Individuals presently have limited rights to access and request the correction of their personal information under the Privacy Act, but the Attorney-General's report on the review of the Privacy Act proposes changing that. The introduction of a raft of new rights for individuals, and their exercise, may give rise to costly legal and operational challenges for many organisations.
What access rights does an individual currently have with respect to their personal information?
An individual currently has a limited right to access their personal information and to request that their personal information be corrected. In its current form, Australian Privacy Principle (APP) 12 (right to access) provides that, upon request, an individual must be granted access to personal information held about them, subject to certain exceptions. APP 13 (correction of personal information) provides that an individual may request the correction of personal information, which must be acted upon where the organisation is satisfied that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
Generally speaking, these rights do not extend to current or former employees, because of the employee records exemption.
What potential future privacy rights may an individual have?
The Report proposes expanding an individual's rights in their personal information to bring Australian privacy law into the digital age, to meet community expectations, and to promote interoperability with other privacy regimes, such as the European Union's GDPR.
These expanded rights would include:
- A broader right of access – APP 12 would be expanded so that an organisation must, in addition to identifying the personal information of the individual that it holds, explain the source of the personal information and what is done with the personal information.
- The right to challenge or object to the collection, use and disclosure of personal information – Modelled on the GDPR's right to object, individuals would be able to request that an organisation cease to process their personal information in certain circumstances, or to object to a particular way in which it is being handled.
- A broader right to correction of their personal information – The proposed expanded right under a modified APP 13 is likely to enable an individual to request the correction of an online publication over which the organisation maintains control.
- The right of erasure – While organisations are already required under APP 11 (security of personal information) to take reasonable steps to destroy or de-identify personal information once it is no longer needed, this proposed right would require an organisation to destroy that personal information if requested by the individual in certain circumstances, such as where an individual ceases to use that organisation's services and the information is sensitive information (e.g. health information), or the information is about a child.
- The right to seek the de-indexing of internet search results – This proposed right would likely be modelled on the GDPR's "right to be forgotten" and is a sub-category of the right of erasure. The successful exercise of this right would result in the de-indexing or removal of internet search results where those results contain personal information that is sensitive information, information about a child, or information that is excessively detailed, inaccurate, out-of-date, incomplete, irrelevant or misleading. This right would not lead to the removal or deletion of the underlying webpage itself.
Are there any exceptions to these proposed new privacy rights?
While organisations will be expected to act on requests from individuals to exercise their new rights, the Report proposes exceptions which could be relied upon to refuse a request, including:
- Competing public interests – Organisations could seek to balance the public interest in an activity against the public interest in protecting privacy. For example, the public interest in law enforcement may outweigh an individual's right to access their personal information, or the rights to object and to erasure may negatively impact health care and research.
- Required or authorised by law, legal relationships, and proceedings – Organisations would be permitted to take into account their own legal obligations, whether the retention of specific records under a legislative regime, contractual obligations that the organisation must fulfil, or that the information may relate to actual or threatened legal proceedings.
- Technically infeasible – Organisations would be permitted to consider the technical difficulties and disproportionate effort that may be required to comply with an individual's rights, such as a right of access, correction or erasure. For example, these difficulties may arise due to the technical limitations of the software employed by an organisation.
- Frivolous or vexatious requests – The existing exception for requests that are frivolous or vexatious would be retained and extended to apply to all of an individual's new rights. Examples of a frivolous or vexatious request may include repeated requests in respect of the same personal information, or requests made for the purpose of unreasonably interfering with an organisation's operations (although the precise limits have not yet been tested by the Courts).