29.183 The ninth principle in the model UPPs should be called ‘Access and Correction’. It may be summarised as follows.
UPP 9. Access and Correction
9.1 If an agency or organisation holds personal information about an individual and the individual requests access to the information, it must respond within a reasonable time and provide the individual with access to the information, except to the extent that:
Where the information is held by an agency:
(a) the agency is required or authorised to refuse to provide the individual with access to that personal information under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents; or
Where the information is held by an organisation:
(b) providing access would be reasonably likely to pose a serious threat to the life or health of any individual;
(c) providing access would have an unreasonable impact upon the privacy of individuals other than the individual requesting access;
(d) the request for access is frivolous or vexatious;
(e) the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings;
(f) providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations;
(g) providing access would be unlawful;
(h) denying access is required or authorised by or under law;
(i) providing access would be likely to prejudice an investigation of possible unlawful activity;
(j) providing access would be likely to prejudice the:
(i) prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
(ii) enforcement of laws relating to the confiscation of the proceeds of crime;
(iii) protection of the public revenue;
(iv) prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or
(v) preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders;
by or on behalf of an enforcement body; or
(k) an enforcement body performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.
9.2 Where providing access would reveal evaluative information generated within the agency or organisation in connection with a commercially sensitive decision-making process, the agency or organisation may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.
Note: The mere fact that some explanation may be necessary in order to understand information should not be taken as grounds for withholding information under UPP 9.2.
9.3 If an agency or organisation is not required to provide an individual with access to his or her personal information it must take such steps, if any, as are reasonable to provide the individual with as much of the information as possible, including through the use of a mutually agreed intermediary.
9.4 If an organisation charges for providing access to personal information, those charges:
(a) must not be excessive; and
(b) must not apply to lodging a request for access.
Note: Agencies are not permitted to charge for providing access to personal information under UPP 9.4.
9.5 An agency or organisation must provide personal information in the manner requested by an individual, where reasonable and practicable.
9.6 If an agency or organisation holds personal information about an individual that is, with reference to a purpose for which it is held, misleading or not accurate, complete, up-to-date and relevant, the agency or organisation must take such steps, if any, as are reasonable to:
(a) correct the information so that it is accurate, complete, up-to-date, relevant and not misleading; and
(b) notify other entities to whom the personal information has already been disclosed, if requested to do so by the individual and provided such notification would be practicable in the circumstances.
9.7 If an individual and an agency or organisation disagree about whether personal information is, with reference to a purpose for which the information is held, misleading or not accurate, complete, up-to-date or relevant and:
(a) the individual asks the agency or organisation to associate with the information a statement claiming that the information is misleading or not accurate, complete, up-to-date or relevant; and
(b) where the information is held by an agency, no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth;
the agency or organisation must take reasonable steps to do so.
9.8 Where an agency or organisation denies a request for access or refuses to correct personal information it must provide the individual with:
(a) reasons for the denial of access or refusal to correct the information, except to the extent that providing such reasons would undermine a lawful reason for denying access or refusing to correct the information; and
(b) notice of potential avenues for complaint.