Procedural requirements for access and correction requests

29.139 Where an individual exercises his or her right to obtain access to, and correction of, personal information, the agency or organisation that holds the information must comply with a number of procedural requirements. For organisations, these requirements are set out in NPP 6. NPP 6.4, for example, limits the charge that an organisation can levy for providing an individual with access. NPP 6.7 requires an organisation to provide reasons for denial of access, or refusal to correct, personal information. The IPPs do not include equivalent procedural obligations. The Plain English Guidelines to Information Privacy Principles 4–7, however, note that, where an agency processes a request for access under the Privacy Act, it should comply with the administrative machinery set out in the FOI Act.[155]

29.140 In this section, the ALRC considers whether unified procedural requirements should apply to agencies and organisations and, if so, what should be the content of any such obligations. In particular, what requirements, if any, should apply to agencies and organisations:

  • to minimise barriers associated with exercising access and correction rights; and

  • for procedural fairness?

Unified procedural requirements for agencies and organisations?

29.141 As noted above, when processing requests for access to, and correction of, personal information under the Privacy Act, agencies generally are required to comply with the administrative processes set out in the FOI Act.[156]

29.142 In DP 72, the ALRC expressed the preliminary view that the Privacy Act should set out the procedure to be followed when dealing with a request to access or correct personal information held by agencies. The ALRC suggested that these procedures could be similar to, but less onerous than, those set out in the FOI Act, including:

  • steps to be taken by an individual making an application for correction or annotation of personal information;

  • the time to be taken to process a request to access or correct personal information;

  • the transfer of a request to access or correct personal information to another agency;

  • how personal information should be made available to the individual;

  • how corrections should be made to personal information; and

  • when incorrect information should be deleted.[157]

Submissions and consultations

29.143 Privacy NSW supported the proposal, provided the existing provisions in the FOI Act are referred to in the ‘Access and Correction’ principle itself or that these provisions be annexed to the Privacy Act.[158] The AFP supported the proposal and noted that the OPC should develop guidance in consultation with agencies.[159] The Public Interest Advocacy Centre (PIAC) submitted that procedures for correction should take into account a number of additional matters, including that, unless there is a very good reason to the contrary, individuals should always be given full access to the original record.[160] Medicare Australia agreed that the procedural details should be included in a new Part of the Privacy Act.[161]

29.144 The OPC submitted that the procedures to be followed should be clear, but noted that it was less convinced that all procedural matters needed to be set out in legislation, as opposed to being subject to guidance. The OPC suggested that, where possible, the relevant provisions of the Privacy Act should mirror the proposed ‘Access and Correction’ principle for organisations. Where necessary, guidance could be issued by the OPC about certain procedures. In the OPC’s view, only in circumstances where it is deemed essential should the prescriptive provisions of the FOI legislation be incorporated into the Privacy Act.[162]

ALRC’s view

29.145 An individual seeking access to personal information held by an agency should not be subject to the FOI Act processes where a simpler process can be established. Providing agencies with the discretion afforded by principles-based provisions allows agencies to develop administrative processes that are simpler than those imposed under the FOI Act and are appropriate to that agency and the personal information that it holds.

29.146 It is appropriate, therefore, that procedures imposed on organisations under the ‘Access and Correction’ principle in the model UPPs also should apply to access to, and correction of, personal information held by agencies. The appropriate content for a number of procedural issues associated with access and correction is considered below.

Barriers to access and correction

Background

29.147 For individuals to exercise control over their personal information, access and correction rights—as well as being available in principle—must be meaningful in practice. The OECD Guidelines, for example, state that where an individual is entitled to access personal information about him or her, this should include the right to have it communicated:

  • within a reasonable time;

  • at a charge, if any, that is not excessive;

  • in a reasonable manner; and

  • in a form that is readily intelligible to him …[163]

29.148 The NPPs include provisions addressing some of these barriers to access. Under NPP 6.4, if an organisation charges for providing access to personal information, the charges must not be excessive and must not apply to lodging a request for access. The OPC has advised that an organisation should take the following factors into account if it charges an individual for access to personal information: staff costs involved in locating and collating information; reproduction costs; and costs involved in having someone explain information to an individual. The OPC also has advised that an organisation should not charge an individual more than it costs the organisation to give access.[164]

29.149 Concern has been expressed, however, that a wide variety of fees may be charged for access to personal information because there is no maximum fee or schedule of fees in the Privacy Act. The OPC Review noted evidence of wide discrepancies in the fees charged by organisations for access to personal information and recommended that it should provide guidance to the private sector on fee structures.[165]

29.150 NPP 6 does not deal expressly with the remaining barriers to access set out in the OECD Guidelines—that is, that access to personal information should be provided within a reasonable time, in a reasonable manner, and in a form that is readily intelligible. This is in contrast to, for example, the Health Records and Information Privacy Act 2002 (NSW), which provides that a request for access to health information must be responded to within 45 days of receipt.[166] Access also generally must be provided in the form requested by the individual.[167] Similarly, Victorian privacy law sets out specifically the timeframe within which a request for access to, or correction of, personal information must be acted upon.[168]

29.151 Arguably, NPP 6 can be interpreted to minimise some barriers to access. In B v Surgeon, for example, a patient brought a complaint about the form in which a surgeon offered to provide access to personal information. The Privacy Commissioner advised that—although NPP 6 does not specify the form in which access should be provided—‘it is the Commissioner’s view that access should generally be provided in the form requested by the individual’.[169]

29.152 The OPC also has suggested appropriate timeframes for access to personal information in its Guidelines to the National Privacy Principles. The Guidelines suggest the following response times, as a starting point for organisations:

  • If the individual has made a written request for access, acknowledging the request as soon as possible or at least within 14 days could, in many cases, be appropriate.

  • If granting access is straightforward, it would often be appropriate for an organisation to grant access within 14 days, or if giving it is more complicated, within 30 days.[170]

29.153 The OPC notes, however, that the appropriate response time will depend on a number of factors, including

The method of communication, the type or amount of personal information requested, how the personal information is held, how complex an organisation’s functions and activities are and how the personal information is to be provided to the individual making the request.[171]

29.154 Some of these potential barriers to access also are provided for under the FOI Act’s administrative machinery. For example, where an individual requests access in a particular form, agencies generally are required to comply with that request.[172] The FOI Act also sets out prescriptive timeframes within which agencies must respond to requests for access to personal information.[173]

Submissions and consultations

29.155 In DP 72, the ALRC proposed that the ‘Access and Correction’ principle should provide that an organisation must respond within a reasonable time to a request from an individual for access to personal information held by the organisation. The ALRC also proposed that the OPC should provide guidance about the meaning of ‘reasonable time’ in this context.[174]

29.156 The majority of stakeholders that commented on this issue supported the ALRC’s proposal.[175] A number of stakeholders, however, suggested that there should be greater clarity about the timeframe for response.[176] The Office of the Victorian Privacy Commissioner (OVPC) suggested that the Information Privacy Act 2000 (Vic)—which requires Victorian agencies to respond as soon as is reasonably practicable, but by a maximum of 45 days—could provide an appropriate framework.

This does not mean that the agency is required to have updated the personal information or even to have made a decision as to whether the information will be corrected within 45 days (although this may be the case). Instead, the agency is required to have responded to the request for access or correction within 45 days, and, ideally, to have provided a timeline for their response to the individual within that time.[177]

29.157 PIAC supported incorporating other aspects of the OECD Guidelines[178] into the ‘Access and Correction’ principle, including that the organisation should respond: in a reasonable manner; at a charge, if any, that is not excessive; and in a form that is readily intelligible to the individual. It suggested that the ‘Access and Correction’ principle should specify a maximum fee for access, or that a schedule of fees should be included in the regulations.[179] Privacy advocates also supported introducing binding benchmarks for fees.[180]

29.158 The OPC suggested that an organisation should be under an obligation to provide the personal information in the form requested by the individual, where practicable and reasonable. In addition, the form of access should

have regard for any disability the individual may have, as well as their literacy and other matters, such as the individual’s level of understanding of what the information relates to. For example, if the information is highly technical in nature and cannot be interpreted easily, the individual may request it in a translated form.[181]

ALRC’s view

Fees

29.159 Currently, where an organisation imposes any charge for providing access to personal information, this charge must not be excessive and must not apply to lodging a request for access.[182] This provision should be included in the ‘Access and Correction’ principle.

29.160 Agencies presently are not permitted to charge an individual for providing access to personal information under the Privacy Act. The ALRC has not been made aware of any issues with agencies not being able to levy such a charge. In Chapter 32, the ALRC supports the general objective that individuals should not be unfairly disadvantaged by seeking to assert their privacy interests—and expresses the view that this requirement should be incorporated, where appropriate, into the privacy principles.

29.161 In light of the public interest in an individual being able to access and correct personal information that an agency holds about him or her, the ALRC considers that agencies should continue to fund the associated costs. The ALRC does not recommend, therefore, that the charging provisions should be extended to apply to agencies. This is consistent with the ALRC’s conclusion in its Report, Open Government (ALRC 77), that access to one’s own personal information under the FOI Act generally should be free.[183]

Timeliness of response

29.162 The ‘Access and Correction’ principle should include a requirement that agencies and organisations must respond to requests for access to personal information within a reasonable time. As responding to requests for access in a timely manner already may have been implied into the requirements of NPP 6 and has been recognised as ‘best practice’,[184] making this requirement explicit in the ‘Access and Correction’ principle will not require a change in practice for the vast majority of organisations. Further—as this requirement generally would not impose higher obligations on an agency than those timeframes required under the FOI Act—it also will not require a change in practice for agencies.

Manner of providing access

29.163 The ‘Access and Correction’ principle should require agencies and organisations to take reasonable steps to provide access in the manner requested by the individual. It is arguable that a requirement for organisations to provide access in the manner requested by the individual already can be implied into the ‘Access and Correction’ principle. This inference, however, is not self-evident. Expressly including a provision in relation to the manner of providing access therefore would promote clarity in the access and correction requirements. Such a provision also is consistent with present requirements for agencies under the FOI Act.

Generally understandable

29.164 In Chapter 10, the ALRC notes that it has not received evidence that indicates that information is being provided to individuals in an unintelligible form. The ALRC also considers it to be implicit within the concept of access that, where practicable, information should be provided in an intelligible form. The ALRC, therefore, does not recommend that the ‘Access and Correction’ principle should include a specific requirement for information to be provided in a form that is readily intelligible.

Level of detail of the provisions

29.165 There is a question of how prescriptive the procedural requirements in the ‘Access and Correction’ principle should be—for example, should the principle include maximum timeframes for responding to requests for access or a schedule of fees?

29.166 There are a number of practical difficulties with implementing binding schedules or frameworks in this context. For example, an appropriate timeframe to respond to an individual’s request for access will depend on a myriad of factors.[185] It is therefore difficult to prescribe firm rules regarding the procedures to be followed when an individual seeks access to his or her personal information. Setting out the provisions to remove barriers to access as high-level principles, rather than in the form of prescriptive obligations, also is consistent with the ALRC’s broader approach to privacy regulation.[186]

29.167 The ALRC recommends, below, that the OPC should develop guidance for agencies and organisations about their obligations under the ‘Access and Correction’ principle.[187] It is appropriate for the requirements to minimise barriers to individuals seeking to obtain access to, or correction of, personal information to be addressed in this guidance.

Recommendation 29-7 The ‘Access and Correction’ principle should provide that an agency or organisation must:

(a) respond within a reasonable period of time to a request from an individual for access to his or her personal information held by the agency or organisation; and

(b) provide access in the manner requested by the individual, where reasonable and practicable.

Reasons for decision and avenues of complaint

29.168 NPP 6.7 requires organisations to provide reasons for ‘denial of access or a refusal to correct personal information’. It does not provide any further guidance on how reasons should be given, how detailed the reasons should be, or whether there are any circumstances in which reasons can be refused.

29.169 No limitations on the requirement to give reasons are included expressly in the provision. The Revised Explanatory Memorandum for the private sector provisions, however, states that NPP 6.7 generally will require an organisation to tell the individual which exception it is relying upon to refuse access.[188] Further, it states that an organisation would not be required to give reasons ‘where such a disclosure would prejudice an investigation against fraud or other unlawful activity’.[189] The OPC also has issued guidance that:

Where access is denied on the basis of a serious threat to life or health, [a health provider] need not specify the precise provision relied upon if they are concerned this would cause the very harm which the denial of access is meant to correct.[190]

29.170 The FOI Act provides that, where an agency has made a decision to refuse to grant access to a document, it must give notice in writing of the decision.[191] This notice is not required to contain any matter that is of such a nature that its inclusion would cause that document to be exempt under the Act.[192] By virtue of s 51D of the FOI Act, this requirement also applies to a decision to refuse to amend or annotate a record.

Submissions and consultations

29.171 Although no proposal was directed specifically to this issue, some stakeholders made submissions on the requirements for procedural fairness under the ‘Access and Correction’ principle.

29.172 Privacy advocates submitted that the obligation to give reasons needed to be more specific in requiring an organisation to specify which of the exceptions it has relied on to deny access or correction.[193]

29.173 The AGD noted that requiring organisations to provide a reason for the denial of access may prejudice investigations or prosecutions in relation to mutual assistance or extradition. It suggested that there should be an exception from the requirement to provide a reason for denial of access where the reason for denial is because of one or more of paragraphs 9.1(f) to (j) of the proposed ‘Access and Correction’ principle.[194] The Department of Human Services questioned whether informal processes for providing reasons to deny a request to access personal information would be sufficient under the Privacy Act.[195]

29.174 The OVPC suggested that, where organisations decide to refuse access, they should be required to advise individuals about how this decision can be appealed.[196] Liberty Victoria expressed the view that individuals who are refused access to personal information should have an independent review process available to them.[197]

ALRC’s view

29.175 Where an agency or organisation has made an adverse decision in relation to a request for access to personal information that it holds about an individual, or a decision to correct such information, it is an important element of procedural fairness for the individual to be provided with the reason for the adverse decision. This generally will require the agency or organisation to tell the individual which exception it is relying upon to refuse access. The process for providing reasons should be as informal as possible to ensure that reasons are given quickly and to reduce compliance costs.

29.176 There may be some situations, however, where providing reasons would undermine the very reason that the agency or organisation has denied the individual access to the information or has refused to make the requested correction. In these situations it may not be appropriate for reasons to be provided. The ‘Access and Correction’ principle should explicitly provide for these situations.

29.177 At the time that an individual is provided with an adverse decision relating to his or her right of access and correction, it is appropriate that the relevant agency or organisation provide that individual with information about the avenues of complaint or review. The ALRC recommends that agencies and organisations provide information about avenues of complaint available to an individual in their Privacy Policies. Provided this Privacy Policy is readily available, it would be open to an agency or organisation to meet its requirements under the ‘Access and Correction’ principle by referring individuals to the relevant section of this document.

Recommendation 29-8 The ‘Access and Correction’ principle should provide that where an agency or organisation denies a request for access, or refuses to correct personal information, it must provide the individual with:

(a) reasons for the denial of access or refusal to correct personal information, except to the extent that providing such reasons would undermine a lawful reason for denying access or refusing to correct the personal information; and

(b) notice of potential avenues for complaint.

Notification of access and correction rights

29.178 The FOI Act requires agencies to publish information about the documents that are maintained by the agency and the facilities provided by the agency to enable individuals to access these documents.[198] There currently is no obligation under the Privacy Act or the FOI Act, however, to advise an individual that he or she may request the correction of his or her personal information where that individual has been given access to that information.[199]

29.179 In DP 72, the ALRC proposed that the Privacy Act should provide that, where an agency gives an individual access to personal information, it also must advise the individual that he or she may request the correction of that information.[200] The ALRC did not make an equivalent proposal for information held by organisations—rather, it suggested that the proposed ‘Notification’ and ‘Openness’ principles would cover adequately the notification requirements in this context.[201]

29.180 The OPC and Australia Post supported the ALRC’s proposal.[202] The AFP supported the proposal in principle, on the basis that there would be appropriate exemptions to enable the AFP and other law enforcement agencies to properly perform all of their functions.[203] ACMA was concerned that the proposal may compromise the law enforcement and regulatory functions of agencies, and have resource implications.[204]

ALRC’s view

29.181 Agencies and organisations should take steps to inform individuals of their access and correction rights. This includes advising individuals who have obtained access to their personal information that they have the right to seek correction of this information. In the ALRC’s view, however, this obligation does not need to be set out in the Privacy Act. Notification of access and correction rights is sufficiently encompassed by the ALRC’s recommendation that, at or before the time that an agency or organisation collects personal information about an individual, it must take steps to make the individual aware of certain matters, including his or her rights of access to, and correction of, the information.[205]

[155] See Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 4–7: Advice to Agencies about Storage and Security of Personal Information, and Access to and Correction of Personal Information (1998), 13.

[156] Ibid, 13.

[157] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 12–11.

[158] Privacy NSW, Submission PR 468, 14 December 2007.

[159] Australian Federal Police, Submission PR 545, 24 December 2007.

[160] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[161] Medicare Australia, Submission PR 534, 21 December 2007.

[162] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[163] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), Guideline 13(b).

[164] Office of the Federal Privacy Commissioner, Access and Correction, Information Sheet 4 (2001).

[165] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 31. See also rec 29, which provides that the Australian Government should consider adopting the Australian Health Ministers’ Advisory Council Code as a schedule to the Privacy Act, which will address the issues of intermediaries and access fees. This is discussed further in Part H.

[166] Health Records and Information Privacy Act 2002 (NSW) s 27.

[167] Ibid s 28. A private sector organisation may refuse to provide access to health information in the form requested by the individual if providing the information in that form would: place unreasonable demands on the organisation’s resources; be detrimental to the preservation of the information or otherwise would not be appropriate; or involve an infringement of copyright.

[168] See Information Privacy Act 2000 (Vic) sch 1, IPP 6.8 (request to be actioned no later than 45 days after receipt).

[169] B v Surgeon [2007] PrivCmrA 2. A patient lodged a complaint against a surgeon who would not provide the patient with a copy of his or her medical record. Rather, the surgeon offered for it to be viewed under the supervision of a staff member or provided to the complainant’s surgeon of choice. Following the Privacy Commissioner’s advice, the surgeon provided the complainant with copies of some of the medical records, excluding those documents that were considered commercially sensitive.

[170] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 49.

[171] Ibid, 49.

[172] Freedom of Information Act 1982 (Cth) s 20.

[173] Ibid s 15.

[174] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 26–3. The ALRC did not make an equivalent proposal in the context of agencies.

[175] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[176] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[177] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[178] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), Guideline 13(b).

[179] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[180] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[181] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[182] Privacy Act 1988 (Cth) sch 3, NPP 6.4.

[183] Australian Law Reform Commission and Administrative Review Council, Open Government: A Review of the Federal Freedom of Information Act 1982, ALRC 77 (1995), [14.8].

[184] See J Douglas-Stewart, Annotated National Privacy Principles (2005), [7–3740].

[185] See Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 49. Similarly, the appropriate fee to charge for access will vary depending on the circumstances of the particular request.

[186] See Chs 4 and 18.

[187] Rec 29–9.

[188] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), 151. See also Acts Interpretation Act 1901 (Cth) s 25D.

[189] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), 151.

[190] Office of the Privacy Commissioner, Denial of Access to Health Information Due to a Serious Threat to Life or Health, Private Sector Information Sheet 21 (2008), 4.

[191] Freedom of Information Act 1982 (Cth) s 26.

[192] Ibid s 26(2).

[193] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[194] Australian Government Attorney-General’s Department, Submission PR 546, 24 December 2007. These exceptions are set out in paras 9.1(g)–(k) of the model ‘Access and Correction’ principle.

[195] Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[196] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[197] Liberty Victoria—Victorian Council for Civil Liberties, Submission PR 540, 21 December 2007.

[198] Freedom of Information Act 1982 (Cth) s 8(1).

[199] Such an obligation exists under Information Privacy Principle 6 of the Privacy Act 1993 (NZ).

[200] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 12–8(b).

[201] Ibid, [26.60].

[202] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Australia Post, Submission PR 445, 10 December 2007.

[203] Australian Federal Police, Submission PR 545, 24 December 2007.

[204] Australian Communications and Media Authority, Submission PR 522, 21 December 2007.

[205] The ‘Notification’ principle is discussed in Ch 23.