Access to personal information: general framework

29.21 This section considers how the access provisions of the ‘Access and Correction’ principle should be framed, including whether access should:

• be an obligation imposed on an agency or organisation or an entitlement of the individual;

• apply to information ‘held’ by an agency or organisation or information in its ‘possession or control’; and

• include a provision for agencies to provide access to documents otherwise than as required by the Privacy Act.

29.22 Issues about access to personal information also arise in relation to exceptions to the requirement to provide access and alternative ways to provide individuals with access to personal information—namely, providing access through intermediaries. These issues are considered in following sections of this chapter.

An obligation or a right?

29.23 IPP 6 provides an individual with a right to obtain access to his or her personal information. In contrast, NPP 6 imposes an obligation on organisations to provide access to personal information.

29.24 In DP 72, the ALRC noted that it had not formed a strong view as to whether the provision dealing with access to personal information held by agencies should be expressed so as to grant an individual a right, or impose an obligation on an agency. Ultimately, it proposed that the access and correction provisions that apply to agencies should be expressed as an obligation on the agency, rather than an entitlement of an individual. That is, if an agency holds personal information about an individual the agency must, if requested to do so by the individual, provide the individual, with access to the information, subject to the relevant exceptions.^[22]

Submissions and consultations

29.25 Several stakeholders supported the proposal.^[23] The Office of the Privacy Commissioner (OPC) supported the proposal but submitted that the nature of the proposed exceptions would have a significant bearing on whether the intent of the proposal was achieved.^[24] Privacy NSW supported the proposal on the proviso that the existing provision in the FOI Act be referred to in the UPP itself, or that it be annexed to the Privacy Act.^[25]The Australian Communications and Media Authority (ACMA) and the Australian Federal Police (AFP) argued for appropriate exemptions for law enforcement and regulatory functions.^[26] No stakeholders opposed this proposal.

ALRC’s view

29.26 The ‘Access and Correction’ principle in the model UPPs should provide that agencies and organisations must, if requested by the individual, provide the individual with access to his or her personal information (subject to the relevant exceptions). This approach was supported by a number of stakeholders. It also is consistent with the terminology that has been used in the other model UPPs.

‘Possession or control’ of personal information

29.27 IPPs 6 and 7 apply when personal information is in an agency’s ‘possession or control’. By contrast, NPP 6 applies when personal information is ‘held’ by an organisation. ‘Possession and control’ may be broader than the term ‘held’. For example, an agency could administer a database—and therefore retain substantive control over it—but outsource physical possession of the database to another agency or organisation. In these circumstances, the agency would still have ‘possession or control’ for the purposes of IPPs 6 and 7. It is unclear, however, whether the agency ‘holds’ the information.

29.28 There is no clear guidance on when information is ‘held’ by an organisation for the purposes of NPP 6. Some direction may be provided, however, from judicial interpretation of documents ‘in the possession of an agency’ in the context of the FOI Act.^[27] In Beesley v Australian Federal Police, Beaumont J held that documents in the possession of an agency included those documents in its ‘constructive possession’—that is, where the agency had a right or power to deal with the document in question.^[28] This precedent, however, was limited to records held in electronic form. Beaumont J expressly declined to overrule earlier cases which held that ‘possession’, when used in the context of access to hard copies of documents under the FOI Act, meant documents in the physical possession of an agency.^[29]

ALRC’s view

29.29 Where personal information is under the control of one agency or organisation but in the possession of another, an individual should have the right under the Privacy Act to request access either from the administering agency or organisation or the agency or organisation that has actual possession of the information.

29.30 One way to achieve the above policy outcome is by interpreting documents ‘held’ by an agency or organisation as including those documents in its ‘constructive possession’. This interpretation is consistent with case law about ‘documents in the possession of an agency’ for the purpose of the FOI Act. Retaining the term ‘held’ in the ‘Access and Correction’ principle also is consistent with the wording used in a number of other UPPs.^[30]

29.31 If, however, Parliamentary Counsel does not consider the term ‘held’ to be broad enough to support access to personal information that is in the constructive possession of an agency or organisation, then the principle should be drafted in another way to include this concept. This could include, for example, applying expressly the ‘Access and Correction’ principle to personal information in the constructive possession of an agency or organisation.

29.32 The ALRC recommends, below, that the OPC should provide guidance on the ‘Access and Correction’ principle. This guidance should address the issue of when personal information is ‘held’ by agencies and organisations.^[31]

Access other than under the Privacy Act

29.33 The FOI Act specifically permits an agency to provide access to documents otherwise than in accordance with the Act’s requirements, provided that the agency can ‘properly do so’ or where such access is ‘required by law’.^[32] This provision may allow, for example, access to documents that are exempt under the FOI Act, such as internal working documents or documents relating to business affairs.^[33] It also may permit access to documents without recourse to the (sometimes cumbersome) processes of the FOI Act.

Submissions and consultations

29.34 In DP 72, the ALRC expressed the preliminary view that an equivalent provision should be included in the Privacy Act.^[34]

29.35 The OPC supported this proposal, but was concerned that the word ‘properly’ could have several meanings. It suggested that it be replaced with the word ‘lawfully’ or be clarified in some way.^[35] The Department of Human Services submitted that the use of the term ‘publishing’ was inappropriate, given that personal information is rarely ‘published’, and suggested that the word ‘communicates’ may be preferable.^[36]

ALRC’s view

29.36 The ALRC’s view on this issue has changed from that expressed in DP 72. The purpose of s 14 of the FOI Act is to ensure that an agency has the authority to publish or make government documents available, where appropriate, either on its own initiative or in response to a particular request, without recourse to the processes of the FOI Act. Such a provision is not required in the context of the Privacy Act, which is designed to provide a simple and user-friendly mechanism for individuals to access and correct their own personal information. Accordingly, the ALRC does not recommend that s 14 of the FOI Act be mirrored in the Privacy Act.