We have seen a steady rise in information requests being made by parents, clients and other individuals connected to our clients across education, housing, not-for-profit and community health organisations. Information requests – or access requests – most commonly arise when there has been a breakdown of trust, and can be a pre-litigation measure.
What is an information request?
The right for individuals to make requests of organisations for access to information about themselves comes from the Australian Privacy Principles (APPs), or other privacy principles that might be applicable in different states.
The Access Right
If an organisation holds personal information about an individual, the organisation must, on request by the individual, give the individual access to the information.
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not.
There are some exclusions which might apply, for example, the employee records exemption.
Breakdown of trust
There is no tort of privacy in Australia, however, privacy is recognised as a human right and is enforced in Australia through various privacy principles – the most well known are the Australian Privacy Principles in the Privacy Act 1988.
The right to make information requests recognises that privacy is fundamentally about power. When organisations hold personal information about an individual, the organisation can construct an image of that person and make inferences about their identity, needs and wants. When there is a breakdown in the relationship between the individual and organisations, individuals make information requests in order to regain control over their information, and by extension, identity.
Privacy is fundamentally about power.
A breakdown in trust is also exacerbated by data breaches, ransomware and hacking. Look out for our lessons from the recent data breach in the headlines.
Fishing expedition
Information requests can also be made as a pre-litigation measure to gather information in order to be better positioned to commence a claim against the organisation. This can be concerning for organisations, and make it difficult to balance individual privacy rights with organisational commercial and strategic objectives.
There is an ability for organisations to refuse a “frivolous or vexatious” (APP 12.3(c)), but this should be treated with caution. There are no published decisions where the Australian Information Commissioner has found a request to be frivolous or vexatious, and the APP Guidelines say:
“A request should not be refused on this ground unless there is a clear and convincing basis for deciding that a request is frivolous or vexatious. It is not a sufficient basis, for example, that a request would cause inconvenience or irritation to an organisation.”
Lessons from the Privacy Commissioner
Earlier in the year we reported on decision made by the Australian Information Commissioner about an information request that involved personal information of another person. The decision confirmed organisations cannot simply “fob off” information requests on the basis that providing the information would unreasonably impact the privacy of another person.
In the most recent decision, published in June 2022, a not-for-profit agency (Relationships Australia) was found to have interfered with an individual’s privacy by not providing all the information requested, and not providing access in the manner requested. The not-for-profit agency also did not adequately explain the exceptions it considered applied in responding to the individual.
Organisations must give access to the information in the manner requested by the individual if it is reasonable and practicable to do so (APP 12.4). In this decision, the individual had requested the information by post. The not-for-profit agency only offered to provide access to the information in person by viewing the documents at their office, as the information was sensitive and this was a more trauma-informed approach. While the trauma-informed approach was recognised by the Information Commissioner, ultimately the organisation had an obligation to provide the information by post, as the individual had rejected the suggested trauma-information approach.
While organisations can offer to provide access in different ways, they cannot refuse a method of access requested by an individual unless it is unreasonable or unpracticable.
How we can help
Moores can support your organisation to respond to the rise in information requests by:
- Providing training on privacy in general, and information requests in particular;
- Developing a procedure to help staff respond to information requests; and
- Support correspondence with individuals to address the breakdown of trust and mitigate risks of information requests excavating to the Information Commissioner.
Contact us
Please contact us for more detailed and tailored help.
Subscribe to our email updates and receive our articles directly in your inbox.