The ‘Access and Correction’ principle

Background

Agencies

29.5 As noted above, access to, and correction of, personal information held by agencies is regulated by a combination of provisions of the FOI Act and IPPs 6 and 7. IPP 6 provides that an individual is entitled to access a record containing his or her personal information, where it is in the possession or control of a record-keeper, except to the extent that the record-keeper is required or authorised to refuse access under any law of the Commonwealth that provides for access by persons to documents. Accordingly, IPP 6 provides individuals with the same right of access to information as is available under the FOI Act.[4]

29.6 IPP 7 provides that a record-keeper who has possession or control of a record containing personal information must take such steps, if any, as are reasonable to ensure that the record is accurate and is relevant, up-to-date, complete and not misleading. If the record-keeper is not willing to amend a record as requested by an individual, and is not required to amend it by a decision or recommendation under applicable Commonwealth law, the record-keeper must, if requested by the individual concerned, take reasonable steps to attach to the record any statement by the individual of the correction, deletion or addition sought.

Organisations

29.7 Access to, and correction of, personal information held by organisations currently is governed by NPP 6. NPP 6.1 provides that, if an organisation holds personal information about an individual, generally it must provide the individual with access to the information. It then lists a number of situations where access can be denied or limited. Where an organisation is not required to provide access under NPP 6.1, it must consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.[5] NPP 6.2 permits an organisation to give an individual an explanation for a decision, rather than direct access to personal information, where providing direct access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process.

29.8 NPP 6.5 provides that an organisation must take reasonable steps to correct personal information that it holds, if the individual to whom the information relates is able to establish that it is not accurate, complete and up-to-date. If the individual and the organisation disagree about the accuracy of the information, and the individual asks the organisation to associate with the information a statement claiming the information is not accurate, complete or up-to-date, the organisation must take reasonable steps to comply with the request.[6] Finally, NPP 6.7 provides that an organisation must provide reasons for denial of access or a refusal to correct personal information.

A unified principle?

29.9 As noted above, different regimes currently apply to access to, and correction of, personal information held by agencies and organisations. In particular, these differences accommodate the overlap between the Privacy Act and the FOI Act, where personal information is held by agencies.

29.10 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC expressed the preliminary view that different access and correction regimes should continue to apply to agencies and organisations. The proposed regimes were as follows:

  • provisions in a separate Part of the Privacy Act dealing with access to, and correction of, personal information held by agencies;[7] and

  • an ‘Access and Correction’ principle in the proposed UPPs dealing with access to, and correction of, personal information held by organisations.[8]

ALRC’s view

29.11 As discussed in Chapter 15, the ‘Access and Correction’ principle can be formulated to apply both to agencies and organisations. This is consistent with the ALRC’s recommendation that, unless there is a sound policy reason to the contrary, the privacy principles should apply equally to agencies and organisations.[9]

29.12 Differences between the current access and correction obligations on agencies and organisations are discussed in later sections of this chapter. Where there is a good policy reason for these discrepancies, agency-specific and organisation-specific requirements have been included within the ‘Access and Correction’ principle.[10]

Structure of the principle

29.13 The access and correction principles provided in the IPPs and the NPPs have significantly different structures. NPP 6 is an example of a ‘hybrid principle’—that is, it contains some general, high-level provisions and some detailed, relatively prescriptive provisions.[11] NPP 6 first sets out the general rule that an organisation must provide an individual with access to personal information it holds about the individual. It then sets out an exhaustive list of exceptions to, qualifications of, and derogations from, this general rule, as well as a number of procedural provisions.

29.14 In comparison, IPPs 6 and 7 are limited to the general rules according to which an agency should provide an individual with access to, or permit correction of, personal information. The IPPs do not set out directly any exceptions to these rules. Rather, they defer to exceptions to access to, and correction of, personal information under any other ‘law of the Commonwealth’.[12] In particular, this accommodates the exemptions from access and correction obligations set out in the FOI Act. The IPPs also do not include any procedural provisions for access to, and correction of, personal information. The Privacy Commissioner has advised, however, that agencies generally should process requests for access and correction under the Privacy Act in accordance with the administrative machinery set out in the FOI Act.[13]

29.15 This raises a question as to what is the appropriate structure for the ‘Access and Correction’ principle in the model UPPs.

29.16 In DP 72, the ALRC came to the preliminary view that the ‘Access and Correction’ principle in the UPPs generally should replicate the structure of NPP 6.[14] In particular, the ALRC noted that moving the detailed provisions of the ‘Access and Correction’ principle—for example, into another part of the Privacy Act or into regulation—would require the provisions to be redrafted so that they operate as conventional statutory provisions, as distinct from principles.[15]

ALRC’s view

29.17 NPP 6 provides an appropriate template for the ‘Access and Correction’ principle. Basing the ‘Access and Correction’ principle on NPP 6 is consistent with the ALRC’s view that the NPPs should form the general template in drafting and structuring the UPPs.[16] In particular, the ALRC notes that the general structure of the NPPs largely has been effective. Furthermore, adopting a radically different structure from the NPPs would involve a greater compliance burden, particularly on organisations that would have to update their privacy protection regimes.

Application to third parties

29.18 Currently, the privacy principles only provide individuals with rights to obtain access to, and correction of, their personal information.[17] An agency is not required to provide an individual with access to a document if its disclosure would involve the unreasonable disclosure of personal information about any person, including a deceased person.[18] An organisation also is not required to provide access where providing such access would have an unreasonable impact on the privacy of other individuals.[19]

29.19 In its submission on DP 72, the Human Rights and Equal Opportunity Commission (HREOC) suggested that the proposed ‘Access and Correction’ principle should not ‘unduly inhibit the ability of Indigenous people to access information needed to identify their natural families or communities’. HREOC submitted that agencies and organisations should be required to provide Indigenous persons with access to information that they need to identify their natural family or community—even if this involves an infringement of a third person’s privacy.[20]

ALRC’s view

29.20 In Chapter 7, the ALRC considers whether the protection of the Privacy Act should extend to groups and, in particular, Indigenous groups. The ALRC does not recommend that the Privacy Act be extended to provide direct protection to Indigenous or other racial, cultural or ethnic groups. It recommends, however, that information privacy rights and interests of Indigenous groups should be provided with additional protection—in particular, through the development of privacy protocols that respond to the particular privacy needs of such groups. If appropriate, these protocols could enable an individual to obtain access to personal information about another individual in certain circumstances.[21]

Recommendation 29–1 The model Unified Privacy Principles should contain a principle called ‘Access and Correction’ that, subject to Recommendation 29–2, applies consistently to agencies and organisations.

[4] Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 4–7: Advice to Agencies about Storage and Security of Personal Information, and Access to and Correction of Personal Information (1998), 13. Another law of the Commonwealth that provides access by persons to documents is the Archives Act 1983 (Cth).

[5] Privacy Act 1988 (Cth) sch 3, NPP 6.3. Compare also s 18H, which provides that, in certain circumstances, an individual’s rights of access to credit information files and credit reports may be exercised by another person authorised in writing by the individual.

[6] Ibid sch 3, NPP 6.6.

[7] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 12–6.

[8] Ibid, Ch 26.

[9] Rec 18–2.

[10] See, for example, Rec 29–2.

[11] For discussion of the overall structure of the privacy principles, see Ch 18.

[12] See: Privacy Act 1988 (Cth) s 14, IPPs 6, 7.2, 7.3(b).

[13] Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 4–7: Advice to Agencies about Storage and Security of Personal Information, and Access to and Correction of Personal Information (1998), 13.

[14] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [26.11]–[26.13].

[15] The differences between principles-based regulation and rules-based regulation are discussed in Ch 4.

[16] See Ch 18.

[17] Privacy Act 1988 (Cth) s 14, IPP 6; sch 3, NPP 6.

[18] Ibid, IPP 6, Freedom of Information Act 1982 (Cth) s 41.

[19] Privacy Act 1988 (Cth) sch 3, NPP 6.1(c). This exception has been retained in the model UPPs.

[20] Human Rights and Equal Opportunity Commission, Submission PR 500, 20 December 2007.

[21] Rec 7–1.