To avoid enforcement action, reputational damage, and legal issues, you need to handle data and privacy access requests correctly.
The UK Information Commissioner's Office reports annually on the most common type of complaints it receives. Every year, the number one spot goes to complaints about the improper handling of subject access requests. And it's an issue in other countries as welll, such as in Canada and Australia.
This article will help you understand the rules on how to properly handle a subject access request in the EU, Canada and Australia, the information you need to provide, and how to create a system that saves time for you and your users.
One of our many testimonials:
- 1. How to Handle GDPR Subject Access Requests - EU
- 1.1. Key Concepts
- 1.2. Carrying Out a GDPR Subject Access Request
- 1.2.1. What Personal Data Do I Need to Provide?
- 1.2.2. Can I Ask for ID?
- 1.3. What If the Request Includes Information About Other People?
- 1.3.1. What Other Information Do I Need to Provide?
- 1.3.2. How Long Do I Have to Respond?
- 1.3.3. Can I Charge a Fee?
- 1.3.4. Can I Refuse a Request?
- 1.3.5. Isn't This All a Huge Hassle?!
- 1.4. Your GDPR Subject Access Request Solution
- 1.4.2. Creating a GDPR Subject Access Request Form
- 1.4.3. Provide a User Interface Solution
- 1.5. Summary of GDPR Subject Access Requests
- 2. How to Handle PIPEDA Subject Access Requests - Canada
- 2.1. PIPEDA Overview
- 2.1.1. Who Does PIPEDA Apply to?
- 2.1.2. Does PIPEDA Apply to Non-Canadian Companies?
- 2.1.3. Does PIPEDA Apply in Every Canadian Province?
- 2.1.4. Other PIPEDA Requirements
- 2.2. Privacy Access Requests Under PIPEDA
- 2.2.1. What Information Must be Provided to the Individual?
- 2.3. Inaccurate or Incomplete Information
- 2.3.1. Timeframe
- 2.3.2. Charging a Fee
- 2.3.3. Verifying an Individual's Identity
- 2.4. Refusing a PIPEDA Privacy Access Request
- 2.4.1. Oral Requests
- 2.4.2. Breach of Third-Party Privacy
- 2.4.3. Solicitor-Client Privilege
- 2.4.4. Confidential Commercial Information
- 2.4.5. Threats to Life or Security
- 2.4.6. Legal Investigations
- 2.4.7. Dispute Resolution
- 2.4.8. Whistleblowing
- 2.4.9. Subpoenas, Warrants, or Orders
- 2.5. Summary of PIPEDA Subject Access Requests
- 3. How to Handle AU Privacy Act Subject Access Requests - Australia
- 3.1. Brief Background on Privacy Access Requests and the APA
- 3.2. Who the APA Applies to
- 3.3. What is Sensitive Information Under the APA?
- 3.4. Rights to Privacy Access
- 3.4.1. Inform Users of the Right to Access
- 3.5. What to Do When You Receive an Access Request
- 3.5.1. Identity Verification
- 3.5.2. Locate the Information
- 3.5.3. Refusal of the Request
- 3.6. Summary of AU Privacy Act Subject Access Requests
How to Handle GDPR Subject Access Requests - EU
One of the chief goals of the GDPR is to provide data subjects with more control over how data controllers process their personal data.
Part of this is the right to access data a business holds about a consumer.
Let's look deeper at what the GDPR requires, and how you can comply.
Here are three of the GDPR's key definitions:
- Data subject - a living individual who can be identified by personal data
- Data controller - an entity that decides why and how to process personal data
- Personal data - information associated with a data subject
Your business is almost certainly a data controller in at least some respects.
From the perspective of your business, data subjects can be:
- Your customers
- Your potential customers
- Your employees
- Your ex-employees
- Your job candidates
- Users of your mobile app
- Visitors to your website
- Anyone else whose personal data your business might collect
The GDPR gives data subjects eight powerful data subject rights over their personal data:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights related to automated decision-making
A subject access request is how data subjects can exercise their right of access.
Carrying Out a GDPR Subject Access Request
A subject access request allows data subjects to request a copy of their personal data from data controllers, along with information about how the data controller uses their personal data.
Data processors can also be involved in carrying out a data subject request. A data processor may need to retrieve the relevant personal data on behalf of its data controller. But a data processor does not provide personal data to the data subject directly.
What Personal Data Do I Need to Provide?
You must provide all the personal data you hold about the data subject.
Under the GDPR, all sorts of information can be personal data, including:
- Contact details
- ID numbers
- Online identifiers such as username, IP address, or cookie ID
- Information about a person's preferences or habits (cookies can reveal this)
- Subjective information about a person (emails about them)
There are no exceptions for particular types of personal data.
Can I Ask for ID?
You can request ID if you're uncertain about the identity of the data subject.
Act proportionately. If the data subject has an account with you, you might only need to request they log into it. Don't be obstructive.
What If the Request Includes Information About Other People?
You must take care only to provide information about the data subject making the request.
However, avoiding revealing the personal data of others can be difficult in some cases. For example, the data subject might want copies of emails that name other people.
You shouldn't automatically refuse to provide the data subject with documents that mention other people. You might be able to redact such documents.
Where it is impossible to redact information, or where it would require disproportionate effort to do so, you should seek advice from your Data Protection Authority.
What Other Information Do I Need to Provide?
The GDPR requires data controllers to provide extensive information about how and why they process a data subject's personal data.
The GDPR lists eight types of information that data controllers must make available to data subjects on request.
Here's a breakdown of the information you might have to provide:
|Text from the GDPR||Translation||Example|
|The categories of personal data concerned||What types of personal data do you hold on the data subject?||We collect your full name, email address, shipping address. We also collect information about how you use our website and app.|
|The purposes of the processing||Why are you holding this personal data? What are you actually doing with it?||We use your personal data for activities such as processing your payment, and sending you your product. We also want to learn how you use our website and app so we can make improvements to it.|
|The recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organizations||
What types of companies do you share personal data with? Are any of them based outside of the EU?
(Note that you aren't actually required to reveal the names of specific companies, but you can do so.)
We may share your personal data with trusted business partners such as payment card processors, mail carriers, email marketing companies, and data analytics companies.
We may also need to share your personal data with legal authorities upon receipt of a valid court order.
Our email marketing partner, MonkeyMail, is based in Canada, a non-EU country.
|Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period||
How long do you intend to keep hold of the data subject's personal data?
You might not have a predetermined period of months or years. So, how else do you decide when to delete personal data?
We store your name and email address for two years from the date of your last purchase.
We store your shipping address until you close your account with us.
We store part of your IP address for three days following your most recent visit to our website.
|The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing||You must inform the data subject about their other data subject rights.||
You have the right to request that we erase your personal data or amend any inaccurate personal data. We'll consider your request and respond within one month.
In the meantime, we can temporarily move your personal data to a separate system. This serves to minimize access to your personal data while we consider your request. Let us know if you want us to do this.
If you object to any of the ways in which we use your personal data, just let us know. We'll consider your objection and respond within one month.
|The right to lodge a complaint with a supervisory authority||You must inform the data subject of their right to complain to a Data Protection Authority, and tell them which they would use to complain about your company (see our guidance on determining your data protection authority).||If you're not happy with the way we've carried out your request, or any other aspect of how we use your personal data, you can make a complaint to the Information Commissioner's Office.|
|Where the personal data are not collected from the data subject, any available information as to their source||The data subject will probably have provided most of the personal data you store on them. However, you might receive their personal data from other people too. If so, let them know.||As well as the personal data you provide us with, we also receive some personal data about you from other sources. When you applied for a job with us, we received information about you from the people you provided as your references.|
|The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject||If you make certain automated decisions, you need to tell the data subject about this. Include some information about your decision-making algorithm, and the consequences of its decisions.||
We make certain decisions on an automated basis.
If you apply for a loan, we may use information about your credit history to determine your eligibility automatically. This will include consideration of the number of payments you've missed.
If our automated system determines that you're unlikely to be able to repay a loan, we may deny you credit.
Please let us know if you would like one of our employees to manually review an automated decision.
How Long Do I Have to Respond?
You have one calendar month to respond to a subject access request.
- If you get a request on June 15th, you must respond by July 15th
- If you get a request on August 31st, you must respond by September 30th (there's no September 31st)
- If you get a request in a short month such as February get a move on! A month is a month no matter how many days it contains.
You can extend this period by a further month in exceptional circumstances. You should reserve this extension for exceptionally complex requests. You must let the data subject know that you need more time before the first month is up.
Can I Charge a Fee?
You may not charge a fee unless the request is:
- "Manifestly unfounded" - for example, If the data subject is making the request in bad faith, or they are obviously trying to harm your business
- "Excessive" - if the data subject makes many requests or makes requests that overlap
There's no clear definition of these concepts. If you think a request might be manifestly unfounded or excessive, you'll have to make a judgment call.
If the data subject seems to be asking for an excessive amount of information, this doesn't necessarily make the request itself "excessive."
You can always ask the data subject for further clarification if their request seems very broad.
There's no set amount for the fee. It must be reasonable considering the cost of carrying out the request.
Can I Refuse a Request?
Under certain conditions, you may be entitled to refuse a subject access request.
This is only appropriate where the request is manifestly unfounded or excessive.
When refusing a subject access request, you must inform the data subject about:
- The reasons you're refusing
- Their right to make a complaint to a Data Protection Authority
- Their right to take legal action against you
Consider how you could justify the decision made in court if things go that far.
Isn't This All a Huge Hassle?!
Let's face it. Receiving a subject access request can create a significant burden on your business. But there are steps you can take to reduce this burden.
The subject access request process will be easier if you:
- Don't collect unnecessary personal data
- Erase any personal data you don't need
- Keep personal data well-organized and accessible
- Train your staff so that they recognize a subject access request and forward it to the responsible person
Your GDPR Subject Access Request Solution
It's in your interest to make this process as easy as possible for data subjects. Depending on the context of your business, the best solution could be:
- Setting up a dedicated email address
- Providing a subject access request form
- Creating a user interface solution
It's important to set up a system to help data subjects make requests. But you can't insist that data subjects do things your way. If you receive a subject access request through another channel, you'll still have to respond.
This can be as simple as briefly describing the right of access and providing a contact email address. Here's an example:
We'll take a look at Facebook's subject access request process below.
Creating a GDPR Subject Access Request Form
You might sometimes receive vague or confusing subject access requests. Creating a subject access request form is a good way to avoid this.
By asking the right questions of data subjects, you can elicit a more precise and meaningful subject access request.
Here's an example from CWT:
CWT also uses this form to facilitate other user rights - erasure and opting out of receiving marketing communications.
A form like this helps users know exactly what information they need to submit to you, which makes it easier for both them and you.
Provide a User Interface Solution
If your users can create an account with your service, you can implement front-end account controls to allow them to access their personal data. Automating the subject access request process could save you a lot of work.
Take a look at Facebook's account controls. Users have a number of options here, from accessing information to downloading it or having it deleted:
Facebook users can then view their personal data by category. Note that this is just an excerpt of the list of information categories provided:
Facebook's account controls let users access all the personal data they could realistically want.
But don't forget - you might hold personal data associated with people who don't have active accounts with your service. You'll also need to facilitate requests from non-users via a different channel.
Summary of GDPR Subject Access Requests
To make the subject access request process as painless as possible, both for you and your data subjects, you need to:
- Understand what types of information constitute personal data
- Understand the other types of information about your data processing practices you need to provide
- Meet the one-month deadline in all but exceptional cases
- Never charge for or refuse a request without good reason
- Implement a solution that makes it easy for data subjects to make a request
- Maintain good data protection practices so it's easy to locate personal data when required
How to Handle PIPEDA Subject Access Requests - Canada
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) requires private sector organizations to provide personal information to individuals on request.
Failing to comply with privacy access requests can lead to unhappy customers, reputational damage, and investigation by the Office of the Privacy Commissioner (OPC).
This section will help you understand all aspects of how to respond to PIPEDA privacy access requests.
First, we're going to give a brief overview of PIPEDA and how it applies to organizations operating in Canada. If you already know that you need to comply with PIPEDA, you can skip ahead to our guidance on privacy access requests.
Who Does PIPEDA Apply to?
As Canada's major privacy law, PIPEDA applies to all organizations that engage in "commercial activity."
Here's how PIPEDA defines "commercial activity":
This definition generally excludes public sector organizations (which are instead covered by the Privacy Act, available here), but it can include nonprofits and organizations that receive some public funding.
Does PIPEDA Apply to Non-Canadian Companies?
According to the OPC, non-Canadian companies with a "a real and substantial connection to Canada" must comply with PIPEDA.
The Canadian Federal Court has also applied PIPEDA to businesses without any physical presence in Canada.
Does PIPEDA Apply in Every Canadian Province?
Certain Canadian provinces have local privacy laws that override PIPEDA, including Alberta, British Columbia, and Quebec.
However, these local laws are substantially similar to PIPEDA, and our guidance on privacy access requests also applies to businesses operating in these provinces.
Irrespective of these provincial exemptions, PIPEDA applies to:
- All processing of personal information that takes place across provincial borders, and
- All federally-regulated organizations, including banks, broadcasters, and telecommunications companies
Other PIPEDA Requirements
Along with the obligation to facilitate privacy access requests, PIPEDA imposes many other requirements on organizations, including:
- Protecting personal information via reasonable security safeguards
- Designating a Privacy Officer to oversee your organization's PIPEDA compliance
- Obtaining consent for the collection of personal information, where appropriate
For more information about these requirements, see our main PIPEDA article.
Privacy Access Requests Under PIPEDA
The privacy access request process requires organizations to provide the personal information of any individual who requests it.
There are numerous exceptions to PIPEDA's right of access (which we'll look at below), but these are only available in very specific circumstances.
What Information Must be Provided to the Individual?
Individuals may request access to a specific piece of personal information that you hold about them, or all the personal information you hold about them.
If you don't hold the personal information that the individual has requested, you must let them know.
Under PIPEDA, personal information can be any "information about an identifiable individual."
In addition to the most obvious examples (including a person's name, address, or ID number), the OPC has identified the following types of personal information:
- Financial transaction histories
- Credit histories
- Other people's opinions about an individual
- Photographs of an individual
- Voice prints
- Blood type
- Video or audio footage in which an individual appears or is heard
- Web cookies
- Internet browsing history
- IP address
You must provide the information in a form that is "generally understandable." If the information contains abbreviations or codes, you may need to explain what these mean.
If the individual requests the information in an alternative format due to a disability, you must accommodate this request.
Inaccurate or Incomplete Information
If an individual informs you that the personal information you hold about them is inaccurate or incomplete, and they can demonstrate this, then you must correct or update it. You might also need to delete part of the information.
If you have disclosed inaccurate or incomplete information to third parties, you may also need to inform them so that they can correct or update it.
You must respond to a privacy access request within 30 calendar days of receiving it.
There are three exceptions. You may extend the deadline if:
- Meeting the deadline would interfere to an unreasonable extent with your organization's activities
- You need to make consultations that would make it impractical to meet the deadline
- You need to convert the information into an alternative format (at the individual's request)
Under such circumstances, you may take an additional 30 days before providing the information.
You must let the individual know of the reason for your delay, and inform them of their right to make a complaint to the OPC (you can direct them to the OPC's website, here).
Charging a Fee
You must not normally charge a fee for responding to a privacy access request.
If you do need to charge a fee, it must be as low as reasonably possible and based on a genuine estimate of the costs involved in providing the requested information.
You should give the individual an estimate of the costs in advance, and obtain their approval before carrying out the request.
Verifying an Individual's Identity
Neither PIPEDA nor the OPC suggests that you verify an individual's identity before providing personal information.
However, the right of access must be balanced against PIPEDA's requirement to keep personal information secure. Therefore, common sense dictates that you may need to verify an individual's identity in certain circumstances.
However, because there is no explicit obligation to verify an individual's identity in the course of a privacy access request, it is important not to be obstructive when doing so.
Ideally, you will be able to identify an individual by asking them to confirm information that you already hold about them. For example, you may ask them to log into their online account, or to list recent transactions they have made with your company.
However, on some occasions, it may be appropriate to ask for identification. If you do so, ensure that you keep copies of the individual's identification secure, and erase them as soon as they are no longer needed.
Refusing a PIPEDA Privacy Access Request
There are numerous exemptions and exceptions to the privacy access request process.
If an individual's request falls under one of these exemptions, you may (or in some cases, must) refuse to provide the personal information they have requested.
When rejecting a privacy access request, you must inform the individual of your reason for doing so. You must also inform them of their right to make a complaint to the OPC.
If an individual makes a request in person or over the phone, you should ask them to put it in writing.
Privacy access requests are only valid if made in writing. If the person has difficulty formulating their request in writing, you should offer to help them.
Breach of Third-Party Privacy
You don't need to comply with a privacy access request "if doing so would likely reveal personal information about a third party."
However, this exemption doesn't apply if you can remove or redact the personal information of other individuals.
For example, the email below contains the personal information of one individual, along with the redacted personal information of four others:
With consent from the other individuals referred to in this email, you could also reveal their personal information, if appropriate.
You don't need to provide personal information that is subject to solicitor (lawyer)-client privilege.
Canadian law defines "solicitor-client privilege" as "confidential communications between lawyers and their clients" (from the case of Blank v Canada). This is also known as the "legal advice privilege."
However, the solicitor-client privilege exemption shouldn't be interpreted too narrowly. It can also encompass information that falls under so-called "litigation privilege." This includes "information and materials gathered or created in the litigation context."
So, under the solicitor-client privilege exemption, you may not need to provide the following types of information under a privacy access request, even if they contain personal information:
- Communications between your company and its legal advisers
- Documents that you have gathered or created for use in legal proceedings
Beware of applying this exemption too broadly, however. In a 2017 complaint report, the OPC advises against adopting a "blanket" policy of refusing to share documents that might be required in legal proceedings.
Confidential Commercial Information
You don't need to comply with a privacy access request if "to do so would reveal confidential commercial information."
If you are able to exclude confidential commercial information from the personal information you provide to the individual, you must do so.
Threats to Life or Security
You don't need to comply with a privacy access request if "to do so could reasonably be expected to threaten the life or security of another individual."
Again, if you are able to exclude life- or security-threatening information from the personal information you provide to the individual, you must do so.
You don't need to provide access to personal information that was collected under paragraph 7(1)(b) of PIPEDA.
Here's paragraph 7(1)(b):
This part of PIPEDA states that organizations may collect personal information without knowledge or consent as part of an investigation into:
- A breach of an agreement (e.g. a contract), or
- Illegal activity
If you have collected personal information for these purposes, you may not be required to share it under a privacy access request.
You don't need to provide access to personal information if "the information was generated in the course of a formal dispute resolution process."
In a 2016 complaint report, the OPC stated that a "formal dispute resolution process" must:
- Have a framework or structure
- Be either legislated or agreed to by the parties to the dispute
- Have recognized rules
A complaints process will not qualify as a "formal dispute resolution process" unless it has the above characteristics. Therefore, personal information generated or collected when dealing with a customer's complaint is unlikely to fall under this exemption.
You don't need to provide access to personal information if "the information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act."
The Public Servants Disclosure Protection Act (PSDPA, available here) is also known as the "Whistleblower Law." The law provides a mechanism for individuals to report wrongdoing in the public sector.
The PSDPA only relates to the activity of public sector employees. However, it is relevant to individuals in the private sector who are reporting wrongdoing in the public sector.
The exemption may apply if, for example:
- Your company provides services to a public body
- One of your employees observes wrongdoing at the public body
- Your employee decides to report this wrongdoing under the PSDA
- You keep records of your employee's report
- The individual accused of wrongdoing submits a privacy access request to your company
Under these circumstances, you would not have to provide details of the report to the individual.
Subpoenas, Warrants, or Orders
This exemption may apply if you have disclosed an individual's personal information:
- Pursuant to a subpoena, warrant or order, or
- To a government institution or investigative body in relation to any of the following issues:
- National security
- National defense
- Law enforcement
If you receive a privacy access request for access to such personal information, you must inform the institution to which you disclosed the personal information.
If you do not hear back from the institution within 30 days, you must respond to the individual's request in the normal way.
If the institution objects to you releasing the information, you must not respond to the individual's request (even to inform them that you have been ordered not to disclose the information). You must also report this refusal to the OPC, in writing.
Summary of PIPEDA Subject Access Requests
If your organization is covered by PIPEDA and it receives a privacy access request from an individual:
- You must provide any requested personal information you hold on the individual
- You must respond within 30 days unless you have a valid reason for delaying, in which case you may inform the individual and take another 30 days
- You should not normally charge a fee
If the individual can demonstrate that the information is incomplete or inaccurate, you must update, delete, or correct it as appropriate.
Under certain circumstances, you can refuse a privacy access request, including:
- If the request has not been made in writing (ask the individual to write to you or email you)
- If a third party's privacy would be breached
- If the information is covered by solicitor-client privilege
- If the information contains confidential commercial information
- If revealing the information presents a threat to life or security
- If the information was collected or generated as part of a legal investigation
- If the information was collected or generated as part of a formal dispute resolution process
- If the information was collected or generated to make a disclosure under the Public Servants Disclosure Protection Act
- If the information has been submitted to a court or government institution and the institution object to its disclosure
How to Handle AU Privacy Act Subject Access Requests - Australia
Regardless of the kind of company you run, the Australian Privacy Act (APA) gives your customers the right to ask for access to their data. For example, consumers may ask for information such as:
- Healthcare data
- Government records containing personal data
- Personally identifiable data
The act also provides specific instructions as to what you should do if you receive such a request. There are particular times when you may refuse a privacy access request as long as you have a valid reason, but these instances are rare.
Below, we'll go over precisely what you should know when it comes to complying with the APA's requirements for how businesses should deal with privacy access requests.
Brief Background on Privacy Access Requests and the APA
The issue of online data privacy and protection has taken the world by storm ever since the European Union's General Data Protection Regulation (GDPR) became effective in 2018. It's a topic that has been top of mind for privacy advocates and politicians ever since, and in 2020 it's moved into the realm of a push to enforce laws regarding privacy protection.
However, Australia was ahead of the curve when the modern Commonwealth nation passed its Australian Privacy Act (APA) way back in 1988. Obviously, that privacy law predates the internet, which didn't get underway until 1991. However, it established standards when it comes to a consumer's right to access private data.
Let's start with the basics.
The APA was enacted with the purpose of protecting the private, sensitive data of consumers living in Australia. Additionally, legislators sought to regulate how that data was handled by both federal agencies as well as private businesses.
According to the act, the definition of "private information" may include the following:
- Criminal records
- Sexual orientation
- Email address
- Religious beliefs
- Consumer's name
Who the APA Applies to
The APA's jurisdiction covers both the government as well as the private sectors.
The act defines an organization as:
- An individual, including a sole trader (though generally not an individual acting in a personal capacity)
- A corporate body
- A partnership
- Other incorporated associations
An exception will be if any of the above are also a small business operator, a registered political party, a state or territory authority, or a prescribed instrumentality of a state.
These types of organizations must have an annual revenue that exceeds $3 million in order to be bound to follow the APA's privacy regulations.
In contrast, the APA covers specific types of small businesses that have an annual revenue of less than $3 million. For example, these businesses include:
- A company that is related to a business that is covered by the Privacy Act
- A company that holds accreditation under the Consumer Data Right System
- An employee association registered or recognized under the Fair Work (Registered Organisations) Act 2009
- A contracted service provider for an Australian Government contract
- A credit reporting body
- A company that sells or purchases personal information
- A private-sector health service provider (an organization that provides a health service)
Additionally, as noted above, even if your company isn't located in Australia, if you merely do business on the continent and your organization falls under the Act's definition of organizations, then you are obliged to comply with the act's privacy regulations.
The APA also regulates medical and health reporting in addition to credit reporting.
With all that said, there are specific aspects of the APA that you should pay close attention to as a business owner.
These are the 13 Australian Privacy Principles (APPs), which the act outlines. These principles allow business owners and agencies the freedom to create their own processes and systems to gather and secure sensitive data. The caveat is that whatever methods you put in place must still adhere to the APPS standards and the APA.
Similar to the GDPR in some ways, the APPs of the APA cover:
- Your obligations in regard to sensitive, private information
- How you collect, use, and transfer private data
- Transparency between your business and consumers
- The rights of consumers to access their sensitive information
What is Sensitive Information Under the APA?
According to the APA, sensitive personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- Whether the information or opinion is true or not, and
- Whether the information or opinion is recorded in a material form or not
The act isn't too terribly specific and there are no examples of personal information to be found within its pages. However, it has been interpreted since then to mean data, which identifies a specific consumer or their home and family.
Private data examples include the following:
- First and last names
- Email addresses
- Online usernames and passwords
- Mailing addresses
- Financial information
If you collect, process, use, share, or store this kind of private information, then Australian consumers have the right to request access to it.
Rights to Privacy Access
The APA provides consumers with the right to request access to their private data. Specifically, consumers have the right to request access to confidential, personal information from federal agencies and private companies under the APA's APP 12.
The requested information may include either their own data or data, which is connected to someone else's. (An example of this might be a marriage certificate.)
When a consumer makes a privacy access request from you, they don't have to do so in any specific format or manner. According to APP 12, it is left up to your business as to the process a consumer must follow when requesting access to their data from you.
With that said, you must ensure that whatever process you choose, whether formal or informal, adheres to the APP's overall standards. The regulations of the APP will only apply to your business if you "hold" that data.
According to APP 12, you hold that data if you possess or control "the record that contains the personal information." Simply put, if a third party has possession of a hard copy of the information, but you control the access to that data, then your business is the holder of the record in question.
In addition to the above, a consumer's access rights are specifically spelled out by APP 12. The first thing you need to recall is that you have to honor it if you receive a request. As APP 12, part 5 notes:
12.1 If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.
Take into account that there are exceptions to this.
For example, if your business is an agency and is authorized to withhold information under the Freedom of Information Act, any other Act of the Commonwealth, or a Norfolk Island enactment. Another example of exceptions is when you're an organization and you believe that "giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety."
Above, we mentioned that according to the APA, your business has the right to lay out the procedure that consumers must follow to request access to their personal data as long as you adhere to the act's overall standards. However, you can't force consumers to follow that procedure.
In other words, say you state that a consumer makes a request through email, and they send an email instead. You're still required to honor their request, according to the APA.
As the formal guidance for the APA states, as seen below:
Additionally, you can't stall or put the request off. You must respond within a reasonable period of time after receiving the request, which in most cases will mean within 30 calendar days.
You can't charge users for making the requests or accessing the information.
Inform Users of the Right to Access
Here's how KPMG does it:
Make it as easy as possible for people to request access, and make sure your instructions are clear and straightforward for your average person to understand.
What to Do When You Receive an Access Request
The process you should follow after receiving a privacy access request looks something like this under APP 12:
Ask yourself if you can verify the identity of the consumer requesting access.
- If the answer is "no," then you do not disclose personal information
If the answer is "yes," then you need to try to locate the requested information
- If you cannot locate the information, you must provide the consumer with written notification of that fact.
If you can locate the information, you must ask yourself if there is a valid reason to deny access.
- If there is no reason to deny access, ask yourself if you can provide access to the consumer in the manner requested. If not, you must ascertain if there is an alternative method for delivering the requested data to the consumer.
Let's look at this process in more detail.
If you receive a request for privacy access, it will likely come from an individual. However, you may also receive a request from an authorized agent, a legal guardian, or through power of attorney.
The manner in which you verify a consumer's identity might be through the following as long as they have a photo:
- A passport
- Driver's license
- Residency card
- Student card
- Credit card
- Employment identity card
It's possible that someone's information may be more sensitive than others. In that case, you may need a more in-depth process for identification verification.
According to the APA, you must check the photo against the appearance of the individual in person. Alternatively, you can check one ID against another by correlation over the phone.
Locate the Information
When it comes to locating a consumer's private data, you must first be sure that you are in possession of the information or that you control it. That information can be in the form of hard copies, digital copies of documents, electronic calendars, emails, and more.
If a consumer makes a privacy request, it must be specific. No rule says you must provide any information above and beyond what is actually asked for.
However, you are required to take reasonable steps to ensure that the consumer receives the requested information. Some of these measures might be contacting third parties to whom you've outsourced work, checking with contractors and staff, and of course, searching through your own databases.
Refusal of the Request
There are times when you are allowed to refuse a privacy request, although those instances are rare.
Here's a partial list of circumstances under which you're permitted to refuse:
- When there is an ongoing legal proceeding or negotiation with the person requesting access
- If you suspect that the person requesting access is planning to conduct illegal activities with the data
- If providing the information constitutes a data protection, public health, or legal risk
- If it's a nonsensical or vexatious request (i.e., a consumer who asks for their information repeatedly)
Summary of AU Privacy Act Subject Access Requests
Suppose you own or run a company in the private sector that holds data on Australian residents. In that case, you must comply with the regulations within the APA.
The bottom line is that you must give consumers access to their private data if they request it unless there is a valid reason to refuse.
Remember that you are not allowed to charge anyone who wants to see their information, although you can charge administrative costs, including postage, staff costs for searching records, and costs for producing or sending data.