Rules Mate

APP 12 & APP 13 access and correction requests

Individuals can ask to access (APP 12) and correct (APP 13) the personal information you hold — the strict response times, allowable refusals and how to comply.

highcurrentevent driven

Who must comply

All APP entities.

What triggers it

Receiving an access or correction request.

When due

Access: 30 days (private sector). Correction: reasonable timeframe; statement of correction if disagreement.

Evidence required

Request register, response letters, correction logs.

Max penalty

Civil penalty exposure for systemic failure to respond; complaint-handling by OAIC

Summary

APP 12 requires entities to give an individual access to their personal information held by the entity on request, within 30 days (private sector). Limited exceptions (e.g. serious risk, frivolous, breach of others' privacy). APP 13 requires entities to take reasonable steps to correct personal info that is inaccurate, out of date, incomplete, irrelevant or misleading.

Enforced by

Source legislation

Topics

privacyappaccesscorrection

Related obligations

Frequently asked questions

Who must comply with APP 12 & APP 13 access and correction requests?
All APP entities.
What triggers APP 12 & APP 13 access and correction requests?
Receiving an access or correction request.
When is APP 12 & APP 13 access and correction requests due?
Access: 30 days (private sector). Correction: reasonable timeframe; statement of correction if disagreement.
What is the maximum penalty for APP 12 & APP 13 access and correction requests?
Civil penalty exposure for systemic failure to respond; complaint-handling by OAIC
What evidence is required for APP 12 & APP 13 access and correction requests?
Request register, response letters, correction logs.

Source: https://oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-12-app-12-access-to-personal-information. Rules Mate is not a law firm. Always verify against the live regulator source before acting.