How to Handle Privacy Access Requests - AU Privacy Act

The issue of online data privacy and protection has been front of mind for privacy advocates and legislators since the European Union's General Data Protection Regulation (GDPR) took effect in May 2018, and the emphasis has since shifted from passing privacy laws to enforcing them.

Australia, however, was ahead of the curve: the Commonwealth passed its Privacy Act (referred to here as the Australian Privacy Act, or APA) back in 1988. That law predates the public World Wide Web, which did not arrive until 1991, and it originally applied only to Commonwealth agencies; coverage of the private sector was added by amendments that commenced in 2001. From the start, though, it established a standard for an individual's right to access the personal information held about them.

If the APA applies to your business (the coverage rules are set out below), it gives your customers the right to ask for access to the personal information you hold about them. For example, consumers may ask for information such as:

  • Healthcare data
  • Government records containing personal data
  • Personally identifiable data

The act also sets out what you must do when you receive such a request. There are circumstances in which you may refuse an access request, provided you have a valid reason under the act, but these are the exception rather than the rule.

Below, we'll go over precisely what you should know when it comes to complying with the APA's requirements for how businesses should deal with privacy access requests.

Let's start with the basics.

The APA was enacted to protect the personal information of individuals in Australia and to regulate how that information is handled by Australian Government agencies and, since 2001, by private-sector businesses.

The act's core term is "personal information", and a subset of it is "sensitive information" (such as health, criminal record, sexual orientation and religious belief data), which attracts stricter handling rules. Examples of both include:

  • Criminal records
  • Sexual orientation
  • Email address
  • Religious beliefs
  • Consumer's name

The APA's jurisdiction covers both the government as well as the private sectors.

The act defines an organization as:

  • An individual, including a sole trader (though generally not an individual acting in a personal capacity)
  • A corporate body
  • A partnership
  • Any other unincorporated association
  • Trusts

An exception applies if any of the above is also a small business operator, a registered political party, an agency, a state or territory authority, or a prescribed instrumentality of a state or territory.

A small business operator is, broadly, a business with an annual turnover of AUD 3 million or less, so the organizations above must generally have an annual turnover above $3 million to be bound by the APA's privacy regulations.

However, the APA does cover specific types of small businesses with an annual turnover of $3 million or less, including:

  • A company that is related to a business that is covered by the Privacy Act
  • A company that holds accreditation under the Consumer Data Right System
  • An employee association registered or recognized under the Fair Work (Registered Organisations) Act 2009
  • A contracted service provider for an Australian Government contract
  • A credit reporting body
  • A company that sells or purchases personal information
  • A private-sector health service provider (an organization that provides a health service)

Additionally, even if your company isn't located in Australia, if it carries on business in Australia and falls under the act's definition of an organization, it is obliged to comply with the act's privacy regulations.

The APA also regulates medical and health reporting in addition to credit reporting.

With all that said, there are specific aspects of the APA that you should pay close attention to as a business owner.

Chief among these are the 13 Australian Privacy Principles (APPs), set out in Schedule 1 of the act. The principles are technology-neutral and outcome-based: they leave businesses and agencies free to design their own processes and systems for collecting and securing personal information, with the caveat that whatever methods you put in place must still meet the APP standards and the rest of the APA.

Similar to the GDPR in some ways, the APPs of the APA cover:

  • Your obligations in regard to sensitive, private information
  • How you collect, use, and transfer private data
  • Transparency between your business and consumers
  • The rights of consumers to access their sensitive information

What is Personal Information Under the APA?

According to the APA, personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • Whether the information or opinion is true or not, and
  • Whether the information or opinion is recorded in a material form or not

The act doesn't give examples of personal information beyond that definition. In practice, and per the OAIC's APP Guidelines, whether something is personal information depends on context: information that doesn't name anyone can still be personal information if the individual is reasonably identifiable from it, including when it is combined with other information you hold.

Private data examples include the following:

  • First and last names
  • Email addresses
  • Online usernames and passwords
  • Mailing addresses
  • Financial information

If you collect, process, use, share, or store this kind of personal information, then Australian consumers have the right to request access to it. (If your systems could hand back a password in plaintext, that is a security problem in its own right: APP 11 requires you to take reasonable steps to protect the personal information you hold, and passwords should be stored only as salted hashes.)

Rights to Privacy Access

The APA provides individuals with the right to request access to their personal information. Specifically, under APP 12 they have the right to request access to the personal information held about them by APP entities, that is, Australian Government agencies and the private-sector organizations covered by the act.

The requested information may be about the individual alone, or it may also be about another person (a marriage certificate, for example, contains personal information about both spouses).

When a consumer makes an access request, they don't have to do so in any specific format or manner. APP 12 leaves it up to your business to decide what process it invites consumers to follow when requesting access to their data.

With that said, whatever process you choose, formal or informal, must adhere to the APP's overall standards. Also, APP 12 only applies to personal information your business "holds".

Under the act's definitions, you hold personal information if you have possession or control of "the record that contains the personal information." Simply put, if a third party has physical possession of a hard copy of the information but you control access to it, your business is the holder of the record in question.

A consumer's access rights are spelled out by APP 12. The first thing to remember is that, barring an exception, you must honor a request if you receive one. As APP 12.1 states:

12.1 If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.

Take into account that there are exceptions to this.

For example, an agency may refuse access where it is required or authorized to do so under the Freedom of Information Act, any other Act of the Commonwealth, or a Norfolk Island enactment. An organization, by contrast, may refuse where it reasonably believes that "giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety."

Above, we mentioned that your business may lay out a procedure for consumers to request access to their personal data, as long as it adheres to the act's overall standards. However, you can't force consumers to follow that procedure.

In other words, say your Privacy Policy asks consumers to use a web form, and a consumer sends an email instead. You're still required to handle that request under the APA.

As the OAIC's APP Guidelines state:

There are no formal requirements under APP 12 for an individual to make an access request. You may ask an individual to follow a particular procedure, such as filling out a form, but you cannot require individuals to do this. However, developing a simple process may assist both yourself and the individual when dealing with access requests. Additionally, your APP Privacy Policy should set out how an individual may access their personal information (APP 1.4(d)).

Additionally, you can't stall or put the request off. An agency must respond within 30 days after the request is made; an organization must respond within a reasonable period, which the OAIC's guidance indicates will usually mean within 30 calendar days (APP 12.4).

An agency must not charge for access at all. An organization must not charge the individual for making the request, and any charge for giving access must not be excessive (APP 12.8).

Inform Users of the Right to Access

APP 1.4(d) requires your Privacy Policy to set out how an individual may access the personal information you hold about them and seek its correction, so written notice of the right to access, and of how to exercise it, belongs in that policy. Here's how KPMG does it:

KPMG Privacy Policy: Access to Personal Information clause

Make it as easy as possible for people to request access, and make sure your instructions are clear and straightforward for your average person to understand.

What to Do When You Receive an Access Request

The process you should follow after receiving a privacy access request looks something like this under APP 12:

  1. Ask yourself if you can verify the identity of the consumer requesting access.

    • If the answer is "no," then you do not disclose personal information
    • If the answer is "yes," then you need to try to locate the requested information

      • If you cannot locate the information, you must provide the consumer with written notification of that fact.
      • If you can locate the information, you must ask yourself if there is a valid reason to deny access.

        • If there is no reason to deny access, ask yourself if you can provide access to the consumer in the manner requested. If not, you must ascertain if there is an alternative method for delivering the requested data to the consumer.

Let's look at this process in more detail.

Identity Verification

If you receive a request for privacy access, it will likely come from an individual. However, you may also receive a request from an authorized agent, a legal guardian, or through power of attorney.

The manner in which you verify a consumer's identity might be against documents such as the following (photo identification where the sensitivity of the information warrants it):

  • A passport
  • Driver's license
  • Residency card
  • Student card
  • Credit card
  • Employment identity card

Some information is more sensitive than other information (health records, for example), and for that you may need a more rigorous identity verification process.

The act itself doesn't prescribe a verification method; it requires you to take reasonable steps, proportionate to the sensitivity of the information, before giving access. Options include checking a photo ID against the appearance of the individual in person, confirming details across more than one document, or verifying the requester over the phone or via contact details you already hold for them. Keep in mind that an access request is itself an attack vector: someone impersonating a customer can use it to extract that customer's data, so verify through channels you already trust before disclosing anything, and record how you verified. At the same time, don't collect more identity information than you need to verify the request (APP 3 limits collection to what is reasonably necessary for your functions), and don't keep copies of identity documents longer than necessary.

Locate the Information

When it comes to locating a consumer's private data, you must first be sure that you are in possession of the information or that you control it. That information can be in the form of hard copies, digital copies of documents, electronic calendars, emails, and more.

A consumer doesn't have to specify the exact records they want; they can ask for all of the personal information you hold about them. If a request is broad or unclear, you may ask the consumer to clarify or narrow it, but no rule says you must provide anything beyond what is actually asked for.

However, you are required to take reasonable steps to ensure that the consumer receives the requested information. Some of these measures might be contacting third parties to whom you've outsourced work, checking with contractors and staff, and of course, searching through your own databases.

Refusal of the Request

As noted at the beginning of this article, there are times when you are allowed to refuse a privacy request, although those instances are rare.

Here's a partial list of the circumstances (set out in APP 12.3) under which an organization is permitted to refuse:

  • Giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety
  • Giving access would have an unreasonable impact on the privacy of other individuals
  • The request is frivolous or vexatious (for example, repeated requests for the same information made only to harass)
  • The information relates to existing or anticipated legal proceedings with the requester and would not be accessible through discovery
  • Giving access would reveal your intentions in negotiations with the requester
  • Giving access would be unlawful, or denying access is required or authorized by law
  • You have reason to suspect unlawful activity or serious misconduct relating to your functions, and giving access would likely prejudice action being taken about it
  • Giving access would be likely to prejudice enforcement-related activities of an enforcement body
  • Giving access would reveal evaluative information in connection with a commercially sensitive decision-making process

If you refuse access, or refuse to give it in the manner requested, APP 12.9 requires you to give the individual written notice of the reasons (unless that would itself be unreasonable) and of the complaint mechanisms available to them. Where a ground applies only to part of the information, give access to the rest, and under APP 12.5 and 12.6 you must take reasonable steps to find a way of giving access that meets both parties' needs, including through a mutually agreed intermediary.

In Conclusion

Suppose you own or run a company in the private sector that holds data on Australian residents. In that case, you must comply with the regulations within the APA.

The bottom line is that you must give consumers access to their private data if they request it unless there is a valid reason to refuse.

Remember that an agency cannot charge for access at all, and an organization cannot charge anyone for making the request; an organization can recover reasonable, non-excessive costs of giving access, such as postage, staff time spent searching records, and the cost of producing or sending copies.

William B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.