When your business deals with personal information, individuals have the right to access and correct any personal information you hold about them. You should set out this legal right in your privacy policy, along with who your customers can contact to lodge a privacy access request. When individuals make such a request, in most cases you should grant them access. You also have an obligation to use accurate personal information, so you would generally allow corrections to out-of-date information. However, you can refuse in some cases. If you do, note that the Privacy Commission can order compliance if it considers that your refusal was not for a legitimate reason. This article outlines three steps you should take in response to a privacy access request and your options at each stage.

Responding to an Access Request

When you receive a privacy access request, you are operating within a time limit. You should respond as soon as possible within 20 working days of receiving the request. This period can be extended as long as you let the requestor know and give a legitimate reason, such as:

  • you cannot gather the volume of information they require within 20 working days; or
  • the people or databases you need to consult to get the information are not available within 20 working days.

The requester does not have to reference any specific privacy rights, and they do not have to give you a reason for wanting access to their personal information. You should log each request as you receive it. If you operate in the private sector, you may be able to charge for access requests.

When you do receive a privacy access request, you can follow the steps below.

1. Confirm Their Identity

Individuals can generally only request personal information about themselves. Individuals can only ask for another person’s personal information when they are the nominated representative of that person, and they have written permission for the request.

Therefore, you need to verify the identity of any individual who submits a privacy access request to your business. Ask for identity verification and, where they are acting on behalf of another person, proof of that person's consent.

2. Investigate the Request and Evaluate

Once you have confirmed their identity, investigate the subject of the request. Locate where you hold the information at your business, and determine whether it is readily retrievable. When doing so, consider:

  • the cost of retrieving the information;
  • the time it would take to retrieve said information;
  • how old the information is; and
  • the manner of information storage.

You only have to provide information if it is readily retrievable, not merely if it is possible to retrieve. For example, it is technically possible to recover data you have deleted from a computer, but this involves a specialist process and technical expertise you may not have.

As an agency, you should make a genuine effort to retrieve information that is the subject of an access request. However, if the request becomes an undertaking that detracts from the efficient functioning of your business, you may have grounds to refuse it.

Note that you do need to maintain coherent information storage systems. In particular, poor data organisation may not protect you from liability if the Privacy Commission investigates why you could not complete the access request.

Tip: If the information is at another agency, you need to transfer the privacy access request to that agency within ten working days of receiving it.

3. Respond

Once you have located the personal information within your business, you need to determine how you will respond to the access request. If you do not have the information, or it is not readily retrievable, you can refuse the request, but you need to inform the requester.

Otherwise, you have three options for your response:

  • grant the individual access to some or all of their personal information;
  • refuse access to some or all of their personal information; or
  • neither confirm nor deny whether you hold the individual’s personal information.

You should operate from the presumption that you give them access in most cases. However, if you have a legitimate reason to refuse, you may not have to grant access. Among other reasons, you may refuse if granting access to the nominated personal information would:

  • infringe on another person’s privacy rights;
  • harm or threaten the safety of another individual;
  • compromise national security and defence;
  • breach confidentiality;
  • negatively affect the requestor’s mental health; or
  • release trade secrets.

When you provide the information, it needs to be in a readable form that is clear and convenient for the requestor. In most cases, you need to give it in the format the requestor asked for. For example, if they asked for a conversation recording, you need to give them the audio recording rather than a transcript.

If you refuse access, the requester has the right to complain to the Privacy Commission. The Commission can then investigate and determine whether your reason for refusal was legitimate.

Key Takeaways

When you receive a privacy access request for personal information that your business holds about a person, you should respond to that request as soon as practicable. Determine whether the information is readily retrievable, and give access to it if there is no justifiable reason not to. If you would like more information or help with privacy access requests within your business, contact LegalVision’s privacy lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is a privacy access request?

A privacy access request is when someone asks your business to see the personal information that you hold about them.

Can I refuse to give access to any personal information I hold?

You can only refuse access if you have a legitimate and justifiable reason to. For example, if giving access would infringe on another person’s privacy.

What is personal information under the Privacy Act?

Under the Privacy Act, personal information is any information about an identifiable individual. This means that if you use this information, either by itself or together with other information, you can identify who it is about.