Access, correction and annotation

15.23 Both the FOI Act and the Privacy Act enable individuals to obtain access to, correct and annotate their own personal information held by agencies. The ALRC notes that different terminology is used in the Privacy Act and the FOI Act with respect to the correction of personal information.[37] In the interest of consistency with the ‘Access and Correction’ principle outlined in Chapter 29, this section of the chapter refers to ‘correction’ of personal information.

Privacy Act provisions

15.24 The rights to obtain access to, correct and annotate personal information provided by the Privacy Act are found in IPP 6 and IPP 7. The OPC has stated that as a result of the terms of IPPs 6 and 7, read in conjunction with other provisions of the Privacy Act,[38] it will generally decline to investigate a complaint about access to, or correction of, personal information held by an agency if the individual has not exhausted all FOI Act processes.[39] The OPC noted that this can result in complainant dissatisfaction and confusion, and unnecessary administrative costs and processes. Since 2001, the OPC has declined 17 complaints about access and seven complaints about correction.[40]

Access

15.25 IPP 6 provides that an individual will be entitled to have access to a record containing his or her personal information, except to the extent that the agency is required or authorised to refuse access to the record under any law of the Commonwealth that provides for access by persons to documents. The effect of this provision is to subject the right of access to personal information under the Privacy Act to the exemptions under the FOI Act. Section 34 of the Privacy Act prohibits the Privacy Commissioner from providing certain information about documents if they would be exempt under the FOI Act.

Correction

15.26 Under IPP 7.1, an applicant may apply for correction of personal information on the grounds that it is inaccurate or, given its purpose, irrelevant, misleading, incomplete or not up-to-date. The FOI Act does not include a reference to ‘purpose’.[41] IPP 7.1 provides for the correction of personal information in a wider range of circumstances than the FOI Act. An application for correction will need to be dealt with under the Privacy Act rather than the FOI Act where a person seeks:

  • correction on the grounds that the information is irrelevant;

  • deletion of personal information; or

  • correction of personal information in a record to which he or she has not been provided lawful access.[42]

15.27 IPP 7.2 provides that the obligation imposed on an agency to correct personal information in IPP 7.1 is subject to any applicable limitation in a law of the Commonwealth that provides a right to require the correction or amendment of documents. The effect of IPP 7.2 is that the right to correction under IPP 7.1 will be subject to the requirements for an application for correction under Part V of the FOI Act.[43] These requirements are discussed in detail below.

Annotation

15.28 IPP 7.3 provides for the annotation of records containing personal information when:

  • an agency is unwilling to correct a record containing an individual’s personal information in accordance with a request by the individual; and

  • no decision has been made to correct that information under an applicable provision of a law of the Commonwealth.

15.29 The limitation in IPP 7.3 is reflected in s 35 of the Privacy Act, which provides when the Privacy Commissioner may annotate personal information following an unsuccessful application under the FOI Act. Under s 35, the Commissioner’s power to direct an agency to annotate personal information is subject to a number of limitations including that:

  • an application for review of a decision under the FOI Act has been finally determined or otherwise disposed of;

  • the period within which an appeal may be made to the Federal Court has expired or, if such an appeal has been instituted, the appeal has been determined; and

  • the effect of the review and any appeal is that access to the document is not to be given.

15.30 Section 35 of the Privacy Act ensures that even if a person cannot gain access to a document concerning them under the FOI Act and cannot succeed in getting the agency to amend the document, the Privacy Commissioner can still require the agency to annotate the document setting out the amendment that the Privacy Commissioner thinks appropriate. The OPC has noted that this practice is rarely used and that requests for correction which have the Privacy Commissioner’s support are usually resolved without resort to the process.[44]

FOI Act provisions

Access

15.31 The FOI Act provides that every person has a legally enforceable right to obtain access to a document of an agency or an official document of a minister, subject to a number of exemptions under the Act.[45]

15.32 The majority of applications for access under the FOI Act relate to access to personal information. The Freedom of Information Annual Report states that in 2006–07, 87% of the 38,787 FOI requests received were for documents containing personal information. It is not clear from the report what percentage of these requests were from individuals seeking access to their own personal information. The remaining 13% of FOI requests were for documents concerning policy development and government decision making.[46]

Correction and annotation

15.33 The correction and annotation rights in the FOI Act are located in Part V[47] and were included in the FOI Act before the introduction of the Privacy Act. In 1987, the Senate Standing Committee on Legal and Constitutional Affairs recommended that the correction and annotation provisions be transferred from the FOI Act to privacy legislation, ‘should the latter be enacted’.[48] This did not happen when the Privacy Act was enacted in 1988. The Freedom of Information Annual Report notes that 1,379 FOI requests related to the correction of personal information in 2006–07.[49]

15.34 Part V sets out that an application for correction or annotation of personal information must satisfy a number of requirements, including:

  • an individual must have been lawfully provided with the document under the FOI Act or otherwise;

  • the document must have been used, be being used or be available for use, for an ‘administrative purpose’; and

  • the individual must apply in writing, the application must specify certain matters, and the application must be sent by post or hand delivered and specify a return address. [50]

15.35 The Part also provides that, to the extent that it is practicable, an agency must amend the document in a way that does not obliterate the text as it stood before the amendment.[51] Section 51 of the FOI Act provides that where an agency or minister decides not to amend a document or official documents under the Act, the agency or minister must take such steps as are reasonable in the circumstance to enable the applicant to provide a statement and annotate the document or official document with that statement.

Addressing the overlap

15.36 The access, correction and annotation provisions raise issues related to the overlap of the Privacy Act and the FOI Act and how the two Acts interact with each other. This section of the Chapter deals with the overlap of the two Acts. The interaction between the Acts is discussed later in the Chapter.

15.37 In ALRC 77, the ALRC and the ARC considered the overlap of the Privacy Act and FOI Act provisions relating to access to, and correction and annotation of, personal information, and concluded that it did not give rise to any major difficulties.[52] Submissions to this Inquiry have noted, however, that the overlap can lead to confusion for agencies and the public.[53]

15.38 In DP 72, the ALRC expressed the preliminary view that an individual’s right to obtain access to, or correct of, his or her own personal information held by an agency should be dealt with under a new Part in the Privacy Act. The ALRC proposed that:

  • the Privacy Act be amended to include a new Part dealing with access to, and correction of, personal information held by an agency;

  • the FOI Act be amended to provide that an individual’s right to obtain access to, or correction of, his or her own personal information is dealt with under the Privacy Act; and

  • Part V of the FOI Act be repealed.[54]

Submissions and consultations

15.39 A number of stakeholders supported these proposals.[55] Others submitted, however, that access to, and correction of, personal information held by agencies should be regulated by the ‘Access and Correction’ principle. It was submitted that having separate access and correction provisions for agencies and organisations in the Privacy Act would create confusion;[56] contradict the aim of creating a single set of privacy principles;[57] and would not address the problems caused by requests for access to documents containing personal and non-personal information,[58] or a mix of personal information about two or more individuals.[59] It was also noted that it is important that rules relating to health records were the same for the public and private sectors.[60]

15.40 Privacy NSW submitted that the proposed ‘Access and Correction’ principle should be divided into two sections, the first relating to organisations and the second to agencies.[61] The Social Security Appeals Tribunal (SSAT) suggested that the individual’s ‘right’ to correction, or the agency’s ‘obligation’ to correct, be set out in the Privacy Act and that the process provisions be retained in the FOI Act.[62]

15.41 Some stakeholders argued against the repeal of Part V of the FOI Act. Centrelink and the SSAT preferred the current arrangements where access and correction are dealt with under the FOI Act, noting that the FOI Act is already adequately structured to accommodate the access and correction process.[63] The OPC submitted that it would be more appropriate to expand the correction rights under the FOI Act to be consistent with those in the Privacy Act.[64]

15.42 National Legal Aid submitted that the proposal has implications in relation to national consistency of privacy laws relating to the federal and state and territory public sectors. It noted that some state privacy laws are subordinated to freedom of information laws and access to personal information is subject to FOI exemptions.[65]

Options for reform

15.43 In the ALRC’s view, individuals should have access to a simple and user-friendly process to obtain access to, and correction of, their own personal information. The ALRC has considered various models for dealing with the overlap between the FOI Act and the Privacy Act in relation to access to, and correction of, personal information, including those contained in legislation in the United Kingdom, New Zealand and Canada.[66]

15.44 As outlined above, in DP 72, the ALRC proposed that the Privacy Act and the FOI Act be amended to provide that access to, and correction of, personal information be covered solely under a new Part in the Privacy Act. The ALRC modelled this proposal on the arrangements under the Privacy Act 1993 (NZ) and the Official Information Act 1982 (NZ).

15.45 One alternative is that access to, and correction of, personal information could be dealt with exclusively under the FOI Act. The ALRC is conscious, however, that the access procedures under the FOI Act can be cumbersome.[67]

15.46 Another alternative would be for access to personal information to be covered by the FOI Act, and correction of personal information to be covered by the Privacy Act. In the ALRC’s view, however, it would be confusing for agencies and the public to have access to, and correction of, personal information covered by more than one Act.

15.47 A further option is to maintain the status quo. The ALRC notes, however, submissions from stakeholders that the current arrangements create confusion for agencies and the public. Another option is to maintain the current arrangements, but to modify the interaction between the access and correction provisions under the Privacy Act and the FOI Act. This option is discussed further below.

ALRC’s view

15.48 The right to access and correct personal information held by an agency should not be dealt with solely under the Privacy Act. The existing arrangements whereby individuals have rights to obtain access to, and correction of, personal information under both the Privacy Act and the FOI Act should remain. In the ALRC’s view, however, the provisions that deal with the interaction between the access and correction provisions under both Acts should be modified. This issue is discussed further below.

15.49 An agency’s obligation to provide access to, and to correct, an individual’s own personal information should not be dealt with under a separate Part of the Privacy Act. The ALRC agrees with stakeholders that such a proposal contradicts the aim of creating a single set of privacy principles to cover both agencies and organisations and could create confusion for agencies.

15.50 Instead the ‘Access and Correction’ principle should set out the requirements applicable to agencies in respect of personal information that they hold. It also is preferable that a single regime applies to access to, and correction of, personal information in the public and private sector. The ‘Access and Correction’ principle is discussed in detail in Chapter 29.

15.51 Further, Part V of the FOI Act should be retained. As noted above, the ALRC has received Terms of Reference to review the operation of the FOI Act and related laws. This review could consider amending the FOI Act so that it no longer regulates access to, and correction of, personal information and is limited to regulating access to information about third parties and the deliberative processes of government. The ALRC notes that this model operates effectively under the Privacy Act 1993 (NZ) and the Official Information Act 1982 (NZ).[68]

15.52 The FOI Act also could be amended to provide a simpler and more user-friendly process for obtaining access to, and correction of, personal information. Other options for consideration include amendment of the exemptions under the FOI Act to deal with requests to obtain access to personal information and expansion of the correction rights under the FOI Act to accord with those under the Privacy Act.[69]

Interaction between the Privacy Act and the FOI Act

15.53 While the ALRC is of the view that the current overlap of the access and correction provisions under the Privacy Act and the FOI Act should remain, the ALRC has concluded that the provisions that cover the interaction between the Privacy Act and the FOI Act require some amendment. In particular, an individual’s right to correct his or her personal information under the Privacy Act should no longer be subject to the limitations that exist under the FOI Act. This view is reflected in the recommended ‘Access and Correction’ principle outlined in Chapter 29.

Access provisions

15.54 As noted above, the right of access to personal information under IPP 6 is subject to the exemptions under the FOI Act. In Chapter 29, the ALRC concludes that the exemptions under the FOI Act should apply to agencies when granting access to personal information under the Privacy Act. The ALRC expresses the view that individuals should not be able to obtain access to information under the Privacy Act that would be the subject of an exemption under the FOI Act. Section 34 reflects this by prohibiting the Privacy Commissioner from providing certain information about documents if they would be exempt documents under the FOI Act.

Correction provisions

15.55 IPP 7.2 provides that the obligation imposed on an agency to correct personal information in IPP 7.1 is subject to any applicable limitation in a law of the Commonwealth that provides a right to require the correction or amendment of documents. As noted above, the effect of this provision is that the right to correction under IPP 7.1 will be subject to the requirements for an application for correction under Part V of the FOI Act. These requirements are that:

  • an individual must have been lawfully provided with the document under the FOI Act or otherwise; and

  • the document must have been used, be being used or be available for use, for an ‘administrative purpose’.

15.56 The Part also imposes a number of procedural requirements, including: requirements of an application for correction and annotation of records; transfer of requests; and how records are to be corrected, including correction in a way that does not obliterate the text of the record as it existed prior to the correction. [70]

15.57 The ALRC has concluded that an agency’s obligation to correct personal information largely should be separated from the limitations outlined under Part V of the FOI Act. These limitations are considered below.

Lawfully provided with the document under the FOI Act or otherwise

15.58 In DP 72, the ALRC expressed the preliminary view that the Privacy Act should not provide that lawful access is a prerequisite to the correction of personal information.[71] The OPC submitted that individuals should have the right to request the correction of personal information in an agency’s possession regardless of whether access has first been sought formally. This could occur, for example, if an agency sends the individual a letter containing incorrect personal information, such as a misspelled name or address, or containing any number of other types of inaccuracies.[72]

15.59 In ALRC 77, the ALRC and ARC recommended that the requirement of lawful access should be removed from the FOI Act.[73] The ALRC and ARC noted that:

Access as a prerequisite to seeking amendment or annotation under the FOI Act arises from the fact that amendment rights were first introduced in the FOI Act which deals primarily with access and were regarded as complementary to the right of access. It has been presumed that the only way an individual would know that information was incomplete, incorrect, out of date or misleading would be if they had access to the document.[74]

15.60 The Freedom of Information (Open Government) Bill 2000 (Cth) included an amendment to remove the requirement for lawful access to correct and annotate records under the FOI Act. The Senate Legal and Constitutional Legislation Committee did not support this amendment.[75]

15.61 Lawful access should not be a prerequisite to the correction of an individual’s personal information. Lawful access therefore is not a requirement under the recommended ‘Access and Correction’ principle outlined in Chapter 29. An individual should have a right to insist on correction if they find out by informal means, or reasonably suspect, that personal information is incorrect. There may be situations in which a person legitimately is denied access to a document because it is exempt, but they are sufficiently aware of the contents of the document to know or suspect that it contains false or inaccurate information. The ALRC also notes that lawful access is not a requirement before exercising the rectification right under art 12(b) of the European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.[76]

15.62 The ALRC acknowledges concerns by regulators and law enforcement agencies that such a proposal could enable a person who is the subject of current enforcement action at any stage of that process to demand correction of personal information held by the agency. The ALRC notes, however, that the obligation under the principle is that the agency must take ‘reasonable steps’ to correct personal information. What is reasonable would depend on the particular circumstances in question.

Administrative purpose

15.63 Under IPP 7.2, the obligation of an agency to correct personal information under IPP 7.1 is subject to the limitation under s 48(b) of the FOI Act. This provides that before a document containing personal information can be corrected, the document must contain personal information about that person that has been used, is being used, or is available for use by the agency or minister for an administrative purpose.

15.64 In Slezankiewicz v Australian and Overseas Telecommunications Corporation, Deputy President Thompson stated that ‘administrative purpose’ means:

a purpose that has to do with the management of the agency in whose possession a document is held. That management extends at least to all its internal activities, including financial control and activities of an operation nature as well as the employment and management of staff.[77]

15.65 While the ALRC does not recommend that this limitation apply under the ‘Access and Correction’ principle outlined in Chapter 29, it is the ALRC’s view that agencies should not be obliged to correct information that will not be used or disclosed.

15.66 The ‘Access and Correction’ principle only requires an agency to correct personal information which is, ‘with reference to a purpose for which it is held’, misleading or not accurate, complete, up-to-date and relevant. In the ALRC’s view, the requirement that the information is misleading, not accurate, complete, up-to-date or relevant ‘with reference to a purpose for which it is held’ would mean that an agency often will not be required to correct personal information that is not being used or disclosed.

Procedural requirements

15.67 As noted above, the obligation of an agency to correct personal information under IPP 7 is subject to various procedural requirements under Part V of the FOI Act. In Chapter 29, the ALRC recommends that the OPC develop and publish guidance on the ‘Access and Correction’ principle. This guidance should address the requirements for an application for correction and annotation of a record, transfer of requests and how records are to be corrected.

Annotation provisions

15.68 IPP 7.3 provides for the annotation of personal information in certain circumstances, subject to the proviso that the personal information has not been amended, wholly or partly, in accordance with an individual’s request under the applicable provisions of a law of the Commonwealth. The limitation in IPP 7.3 is reflected in s 35 of the Privacy Act, which stipulates when the Privacy Commissioner may annotate personal information following an unsuccessful application under the FOI Act.

15.69 While Part V of the FOI Act remains in operation, an agency’s obligation to correct or annotate personal information under the ‘Access and Correction’ principle should continue to be limited by IPP 7.3 and s 35 of the Privacy Act. IPP 7.3 is an appropriate limitation on an agency’s obligation to annotate personal information—an agency should not have to annotate personal information if that information has already been corrected, wholly or partly, in accordance with the FOI Act. Section 35 compliments the limitation under IPP 7.3 and should be retained.

15.70 These provisions would not be required if the FOI Act did not regulate the correction of personal information. These provisions should be considered as part of the ALRC’s review of the FOI Act and related laws.

Mixed applications

15.71 Applications for access and correction may include a mixture of personal and non-personal information. An agency could deal with such applications solely under the FOI Act, or alternatively, under the Privacy Act and the FOI Act. These issues also can be dealt with administratively by agencies—for example, by designing forms to allow for applications relating to personal and non-personal information to be dealt with together. An agency should provide an individual with a ‘one stop shop’ to obtain access to, and correction of, his or her personal information. The ALRC notes that New Zealand public sector agencies have taken administrative measures to deal with applications for access to documents that include a mixture of personal and non-personal information, and has been advised that this arrangement is working satisfactorily.[78]

Review and complaints

15.72 Under the FOI Act a person may seek internal review and review by the Administrative Appeals Tribunal (AAT) of an agency’s decision under the Act not to grant access and amendment of personal information.[79] A complaint about an agency’s decision in relation to the access to, and correction of, personal information under the Privacy Act are dealt with by the OPC. There currently is no general right of appeal to the AAT. Complaints can be made to the Commonwealth Ombudsman about decisions made under both the Privacy Act and the FOI Act.

15.73 The OPC generally will decline to investigate a complaint about access to, and correction of, personal information held by an agency if the complainant has not exhausted all FOI Act processes. An applicant therefore will first have to utilise the application processes of the FOI Act and then complain to the Privacy Commissioner if an applicant wishes to seek:

  • correction on the grounds that the information is irrelevant;

  • deletion of personal information; or

  • correction of personal information in a record to which he or she has not been provided lawful access.

15.74 While the Privacy Commissioner has the power to order compensation under the Privacy Act,[80] the AAT does not have this power under the FOI Act. If an applicant seeks compensation for a failure by an agency to provide access to, or correction of, personal information, the applicant will have to use the FOI Act to obtain access to, and correction of, the personal information, and then the Privacy Act process to seek compensation.

15.75 In DP 72, the ALRC expressed the view that this process is needlessly cumbersome, and that the proposed Part dealing with access to, and correction of, personal information in the Privacy Act should provide for a simplified review and complaints mechanism. The ALRC therefore proposed that the Part of the Privacy Act dealing with access to, and correction of, personal information held by an agency should provide for: internal review by an agency of a decision made under the Part; review by the AAT of a decision made under the Part (including the power to make an order for compensation); [81] and complaints to the Commonwealth Ombudsman.[82]

15.76 The ALRC also expressed the preliminary view that the Privacy Commissioner should have an oversight and educational role in relation to access to, and correction of, personal information held by agencies. The ALRC therefore proposed that the OPC should issue guidelines on access to, and correction of, records containing personal information held by an agency.[83]

Submissions and consultations

15.77 A number of stakeholders supported the proposal.[84] Privacy NSW noted that it mirrored the current review and complaint mechanism under the FOI Act and considered that individuals should be able to seek an internal review.[85] The AAT noted that it already reviews decisions of this kind under the FOI Act, and that it currently has the power to review certain decisions of the Privacy Commissioner under the Privacy Act.[86] The AAT submitted that it has the capacity to deal with a jurisdiction of this kind and would not oppose its conferral.[87]

15.78 The OPC supported the right to internal review by an agency, review by the AAT and to lodge a complaint with the Commonwealth Ombudsman regarding the administrative actions of agencies. The OPC submitted, however, that the most appropriate jurisdiction to lodge a complaint regarding an interference with privacy in relation to access to, and correction of, personal information held by an agency would be the OPC.[88]

15.79 PIAC submitted that the legislation should specify clearly whether pursuing one avenue of complaint necessarily rules out another and time limits for carrying out internal review.[89] One stakeholder noted that if application for review by the AAT of any decision by the Privacy Commissioner is to be available, a separate AAT review process as described in the proposal would seem unnecessary.[90]

15.80 The Office of the Victorian Privacy Commissioner (OVPC) suggested that consideration should be given to making the Privacy Commissioner in each jurisdiction the regulator over access to, and correction of, personal information. It noted the New Zealand scheme, under which the Privacy Commissioner and the Ombudsman share the tasks in what may be termed ‘information cases’. The OVPC suggested that this type of scheme would mean that the individual’s right to obtain access to, and correction of, his or her own information and the process by which this occurs is, as far as possible, the same, regardless of whether it is held in the public or private sector.[91]

15.81 A number of stakeholders, including the OPC,[92] supported the proposal for the OPC to issue guidelines on access to, and correction of, records containing personal information held by an agency.[93] The Australian Federal Police supported the proposal on the basis that the guidelines were developed in consultation with affected agencies.[94]

ALRC’s view

15.82 The same complaint and review mechanisms should apply to agencies as to organisations under the ‘Access and Correction’ principle. That is, complaint to the OPC and review by the AAT. The current arrangements where complaints may be made to the Ombudsman also should be retained.

15.83 Review and complaints will be dealt with more effectively if the Australian Government establishes a Freedom of Information Commissioner as outlined below. The ALRC is attracted to the arrangement in New Zealand where legislation provides for the body responsible for privacy and the body responsible for freedom of information to refer matters to each other and to consult with each other.[95] This process allows for the body responsible for privacy and the body responsible for freedom of information to consult and consider the views of the other body when dealing with complaints under the relevant legislation. This process would be particularly useful when the Privacy Commissioner and the Freedom of Information Commissioner receive a complaint concerning access to, or correction of, the same personal information or a mixture of personal and non-personal information.

15.84 In the election policy document, Government Information: Restoring Trust and Integrity, the Australian Labor Party announced a range of reforms to the FOI Act, including bringing together the functions of privacy protection and freedom of information in an Office of the Information Commissioner. Under this proposal, the existing role of the Privacy Commissioner would be preserved as a statutory office holder responsible for federal privacy laws. A Freedom of Information Commissioner also would be appointed as a statutory office holder responsible for freedom of information law, similar to the Privacy Commissioner. It was further proposed that the Freedom of Information Commissioner would substitute for AAT review of decisions under the FOI Act, with a review lying directly to the Federal Court of Australia or the Federal Magistrates Court.[96] These proposals would also go some way to streamlining the different complaint and review avenues available under the Privacy Act and the FOI Act.

[37] The heading in IPP 7 refers to ‘alteration’; Part V of the FOI Act refers to ‘amendment’ of personal information. NPP 6 and the recommended ‘Access and Correction’ principle, however, refer to ‘correction’ rather than ‘amendment’.

[38]Privacy Act 1988 (Cth) s 34.

[39] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; S v Various Commonwealth Agencies [2004] PrivCmrA 8; Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 4–7: Advice to Agencies about Storage and Security of Personal Information, and Access to and Correction of Personal Information (1998), 13. Section 41(1) of the Privacy Act provides that the Privacy Commissioner may decide not to investigate or not to investigate further a complaint if it is satisfied that the act or practice is the subject of an application under another Commonwealth enactment and the complaint has been or is being dealt with adequately under that enactment; or another Commonwealth enactment provides for a more appropriate remedy.

[40] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007. The OPC has declined these complaints under s 41(1)(f) of the Privacy Act on the grounds that the complaint would best be dealt with under another law.

[41] M Paterson, Freedom of Information and Privacy in Australia: Government and Information Access in the Modern State (2005), [4.17].

[42] See Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 4–7: Advice to Agencies about Storage and Security of Personal Information, and Access to and Correction of Personal Information (1998), 18. See also M Paterson, Freedom of Information and Privacy in Australia: Government and Information Access in the Modern State (2005), [4.23]–[4.24].

[43]Freedom of Information Act 1982 (Cth) ss 48–50. See Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 4–7: Advice to Agencies about Storage and Security of Personal Information, and Access to and Correction of Personal Information (1998), 18. See also M Paterson, Freedom of Information and Privacy in Australia: Government and Information Access in the Modern State (2005), [4.23]–[4.24].

[44]Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 4–7: Advice to Agencies about Storage and Security of Personal Information, and Access to and Correction of Personal Information (1998), 21.

[45]Freedom of Information Act 1982 (Cth) s 11.

[46] A request for personal information means a request for documents which contain information about a person: Australian Government Attorney-General’s Department, Freedom of Information Annual Report 2006–2007 (2007),[1.9]–[1.31].

[47]Freedom of Information Act 1982 (Cth) s 48.

[48]Parliament of Australia—Senate Standing Committee on Legal and Constitutional Affairs, Freedom of Information Act 1982—The Operation and Administration of the Freedom of Information Legislation (1987), [15.7].

[49] Australian Government Attorney-General’s Department, Freedom of Information Annual Report 2006–2007 (2007),[1.9]–[1.32].

[50]Freedom of Information Act 1982 (Cth) ss 48–50.

[51]Ibid s 50(3).

[52]Australian Law Reform Commission and Administrative Review Council, Open Government: A Review of the Federal Freedom of Information Act 1982, ALRC 77 (1995), [5.17].

[53]Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Insurance Council of Australia, Submission PR 110, 15 January 2007; D Hall, Submission PR 61, 27 November 2006.

[54]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposals 12–6 and 12–7.

[55] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Government Department of Agriculture‚ Fisheries and Forestry, Submission PR 556, 7 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Confidential, Submission PR 536, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Australia Post, Submission PR 445, 10 December 2007.

[56]Confidential, Submission PR 570, 13 February 2008; Australian Government Centrelink, Submission PR 555, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007.

[57]Medicare Australia, Submission PR 534, 21 December 2007.

[58] See, eg, Liberty Victoria—Victorian Council for Civil Liberties, Submission PR 540, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007.

[59]Australian Government Department of Defence, Submission PR 440, 10 December 2007.

[60]Medicare Australia, Submission PR 534, 21 December 2007.

[61]Privacy NSW, Submission PR 468, 14 December 2007. See also Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[62]Social Security Appeals Tribunal, Submission PR 478, 17 December 2007.

[63]Australian Government Centrelink, Submission PR 555, 21 December 2007; Social Security Appeals Tribunal, Submission PR 478, 17 December 2007.

[64]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[65] National Legal Aid, Submission PR 521, 21 December 2007.

[66] Including the Data Protection Act 1998 (UK); Official Information Act 1982 (NZ); Privacy Act 1993 (NZ); Privacy Act 1985 (Canada); Access to Information Act 1985 (Canada); Freedom of Information and Protection of Privacy Act 1990 (Ontario); Freedom of Information and Protection of Privacy Act 1996 (British Columbia).

[67] The Attorney-General’s Department recently reported that 67% of requests for correction of personal records took over 60 days to process: Australian Government Attorney-General’s Department, Freedom of Information Annual Report 2006–2007 (2007), [1.32].

[68] Office of the Privacy Commissioner of New Zealand, Consultation, (by telephone), 27 February 2008.

[69] The difference between the right to correct personal information under the Privacy Act and the FOI Act is discussed below.

[70]Freedom of Information Act 1982 (Cth) ss 48–50.

[71]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 12–9.

[72]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[73]Australian Law Reform Commission and Administrative Review Council, Open Government: A Review of the Federal Freedom of Information Act 1982, ALRC 77 (1995), Rec 77.

[74]Ibid, [12.9].

[75]Parliament of Australia—Senate Legal and Constitutional Legislation Committee, Inquiry into the Freedom of Information Amendment (Open Government) Bill 2000 (2001), [3.69]. The Committee did not provide reasons why it did not support this amendment.

[76]European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995).

[77] Slezankiewicz v Australian and Overseas Telecommunications Corporation [1992] AATA 204, [46].

[78] Office of the Privacy Commissioner of New Zealand, Consultation, (by telephone), 27 February 2008.

[79]Freedom of Information Act 1982 (Cth) s 55.

[80]Privacy Act 1988 (Cth) s 52.

[81] Decisions of the AAT are reviewable by the Federal Court of Australia: Administrative Appeals Tribunal Act 1975 (Cth) pt IVA.

[82]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 12–12.

[83]Ibid, Proposal 12–13.

[84] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Australian Federal Police, Submission PR 545, 24 December 2007; Australia Post, Submission PR 445, 10 December 2007.

[85]Privacy NSW, Submission PR 468, 14 December 2007.

[86] See, eg, Rummery and Federal Privacy Commissioner [2004] AATA 1221.

[87]Administrative Appeals Tribunal, Submission PR 481, 17 December 2007.

[88]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007. See also Liberty Victoria—Victorian Council for Civil Liberties, Submission PR 540, 21 December 2007.

[89]Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[90] Confidential, Submission PR 570, 13 February 2008.

[91]Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[92]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[93] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Australia Post, Submission PR 445, 10 December 2007.

[94]Australian Federal Police, Submission PR 545, 24 December 2007. See also Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[95] Privacy Act 1993 (NZ) s 72; Official Information Act 1982 (NZ) s 29B.

[96] K Rudd and J Ludwig, Government Information: Restoring Trust and Integrity, Election 2007 Policy Document (2007).