP 12(3)(c));
- clarity be provided as to the stage at which the negotiations
exception in APP 12(3)(e) may be invoked; and
- further consideration be given to the exception in
APP 12(3)(j) in relation to commercially sensitive decisions to ensure
that the rights currently provided for in the Privacy Act 1988 are not
diminished.
15.44
The committee notes the absence of a prescribed timeframe in which
organisations are required to respond to requests for access. It considers that
this appears to be inconsistent with the spirit of the principle as outlined in
the Companion Guide, in that individuals are to be provided with the right of
access to their personal information. While some submitters called for a fixed
timeframe to be applied to organisations, the committee notes the comments by
the Office of the Privacy Commissioner in relation to guidance already provided
by the office and the suggestion that a note be added to APP 12(4)(a). The
committee agrees with the comments of the Office of the Privacy Commissioner
and recommends that a note be added to APP 12(4)(a) to clarify that a
reasonable period of time in which an organisation must respond to a request
for access would not usually be longer than 30 days.
15.45
In relation to access charges, the Law Institute of Victoria recommended
that the costs clause in APP 12(8) be amended from organisations not
charging 'excessive' fees to charging fees 'reasonably necessary to recoup
costs incurred by the entity'.[43]
Such an amendment would permit organisations to recoup actual costs but not to
charge unreasonable amounts or to profiteer. The committee therefore supports the
Law Institute's recommendation.
Recommendation 27
15.46
The committee recommends that a note be added to proposed APP 12(4)(a)
to clarify that a reasonable period of time in which an organisation must
respond to a request for access would not usually be longer than 30 days.
Recommendation 28
15.47
The committee recommends that APP 12(8) be amended so that it is made
clear that access charges imposed by organisations should only be charged at a
level reasonably necessary to recoup costs incurred by the entity.
15.48
The committee also notes that the exposure draft on the powers and functions
of the Australian Information Commissioner will clarify the enforcement aspects
of the access and correction principles in light of moving from the Freedom of
Information regime to the privacy regime.