APP 12 & APP 13 access and correction requests
Individuals can ask to access (APP 12) and correct (APP 13) the personal information you hold — the strict response times, allowable refusals and how to comply.
Who must comply
All APP entities.
What triggers it
Receiving an access or correction request.
When due
Access: 30 days (private sector). Correction: reasonable timeframe; statement of correction if disagreement.
Evidence required
Request register, response letters, correction logs.
Max penalty
Civil penalty exposure for systemic failure to respond; complaint-handling by OAIC
Summary
APP 12 requires entities to give an individual access to their personal information held by the entity on request, within 30 days (private sector). Limited exceptions (e.g. serious risk, frivolous, breach of others' privacy). APP 13 requires entities to take reasonable steps to correct personal info that is inaccurate, out of date, incomplete, irrelevant or misleading.
Enforced by
Source legislation
Topics
Related obligations
- CWLTHAPP 3 collection of sensitive informationAPP 3 bars collecting sensitive information — health, race, religion, sexual orientation and more — without consent. What counts as sensitive, the exceptions and penalties.
- CWLTHPublish a Privacy Policy compliant with APP 1Every APP entity needs a clearly-expressed Privacy Policy covering APP 1.4 requirements.
- CWLTHProvide an APP 5 collection notice at or before collectionAPP 5 requires notice of identity, purposes, recipients, consequences of not providing info, and where Privacy Policy lives.
- CWLTHAPP 8 cross-border disclosureBefore disclosing personal information overseas, APP 8 requires reasonable steps so the recipient meets the APPs — unless an exception applies. Steps and exceptions.
- CWLTHAPP 7 direct marketingAPP 7 restricts using or disclosing personal information for direct marketing and requires a simple opt-out — when it applies, the exceptions and penalties.
- CWLTHAPP 2 — anonymity + pseudonymity for individualsWhere reasonable, individuals must be able to deal with you anonymously or under a pseudonym.
Frequently asked questions
- Who must comply with APP 12 & APP 13 access and correction requests?
- All APP entities.
- What triggers APP 12 & APP 13 access and correction requests?
- Receiving an access or correction request.
- When is APP 12 & APP 13 access and correction requests due?
- Access: 30 days (private sector). Correction: reasonable timeframe; statement of correction if disagreement.
- What is the maximum penalty for APP 12 & APP 13 access and correction requests?
- Civil penalty exposure for systemic failure to respond; complaint-handling by OAIC
- What evidence is required for APP 12 & APP 13 access and correction requests?
- Request register, response letters, correction logs.
Source: https://oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-12-app-12-access-to-personal-information. Rules Mate is not a law firm. Always verify against the live regulator source before acting.