Privacy Commissioner releases draft guidelines on APP 12 and 13

November 19, 2013 |

Today the Privacy Commissioner released draft guidelines on APPs 12 and 13.  Consultations will be open until 16 December 2013 (with a special note that no extensions will be granted after that date….. A bit of a disappointment for those wanting to type away on 24 December 2013.  Bah Humbug!).  The Draft Guidelines are found here.

The Commissioner included a note to the Guidelines for APP 12 and 13, being:

Note 2: In developing Chapter 12, the OAIC has made some textual changes to the discussion of ‘unlawful’ from that in draft Chapter C (Permitted general situations). Also, in developing Chapter 13, the OAIC has made some textual changes to the discussion of ‘accurate’, ‘up-to-date’, ‘complete’ and ‘relevant’ from that outlined in draft Chapter 10 (Quality of personal information). Neither of these changes reflect a consideration of the submissions received on draft Chapter C or draft Chapter 10, which will be considered in due course.

 The guidelines to APP 12 provides, absent summary and footnotes:

What does APP 12 say?                                                   

12.1          An APP entity that holds personal information about an individual must, on request, give that individual access to the information (APP 12.1). The grounds on which access may be refused differ for agencies and organisations.

12.2          APP 12 also sets out minimum access requirements, including the time period for responding to an access request, how access is to be given, and that a written notice, including the reasons for the refusal, must be given to the individual if access is refused.

12.3          APP 12 operates alongside and does not replace other informal or legal procedures by which an individual can be given access to information. In particular, APP 12 does not prevent an APP entity from giving access to personal information under an informal administrative arrangement, provided the minimum access requirements stipulated in APP 12 have been met.  

12.4          For agencies, APP 12 operates alongside the right of access in the Freedom of Information Act 1982 (the FOI Act). The FOI Act provides individuals with a right of access to documents held by most Australian Government agencies,  including documents containing personal information. The Act sets out comprehensive rules about requesting and providing access to documents, and resolving access disputes. In some circumstances it may be more suitable to process an information access request under the FOI Act than under APP 12, if the individual agrees (see paragraph 12.20).

‘Holds’                                                                                                                                   

12.5          APP 12 only applies to personal information that an APP entity ‘holds’. An APP entity ‘holds’ personal information ‘if the entity has possession or control of a record that contains the personal information’ (s 6(1)).

12.6          The term ‘holds’ extends beyond physical possession of a record to include a record that an entity has the right or power to deal with. An example is a record of personal information stored on servers managed by a third party, where the APP entity has the right to deal with that information, such as by accessing and amending the information.

12.7          Upon receiving a request for access, an APP entity should search the records that it possesses or controls to assess whether the requested personal information is contained in those records. For example, an entity may search hard copy records and electronic databases and make enquiries of staff or contractors with relevant knowledge.

Access to ‘personal information’

12.8          APP 12 requires an APP entity to provide access to ‘personal information’. It does not provide a right of access to other kinds of information. ‘Personal information’ is defined in s 6(1) as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not, and
  • whether the information or opinion is recorded in a material form or not.’

12.9          Personal information of one individual may also be personal information of another individual. For example:

  • information in a marriage certificate may be personal information of both parties to the marriage
  • an opinion may be personal information of both the subject and the giver of the opinion.

12.10      APP 12 requires an APP entity to provide access to all of an individual’s personal information it holds, even if that information is also the personal information of another individual, unless a ground to refuse access applies. The grounds are discussed below, and include the ground that giving access would have an unreasonable impact on the privacy of another individual. ‘Personal information’ is discussed in more detail in Chapter B (Key concepts).

12.11      As to other requested information that is not personal information:

  • If the entity is an organisation – it should consider whether the person has a right of access to that information under other legislation. If not, the organisation may make a discretionary decision either to grant access to that other information or to refuse access.
  • If the entity is an agency – it should consider whether access to that information can be granted under the FOI Act, or on an administrative basis. Before refusing access to that other information, the agency should advise the individual to consider making the request under the FOI Act.

Verifying an individual’s identity

12.12      An APP entity must be satisfied that a request for personal information under APP 12 is made by the individual concerned, or by another person who is authorised to make a request on their behalf, for example, as a legal guardian or authorised agent. If an APP entity gives access to the personal information of another person, the disclosure may not comply with APP 6 (see Chapter 6).

12.13      It would generally be impracticable for an APP entity to deal with an anonymous request for personal information. However, it may be practicable to deal with a pseudonymous request, for example, where the individual has previously transacted under that pseudonym and can establish their identity as that individual (see APP 2, Chapter 2 (Anonymity and pseudonymity).

12.14      The steps appropriate to verify an individual’s identity will depend on the circumstances. In particular, whether the individual is already known to or readily identifiable by the entity. The minimum amount of personal information needed to establish an individual’s identity should be sought. Where possible, the information should be sighted rather than copied or collected for inclusion in a record. For example, in a face-to-face dealing with an individual an entity may be able to record that an identity document was sighted without copying the document. In a telephone contact it may be adequate to request information that can be checked against records held by the entity, such as a date of birth or address.

Giving access under APP 12 – processing requirements

12.15      APP 12 requires that personal information be given to an individual ‘on request’. APP 12 does not stipulate formal requirements for making a request, or require that a request be made in writing, or state that it is an APP 12 request.

12.16      It is open to an APP entity to provide access to personal information on an informal basis, provided the minimum access requirements in APP 12 are met. The access requirements in APP 12 relate to response times (see paragraphs 12.56 – 12.59), how access is to be given (paragraphs 12.60 – 12.62), access charges (paragraphs 12.72 – 12.79), and providing a written notice, including the reasons for the refusal, if access is refused (paragraphs 12.80 – 12.86). These are only the minimum requirements – an APP entity should endeavour to provide access in a manner that is as prompt, uncomplicated and inexpensive as possible.

12.17      An APP entity is required by APP 1.4(d) to state in an APP Privacy Policy ‘how an individual may access personal information about the individual’ (see APP 1, Chapter 1 (Open and transparent management of personal information)). If an entity wishes an individual to follow a particular procedure in making a request for access, they should publish that procedure and draw attention to it, for example, by providing a link in the APP Privacy Policy and on the entity’s website homepage to the access procedure, to an online request form, or to an online portal that enables an individual to access their personal information.

12.18      Agencies should ensure that APP 12 access procedures are integrated with FOI Act procedures. An important FOI requirement is that an agency has a duty to take reasonable steps to assist a person to make an access request that complies with the FOI Act access requirements (FOI Act s 15(3)). That means an agency could refer to the FOI Act in the agency’s APP Privacy Policy and, in appropriate circumstances, draw the FOI Act to a person’s attention. Agencies should also consider providing this information through an ‘Access to information’ link on the agency’s website homepage.

12.19      Agencies are not required to advise individuals to request personal information under the FOI Act rather than under an administrative arrangement or by relying on APP 12. As explained in the FOI Guidelines, agencies should consider establishing administrative access arrangements that operate alongside the FOI Act and that provide easier and less formal means for individuals to obtain access to government information, including personal information. Providing access to personal information under an administrative arrangement will fulfil an agency’s obligation under APP 12 to provide access upon request, provided the arrangement meets the minimum access requirements in APP 12.

12.20      In some circumstances it may be preferable for an individual to make an access request under the FOI Act:

  • an FOI access request can relate to any document in the possession of an agency (FOI Act s 15(1)) and is not limited to personal information held in an agency record (APP 12.1)
  • the FOI Act contains a consultation process for dealing with requests for documents that contain personal or business information about a person other than the requester (FOI Act ss 27, 27A)
  • an applicant who applies for access under the FOI Act can complain to the Information Commissioner about an action taken by an agency under that Act (FOI Act s 70)
  • an applicant who is refused access under the FOI Act has a right to apply for internal review or Information Commissioner review of the access refusal decision (FOI Act ss 54, 54L).

When an agency may refuse to give access under APP 12

12.21      An agency is not required by APP 12 to give access to personal information if the agency is required or authorised to refuse access to that information by or under:

  • the FOI Act (APP 12.2(b)(i))
  • any other Act of the Commonwealth, or a Norfolk Island enactment, that provides for access by persons to documents (APP 12.2(b)(ii)).

12.22      The meaning of ‘required or authorised’ is discussed in Chapter B (Key concepts). In summary, an agency is ‘required’ to refuse access by an Act that prohibits the disclosure of the personal information; and an agency is ‘authorised’ to refuse access by an Act that authorises or confers discretion on the agency to refuse a request for access to the personal information.

Authority to refuse access under the FOI Act

12.23      The FOI Act lists several grounds on which an agency can refuse a request under the Act for access to documents. An agency may rely on any of those grounds to refuse access under APP 12. It is nevertheless open to an agency not to rely on any such ground and to provide access upon request, unless disclosure is prohibited, for example, by a secrecy provision.

12.24      The grounds on which an access request can be declined under the FOI Act include:

  • a document is an exempt document under Part IV, Division 2 of the FOI Act – for example, the document is a Cabinet document, is subject to legal professional privilege, contains material obtained in confidence, or a secrecy provision applies
  • a document is a conditionally exempt document under Part IV, Division 3 of the FOI Act – for example, the document contains deliberative matter, or disclosure of the document would involve the unreasonable disclosure of personal information about another person – and it would be contrary to the public interest to release the document at that time
  • the FOI Act does not apply to a document of the kind requested – for example, the document is a document of court that is not of an administrative nature; the document is available for purchase from an agency; or the document is the record of a Royal Commission (ss 5, 6, 6A, 12, 13)
  • the agency to which an access request was made is exempt from the operation of the FOI Act, either wholly or in respect of a document of the kind requested (s 7 and Schedule 2)
  • providing access in the terms requested by a person would substantially and unreasonably divert an agency’s resources from its other operations (s 24AA)
  • processing a person’s request would require an agency to disclose the existence or non-existence of a document, where that would otherwise be exempt information (s 25).

12.25      The FOI Act specifies consultation processes that may apply to requests made under that Act – for example, where a ‘practical refusal reason’ may apply (s 24) to the request, or where a requested document contains a third party’s personal or business information (ss 27, 27A). An agency is not required to undertake any of those consultation processes before refusing access on any of those grounds under APP 12. This is required only if the person opts to make a request under the FOI Act.

12.26      A decision to refuse access under APP 12.2(b)(i) (on one of the FOI grounds listed above) is a decision made under the Privacy Act, not the FOI Act. As required by APP 12.9, the agency must provide the individual with a written notice that sets out the reasons for the refusal and the (see paragraph 12.76 below). The individual may have a right to complain to the Information Commissioner under the Privacy Act, but will not have a right to seek internal review or Information Commissioner review under the FOI Act. 

Required or authorised to refuse access under another Act

12.27      APP 12.2(b)(ii) provides that an agency is not required to give access to personal information if it is required or authorised to refuse to give access by another Act that provides for access by persons to documents. An example is a statutory secrecy provision that requires or authorises that access be refused in certain circumstances.

12.28      A further example is the Archives Act 1983, which provides a right of access to Commonwealth records in the open access period (s 31) that are in the care of the National Archives of Australia and that are not exempt records (s 33). The categories of exempt records include information whose disclosure would constitute a breach of confidence, would involve the unreasonable disclosure of information relating to the personal affairs of any person, or would unreasonably affect a person adversely in relation to his or her business, financial or professional affairs. An agency that has transferred a record of personal information to the National Archives is considered to be the agency that holds the record for the purposes of the Privacy Act (s 10(4) of the Privacy Act).

When an organisation may refuse to give access under APP 12

12.29      APP 12.3 lists ten grounds on which an organisation can refuse to give access to personal information. It is nevertheless open to an organisation not to rely on any such ground and to provide access upon request, unless disclosure is prohibited. Before relying on any of these grounds an organisation should consider whether redacting some information would enable access to be provided (for example, redacting personal information about another person).

12.30      The grounds, which are considered separately below, are:

  • the entity reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety (APP 12.3(a))
  • giving access would have an unreasonable impact on the privacy of other individuals (APP 12.3(b))
  • the request for access is frivolous or vexatious (APP 12.3(c))
  • the information relates to existing or anticipated legal proceedings between the entity and the individual, and would not be accessible by the process of discovery in those proceedings (APP 12.3(d))
  • giving access would reveal the intentions of the entity in relation to negotiations with the individual in such a way as to prejudice those negotiations (APP 12.3(e))
  • giving access would be unlawful (APP 12.3(f))
  • denying access is required or authorised by or under an Australian law or a court/tribunal order (APP 12.3(g))
  • the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in and giving access would be likely to prejudice the taking of appropriate action in relation to the matter (APP 12.3(h))
  • giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body (APP 12.3(i))
  • giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision?making process (APP 12.3(j)).

Giving access would pose a serious threat to the life, health or safety of any individual or to public health or public safety

12.31      The phrase, ‘serious threats to the life, health or safety of any individual, or to public health or public safety’, is discussed in Chapter C (permitted general situations).

12.32      An example of where this ground might apply is a healthcare provider having reasonable grounds to believe that giving an individual access to their personal information may cause that person significant distress or lead to self-harm or harm to another person.

Giving access would have an unreasonable impact on the privacy of other individuals

12.33      This ground may apply where the record of personal information that a person has requested contains personal information of another individual. As noted above (paragraph 12.10), a record of a person’s opinions or views (for example, a referee comment) may be personal information of that person.

12.34      Before relying on this ground an organisation must be satisfied that giving access would have ‘an unreasonable impact’ on the privacy of another. Factors that may be relevant in deciding that issue include:

  • the nature of the personal information about the other individual; for example, if the information is of a sensitive or confidential nature it may be unreasonable to provide it to others
  • the reasonable expectation of the other individual about how that information will be handled: for example, if both individuals were present when the information was collected, there may be a reasonable expectation that each individual could later access the information
  • the source of the personal information; for example, if the individual requesting access provided the information about the other individual, access may not have an unreasonable impact on that person
  • whether the personal information of another individual could be redacted from the record provided to the individual requesting access
  • whether access could be provided through an intermediary (see paragraphs 12.67–12.70)
  • whether the other individual has or would be likely to consent to access being given to the person requesting access.

12.35      In applying this ground, an organisation may consult the other individual about whether giving access would have an unreasonable impact on their privacy. The view expressed by that individual may be relevant but not determinative. However, before consulting another individual, an organisation should consider whether doing so poses a privacy risk for the individual seeking access.

The request for access is frivolous or vexatious

12.36      A request should not be refused on this ground unless there is a clear and convincing basis for deciding that a request is frivolous or vexatious. It is not a sufficient basis, for example, that a request would cause inconvenience or irritation to an organisation.

12.37      The following are given as examples of requests that may be treated as frivolous or vexatious:

  • repeated requests for access to personal information that has already been provided to the requester
  • a request that contains offensive or abusive language, or that does not appear to be a genuine request for personal information
  • a repeat request for personal information that an organisation has earlier explained to an individual it does not hold, has been destroyed, or cannot be located after a reasonable search
  • a request made for the apparent purpose of harassing or intimidating the staff of an organisation, or interfering unreasonably with its operations.

The information requested relates to an existing or anticipated legal proceeding           

12.38      This ground applies where legal proceedings between the individual and the organisation are underway or anticipated, and the information would not be accessible by the process of discovery in those proceedings. A legal proceeding is anticipated if there is a real prospect of proceedings being commenced, as distinct from a mere possibility.

Giving access would prejudice negotiations between the entity and the individual  

12.39      This ground applies where giving access would prejudice negotiations between the organisation and the individual by revealing the intentions of the organisation in relation to the negotiations. The negotiations may be current or reasonably anticipated.

12.40      An example of where this ground might apply is an organisation negotiating a claim brought by an individual for compensation (for example, for negligence or wrongful dismissal), and releasing the personal information requested by the individual may reveal the organisation’s strategy to settle or defend the claim.

Giving access would be unlawful

12.41      The term ‘unlawful’ is not defined in the Privacy Act. The term ‘Australian law’ is defined as an enactment or rule of common law or equity, but does not include a contract (see Chapter B (Key concepts)). As a general guide, it would be unlawful to provide personal information to an individual if an enactment, legal order or legal obligation (other than a contract) prevents the release of the information.

12.42      Examples of where this ground might apply are where giving access would be a breach of legal professional privilege, a breach of confidence or a breach of copyright.

Denying access is required or authorised by law or a court/tribunal order

12.43      The meaning of ‘required or authorised’ is discussed in Chapter B (Key concepts). This ground applies where an Australian law or court or tribunal order forbids the disclosure of information; or a law or order authorises or confers discretion on an organisation to refuse a request from an individual for access to their personal information. (There is overlap between this ground and the preceding ground – giving access would be unlawful.)

12.44      An example of where this ground might apply is a court order providing that an organisation is not required to provide personal information to an individual who is in the care of or is undergoing treatment by the organisation.

Giving access would likely prejudice the taking of appropriate action in relation to suspected unlawful activity or serious misconduct

12.45      There are a number of separate elements to this ground.

12.46      First, an entity must have reason to suspect that unlawful activity or misconduct of a serious nature is or may be engaged in. The term ‘unlawful activity’ is not defined in the Privacy Act (see paragraph 12.41). An activity is unlawful if it is proscribed by an enactment or is a civil wrong that can be restrained by a court order. Examples of unlawful activity include criminal offences, unlawful discrimination, and trespass.

12.47      Misconduct is defined in s 6(1) to include ‘fraud, negligence, default, breach of trust, breach of duty, breach of discipline or any other misconduct in the course of duty.’ An added requirement of this ground is that the misconduct is of a ‘serious nature’. This excludes minor breaches or transgressions.

12.48      The organisation must have ‘reason to suspect’ the unlawful activity or serious misconduct is being or may be engaged in. This is a different and lesser standard to ‘reasonably believes’, which is used in some other APPs (see Chapter B – Key concepts). There should nevertheless be a reasonable basis for the suspicion.

12.49      The suspected unlawful activity or serious misconduct must relate to the organisation’s functions or activities. As discussed in paragraph 3.14, an organisation’s functions or activities include current, proposed and support functions and activities.

12.50      Lastly, giving access must be likely to prejudice the organisation in taking appropriate action in relation to the suspected unlawful activity or serious misconduct. There should again be a reasonable basis for this expectation of prejudice. The proposed action may include investigation of the activity or misconduct, or reporting it to the police or another relevant person or authority.

12.51      An example of where this ground might apply is where giving access to the requested information would reveal that an organisation is lawfully and covertly investigating suspected misconduct of a client, and disclosure would prejudice the covert investigation.  

Giving access would likely prejudice an enforcement related activity conducted by, or on behalf of, an enforcement body

12.52      ‘Enforcement body’ is defined in s 6(1) as a list of specific bodies. The list includes Commonwealth, State and Territory bodies that are responsible for policing, criminal investigations, and administering laws to protect the public revenue or to impose penalties or sanctions. Examples of Commonwealth enforcement bodies are the Australian Federal Police, the Australian Crime Commission, Customs, the Integrity Commissioner,] the Australian Prudential Regulation Authority, the Australian Securities and Investments Commission and the Immigration Department.

12.53       ‘Enforcement related activity’ is also defined in s 6(1). It includes the prevention, detection, investigation and prosecution or punishment of criminal offences and intelligence gathering activities.

12.54      The terms ‘enforcement related activity’ and ‘enforcement body’ are discussed in Chapter B (Key concepts).

12.55      An example of where this ground might apply is an enforcement body asking an organisation not to give an individual access to certain personal information, as doing so would be likely to reveal the existence of a criminal investigation or interfere with preparation for court proceedings.

Giving access would reveal evaluative information in connection with a commercially sensitive decision-making process

12.56      This ground applies if giving access would reveal ‘evaluative information’ generated within an organisation in connection with a commercially sensitive decision-making process. An example of evaluative information is a score card weighting system. The ground applies only to the evaluative information, and not to personal information on which a decision was based.

12.57      APP 12.10 provides that if an organisation refuses to give access to personal information under this ground, its written notice explaining the reasons for refusal may include an explanation for the commercially sensitive decision. This may include explaining the reasons for the decision and giving a copy of the personal information that informed the decision. For discussion of the requirement to give a written notice refusing access, see paragraphs 12.80 – 12.86.

APP 12 minimum access requirements

12.58      APP 12 sets out minimum access requirements that must be met when an entity receives a request from an individual for access to their personal information. The access requirements relate to the response time, how access is to be given, access charges and giving a written notice, including the reasons for refusal, if access is refused.

12.59      An individual may complain under s 36 of the Privacy Act to the Information Commissioner about the failure of an entity to comply with any of the APP 12 minimum access requirements. The Information Commissioner will not investigate a complaint if the person has not first raised the matter with the entity complained about, unless it was not appropriate to require that as a first step (s 40(1A)). When investigating a complaint, the OAIC will initially attempt to conciliate the complaint (s 40A), before considering the exercise of other complaint resolution powers (s 52). These steps in complaint resolution can be relevant to the way that a complaint about timeliness, adequacy of reasons or other access requirements is handled and resolved.

12.60      The APP 12 access requirements and the Privacy Act complaint and review mechanisms[ differ in important respects from those applying to agencies in relation to requests for information received under the FOI Act. For example, the FOI Act requires an agency to acknowledge receipt of an FOI request within 14 days, and to make a decision on the request within 30 calendar days. The processing period can be extended with the agreement of the applicant, to enable an agency to consult a third party, or with the approval of the Information Commissioner for complex and voluminous requests. If an agency fails to make a decision within the statutory processing period (including an authorised extension) the agency is deemed to have made a decision refusing access. The applicant may then apply for internal review or Information Commissioner review, although the OAIC can extend the time for an agency to make a decision on the request. The FOI Act also contains special requirements on charges, the form of access and statements of reasons.

Timeframe for responding to a request for access under APP 12 – agencies

12.61      APP 12.4(a)(i) provides that an agency must ‘respond’ to a request for access within 30 calendar days. The agency must respond by giving access to the personal information that is requested, or by notifying its refusal to give access. If this is impracticable (for example, there is a justifiable need to clarify the scope of an individual’s request, or to locate and assemble the requested information, or to consult a third party), the agency is expected to contact the individual to explain the delay and provide an expected timeframe for finalising the request. As noted at paragraph 12.59, these are matters the Information Commissioner may examine if a complaint is made about an agency’s failure to comply with the timeframe in APP 12.4(a).

Timeframe for responding to a request for access under APP 12 – organisations

12.62      APP 12.4(a)(ii) provides that an organisation must respond ‘within a reasonable period after the request is made’. As with agencies, an organisation must respond by giving access to the personal information that is requested, or by notifying its refusal to give access. Factors that may be relevant in deciding what is a reasonable period include the scope and clarity of a request, whether the information can be readily located and assembled, and whether consultation with the individual or other parties is required. However, as a general guide, a reasonable period should not exceed 30 calendar days.

How access is to be given under APP 12      

12.63      An APP entity must give access to personal information in the manner requested by the individual, if it is reasonable and practicable to do so (APP 12.4(b)). The manner of access may, for example, be by email, by phone, in person, hard copy, or an electronic record.

12.64      Factors relevant in assessing whether it is reasonable and practicable to give access in the manner requested by an individual include:

  • the volume of information requested – for example, it may be impracticable to provide a large amount of personal information in person or by telephone
  • the nature of the information requested – for example, it may be impracticable to give access to digitised information in hard copy
  • any special needs of the individual requesting the information – for example, it may be reasonable to give information in a form that can be accessed via assistive technology where this meets the special needs of the individual; or to send information by email or give it over the telephone if it is difficult or costly for the individual to access the information in person.

Giving access by other means

12.65      APP 12.5 applies where an entity refuses to give access to personal information under APP 12 on a permitted ground, or refuses to give access in the manner requested by the individual. The APP entity must take reasonable steps to give access in a way that meets the needs of the entity and the individual. This should be done within 30 calendar days where practicable. 

12.66      The APP entity is expected to consult the individual to try to satisfy their request. The following are given as examples of alternative manners of access that may meet the needs of the entity and the individual, and in particular result in more rather than less information being provided to an individual:

  • deleting any information for which there is a ground for refusing access and giving the redacted version to the individual
  • giving a summary of the requested information to the individual
  • giving access to the requested information in an alternative format
  • facilitating the inspection of a hard copy of the requested information and permitting the individual to take notes
  • facilitating access to the requested information through a mutually agreed intermediary (see paragraphs 12.67 – 12.70).

Access through an intermediary

12.67      APP 12.6 provides that, without limiting APP 12.5, ‘access may be given through the use of a mutually agreed intermediary’.

12.68      The role of an intermediary is to enable an individual to be given access to their personal information and to have the content of that information explained, where direct access would otherwise be refused. An example is an organisation refusing direct access under APP 12.3(a) on the reasonable belief that access may lead the individual to self-harm, but deciding that access through an intermediary may not pose a similar threat. The role of the intermediary in conveying or explaining the information to the individual will need to be tailored to the nature of the information and any instructions given by the APP entity to the intermediary.

12.69      The intermediary must be acceptable to both the APP entity and the individual. In seeking an individual’s agreement to use an intermediary, an entity should clearly explain the process and the type of access that will be provided through this process. Depending on the nature of the personal information to which access is sought, the intermediary may need particular skills or knowledge. For example, an intermediary may need to be a qualified health service provider if used to give access to health information.

12.70      If an individual does not agree to the use of an intermediary, or agreement cannot be reached on whom to use as the intermediary, the entity must still take reasonable steps to give access through another manner that meets the needs of the entity and the individual.

Access charges under APP 12 – agencies

12.71      An agency cannot impose upon an individual:

  • an application charge for requesting access to personal information
  • a charge for giving access to requested personal information (APPs 12.7 and 12.8), including charges such as copying costs, postage costs and costs associated with using an intermediary.

Access charges under APP 12 – organisations

12.72      An organisation cannot impose upon an individual an application charge for requesting access to personal information. An organisation may, however, impose a charge for giving access to requested personal information, provided the charge is not excessive (APP 12.8). Items that may be charged for include:

  • staff costs in searching for, locating and retrieving the requested personal information, and deciding which information to provide to the individual
  • staff costs in reproducing and sending the information
  • costs of postage or materials involved in giving access
  • costs associated with using an intermediary (see paragraphs 12.67-12.70 above).

12.73      Whether a charge is excessive will depend on the nature of the organisation, including the organisation’s size, resources and functions, and the nature of the personal information held. The following charges may be considered excessive:

  • a charge that exceeds the actual cost incurred by the organisation in giving access
  • a charge associated with obtaining legal or other advice in deciding how to respond to an individual’s request
  • a charge for consulting with the individual about how access is to be given
  • staff costs in explaining information to the individual
  • a charge that reflects shortcomings in the organisation’s information management systems. An  individual should not be disadvantaged because of the deficient record management practices of an organisation.

12.74      A charge by an organisation for giving access must not be used to discourage an individual from requesting access to personal information. To the extent practicable, an organisation should advise an individual in advance if a charge may be imposed, and the likely amount of the charge. The individual should be invited to discuss options for altering the request to minimise any charge. This may include options for giving access in another manner that meets the needs of the entity and the individual (see APP 12.5 and paragraphs 12.65 – 12.66). Any charge that is imposed should be clearly communicated and explained before access is given.

12.75      An organisation should also consider waiving, reducing or sharing any charge that may be imposed. In determining the amount to charge, an organisation should consider:

  • the organisation’s relationship with the individual
  • the circumstances of the individual, including the individual’s financial status
  • any known negative impact on the individual if they do not get access to the information.

Giving written notice where access is refused, or not given in the manner requested under APP 12

12.76      APP 12.9 provides that if an APP entity refuses to give access, or to give access in the manner requested by the individual, the entity must give the individual a written notice setting out:

  • the reasons for the refusal, except to the extent that it would be unreasonable to do so, having regard to the grounds for refusal
  • the complaint mechanisms available to the individual, and
  • any other matters prescribed by regulations made under the Privacy Act. 

12.77      The reasons for refusal should explain, where applicable:

  • that the entity does not hold the requested information
  • the ground of refusal — for example, that the entity is required or authorised by a law referred to in the written notice to refuse access
  • that access cannot be given in the manner requested by the individual, and the reason why
  • that the steps necessary to give access in a way that meets the needs of the entity and the individual under APP 12.5 are not reasonable in the circumstances.

12.78      APP 12.10 additionally provides that, where an organisation relies on the commercially sensitive decision ground in APP 12.3(j), the written notice may provide an explanation for the commercially sensitive decision.

12.79      An APP entity is not required to explain the ground of refusal to the extent that it would be unreasonable to do so. This course should be adopted only in justifiable circumstances. Examples include that an explanation may prejudice action by an organisation to respond to unlawful activity (APP 12.3(h)); may prejudice enforcement action by an enforcement body (APP 12.3(i)); or would reveal the existence of a document whose existence an agency would be entitled to neither confirm nor deny under s 25 of the FOI Act.

12.80      The description of the complaint mechanisms available to an individual should explain the internal and external complaint options, and the steps that should be followed. In particular, the individual should be advised that:

  • a complaint should first be made in writing to the APP entity (s 40(1A))
  • the entity should be given a reasonable time (usually 30 days) to respond
  •  a complaint may then be taken to a recognised external dispute resolution scheme of which the entity is a member (if any), and
  • lastly, a complaint may be made to the Information Commissioner (s 36).
The draft guidelines for APP 13 provides, absent summary and footnotes:

What does APP 13 say?

13.1          APP 13.1 provides that an APP entity must take reasonable steps to correct personal information it holds, to ensure it is accurate, up-to-date, complete, relevant and not misleading, having regard to the purpose for which it is held. The shorthand expression used in this chapter is that an APP entity is required to correct ‘faulty personal information’.

13.2          The requirement to take reasonable steps applies in two circumstances:

  • where an APP entity is satisfied, independently of any request, that personal information it holds is faulty, or
  • where an individual requests an APP entity to correct their personal information.

13.3          APP 13 also sets out other minimum procedural requirements in relation to correcting personal information. An APP entity must:

  • upon request by an individual whose personal information has been corrected, take reasonable steps to notify another APP entity of a correction made to personal information that was previously provided to that other entity (APP 13.2)
  • give a written notice to an individual when a correction request is refused, including the reasons for the refusal and the complaint mechanisms available to the individual (APP 13.3)
  • upon request by an individual whose correction request has been refused, take reasonable steps to associate a statement with the personal information that the individual believes it to be inaccurate, out-of-date, incomplete, irrelevant or misleading (APP 13.4)
  • respond in a timely manner to an individual’s request to correct personal information or to associate a statement with the information (APP 13.5(a))
  • not charge an individual for making a request to correct personal information or associate a statement, or for making a correction or associating a statement (APP 13.5(b)).

Interaction of APP 13 and other correction procedures

13.4          APP 13 operates alongside and does not replace other informal or legal procedures by which an individual can request that personal information be corrected. In particular, APP 13 does not prevent an APP entity from correcting personal information under an informal administrative arrangement, provided the arrangement satisfies the requirements of APP 13.

13.5          For agencies, APP 13 operates alongside the right to amend or annotate personal information in Part V of the Freedom of Information Act 1982 (FOI Act). The FOI Act procedures, criteria and review mechanisms differ in important respects from those applying under APP 13 and the Privacy Act. These differences, and when it is more appropriate to use one Act rather than another, are considered below at paragraphs 13.19-13.23.

Interaction of APP 13 and other APPs

13.6          The correction requirements in APP 13 complement and overlap the requirements in other APPs, including APP 10 (quality of personal information) and APP 11 (security of personal information).

13.7          APP 10 provides that an APP entity must take reasonable steps to ensure the quality of personal information it collects, uses or discloses (see Chapter 10). If reasonable steps are taken to comply with APP 10, this reduces the likelihood that personal information will need correction under APP 13. Similarly, by taking reasonable steps to correct personal information under APP 13, an APP entity can better ensure that it complies with APP 10 by ensuring that information is accurate, up-to-date, complete and relevant when it is used or disclosed. 

13.8          APP 11.2 provides that an APP entity must take reasonable steps to destroy or de-identify personal information that it no longer needs for any purpose for which it may be used or disclosed. This requirement does not apply where the information is contained in a Commonwealth record or where the entity is required by law or a court/tribunal order to retain the information (see Chapter 11). When taking steps to identify and correct faulty personal information under APP 13, an entity should consider whether it still needs the information for a permitted purpose, or whether reasonable steps must be taken to destroy or de-identify the information under APP 11.2.

‘Holds’         

13.9          APP 13 only applies to personal information that an APP entity ‘holds’. An APP entity ‘holds’ personal information ‘if the entity has possession or control of a record that contains the personal information’ (s 6(1)).

13.10      The term ‘holds’ extends beyond physical possession of a record to include a record that an entity has the right or power to deal with. An example is a record of personal information stored on servers managed by a third party, where the APP entity has the right to deal with that information, such as by accessing and amending the information.

13.11      Upon receiving a request for correction, an APP entity should search the records that it possesses or controls to assess whether the personal information to be corrected is contained in those records. For example, an entity may search hard copy records and electronic databases and make enquiries of staff or contractors with relevant knowledge.

When an APP entity must take reasonable steps to correct personal information

13.12      APP 13.1 requires an APP entity to take reasonable steps to correct personal information it holds, in two circumstances: on its own initiative, and at the request of the individual to whom the information relates.

Correcting at the APP entity’s initiative

13.13      An APP entity is required to take reasonable steps to correct personal information it holds if the entity is satisfied, having regard to a purpose for which the personal information is held, that it is inaccurate, out-of-date, incomplete, irrelevant or misleading (that is, the information is faulty). Implicit in that requirement is that an entity should be alert to the possibility that personal information it holds is faulty and may require correction.

13.14      An entity may become aware in various ways that an item of personal information may require correction. Examples include:

  • information provided to the entity by the individual or a third party may be inconsistent with other personal information held by the entity – for example, an identity document, letter, medical record or photograph
  • the personal information was collected from a third party and may be less reliable than similar information collected directly from an individual, or a long time has elapsed since the personal information was collected 
  • a court or tribunal has made a finding about the information, in a case involving the entity or in another case that comes to the entity’s notice
  • the entity may be notified by another entity or person that the information is faulty, or that similar information held by the other entity has been corrected
  • a practice, procedure or system  the entity has implemented in compliance with APP 1.2 (such as an auditing or monitoring program) indicates that  personal information the entity holds requires correction.

Correcting at the individual’s request

13.15      An APP entity is required by APP 13.1 to take reasonable steps to correct an individual’s personal information to ensure  it is not faulty when the individual ‘requests’ the entity to do so. APP 13 does not stipulate formal requirements for making a request, or require that a request be made in writing, or state that it is an APP 13 request. 

13.16      An APP entity is required by APP 1.4(d) to state in an APP Privacy Policy how an individual may seek the correction of their personal information held by the entity. If an entity wishes an individual to follow a particular procedure in making a correction request, the entity should publish that procedure and draw attention to it, for example, by providing a link on the entity’s website homepage and in the APP Privacy Policy to the request procedure, to an online request form, or to an online portal that enables an individual to access and correct their personal information. Agencies should also consider providing this information through an ‘Access to information’ link on the agency’s website homepage.

13.17      An APP entity must be satisfied that a request to correct personal information under APP 13 is made by the individual concerned, or by another person who is authorised to make a request on their behalf, for example, a legal guardian or authorised agent. The steps appropriate to verify an individual’s identity will depend on the circumstances, and in particular, whether the individual is already known to or readily identifiable by the entity. The discussion in Chapter 12 (Access to personal information) of steps that can be taken to verify the identity of an individual seeking access to their personal information apply also to APP 13.

13.18      APP 13 stipulates minimum procedural requirements that must be met by an entity when dealing with a request to correct personal information. These are discussed later in this chapter, and include taking reasonable steps if requested by the individual to notify other APP entities when a correction is made (see paragraphs 13.43 to 13.46), providing an individual with a written notice that includes the reasons for refusal if a correction request is refused (see paragraphs 13.47 to 13.55), response times (see paragraphs 13.56 to 13.57 below) and charging (see paragraph 13.57 below). Provided an entity meets those minimum requirements, it may choose the arrangements (including an informal arrangement) for receiving and acting upon correction requests.  An online portal through which individuals can access and correct their personal information is an example of an informal arrangement that provides a fast and easy means of correction.

Agencies – comparison of APP 13 and FOI Act procedures

13.19      For agencies, APP 13 operates alongside the right to amend or annotate personal information in Part V of the Freedom of Information Act 1982 (FOI Act). There is substantial overlap between the APP 13 and the FOI Act procedures, but also some noteworthy differences.

13.20      The FOI Act provides that a person may apply to an agency to amend or annotate a record of personal information about that person, to which they have lawfully had access under the FOI Act or otherwise (s 48). The application must be in writing, specify as far as practicable how and why the record should be amended or annotated, and provide a return address to which notices can be sent (ss 49, 51A). The grounds on which such an application may be made are that the record of personal information ‘is incomplete, incorrect, out of date or misleading’ (s 48(a)). The record must also have been used or be available for use by the agency ‘for an administrative purpose’ (s 48(b)). The agency may act upon an application by altering or adding a note to a record, but as far as practicable must not obliterate the text of the record as it existed prior to the amendment (s 50). An applicant whose application is not accepted may provide a statement specifying their disagreement with the decision, and the agency must annotate the record by attaching that statement (ss 51, 51B). The time period for making a decision on an applicant’s application is 30 calendar days. An applicant may apply for internal review or Information Commissioner review of an adverse decision.

13.21      While APP 13 sets out minimum procedural requirements (see paragraph 13.3 above), these are not as detailed as in the FOI Act. However, in two respects APP 13 goes further than the FOI Act:

  • The grounds for correction in APP 13 are that the personal information is ‘inaccurate, out-of-date, incomplete, irrelevant or misleading’. The main additional ground in this list is that the information is ‘irrelevant’. The other wording difference – ‘inaccurate’ in APP 13, ‘incorrect’ in the FOI Act – is textual rather than substantive.
  • If an agency corrects personal information, the agency must, if requested by the individual, take reasonable steps under APP 13 to notify that change to any APP entity to which the information was previously disclosed, unless it is unlawful or impracticable to do so (see paragraphs 13.43-13.46 below). Where an agency amends personal information under the FOI Act, an agency could consider providing similar notification on request from the individual.

13.22      The complaint options available to the individual under the FOI Act and APP 13 also differ. Under the FOI Act, a person may apply for Information Commissioner review of an agency’s or Minister’s failure to amend or annotate a record in accordance with the person’s request. The Commissioner may exercise the agency’s or Minister’s discretion to amend or annotate a record. Under the Privacy Act, a person may complain to the Information Commissioner about an APP entity’s failure to take reasonable steps to correct personal information to ensure it is not faulty. After investigation, the Commissioner may find that an agency has failed to take reasonable steps to correct faulty personal information or to comply with the minimum procedural requirements (see paragraphs 13.47-13.57) under APP 13.

13.23      It is open to an individual to decide whether to make an application under the FOI Act or a request under APP 13. Agencies should ensure, in appropriate cases, that people are made aware of both options and the substantive differences. An agency could refer to the FOI Act in the agency’s APP Privacy Policy. More detailed information could be provided by an agency in other ways – such as a separate document that sets out the procedure for requesting correction of personal information (see paragraph 13.13 above), through an ‘Access to information’ icon on the agency’s website,  on a case-by-case basis as the need arises. An agency may draw attention to the more flexible procedure for which APP 13 provides. As explained in the FOI Guidelines, agencies should consider establishing administrative access arrangements that operate alongside the FOI Act and that provide an easier and less formal means for individuals to make information access requests (including requests to correct personal information). Correcting or annotating personal information under an administrative arrangement is consistent with an agency’s obligations under APP 13, provided the agency meets the minimum procedural requirements stipulated in APP 13.

Grounds for correcting personal information

13.24      The five grounds listed in APP 13 –‘accurate’, ‘up-to-date’, ‘complete’, ‘relevant’ and ‘not misleading’ – are not defined in the Privacy Act. The first four terms are listed in APP 10.1, which deals with the quality of personal information that an APP entity can collect, use and disclose. Similar terms are used also in Part V of the FOI Act concerning a person’s right to apply to an agency to amend or annotate personal information (see paragraph 13.20 above).

13.25      The following analysis of each term draws on the ordinary dictionary meaning of the terms, as well as case law concerning the meaning of those terms in the FOI Act and other legislation. As the analysis indicates, there is considerable overlap in the meaning of the terms.

13.26      In applying the terms to personal information, it is necessary to have regard  to ‘the purpose for which it is held’.  Personal information may be faulty having regard to one purpose for which it is held, but not another. For a discussion of relevant considerations where personal information is held for multiple purposes, see paragraph 13.40 below.

Accurate

13.27      Personal information is inaccurate if it contains an error or defect. An example is incorrect factual information about a person’s name, date of birth, residential address or current or former employment.

13.28      An opinion about an individual given by a third party is not inaccurate by reason only that the individual disagrees with that opinion or advice. For APP 13 purposes, the opinion may be ‘accurate’ if it is presented as an opinion and not objective fact, it accurately records the view held by the third party, and is an informed assessment that takes into account competing facts and views.  Other matters to consider under APP 13, where there is disagreement with the soundness of an opinion, are whether the opinion is ‘up-to-date’, ‘complete’, ‘not misleading’ or ‘relevant. If an individual disagrees with an opinion that is otherwise not faulty, the individual may associate a statement with the record of the opinion (see paragraphs 13.52-13.54 below).

13.29      In relation to a similar issue, s 55M of the FOI Act provides that the Information Commissioner (in conducting an IC review) cannot alter a record of opinion unless satisfied that it was based on a mistake of fact, or the author of the opinion was biased, unqualified to form the opinion or acted improperly in conducting the factual inquiries that led to the formation of the opinion.

Up-to-date

13.30      Personal information is out-of-date if it contains facts, opinions or other information that is no longer current. An example is a statement that an individual lacks a particular qualification or accreditation that the individual has subsequently obtained.

13.31      Personal information about a past event may have been accurate at the time it was recorded, but has been overtaken by a later development. Whether that information is out-of-date will depend on the purpose for which it is held. If current information is required for the particular purpose, the information will to that extent be out-of-date. Personal information held by an entity that is no longer needed for any purpose, may need to be destroyed or de-identified under APP 11.2 (Chapter 11).

Complete

13.32      Personal information is incomplete if it presents a partial or misleading picture, rather than a true or full picture. An example is a tenancy database which records that a tenant owes a debt, which in fact has since been repaid. The statement will be incomplete under APP 13 if the tenancy database is held for the purpose of assessing the tenancy record or reliability of individuals recorded in the database. Similarly, a statement that a person has only two rather than three children will be incomplete under APP 13 if that information is held for the purpose of, and is relevant to, assessing a person’s eligibility for a benefit or service.

Relevant

13.33      Personal information is irrelevant if it does not have a bearing upon or connection to the purpose for which the information is held.

Not misleading

13.34      Personal information is misleading if it conveys a meaning that is untrue or inaccurate or could lead a reader into error. An example is a statement that is presented as a statement of fact but in truth is a record of the opinion of a third party. In some circumstances an opinion may be misleading if it fails to include information about the limited facts on which the opinion was based or the context or circumstances in which the opinion was first recorded.

13.35      A statement may also be misleading by failing to include other relevant information. An example is a statement that a dismissed employee was reinstated, without explaining that this followed the ruling of a court or tribunal that the dismissal was legally flawed.

Being satisfied and taking reasonable steps

13.36      An APP entity is required to take ‘reasonable steps’ to correct personal information when ‘satisfied’ that it is inaccurate, out-of-date, incomplete, irrelevant or misleading for the purpose for which it is held.

Being satisfied

13.37      This requirement will not always involve distinct analysis or decision by an entity. For example, if an entity maintains an online portal through which a person can access and correct their personal information, no additional step may be required by the entity. Correction may similarly be a straightforward process in other situations where, for example, an individual presents documents or other information to indicate that their name has been misspelt or their family composition is out-of-date in an entity’s records.

13.38      If an entity requires further information or explanation before it can be satisfied that personal information is faulty, the entity should clearly explain to the individual what additional information or explanation is required or why the entity cannot act on the information already provided. The entity could also advise where additional material may be obtained. The individual should be given a reasonable opportunity to comment on the refusal or reluctance of the entity to make a correction without further information or explanation from the individual.

13.39      An entity should also be prepared in an appropriate case to search its own records or other readily-accessible sources to find any information in support of, or contrary to the individual’s request. For example, an entity could take into account a finding of an Australian court or tribunal relating to the personal information that has a bearing on whether it is or is not faulty.

13.40      Where personal information is held for multiple purposes, an entity need only be satisfied that the information requires correction having regard to one of the purposes for which it is held, not all purposes.

Reasonable steps to correct

13.41      A decision as to what constitutes ‘reasonable steps’ to correct faulty information spans a range of options. These include making appropriate additions, deletions or alterations to a record, or declining to correct faulty personal information if it would be unreasonable to take such steps. In some instances it may be appropriate to destroy or de-identify the personal information (there are separate requirements to destroy or de-identify personal information in APPs 4 and 11 – see Chapters 4 and 11 respectively). The reasonable steps that an entity should take will depend upon considerations that include:

  • the sensitivity of the personal information – more rigorous steps may be required if the faulty information is sensitive information or other personal information of a sensitive nature
  • the possible adverse consequences for an individual if a correction is not made – more rigorous steps may be required as the risk of adversity increases
  • the practicability, including ease and cost, of correcting the information, or of making the correction requested by the individual – however, an entity is not automatically excused from correcting personal information by relying on the inconvenience or cost of doing so
  • the likelihood that the entity will use or disclose the information – for example, the likelihood of the entity using or disclosing the information may be relevant if it would be difficult or costly to make the correction requested by an individual
  • the purpose for which the information is held – as noted at paragraph 13.26, information may be held for multiple purposes, and require correction for one purpose but not for another purpose.  Reasonable steps in these circumstances may require the entity to retain the original record of personal information for one purpose and correct it for another.

13.42      Special considerations apply to Commonwealth records held by agencies. A Commonwealth record can, as a general rule, only be destroyed or altered in accordance with s 24 of the Archives Act 1983 (for further discussion see APP 4.3, Chapter 4 and APP 11.2, Chapter 11). Further, s 26 of the Archives Act makes it an offence to alter a government record that is over 15 years old. In relation to such records, and more generally, it may be reasonable (and consistent with statutory requirements) to:

  • retain a version of a record which contains faulty personal information (see paragraph 13.38 above)
  • make a note explaining that, having regard to the purpose for which the information is held, the information is not accurate, up-to-date, complete, relevant or is misleading, and cross referencing where the correct information is held (such as in an attachment to the record).

Reasonable steps to notify another APP entity

13.43      APP 13.2 provides that an APP entity must, on request, take reasonable steps to notify another APP entity of a correction made to personal information that was previously provided to that entity, unless it is impracticable or unlawful to do so. An APP entity should inform the individual that they can make such a request, at the time, or as soon as practicable after a correction is made.

13.44      The reasonable steps for an entity will depend upon considerations that include:

  • the sensitivity of the personal information – more rigorous steps may be required for sensitive information or other personal information of a sensitive nature
  • the possible adverse consequences for an individual if notice is not provided to the other entity – more rigorous steps may be required as the risk of adversity increases
  • the nature or importance of the correction – for example, it may not be reasonable to provide notice of a small typographical error that does not materially affect the quality of the personal information
  • the length of time that has elapsed since the information was disclosed to the other entity, and the likelihood that it is still being used or disclosed by the other entity
  • the practicability, including ease and cost, of providing a notice to all entities to which the personal information was previously provided – however, an entity is not automatically excused from giving notification by relying on the inconvenience or cost of doing so .
  • the practicability of providing notice to another entity – for example, it may be impracticable to do so if the other entity has ceased carrying on business or has been substantially restructured

13.45      An APP entity is not required to provide notice of a correction if it would be impracticable or unlawful to do so. Impracticability is addressed in the list at paragraph 13.44 above. An example of when it would be unlawful to provide notification is when a statutory secrecy provision may prevent this step.

13.46      An APP entity that is notified of a correction should, in turn, consider whether to correct the personal information that it holds. As noted at paragraphs 13.11-12, an APP entity is required on its own initiative to take reasonable steps to correct faulty personal information.

APP 12 minimum procedural requirements

Giving written notice where correction is refused

13.47      APP 13.3 provides that if an APP entity refuses to correct personal information as requested by an individual, the entity must give the individual a written notice setting out:

  • the reasons for the refusal, except to the extent that it would be unreasonable to do so
  • the complaint mechanisms available to the individual, and
  • any other matters prescribed by regulations made under the Privacy Act.

13.48      The reasons for refusal should explain, where applicable:

  • that the entity does not hold the personal information that the individual wishes to correct
  • that the entity is satisfied that the personal information it holds is accurate, up-to-date, complete, relevant and not misleading having regard to the purposes for which it is held, or
  • that the steps necessary to correct the information as requested are not reasonable in the circumstances.

13.49      An APP entity is not required to provide its reasons for refusing to correct personal information to the extent that it would be unreasonable to do so. This course should be adopted only in justifiable circumstances. An example would be where providing reasons would prejudice an investigation of unlawful activity, or prejudice enforcement action by an enforcement body.

13.50      The description of the complaint mechanisms available to an individual should explain the internal and external complaint options, and the steps that should be followed. In particular, the individual should be advised that:

  • a complaint should first be made in writing to the APP entity (s 40(1A))
  • the entity should be given a reasonable time (usually 30 days) to respond
  • a complaint may then be taken to a recognised external dispute resolution scheme of which the entity is a member (if any), and
  • lastly, that a complaint may be made to the Information Commissioner (s 36).

13.51      Other information can also be included in the notice advising an individual that a request to correct personal information has been refused. The individual can be advised of the right under APP 13.4 to request the entity to associate a statement with the personal information (see paragraphs 13.52-13.54 below). An agency may also advise an individual of the parallel right under the FOI Act to apply for a record to be amended or annotated, and of the right to Information Commissioner review of an adverse decision under that Act (see paragraph 13.22 above).

Reasonable steps to associate a statement

13.52      APP 13.4 provides that if an APP entity refuses to correct personal information as requested by an individual, the individual can request the entity to associate a statement that the individual believes the information to be inaccurate, out-of-date, incomplete, irrelevant or misleading. The APP entity must take reasonable steps to associate the statement in a way that will make it apparent to users of the information. The statement should be associated with all records containing personal information claimed to be faulty.

13.53      The content and length of any statement will depend on the circumstances, but it is not intended that the statement be unreasonably lengthy.  For example, a reasonable length may be no more than 250 words, however a longer statement may be appropriate in some instances, such as where there is a large volume of personal information that the entity has refused to correct.

13.54      The reasonable steps for an entity will depend upon considerations that include:

  • the information management practices of the APP entity – for example, a statement may be attached physically to a paper record, or by an electronic link to a digital record of personal information
  • whether content in a statement may be irrelevant, defamatory, offensive, abusive or breach an individual’s privacy – it may be unreasonable to associate a statement containing that content, however the individual should be given the option of revising the statement
  • whether it would be impracticable to associate a statement – however, an entity is not automatically excused from associating a statement by relying on the inconvenience or cost of doing so.

Timeframe for responding to a request for correction under APP 13

13.55      APP 13.5 provides that an agency must respond to a request to correct a record or to associate a statement within 30 calendar days. An organisation must respond within a reasonable period after the request is made. As a general guide, a reasonable period should not exceed 30 calendar days.

13.56      The entity must respond by correcting the personal information as requested by the individual, or by notifying the individual of its refusal to correct it.

Access charges under APP 13

13.57      An APP entity cannot impose upon an individual:

  • an application charge for requesting correction of personal information
  • a charge for correcting the personal information or for associating a statement with the personal information (APP 13.5(b)).

Leave a Reply