Having a self-updating Australian Privacy Policy on your website is one thing, but now you are a responsible data holder you need to know what to do when you get a request from a third party about their data.
The Australia Privacy Act 1988 covers the processing and or use of personal information. An APP entity is a broad umbrella term referring to an organization that can include an individual, a body corporate, a partnership, any other unincorporated association, or a trust. An APP entity also refers to governmental agencies in Australia. However, this article will focus on APP entities as they relate to organizations. The thirteen Australian Privacy Principles (AAPs) enshrined in the Privacy Act include rights consumers have with respect to making requests to their information. This article will focus on how an organization must respond to consumer requests. There are three main consumer requests: requests to access personal information, requests to update personal information, and requests to opt-out of direct marketing.
Australia Privacy Act consumer request to access personal information
If an individual has requested to see what personal information an entity has on them, the entity must comply with this request. There are various exceptions to this rule. An entity is not required to give an individual access to the personal information requested if:
- The entity reasonably believes that giving access would pose a threat to the life, health, or safety of any individual, or to public health or public safety; or
- giving access would have an unreasonable impact on the privacy of other individuals; or
- the request for access is frivolous or vexatious; or
- the information relates to existing or anticipated legal proceedings between the entity and the individual, and would not be accessible by the process of discovery in those proceedings; or
- giving access would reveal the intentions of the entity in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
- giving access would be unlawful; or
- denying access is required or authorised by or under an Australian law or a court/tribunal order; or
- both of the following apply:
- the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in; and
- giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or
- giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
- giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process.
Regardless if an exception applies, the entity must respond to the request for access to personal information. The Privacy Act stipulates that an organization should respond within “a reasonable period of time” (not exceeding thirty days) after the request is made. If an exception does not apply, then the entity is responsible for answering the request in the manner requested by the individual, if it is reasonable and practicable to do so. The APP entity is allowed to charge the individual if the entity provides access to the information requested, but this charge must not apply to the making of the request and cannot be an excessive charge. If an exception does apply, then the entity, in their response, must take steps to give access in a way that meets the needs of the entity and individual, if possible.
If an entity refuses to give access to the personal information because an exception does apply, or if the entity refuses to give access in the manner requested by the individual, then the entity must answer with a written notice that states:
- The reasons for the refusal; unless it would be unreasonable to do so; and
- The mechanisms available to complain about the refusal; and
- Any other matter prescribed in the regulations, such as, for example, explaining why giving access to the request would reveal evaluative information generated within the entity in connection with the commercially sensitive decision.
In either scenario, it is crucial that the entity responds to the individual’s request. Not responding to a consumer’s data request also implicates the Australian Consumer Data Right law (CDR). If a data holder refuses to disclose information that has been requested by a consumer, or frustrates the disclosure process, by intentionally ignoring the Data Standards when a consumer has made a valid request, and where a refusal not to disclose is not permitted, then this will significantly compromise the integrity of the CDR regime. Moreover, there are significantly fewer exceptions to an entity circumventing the obligation to share DCR data in response to a valid request from a consumer. The Australian Competition and Consumer Commission (ACC) and the Office of the Australian Information Commissioner (OAIC) are more likely to take enforcement action against such an entity in this scenario.
Request to update personal information
In a similar vein to requesting access to personal information, an individual can also make an Australia Privacy Act consumer request to correct their information. Under APP 10, entities are responsible for ensuring the personal information they retain is accurate, up to date, complete, relevant, and not misleading. Therefore, the entity must take reasonable steps to correct the information based on the individual request. If the individual has requested that the entity notify a third party of the correction, the entity must also comply in updating the third party.
Similar to a request to access personal information, an entity also can refuse to update personal information based on an individual’s request but must provide a written notice to the individual for the refusal. The written notice must include:
- The reasons for the refusal, unless it would be unreasonable to do so; and
- The mechanisms available to complain about the refusal; and
- Any other matter prescribed by the regulations.
While the Privacy Act does not provide individuals with an express right to require the erasure of their personal information, entities do have a duty to take reasonable steps to de-identify or destroy personal information when it is no longer needed for the purpose of which it was intended.
Australian privacy act consumer request to opt-out of direct marketing
Direct marking is the use or disclosure of personal information to communicate directly with an individual to promote goods or services. Communication can occur through telephone, text message, mail, email, social media, and online advertising. Generally, APP 7 states that an organization that retains personal information about an individual may not use or disclose that information for the purposes of direct marketing. There is, however, an exception. An organization may use or disclose an individual’s personal information (other than sensitive information) about an individual, so as long as:
- The organization collected the information from the individual; and
- The individual would reasonably expect the organization to use or disclose the information for the intended purpose; and
- The organization provides a simple means by which the individual may easily request not to receive direct marketing communications from the organization; and
- The individual has not made such a request to the organization.
If an individual has made an Australia Privacy Act consumer request not to receive direct marketing communications, then the organization must comply with this request. Because an organization can also use or disclose personal information about an individual for the purpose of facilitating direct marketing by other organizations, an individual can also request the organization not to use or disclose the information to the other organization. If either request is made, the organization cannot charge the individual making the request. The Privacy Act stipulates the organization has a reasonable amount of time to comply with the request after the request is made. An individual can also request the organization to disclose the source of personal information. In that scenario, the Privacy Act also states that the organization must, within a reasonable period after the request is made, notify the individual of its source unless it is impractical or unreasonable to do so.
Request to see APP Privacy Policy
While an APP entity’s privacy policy should already be easily accessible on the entity’s website or app, if a person requests a copy of the APP privacy policy in a particular form, the entity must comply with the request in a reasonable amount of time. This should be done free of charge. It is important that entities craft an APP privacy policy that contains pertinent information, including the types of personal information it collects, as well as how an individual may complain about a breach of the APPs. To help craft your Australia Privacy Act of 1988 Privacy Policy, use Termageddon’s Website Privacy Policy generator.
This article was originally published by the team at Termageddon, and has been reposted with permission.
This article is not legal advice.
