Rules Mate

APP 12: Individual Right of Access to Personal Information

Australian Privacy Principle 12 gives individuals a right to access their personal information held by an APP entity, with prescribed timeframes and limited grounds for refusal.

Rules Mate Editorial | Published 2 June 2026 | 3 min read

Scope of the access right

APP 12.1 mandates that an organisation, termed an APP entity, must provide an individual with access to their personal information upon request. To be subject to this obligation, the APP entity must ‘hold’ the information. The Privacy Act defines ‘holds’ as having possession or control of a record containing the personal information.

The manner in which access is provided must be reasonable and practicable, and should align with the individual’s request (APP 12.4). This recognises that individuals may prefer certain formats or methods of receiving their information. Individuals seeking access to personal information should also be aware that this right operates alongside the *Freedom of Information Act*.

Commonwealth agencies are subject to both APP 12 and the *Freedom of Information Act*. An individual can choose to pursue access through either avenue, but cannot use APP 12 to circumvent exemptions that would apply under the *Freedom of Information Act*. Furthermore, individuals may also have the right to correction of personal information under APP 13 if the information is inaccurate.

Response timeframes

APP 12.4(a) mandates that agencies must respond to a request for access to personal information within 30 days of the request’s submission. This timeframe applies specifically to entities classified as agencies.

Organisations, as opposed to agencies, are required to respond within a reasonable period. The Office of the Australian Information Commissioner (OAIC) clarifies that, in most circumstances, a reasonable period for an organisation will not exceed 30 calendar days.

The response provided to the individual will either grant access to the information or notify the individual of a refusal, in accordance with APP 12.10.

Grounds for refusal

APP 12.2 outlines circumstances where an agency may refuse access to personal information. These grounds are consistent with exemptions found in the *Freedom of Information Act*, and include considerations relating to national security and law enforcement.

APP 12.3 details ten specific grounds upon which an organisation can refuse access. These include situations where providing access would create a serious threat to the life, health or safety of an individual, or to public health or public safety. Other refusal grounds encompass concerns about the privacy of other individuals, frivolous or vexatious requests, ongoing legal proceedings, negotiations, unlawful activity, law enforcement, and legal denials.

Furthermore, an organisation may refuse access if it would likely prejudice action on a matter or involve commercial-in-confidence information. Even where a refusal is necessary, APP 12.5 mandates consideration of providing access in a way that meets the needs of both the individual and the organisation, potentially through a mutually agreed intermediary.

Charges and refusal notices

APP 12.7 prevents organisations from charging a fee for processing a request for access or providing access to information. However, APP 12.8 permits a charge for providing access, but this charge must not be excessive.

If an organisation refuses to grant access to information, or to provide it in the manner requested, it must provide a written refusal notice. This notice must explain the reasons for the refusal, unless providing those reasons would be unreasonable. The notice must also detail the avenues available for complaining about the refusal. Refusal to provide access can be investigated by the Office of the Australian Information Commissioner (OAIC) as an interference with privacy under section 13; see OAIC investigation powers and s 52 determinations.

Frequently asked

Can a business charge for an access request?

An organisation cannot charge for the making of the request but may charge for giving access under APP 12.8. The charge must not be excessive. Agencies cannot charge at all under APP 12.7.

Does APP 12 apply to employee records?

Acts and practices of an organisation directly related to a current or former employment relationship and an employee record are exempt under section 7B(3) of the Privacy Act. APP 12 will therefore not apply to most employee record access requests against private sector employers.
