Australia - Information Sheet

Private Sector Information Sheet 4 - NPP 6 Access and Correction

Key Messages

National Privacy Principle (NPP) 6 in the Privacy Act 1988 ('Privacy Act') provides individuals with a right of access to information held about them by an organisation. How organisations give access will depend on the circumstances.

In some cases organisations may wish to provide a photocopy or print out of the information they hold about a person. In other cases, it may be appropriate to have a suitably qualified staff member explain the content of the information to the individual if it is complex or overly technical.

The steps an organisation must take to comply with the access and correction principle will vary and depend on the type of organisation and the circumstances.

Establishing the identity of the individual asking for access

An important consideration when providing access to individuals to their personal information is to be sure that the person is who they say they are. There may be a risk that an individual tries to use NPP 6 to access information about another individual. For this reason, organisations should take care to establish the individual's identity before providing access.

Charging fees for access

An organisation must not charge an individual for lodging a request for access but may apply a charge that is not excessive to recover reasonable costs of making information available.

Correcting personal information upon request by the individual

NPP 6 also allows individuals to have their information corrected if it is wrong. Where an individual is able to show that the information the organisation holds about them is not accurate, complete and up-to-date, an organisation must take reasonable steps to correct the information. When responding to requests for correction, organisations should also be mindful of their obligations under NPP 3 to make sure personal information they collect, use or disclose is accurate, complete and up-to-date.

If the organisation and individual disagree about a correction, the individual can ask to have a statement attached to the information stating that the individual believes the information to be incorrect.

Explaining denial of access or refusal to correct information

Under NPP 6, there are a limited number of situations where an organisation may deny an individual access to personal information. Organisations must tell the individual the reasons for denying access to information or for refusing to correct information.

Background

Who is this information sheet for?

This information sheet is for organisations in the private sector that are covered by the Privacy Act.

These organisations must comply with the 10 National Privacy Principles ('NPPs') in the Privacy Act when handling personal information.

'Organisations' are defined in section 6 of the Privacy Act to include:

all businesses with an annual turnover greater than $3 million
all private sector health service providers, regardless of turnover
some small businesses.[1]

What is this information sheet about?

This information sheet provides general guidance and advice on NPP 6 in the Privacy Act.

NPP 6 provides individuals with a right of access to information held about them by an organisation.

This information sheet covers:

Giving individuals access and the factors that might affect access
Responding to requests for access
Charging a fee for access to information
Correcting information when an individual shows information to be inaccurate, incomplete or out-of-date
Attaching a correction statement to a record in the event that the organisation and the individual disagree over a correction
Explaining a denial of access or refusal to correct information.

Giving access to information held by an organisation

Factors affecting access

Various factors could affect the way an organisation provides an individual with access including:

the sort of information requested
the way the individual makes the request
the way the organisation stores the information
the technology available to the individual making the request
the respective locations of the organisation and the individual
the size of the organisation
any exceptions that apply to the information requested.

Ways of giving an individual access to information

Examples of the way an organisation could give access include:

letting the individual inspect all the information the organisation holds about him or her
providing a copy of the information requested
letting the individual take notes on the content of the record
giving the individual a printout of the information if it is in electronic form
letting the individual view the information and have a suitably qualified staff member explain the content
giving the individual an accurate summary of the information
using any other appropriate method to give the individual access to the data.

Generally it's a good idea for the organisation to discuss with the individual the way they would like to receive their information.

This will help make sure that the information is provided in a way that suits the individual and is appropriate for the type of personal information being accessed.

Responding to requests for access

Individuals do not have to give a reason when asking an organisation for access to the personal information an organisation holds about them. They can simply ask for access to the information.

However, an organisation could ask an individual whether they want access to all the information that the organisation holds about them or just some of it.

Establishing the individual's identity

A risk in the access process is that a person may try to use NPP 6 to get access to another individual's information.

To deal with this risk an organisation should have procedures to establish that the individual asking for the information is who they say they are. This will help organisations comply with the requirements of NPP 4.

NPP4 says that organisations must take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorised access, modification or disclosure.[2]

The way in which an organisation approaches the risk that someone other than the individual accesses the personal information would depend on the organisation and the circumstances. Many organisations will have identity validation procedures already in place as part of their normal business practice.

The way an organisation validates an individual's identity may depend on how the individual approaches the organisation.

For example, the procedures for establishing the identity of an individual face-to-face may differ from the way an organisation validates an identity over the phone or by fax or email.

The identification procedures should be robust enough to satisfy the organisation of the individual's identity.

Other considerations when giving access

To ensure an individual gets an appropriate level of access, an organisation could consider presenting information in a way that takes into account an individual's particular requirements.

Factors to consider when giving access to information include any disability the individual has, or the level of understanding, language or literacy skills of the individual making the request.

Where feasible, organisations could also consider providing a private and convenient area where the individual can inspect the information requested or where the individual can have the information explained to them.

Reasons for considering providing such an area could include that:

it is not appropriate to explain the contents of an individual's personal information (in particular, health information) in a busy, open public space such as a reception counter
it would not ordinarily be reasonable to expect people to inspect large quantities of information while standing at a public counter.

With regard to timing, organisations should consider responding to requests for access in a reasonable amount of time. While no timeframe is provided in the Privacy Act, organisations should generally seek to respond to access requests within 30 days or sooner if possible[3].

Charges and access to information (NPP 6.4)

NPP 6.4 says that organisations are not permitted to charge individuals for lodging a request for access and that the charges for giving access to information should not be excessive.

These provisions aim to ensure that organisations only charge reasonable amounts to avoid discouraging individuals from making requests for access. Generally speaking, an organisation could consider not charging for letting an individual view a screen or for sending information to an individual by email.

When considering how much to charge, an organisation may like to consider:

not charging an individual more than it costs the organisation to give access (for example, an organisation could base charges on the marginal cost of giving that particular access) and
waiving or remitting the cost of providing access (for example, where the organisation is aware that an individual receives a benefit or pension).

Depending on the circumstances, an organisation could charge for the:

staff costs involved in locating and collating information
reproduction costs and
costs involved in having a staff member explain information to an individual.

Other matters to consider when providing access to personal information:

Discuss with the individual what information they want access to, and the likely fees, before undertaking their request for access.
Do not include other outstanding bills in a fee for access.
The cost of legal and other third-party advice shouldn't generally be passed on to a particular individual, even though you may have sought the advice to help assess their access request.
Consider other laws or standards that may relate to fees for access.

Form of request for access

It is up to an organisation to decide how it will manage the process of giving an individual access. It could ask the individual to put a request for access in writing; however, the NPPs do not require this. Reasons why an organisation might want a request for access to be in writing (in a letter, fax or email) could be influenced by a number of factors. For example:

it helps the organisation keep track of a request for access to information which is complex, sensitive or detailed
the organisation receives many requests for access of a similar kind on a regular basis
the organisation holds a lot of information about the individual in a number of different places or
the organisation thinks it may be in its best interests to keep a record of requests for access.

Reasonable steps to correct personal information (NPP 6.5)

NPP 6.5 says that if an individual is able to establish that personal information held about them is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information.

In some cases, individuals may be able to establish that their information is incorrect simply by reporting the problem to the organisation and asking them to fix it.

Example - An individual simply reporting an error can be adequate for an organisation to take steps to correct

Maria receives an email from a florist congratulating her on her forthcoming wedding and drawing her attention to the attached pricelists for wedding bouquets as she requested. Maria is a customer of this florist but is not getting married and did not ask for any pricelists. She suspects the florist has mixed up the email address. She contacts the florist and asks her to correct the information.

It turns out that the intended recipient of the email has a similar name to Maria and the florist has accidentally opened a 'wedding account' under the wrong customer's name.

In this situation, the mistake is obvious and there is no need for Maria to provide further supporting material to prove a correction is required.

In other cases, individuals may need to provide further documents or other material to the organisation to establish that the information is not accurate, complete and up-to-date. This might include letters, receipts, bank statements, diary notes, medical records, photographs and testimonies from a trusted third party.

Remember, if you collect documentation of this type containing personal information, you will need to comply with the NPPs when handling it. That means only collecting the information necessary for you to ascertain whether a correction is necessary. In some cases, sighting the material may be adequate.

Also, if you do need to collect the documentation, do you need all of it? Consider only copying part of it or blocking out the parts that are not relevant. Store the information securely and destroy it as soon as it is no longer needed.

Where an organisation has checked the individual's file and can find no obvious inconsistency or error, it might then be appropriate for the organisation to ask for further material to support the individual's claim that there is an inaccuracy.

The organisation could also consider giving the individual access to the information the organisation holds about them so that the individual can better assess the accuracy of the information in question.

Example - An individual may need to provide supporting material when asking for a correction to be made

Jo is paying off a loan to a bank. She receives a statement from the bank which omits the payment she made the month before and therefore incorrectly shows her to be in arrears on her loan repayments. Jo calls the bank to ask them to correct the mistake.

A customer service clerk at the bank checks Jo's records while she's on the phone. The records continue to show no payment was received and the clerk cannot identify any obvious error in the record.

In this situation, it would be reasonable for the bank to ask Jo for some supporting material to prove that the payment was made, such as an internet transaction receipt or a deposit stub.

The Office of the Privacy Commissioner believes that an individual does not need to prove beyond doubt that an inaccuracy exists. It may be enough for the individual to establish that it is more likely than not that the information is in need of correction.

If the individual establishes that their personal information is more likely than not inaccurate, incomplete or outdated, the organisation needs to take reasonable steps to correct the information. What is reasonable will depend on the circumstances and the type of information needing correction.

When considering what reasonable steps to take in meeting an individual's request to correct personal information, an organisation could consider that:

It has obligations under NPP 3 to take reasonable steps to make sure personal information it collects, uses and discloses is accurate, complete and up-to-date. This means that, when it comes to using or disclosing personal information, the onus is on the organisation to make sure information is correct.[4]
Allowing poor quality information to remain on a record may have adverse consequences for the individual and/or the organisation. For example, organisations may find that, in leaving poor quality information on the record, they breach NPP 3.
Correction is not necessary if the information is no longer being used. However if this is the case, the organisation should consider destroying or de-identifying information it no longer needs (subject to any legal requirements to retain the information). Destroying or permanently de-identifying personal information that is no longer needed is a requirement under NPP 4.2.
An organisation could discuss with the individual concerned the reasons it thinks it is inappropriate to delete or alter the original information. The organisation and individual may then be able to agree on alternative ways of noting the discrepancy regarding the accuracy of the information in a way that satisfies the needs of both parties.
If an individual establishes with an organisation that information about them is incorrect, the organisation should consider correcting the information with any third parties that it has passed the information onto.

Attaching a correction statement to a record (NPP 6.6)

NPP 6.6 applies where the organisation and individual are unable to agree about whether the information should be corrected. Where an agreement can't be reached, the individual can ask the organisation to attach a statement to the record claiming that the information is not accurate, complete and up-to-date. In practice, this could be done by putting a note with the individual's information outlining the individual's claim about the inaccuracy of the information or creating a link between the information and the statement.

An example of when an individual and organisation may be unable to agree over a correction could be if an organisation has recorded an opinion about an individual that the individual disagrees with.

Example - Dealing with an individual's claim that an opinion you hold about them is incorrect

The Privacy Act deals with 'personal information' which in the Act can include information or an opinion about an identifiable individual. An organisation might record an opinion about someone, for example, where an insurance company uses a private investigator to check the veracity of a person's insurance claim. The investigator's opinion may be that the individual is healthy enough to return to work. While the individual may disagree with this opinion, it could be difficult to prove that it is 'incorrect' if it is the true opinion of the investigator.

In this example the individual should be allowed to have a statement linked with the opinion stating that they don't believe the information is accurate.

If an individual asks the organisation to attach a statement to the information stating that they don't believe the information is correct, the Privacy Act says that the organisation must take reasonable steps to do so. Organisations may like to consider the following when considering reasonable steps to take:

If the individual disputing the information provides a very extensive statement that an organisation cannot easily attach, the organisation could put a mark or a note on the information to indicate that the statement exists and where it can be found.
An organisation would ordinarily need to associate the individual's statement about the disputed information in such a way that whenever that information is handled in the future it will be easy to see that the individual does not agree that this particular part of the personal information is accurate, complete or up-to-date.

Giving an explanation instead of access to evaluative information (NPP 6.2)

NPP 6.2 allows an organisation not to release information that will reveal the formulae, or the fine details of the evaluative process the organisation uses in its commercially sensitive business decisions. NPP 6.2 is not aimed at preventing the release of the result of the evaluation nor the factual information about the individual.

Example - Giving an explanation instead of access to evaluative information

An individual has applied for a bank loan. The bank collects information from the individual about income, assets, other loans and employment history. With the individual's consent it might collect other information such as credit worthiness information from other sources.

The bank has an internally derived formula that it uses to make a decision about the loan by giving different weights to each factor. Under NPP 6.2, the bank can withhold the information that would reveal the formula or weightings given to the various factors.

The individual requesting the information would be given access only to the raw facts and opinions that were inputs to the bank's evaluative process and an explanation of any decision based on the formula.

Explaining denial of access or refusal to correct information ( NPP 6.1 and 6.7)

There are a limited number of situations where an organisation may deny an individual access to the personal information it holds about them. NPP 6.1 outlines the situations where the Privacy Act allows an organisation to deny access. Some of these situations include:

providing access to the information would pose a serious and imminent threat to the life and health of any individual
if the information is health information, providing access would pose a serious threat to the life or health of any individual
providing access would have an unreasonable impact upon the privacy of other individuals
providing access would be unlawful
providing access would be likely to prejudice an investigation of possible unlawful activity.

There are a number of other situations where organisations may, under NPP 6.1, deny access or give partial access to personal information. See our NPP Guidelines for further information.[5]

In addition, NPP 6.7 requires an organisation to tell an individual any reasons the organisation has for denying access to information. Generally, when explaining why access is being denied, the organisation should endeavour to tell the individual which exception under NPP 6.1 it is relying on to refuse access.

If the reason for refusal is complex it would be helpful to give the explanation in writing. Organisations must also tell individuals the reasons for refusing to correct personal information. Reasons why an organisation might consider putting this information in writing include that:

it gives the organisation an accountability trail in the event of a complaint
it could help the individual to understand the reasons given by the organisation and so help to avoid unnecessary complaints.

When the organisation tells the individual its reasons for denying access or refusing to attach a correction statement, the organisation may also consider including information about:

any process the organisation has for reviewing the decision
the process the individual can follow if they wish to make an external complaint about the decision.

If the organisation has decided that using an intermediary will provide an alternative means of access, it could tell the individual more about what this involves. (Refer to Information Sheet 5- 2001 Access and the Use of Intermediaries.)

Further Information

For further information check out our Guidelines to the National Privacy Principles available at www.privacy.gov.au/publications/nppgl_01.html and Guidelines on Privacy in the Private Health Sector available at www.privacy.gov.au/publications/hg_01.html.

You may also find our other private sector information sheets useful. They are available at: www.privacy.gov.au/publications/index.html#I.

In particular, information sheets 5, 21 and 22 deal with aspects of access to personal information.

Information Sheet 5 - Access and the Use of Intermediaries is available at www.privacy.gov.au/publications/IS5_01.html
Information Sheet 21 - Denial of access to health information due to a serious threat to life or health is available at http://www.privacy.gov.au/publications/IS21_08.html
Information Sheet 22 - Fees for access to health information under the Privacy Act is available at www.privacy.gov.au/publications/IS22_08.html

Private Sector Information Sheets

Information sheets are advisory only and are not legally binding. The National Privacy Principles in Schedule 3 of the Privacy Act legally bind organisations.

Information sheets are based on the Office of the Privacy Commissioner's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation. Nothing in an information sheet limits the Privacy Commissioner's ability to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with. Organisations may also wish to consult the Commissioner's guidelines and other information sheets.

Office of the Privacy Commissioner

Privacy Enquiries Line 1300 363 992 - local call (calls from mobile and pay phones may incur higher charges)

TTY 1800 620 241 - no voice calls; Fax + 61 2 9284 9666; GPO Box 5218, Sydney NSW 2001.

Private Sector Information Sheet 4

Web HTML and PDF published May 2009

ISBN 978-1-877079-66-5

www.privacy.gov.au

[1] For a more detailed explanation refer to the Private Sector Information Sheet 12.

[2] For more information about how to comply with the data security requirements of the Privacy Act, see Information Sheet 6 - Security and Personal Information available at http://www.privacy.gov.au/publications/IS6_01.html.

[3] See the discussion in the NPP Guidelines about NPP6.1 for more information about timeframes for access. www.privacy.gov.au/publications/nppgl_01.html

[4] For more information on NPP 3, see Information sheet 28 on data quality, available at http://www.privacyawarenessweek.org/paw/info_sheet28_npp3.html

[5] NPP Guidelines available at www.privacy.gov.au/publications/nppgl_01.html#npp61.