The Australia Privacy Act 1988 covers the processing and or use of personal information. An APP entity is a broad umbrella term referring to an organization that can include an individual, a body corporate, a partnership, any other unincorporated association, or a trust. An APP entity also refers to governmental agencies in Australia. However, this article will focus on APP entities as they relate to organizations. The thirteen Australian Privacy Principles (AAPs) enshrined in the Privacy Act include rights consumers have with respect to making requests to their information. This article will focus on how an organization must respond to consumer requests. There are three main consumer requests: requests to access personal information, requests to update personal information, and requests to opt-out of direct marketing.
Australia Privacy Act consumer request to access personal information
If an individual has requested to see what personal information an entity has on them, the entity must comply with this request. There are various exceptions to this rule. An entity is not required to give an individual access to the personal information requested if:
- The entity reasonably believes that giving access would pose a threat to the life, health, or safety of any individual, or to public health or public safety; or
- giving access would have an unreasonable impact on the privacy of other individuals; or
- the request for access is frivolous or vexatious; or
- the information relates to existing or anticipated legal proceedings between the entity and the individual, and would not be accessible by the process of discovery in those proceedings; or
- giving access would reveal the intentions of the entity in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
- giving access would be unlawful; or
- denying access is required or authorised by or under an Australian law or a court/tribunal order; or
- both of the following apply:
- the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in; and
- giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or
- giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
- giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process.
Regardless if an exception applies, the entity must respond to the request for access to the personal information. The Privacy Act stipulates that an organization should respond within “a reasonable period of time” (not exceeding thirty days) after the request is made. If an exception does not apply, then the entity is responsible for answering the request in the manner requested by the individual, if it is reasonable and practicable to do so. The APP entity is allowed to charge the individual if the entity provides access to the information requested, but this charge must not apply to the making of the request and cannot be an excessive charge. If an exception does apply, then the entity, in their response, must take steps to give access in a way that meets the needs of the entity and individual, if possible.
If an entity refuses to give access to the personal information because an exception does apply, or if the entity refuses to give access in the manner requested by the individual, then the entity must answer with a written notice that states:
- The reasons for the refusal; unless it would be unreasonable to do so; and
- The mechanisms available to complain about the refusal; and
- Any other matter prescribed in the regulations, such as, for example, explaining why giving access to the request would reveal evaluative information generated within the entity in connection with the commercially sensitive decision.
In either scenario, it is crucial that the entity responds to the individual’s request. Not responding to a consumer’s data request also implicates the Australian Consumer Data Right law (CDR). If a data holder refuses to disclose information that has been requested by a consumer, or frustrates the disclosure process, by intentionally ignoring the Data Standards when a consumer has made a valid request, and where a refusal not to disclose is not permitted, then this will significantly compromise the integrity of the CDR regime. Moreover, there are significantly less exceptions to an entity circumventing the obligation to share DCR data in response to a valid request from a consumer. The Australian Competition and Consumer Commission (ACC) and the Office of the Australian Information Commissioner (OAIC) are more likely to take enforcement action against such an entity in this scenario.
Request to update personal information
In a similar vein to requesting access to personal information, an individual can also make an Australia Privacy Act consumer request to correct their information. Under APP 10, entities are responsible for ensuring the personal information they retain is accurate, up to date, complete, relevant, and not misleading. Therefore, the entity must take reasonable steps to correct the information based on the individuals request. If the individual has requested that the entity notify a third party of the correction, the entity must also comply in updating the third party.
Similar to a request to access personal information, an entity also can refuse to update personal information based on an individual’s request, but must provide a written notice to the individual for the refusal. The written notice must include:
- The reasons for the refusal, unless it would be unreasonable to do so; and
- The mechanisms available to complain about the refusal; and
- Any other matter prescribed by the regulations.
While the Privacy Act does not provide individuals with an express right to require the erasure of their personal information, entities do have a duty to take reasonable steps to de-identify or destroy personal information when it is no longer needed for the purpose for which it was intended.
Australia privacy act consumer request to opt out of direct marketing
Direct marking is the use or disclosure of personal information to communicate directly with an individual to promote goods or services. The communication can occur through telephone, text message, mail, email, social media, and online advertising. Generally, APP 7 states that an organization that retains personal information about an individual may not use or disclose that information for the purposes of direct marketing. There is, however, an exception. An organization may use or disclose an individual’s personal information (other than sensitive information) about an individual, so as long as:
- The organization collected the information from the individual; and
- The individual would reasonably except the organization to use or disclose the information for the intended purpose; and
- The organization provides a simple means by which the individual may easily request not to receive direct marketing communications from the organization; and
- The individual has not made such a request to the organization.
If an individual has made an Australia Privacy Act consumer request not to receive direct marketing communications, then the organization must comply with this request. Because an organization can also use or disclose personal information about an individual for the purpose of facilitating direct marketing by other organizations, an individual can also request the organization not to use or disclose the information to the other organization. If either request is made, the organization cannot charge the individual making the request. The Privacy Act stipulates the organization has a reasonable amount of time to comply with the request after the request is made. An individual can also request the organization to disclose the source of the personal information. In that scenario, the Privacy Act also states that the organization must, within a reasonable period after the request is made, notify the individual of its source unless it is impractical or unreasonable to do so.
I am a third year at UIC John Marshall law school in Chicago. After my first year of law school I spent the summer clerking for Vandenack Weaver LLC in Omaha, NE and during my second year of law school I worked for Chicago Daily Law Bulletin as a content specialist. I am passionate about privacy and cybersecurity law and serve as the liaison for the Chicago Bar Association’s Cyber Law and Data Privacy Committee.