Access to Information Requests: lessons from the Privacy Commissioner

On 25 February 2022, the Australian Information Commissioner and Privacy Commissioner, Angelene Falk made a decision that an organisation had interfered with an individual’s privacy by breaching Australian Privacy Principle (APP) 12.

The decision confirms that organisations cannot simply “fob off” information requests on the basis that providing the information would unreasonably impact the privacy of another person.

The facts

The organisation concerned was a hospital where the individual had surgery. The individual requested access to their personal information held by the hospital, but the hospital refused to provide access because:

  1. the material also contained personal information about other individuals and therefore, the provision of material would have an unreasonable impact on the privacy of the other individuals (APP 12.3); and
  2. it was not possible to provide access in a way that could meet both parties’ needs (APP 12.5).

The Privacy Commissioner disagreed with these reasons and declared there had been an interference with privacy and required the hospital to certify in writing that it had provided all information requested. No financial penalty was ordered.

What is APP 12?

APP 12 gives all individuals the right to request access to personal information about them held by organisations subject to the APPs. When individuals make an Access Request, organisations must provide access to the requested information within a reasonable period of time, unless an exception applies. This means organisations may be required to provide information that might be damaging, embarrassing or simply burdensome to collate; as these are not exceptions to APP 12.

The Office of the Australian Information Commissioner (OAIC) provides more detail regarding APP 12 here.

Lessons for your organisation

  • If your organisation provides a health service or holds any health information (exempt employee records), the small business exception for organisations with an annual turnover of less than $3 million does not apply and your organisation is subject to the requirements of APP 12 – regardless of your annual turnover.
  • Individuals can make Access Requests by phone – they do not need to be in writing. Individuals can also expand the scope of the Access Request. When handling Access Requests, it is best practice to acknowledge receipt of the request and confirm what information the Access Request is requesting.
  • Organisations are expected to consult the individual to try to satisfy the Access Request, including the format in which the information is requested.

Redacting names and other information

  • If you choose to refuse access to all information entirely (i.e., not redact) on the basis that it would be unreasonable to disclose the names or identity of staff involved, you need to be able to explain why redaction of the identifying details would not be sufficient to remove the unreasonable impact on those other individuals.
  • Under the APP 12.3(b) exception, you need to be able to explain the impact of disclosing those names, and why that impact would be unreasonable.
  • Where the personal information is someone’s observations of what they heard and saw in relation to the person requesting access (such as an Incident Report), it is not unreasonable for the person requesting access to have this information because this information is about them.
Example
If you are a school that is keeping incident reports that contain personal information about a student, it may be unreasonable to refuse to provide access to this information to the student (or their parents) for the reason of protecting the identity of the teacher involved.

However, mandatory reporting does have protections for the identity of mandatory reporters. You will need to balance up the privacy rights of the student, with any other legal obligations of confidentiality.

How we can help

If you receive an Access Request, Moores can help by:

  • explaining your legal obligations as they specifically relate to your organisation and the Access Request;
  • explain what exceptions or confidentiality requirements may apply to the information subject to the specific Access Request;
  • compile the Access Request and redact documents for you; and
  • provide you with a step by step guide, explaining how to respond to the Access Requests, and a procedure to follow in future.

More information about our Privacy Expertise is here, or reach out to one of our Privacy Team.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

Authors