Introduction

29.1 Australian law sets out rights and obligations in relation to an individual’s access to, and correction of, personal information held by an agency or organisation. The access and correction provisions generally reflect the ‘Individual Participation Principle’ in the Organisation for Economic Co-operation and Development’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) (OECD Guidelines).[1] They also reflect a core principle in the European Parliament’s Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (1995) (EU Directive)—namely, that

the data subject should have a right to obtain a copy of all data relating to him/her that are processed, and a right to rectification of those data where they are shown to be inaccurate. In certain situations he/she should also be able to object to the processing of the data relating to him/her.[2]

29.2 The regimes governing access to, and correction of, personal information currently differ as between agencies and organisations. Access to, and correction of, personal information held by agencies is regulated by provisions of the Freedom of Information Act 1982 (Cth) (FOI Act) and the Information Privacy Principles (IPPs) of the Privacy Act 1988 (Cth)—specifically, IPPs 6 and 7. Access to, and correction of, personal information held by organisations is governed by the National Privacy Principles (NPPs) of the Privacy Act.

29.3 In this chapter, the ALRC recommends that the model Unified Privacy Principles (UPPs)[3] should contain an ‘Access and Correction’ principle that sets out a predominantly unified scheme for access to, and correction of, personal information held by agencies and organisations. Some differences have been recommended, however, in the access and correction regimes for agencies, as distinct from organisations. These differences primarily concern the exceptions to the obligation on agencies and organisations to provide individuals with access to their personal information.

29.4 The ALRC also recommends that new obligations be imposed on agencies and organisations responding to a request for access, including that an agency or organisation should respond to a request for access in a timely manner and, where reasonable, provide access in the form requested by the individual. Finally, the ALRC recommends that, where personal information held by an agency or organisation is shown to be incorrect, that agency or organisation should be required, in certain circumstances, to notify third parties to whom the information has been disclosed.

[1] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), Guideline 13.

[2] European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995), art 12.

[3] The ALRC recommends that the IPPs and NPPs should be consolidated into a single set of privacy principles, the UPPs, which generally would be applicable to agencies and organisations: see Rec 18–2.