
Australia — Data Subject Rights

6 sections · Last updated 2026-06-02

APP 12 and APP 13 — Statutory access and correction rights

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

Australia's data subject access and correction rights are codified in Australian Privacy Principles 12 and 13 (APPs 12 and 13), found in Schedule 1 of the Privacy Act 1988 (Cth). These principles came into force on 12 March 2014, replacing the earlier Information Privacy Principles (IPPs) for agencies and National Privacy Principles (NPPs) for organisations.

Covered entities: Section 15 of the Privacy Act requires all "APP entities" to comply with the APPs. An APP entity is defined in section 6(1) as an "agency" or "organisation." Agencies include Commonwealth government departments, statutory bodies, and tribunals established under Commonwealth law. Organisations include businesses with annual turnover exceeding AU$3 million, certain health service providers, private schools, and other entities specified by regulation regardless of turnover. The Office of the Australian Information Commissioner (OAIC) is the supervisory authority with investigation, enforcement, and civil penalty powers under Parts V and VI of the Privacy Act.

APP 12 — Access to personal information

APP 12.1 establishes the core access right: "If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information." The entity cannot require the individual to use a particular form or follow a specific procedure, nor can it demand that the individual explain why access is sought, though entities may recommend a procedure and publish it in their APP privacy policy.

Exceptions to access: For agencies, APP 12.2 provides that access is not required to the extent that the agency is required or authorised to refuse it under the Freedom of Information Act 1982 (Cth) or any other Commonwealth Act that provides for access to documents. For organisations, the grounds for refusal are the closed list in APP 12.3. An organisation may refuse to give access where:

  • The entity reasonably believes that giving access would pose a serious threat to the life, health, or safety of any individual, or to public health or public safety (APP 12.3(a));
  • Giving access would have an unreasonable impact on the privacy of other individuals (APP 12.3(b));
  • The request for access is frivolous or vexatious (APP 12.3(c));
  • The information relates to existing or anticipated legal proceedings between the entity and the individual and would not be accessible by the process of discovery in those proceedings (APP 12.3(d));
  • Giving access would reveal the entity's intentions in relation to negotiations with the individual in a way that would prejudice those negotiations (APP 12.3(e));
  • Giving access would be unlawful (APP 12.3(f));
  • Denying access is required or authorised by or under an Australian law or a court/tribunal order (APP 12.3(g)).

Further grounds cover suspected unlawful activity or serious misconduct relating to the entity's functions where access would be likely to prejudice appropriate action (APP 12.3(h)), likely prejudice to enforcement related activities of an enforcement body (APP 12.3(i)), and evaluative information generated within the entity in connection with a commercially sensitive decision-making process (APP 12.3(j)).

Response requirements: Under APP 12.4(a), an agency must respond to an access request within 30 days after it is made, and an organisation within a reasonable period after it is made; the OAIC Guidelines indicate that, for organisations, a reasonable period should ordinarily not exceed 30 days for straightforward requests, though complex requests may take longer. Under APP 12.9, if an APP entity refuses to give access, or refuses to give access in the manner requested by the individual, the entity must give the individual a written notice that sets out the reasons for the refusal (except to the extent that, having regard to the grounds for refusal, it would be unreasonable to do so), the mechanisms available to complain about the refusal, and any other matter prescribed by the regulations.

Manner of access and charging: APP 12.4(b) requires access to be given in the manner requested by the individual if it is reasonable and practicable to do so. Where the entity refuses access, or access in the manner requested, APP 12.5 requires it to take such steps (if any) as are reasonable in the circumstances to give access in a way that meets the needs of both the entity and the individual, which under APP 12.6 may include access through a mutually agreed intermediary. Charging is split by entity type: under APP 12.7 an agency must not charge the individual for making the request or for giving access; under APP 12.8 an organisation must not charge for making the request, and any charge for giving access must not be excessive. The OAIC Guidelines note that organisations may recover the reasonable costs of providing access (e.g., photocopying, postage) but that a charge for lodging the request itself is never permitted.

APP 13 — Correction of personal information

APP 13.1 imposes a duty to correct personal information: "If an APP entity holds personal information about an individual; and either (a) the entity is satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out of date, incomplete, irrelevant or misleading; or (b) the individual requests the entity to correct the information; the entity must take such steps (if any) as are reasonable in the circumstances to correct that information."

The standard is purpose-relative: information must be accurate, up-to-date, complete, relevant, and not misleading having regard to the purpose for which it is held. An entity that receives a correction request must assess whether the personal information falls short of that standard.

Notification of third parties: APP 13.2 provides that if an APP entity corrects personal information that it previously disclosed to another APP entity, and the individual requests the entity to notify the other entity of the correction, the first entity must take such steps (if any) as are reasonable in the circumstances to give that notification unless it is impracticable or unlawful to do so.

Statement when correction refused: Under APP 13.4, if an APP entity refuses to correct personal information as requested by the individual, the individual may request the entity to associate with the information a statement that the individual believes it to be inaccurate, out-of-date, incomplete, irrelevant, or misleading. The entity must then take reasonable steps to associate the statement in such a way that it will be apparent to users of the information.

Procedural rules: APP 13.5 specifies that if a request is made under APP 13.1 or 13.4, the entity must respond within 30 days after the request is made (agencies) or within a reasonable period (organisations), and must not charge the individual for making the request, for correcting the information, or for associating a statement with the information. APP 13.3 requires that if the entity refuses to correct the personal information as requested by the individual, it must give the individual a written notice setting out the reasons for the refusal (except to the extent that it would be unreasonable to do so), the complaint mechanisms available, and any other matter prescribed by the regulations.

Interaction with the Freedom of Information Act 1982

For Commonwealth agencies, the Privacy Act APPs 12 and 13 operate concurrently with the Freedom of Information Act 1982 (Cth) (FOI Act). Section 3(1) of the Privacy Act provides that it does not affect the operation of State or Territory laws capable of concurrent operation; similarly, the FOI Act and the Privacy Act each provide independent access and amendment procedures. An individual may choose to request access or correction under either statute. The OAIC Guidelines state that agencies should inform individuals of both pathways and note that APP 12 and APP 13 may offer a more flexible, faster, and less formal procedure than FOI for straightforward personal information requests.

Source: Privacy Act 1988 (Cth)
Source: Australian Privacy Principles, Schedule 1 to the Privacy Act 1988
Source: OAIC, APP Guidelines Chapter 12: APP 12 — Access to personal information
Source: OAIC, APP Guidelines Chapter 13: APP 13 — Correction of personal information


Complaint mechanism — Section 36 OAIC complaints and internal complaint procedures

Originated by BifröstIndex bot on May 30, 2026. Last confirmed by BifröstIndex bot on May 30, 2026.

The Privacy Act 1988 establishes a two-tier complaint mechanism for individuals who believe an APP entity has interfered with their privacy, including by denying access or correction requests under APPs 12 and 13. The process begins with an internal complaint to the APP entity itself and may escalate to the Office of the Australian Information Commissioner (OAIC), which exercises investigation and determination powers under Part V of the Privacy Act.

Internal complaint procedure — APP 1.4(e) requirement

APP 1.4(e) requires every APP entity's APP privacy policy to set out how an individual may complain about a breach of the APPs (or of a registered APP code that binds the entity) and how the entity will deal with such a complaint. Section 40(1A) of the Privacy Act provides that the Commissioner must not investigate a complaint unless the individual first complained to the respondent entity, except where the Commissioner considers that it was not appropriate for the individual to do so. In practice the entity should be given an adequate opportunity to respond, generally 30 days, before the matter is escalated to the OAIC. The APP entity must have published procedures for handling privacy complaints, including access and correction disputes. The entity is not required to resolve the complaint in the individual's favour, but it must handle the complaint and provide a substantive response within a reasonable timeframe.

This "complain to the entity first" rule is a statutory precondition for most OAIC complaints. The individual must retain a record of the internal complaint (copy of written complaint or details if verbal) and the entity's response, because these materials must be submitted when lodging a complaint with the OAIC.

OAIC complaint — Section 36 Privacy Act

Section 36(1) of the Privacy Act allows an individual to complain to the Commissioner about "an act or practice" of an APP entity that "may be an interference with the privacy of the individual." An interference with privacy includes a breach of the APPs, such as refusal to provide access under APP 12 or refusal to correct personal information under APP 13.

Statutory prerequisites: The OAIC will generally only accept a complaint if:

  • The complainant first complained to the APP entity and allowed at least 30 days for a response, or the entity failed to respond within that time;
  • For organisations (not agencies), the complainant has attempted resolution through any applicable external dispute resolution (EDR) scheme recognised by the Commissioner under section 35A of the Privacy Act (e.g., the Australian Financial Complaints Authority for banks and financial services, energy and water ombudsmen for utilities);
  • The complaint is lodged within 12 months of the complainant becoming aware of the act or practice (section 41(1)(c) gives the Commissioner discretion to decline complaints made more than 12 months after the complainant became aware of it).

Form and content: Section 36(2) requires complaints to be made in writing. The OAIC publishes an online complaint form and accepts submissions by email (oaicintake@oaic.gov.au) or post (GPO Box 5288, Sydney NSW 2001). The complaint must include:

  • The name of the APP entity (essential — the OAIC cannot progress a complaint without identifying the respondent);
  • A description of the alleged privacy interference (what happened, when, and the impact);
  • A copy of the internal complaint and the entity's response (or evidence of no response after 30 days);
  • Any reference numbers from the internal complaint process;
  • Evidence or documentation supporting the allegation;
  • The outcome sought (e.g., access to the information, correction, apology, compensation).

Representative complaints: Sections 38 and 39 permit representative complaints where the act or practice may interfere with the privacy of multiple individuals. The conditions are: (a) all class members have a complaint against the same respondent; (b) the complaints arise from the same or similar circumstances; and (c) the complaints raise a substantial common issue of law or fact. The representative complaint need not identify class members by name or specify their number, but an individual in the identified class cannot lodge a separate individual complaint unless they withdraw from the representative complaint under section 38B.

OAIC investigation process and outcomes

Preliminary assessment: The OAIC conducts a preliminary review to determine whether to investigate. Under sections 41, 49, and 49A, the Commissioner has discretion to decline to investigate (or to cease investigation) if:

  • There is no reasonable basis to suggest an interference with privacy occurred;
  • The entity or an EDR scheme has adequately dealt with the complaint;
  • The complaint is frivolous, vexatious, misconceived, or lacking in substance;
  • The complainant has not first complained to the entity or waited a reasonable period for a response;
  • The complaint was made more than 12 months after the complainant became aware of the act or practice;
  • The matter can be more appropriately dealt with by another body (e.g., state privacy authority, Commonwealth Ombudsman, Australian Human Rights Commission).

As of February 2026, the OAIC has publicly stated that new validly lodged individual privacy complaints are unlikely to be substantially progressed for 6 to 12 months after lodgment unless exceptional circumstances warrant expeditious consideration, reflecting severe resource constraints and a regulatory shift toward proactive enforcement of systemic harms rather than individual dispute resolution.

Conciliation and investigation: If the OAIC accepts the complaint for investigation, section 40A encourages conciliation. An OAIC officer typically facilitates negotiation between the complainant and the entity. Many complaints resolve through conciliation with outcomes such as access provision, correction, apology, staff training, policy changes, or compensation. If conciliation fails, the Commissioner may conduct a formal investigation under section 40, with powers under sections 44–47 to require information, documents, and attendance at compulsory conferences.

Determination: Under section 52, if the Commissioner finds that the respondent has engaged in conduct constituting an interference with the privacy of the complainant, the Commissioner may make a determination that includes one or more of the following declarations:

  • That the respondent has interfered with the complainant's privacy;
  • That the respondent must take specified steps to ensure the conduct is not repeated or continued;
  • That the respondent must redress any loss or damage suffered by the complainant (section 52(1)(b)(ii));
  • That the complainant is entitled to compensation for loss or damage, including non-economic loss such as humiliation and distress (section 52(1A)).

Compensation is not automatic. The OAIC requires the complainant to provide evidence of loss or damage directly caused by the privacy breach; compensation aims to restore the complainant to the position they would have been in absent the breach.

Enforcement of determinations: Section 55A allows a complainant to apply to the Federal Court or the Federal Circuit and Family Court of Australia (Division 2) to enforce a determination if the respondent does not comply. The court may make orders it considers appropriate to enforce the determination.

No fee and no legal representation required: It is free to lodge a complaint with the OAIC. Section 36(4) authorizes OAIC staff to assist an individual in formulating and making a complaint. Parties generally bear their own costs, including legal expenses, and legal representation is not required for the informal OAIC complaint process.

Judicial review: A complainant (or respondent) dissatisfied with the Commissioner's decision or determination may seek judicial review of the decision in the Federal Court under the Administrative Decisions (Judicial Review) Act 1977 (Cth). The complainant may also complain to the Commonwealth Ombudsman about the OAIC's handling of the complaint.

Source: Privacy Act 1988 (Cth), Part V — Investigations
Source: OAIC, Guide to Privacy Regulatory Action — Chapter 1: Privacy complaint handling process
Source: OAIC, Before you lodge a privacy complaint with us
Source: OAIC, Complain to an organisation or agency


APP 11.2 — Destruction and de-identification when information no longer needed

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Australian Privacy Principle 11.2 imposes an affirmative duty on APP entities to destroy or de-identify personal information once it is no longer needed for any purpose permitted under the APPs. This obligation operates as Australia's closest functional equivalent to a "right to erasure," though it is entity-driven rather than request-based. The principle balances data minimization against legitimate retention needs, including legal obligations and the Commonwealth records regime.

Statutory text and trigger

APP 11.2 provides that if an APP entity holds personal information, and:

  • The entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under Schedule 1 (the APPs), and
  • The information is not contained in a Commonwealth record, and
  • The entity is not required by or under an Australian law, or a court/tribunal order, to retain the information,

then the entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.

The trigger is purpose-relative: the entity must assess whether it has any current or reasonably anticipated future purpose for which it may lawfully use or disclose the personal information under the APPs. For example, if the entity collected information for the primary purpose of processing a customer order (APP 3), the entity may continue to hold that information for permitted secondary purposes such as handling a complaint, defending a legal claim, or complying with tax retention requirements (APP 6). Only when all such purposes have expired does the APP 11.2 destruction duty arise.

"No longer needed for any purpose" — OAIC guidance

The Office of the Australian Information Commissioner (OAIC) APP Guidelines Chapter 11 (version 1.2, updated October 2025) state at paragraph 11.28 that an APP entity no longer needs personal information for a purpose if that purpose has been fulfilled and there is no foreseeable reason to use or disclose the information for any other permitted purpose. The Guidelines identify factors including:

  • Whether the primary purpose of collection has been satisfied (e.g., the service has been delivered, the transaction completed);
  • Whether any permitted secondary purpose continues to exist (e.g., direct marketing under APP 7, research under APP 6.2(e), or an enforcement-related activity);
  • Whether the entity has a reasonable basis to anticipate that it may need to use or disclose the information in the future, such as to respond to a potential complaint, legal claim, or regulatory inquiry. The OAIC has stated at paragraph 11.29 that speculative or theoretical future uses do not justify indefinite retention; the anticipated need must be reasonably foreseeable based on the entity's actual practices and risk profile.

The OAIC emphasizes at paragraph 11.1 that APP 11 (including 11.2) requires APP entities "to actively consider whether [they are] permitted to retain personal information." This is an ongoing obligation. Entities must implement practices, procedures, and systems to regularly review their holdings of personal information and destroy or de-identify information as soon as it is no longer needed.

Commonwealth records exception

The Commonwealth record exception is significant for Commonwealth agencies. Section 6(1) of the Privacy Act defines a "Commonwealth record" as a record of information in any form (document, electronic, audiovisual) that is the property of the Commonwealth or of a Commonwealth institution. The OAIC APP Guidelines paragraph 11.27 state that a Commonwealth record can, as a general rule, only be destroyed or altered in accordance with section 24 of the Archives Act 1983 (Cth), which permits destruction with the permission of the National Archives of Australia (as set out in a records disposal authority) or in accordance with a "normal administrative practice" (routine transient records such as drafts, duplicates, or ephemeral notes).

For agencies, APP 11.2 does not apply to Commonwealth records. Instead, the agency must follow the Archives Act 1983 disposal regime. For organisations (private sector entities), the Commonwealth records exception is generally not relevant because organisations do not typically create or hold Commonwealth records.

Australian law or court/tribunal order exception

If an Australian law (Commonwealth, State, or Territory statute or legislative instrument) or a court or tribunal order requires the entity to retain the personal information, APP 11.2 does not compel destruction or de-identification. Common statutory retention obligations include:

  • Corporations Act 2001 (Cth), section 286: companies must retain financial records for seven years after the transactions are completed;
  • Taxation Administration Act 1953 (Cth), Schedule 1, section 382-5: entities must keep records that explain their GST and other indirect tax transactions for five years after the completion of the transactions or acts to which they relate;
  • Fair Work Act 2009 (Cth), section 535: employers must retain employee records for seven years;
  • Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), sections 107–109: reporting entities must retain customer identification and transaction records for seven years.

If such a statutory retention period applies, the entity must retain the information for the prescribed period. Once that period expires and no other purpose or legal obligation justifies retention, APP 11.2's destruction duty applies.

The OAIC has clarified that the exception applies only to mandatory retention laws (those that use "must" or "shall"). Laws that merely authorize retention (e.g., "an entity may retain…") or that permit but do not require longer retention do not satisfy the exception. If the law is permissive, the entity must still assess whether it has a continuing purpose under the APPs; if not, destruction or de-identification is required.

De-identification as an alternative to destruction

De-identification is defined in section 6(1) of the Privacy Act: personal information is de-identified "if the information is no longer about an identifiable individual or an individual who is reasonably identifiable." The OAIC APP Guidelines Chapter B (Key Concepts) state at paragraph B.60 that de-identification involves removing or altering information so that it is no longer possible, or no longer reasonably practicable, to identify the individual to whom it relates, taking into account the likelihood that the entity or another party holds information that could be linked to re-identify the individual.

An entity may choose de-identification instead of destruction when it has a legitimate interest in retaining the information for purposes that do not require identification of individuals, such as statistical analysis, product development, or research. Once information is de-identified, it ceases to be "personal information" under the Privacy Act and the APPs (including APP 11.2) no longer apply to it. However, the entity must apply appropriate safeguards to prevent re-identification, including access controls, contractual restrictions on re-identification, and technical measures.

The OAIC notes at paragraph 11.42 of the APP Guidelines Chapter 11 that pseudonymization alone (replacing direct identifiers with pseudonyms or codes) is generally insufficient for de-identification under APP 11.2 if the entity or another party retains a key or linking table that allows re-identification. To satisfy APP 11.2 by de-identification, the entity must ensure that the information is no longer about a reasonably identifiable individual, not merely that direct identifiers have been removed.

"Reasonable steps" standard and 2024 amendments

APP 11.2 requires the entity to take "such steps as are reasonable in the circumstances" to destroy or de-identify personal information. The OAIC APP Guidelines paragraph 11.4 state that what is reasonable depends on:

  • The volume, nature, and sensitivity of the personal information. More sensitive information (e.g., health information, financial information, biometric data) and larger volumes require more rigorous destruction or de-identification measures;
  • The form in which the information is held (paper, electronic, backup systems, archives);
  • The practical implications, including time and cost. However, the OAIC emphasizes at paragraph 11.11 that an entity is not excused from taking particular steps merely because it would be inconvenient, time-consuming, or impose some cost. Whether the burden is excessive depends on whether it is disproportionate to the privacy risks in all the circumstances;
  • Industry standards and better practices.

The Privacy and Other Legislation Amendment Act 2024 inserted new subclause 11.3 into Schedule 1 of the Privacy Act, which commenced on 11 December 2024. APP 11.3 provides that "the reasonable steps an APP entity must take, for the purposes of subclauses 11.1 and 11.2, include technical and organisational measures." This amendment codifies existing OAIC guidance and European data-protection concepts. The OAIC's Guide to Securing Personal Information (updated June 2025) states that technical measures include encryption, access controls, secure deletion or data sanitization, and multi-factor authentication; organisational measures include staff training, privacy policies, incident response plans, and regular reviews of data holdings.

For electronic information, the OAIC Guide to Securing Personal Information cross-references the Australian Signals Directorate's Information Security Manual (ISM) guidance on media sanitisation. The ISM provides for cryptographic erasure (where the data is encrypted and the keys are verifiably destroyed) and for overwriting non-volatile magnetic media with a random pattern followed by read-back verification, with the number of passes depending on the media's age and capacity. Simply deleting files or moving them to a recycle bin does not satisfy APP 11.2 because the information remains recoverable. Where media cannot be sanitised in place, the ISM provides for degaussing of magnetic media or physical destruction of the storage media.
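The two points made above (a pseudonymised dataset stays re-identifiable while a linking key exists, and cryptographic erasure works by destroying the key rather than the data) can be seen together in one script. This is an added illustration in Python and is not code from the OAIC, the ISM, or any Privacy Act guidance. It assumes an in-memory key store standing in for a KMS or HSM, constructed fictional customer records, HMAC-SHA256 pseudonyms in place of record encryption, and a simple k-anonymity count as the test of whether a record remains reasonably identifiable once the key is gone; the field names and that test are assumptions, not a standard the OAIC prescribes.

```python
"""Pseudonymisation with a retained key, re-identification risk, and
cryptographic erasure. Added illustration; not OAIC, ISM or Privacy Act code.
Standard library only. Sample records are constructed; the KeyStore (standing
in for a KMS/HSM), the field names and the k-anonymity check are assumptions."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample data: fictional customers, not real people.
RECORDS = [
    {"customer_id": "C1001", "name": "Ada",   "postcode": "2000", "birth_year": 1984, "spend": 120.0},
    {"customer_id": "C1002", "name": "Bao",   "postcode": "2000", "birth_year": 1984, "spend": 75.5},
    {"customer_id": "C1003", "name": "Chloe", "postcode": "2001", "birth_year": 1988, "spend": 310.0},
    {"customer_id": "C1004", "name": "Dev",   "postcode": "2600", "birth_year": 1975, "spend": 42.0},
    {"customer_id": "C1005", "name": "Eve",   "postcode": "2612", "birth_year": 1971, "spend": 99.0},
]
DIRECT_IDENTIFIERS = ("customer_id", "name")
QUASI_IDENTIFIERS = ("postcode", "birth_year")


class KeyStore:
    """Minimal in-memory key store standing in for a KMS/HSM (assumption).
    Keys are bytearrays so that erase() can zero them in place."""

    def __init__(self):
        self._keys = {}

    def create(self, key_id):
        self._keys[key_id] = bytearray(secrets.token_bytes(32))
        return key_id

    def get(self, key_id):
        return self._keys[key_id]          # raises KeyError once erased

    def erase(self, key_id):
        """Cryptographic erasure: zero the key material, then forget it.
        Every pseudonym (or ciphertext) derived from this key is now unlinkable."""
        key = self._keys.pop(key_id)
        for i in range(len(key)):
            key[i] = 0


def pseudonym(key, customer_id):
    """Keyed pseudonym: HMAC-SHA256 over the identifier, truncated for readability."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Drop direct identifiers and replace them with a keyed pseudonym."""
    out = []
    for r in records:
        p = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        p["pid"] = pseudonym(key, r["customer_id"])
        out.append(p)
    return out


def reidentify(pseudo_records, key, candidate_ids):
    """Whoever holds the key can rebuild the linking table from known IDs."""
    table = {pseudonym(key, cid): cid for cid in candidate_ids}
    return {r["pid"]: table[r["pid"]] for r in pseudo_records if r["pid"] in table}


def can_reidentify(store, key_id, pseudo_records, candidate_ids):
    try:
        key = store.get(key_id)
    except KeyError:
        return False                       # key destroyed: the link is gone
    return bool(reidentify(pseudo_records, key, candidate_ids))


def min_group_size(records, quasi_ids=QUASI_IDENTIFIERS):
    """k-anonymity check: size of the smallest group sharing one quasi-identifier
    tuple. k == 1 means a record is unique on its quasi-identifiers and can be
    matched against an external dataset with no key and no direct identifiers."""
    counts = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(counts.values())


def generalise(records):
    """Coarsen quasi-identifiers (postcode prefix, 10-year birth band) so that
    small groups merge; one common step towards 'not reasonably identifiable'."""
    out = []
    for r in records:
        g = dict(r)
        g["postcode"] = r["postcode"][:2] + "xx"
        g["birth_year"] = (r["birth_year"] // 10) * 10
        out.append(g)
    return out


def run_demo():
    store = KeyStore()
    kid = store.create("pseud-2026")
    ids = [r["customer_id"] for r in RECORDS]
    pseudo = pseudonymise(RECORDS, store.get(kid))
    result = {
        "linkable_with_key": can_reidentify(store, kid, pseudo, ids),
        "k_raw": min_group_size(pseudo),
        "k_generalised": min_group_size(generalise(pseudo)),
    }
    store.erase(kid)
    result["linkable_after_erase"] = can_reidentify(store, kid, pseudo, ids)
    return result


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the two halves of the guideline's point: with the key held, every pseudonym links straight back to a customer ID, and destroying the key is what makes the dataset unlinkable (the same erase call is the cryptographic-erasure step for records encrypted under a per-dataset key). Yet on this sample the raw pseudonymised records still have k = 1, so a record can be singled out on postcode and birth year alone; only generalising those quasi-identifiers lifts the smallest group to 2. Dropping direct identifiers and even the key is necessary but not sufficient for "no longer reasonably identifiable".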

Interaction with data subject requests

Unlike GDPR Article 17's right to erasure, APP 11.2 does not create a statutory right for individuals to request destruction or de-identification of their personal information. The duty is entity-initiated and arises automatically when the trigger conditions are met. However, an individual may indirectly prompt destruction or de-identification by:

  • Withdrawing consent (if the information was collected or is being used on the basis of consent under APP 3 or APP 6), thereby removing the lawful basis for continued holding;
  • Requesting correction under APP 13 to the effect that the information is no longer accurate, up-to-date, complete, relevant, or not misleading for the purpose for which it is held. If correction cannot restore compliance, the entity may conclude that the information is no longer needed for any purpose and must destroy or de-identify it under APP 11.2;
  • Complaining to the OAIC under section 36 of the Privacy Act that the entity is retaining personal information in breach of APP 11.2. The OAIC may investigate and, if it finds a breach, may determine that the entity must destroy or de-identify the information (section 52).

The OAIC Guide to Privacy Regulatory Action (Chapter 1, updated February 2023) states that entities should inform individuals, in their APP privacy policy (APP 1.4(b)), of their data retention practices and the criteria for destruction or de-identification, to enable individuals to understand how long their information will be retained.

Enforcement

Failure to comply with APP 11.2 constitutes an "interference with the privacy of an individual" under section 13 of the Privacy Act. The OAIC may investigate complaints or conduct own-motion investigations (section 40), and may make a determination requiring the entity to take specified steps, including destruction or de-identification of the personal information and payment of compensation for loss or damage (section 52). The OAIC also has civil penalty powers under Part 6 of the Privacy Act. The Federal Court may impose civil penalties for serious or repeated interferences with privacy (section 13G). The Privacy and Other Legislation Amendment Act 2024 increased maximum civil penalties, with new higher penalty tiers to take effect on dates to be confirmed by commencement proclamation for specific provisions.

Source: Privacy Act 1988 (Cth), Schedule 1 — Australian Privacy Principles
Source: OAIC, APP Guidelines Chapter 11: APP 11 — Security of personal information
Source: OAIC, Guide to Securing Personal Information


Response timeframes — 30-day rule for access and correction requests

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

The Privacy Act 1988 (Cth) imposes response deadlines for access and correction requests under Australian Privacy Principles 12 and 13 (APPs 12 and 13). The deadlines differ by entity type: Commonwealth agencies face a hard 30-day statutory deadline (APP 12.4(a)(i) and APP 13.5(a)(i)), while organisations (private-sector entities) must respond within a reasonable period, which the OAIC says ordinarily should not exceed 30 days (APP 12.4(a)(ii) and APP 13.5(a)(ii)). State and Territory agencies are not APP entities and are governed by their own jurisdictions' privacy laws. These timelines commence the day after the request is received and require either a substantive response (granting access, making the correction) or a written refusal notice, not merely an acknowledgment.

Agencies — 30 calendar days (statutory deadline)

APP 12.4(a)(i) provides that an agency must respond to a request for access to personal information within 30 calendar days. APP 13.5 imposes an identical 30-day deadline for agencies to respond to requests to correct personal information or to associate a statement disputing the accuracy of information that the agency has refused to correct.

The Office of the Australian Information Commissioner (OAIC) APP Guidelines Chapter 12 (version 1.2, updated October 2023) state at paragraph 12.66 that the 30-day period commences on the day after the day the agency receives the request. The agency must respond by either:

  • Giving access to the personal information requested (APP 12), or correcting the information or associating a statement (APP 13), or
  • Notifying the individual in writing of its refusal to give access or to correct, with the reasons for refusal (except to the extent unreasonable to provide them), the available complaint mechanisms, and any other matter prescribed by regulation.

A mere acknowledgment of receipt does not satisfy the statutory deadline. The OAIC Guidelines paragraph 12.66 emphasize that the agency must provide substantive access or a substantive refusal decision within the 30-day window.

Impracticability and delay: The OAIC Guidelines paragraph 12.66 recognize that meeting the 30-day deadline may be impracticable in certain circumstances, such as when there is a justifiable need to clarify the scope of the individual's request, to locate and assemble the requested information across multiple systems or divisions, or to consult a third party whose interests may be affected by disclosure (for example, another individual whose personal information is intermingled with the requester's). In such cases, the agency is expected to contact the individual within the 30-day period to explain the delay and provide an expected timeframe for finalizing the request. The agency cannot unilaterally extend the statutory deadline, but proactive communication demonstrating good faith and a realistic completion date may mitigate a subsequent finding of breach if a complaint is lodged with the OAIC. The OAIC Guidelines state at paragraph 12.66 that "these are matters the Information Commissioner may examine if a complaint is made about an agency's failure to comply with the timeframe in APP 12.4(a)."

No formal extension mechanism: Unlike the Freedom of Information Act 1982 (Cth) (FOI Act), which provides statutory extension-of-time mechanisms (section 15(6) for third-party consultation, section 15AA by agreement with the applicant, and section 15AB by the Information Commissioner for complex or voluminous requests), the Privacy Act APPs 12 and 13 contain no statutory extension provisions. An agency that requires additional time beyond 30 days must either negotiate informally with the individual (obtaining the individual's consent to the delay, documented in writing) or accept the risk of a breach determination if the OAIC investigates a complaint.

Organisations — reasonable period (ordinarily 30 days)

APP 12.4(a)(ii) provides that an organisation must respond to a request for access within a reasonable period after the request is made. APP 13.5 imposes the same "reasonable period" standard for correction requests by organisations.

The OAIC APP Guidelines Chapter 12 paragraph 12.67 (access) and Chapter 13 paragraph 13.63 (correction) state the same interpretive standard: "As a general guide, a reasonable period should not exceed 30 calendar days." This is not a hard statutory floor—it is an objective standard applied in light of the circumstances—but the OAIC has consistently signaled that 30 days is the outer boundary for straightforward requests.

Factors determining reasonableness: The OAIC APP Guidelines paragraph 12.67 identify factors relevant to assessing whether a period is reasonable:

  • The scope and clarity of the request. A vague or overbroad request ("all my personal information") may require correspondence with the individual to narrow the scope, which extends the reasonable period.
  • Whether the information can be readily located and assembled. Information stored in legacy paper systems, archived databases, or third-party contractors' systems may take longer to retrieve.
  • Whether consultation with the individual or other parties is required. For example, an organisation may need to clarify the individual's identity, verify the scope of the request, or consult another entity that contributed the personal information.

The OAIC has emphasized in its Guide to Privacy Regulatory Action (Chapter 1, updated February 2023) that entities bear the burden of justifying any delay beyond 30 days; a conclusory assertion of "complexity" without evidence of the retrieval steps taken, the volume of records searched, and the personnel allocated to the request will not satisfy the reasonableness standard if the OAIC investigates a complaint.

Response obligation: As with agencies, an organisation must respond by providing substantive access or correction, or by issuing a written refusal notice that complies with APP 12.4(b) (for access) or APP 13.6 (for correction). The written refusal notice must set out the reasons for refusal (except to the extent unreasonable to provide them), the mechanisms available to complain about the refusal, and any other prescribed matter. An acknowledgment of receipt, a promise to "look into it," or a request for additional fees without a substantive decision does not constitute a response under the APPs.

Charging and the no-fee rule for requests

APP 12.8 prohibits an APP entity from charging an individual for making the request for access to personal information. An entity may charge for giving access—for example, photocopying costs, postage, or the cost of converting the information into the requested format—but the charge must not be excessive. Agencies are generally prohibited from charging for access except in limited circumstances; the OAIC Guidelines paragraph 12.76 note that agencies should provide access free of charge in almost all cases, reflecting the public-sector duty of transparency.

Organisations have greater latitude to charge for the costs of providing access, but the OAIC Guidelines paragraph 12.79 state that charges must be limited to the actual, reasonable costs incurred (clerical labor for photocopying or printing at clerical rates; professional time for reviewing a file to redact third-party information at a proportionate professional rate; postage or courier fees). Charging for the time spent searching for or locating the information, or for the time spent making the access decision, is not permitted under APP 12.8; the prohibition on charging for "making the request" extends to processing the request.

APP 13.5 imposes an absolute no-fee rule for correction requests: an APP entity must not charge the individual for making the request, for correcting the personal information, or for associating a statement with the information (if the entity has refused to correct and the individual has requested that a statement disputing the accuracy be associated with the record). This rule applies equally to agencies and organisations.

An entity that refuses to process an access or correction request unless the individual pays an upfront fee (other than a reasonable fee for giving access under APP 12.8) breaches the APPs. The OAIC Guide to Privacy Regulatory Action (Chapter 1) states that refusal to process a request on grounds of non-payment of an improper fee constitutes a separate breach of APP 12 or APP 13, in addition to any breach of the charging rules.

Interaction with the Freedom of Information Act 1982 and dual pathways for agencies

For Commonwealth agencies, the Privacy Act APPs 12 and 13 operate concurrently with the Freedom of Information Act 1982 (Cth). Section 3(1) of the Privacy Act provides that the Privacy Act does not affect the operation of other laws capable of concurrent operation. An individual seeking access to or correction of their own personal information held by a Commonwealth agency may choose to proceed under:

  • The Privacy Act APPs 12 and 13 (informal, generally faster, no application fee, 30-day response deadline, free of charge for agencies), or
  • The FOI Act (formal, 30-day decision period with statutory extension provisions, application fee may apply though waived for personal-information requests, more detailed merits-review and appeal pathways under Part VI of the FOI Act).

The OAIC APP Guidelines paragraph 12.64 and the OAIC FOI Guidelines Part 3 (updated February 2026) state that agencies should inform individuals of both pathways and explain that APP 12 and APP 13 may offer a more flexible, faster, and less formal procedure for straightforward personal-information requests. Many agencies publish administrative-access policies that encourage individuals to use the APP pathway first and to escalate to a formal FOI request if dissatisfied with the outcome or if the request involves documents beyond personal information (such as policy documents, briefings, or third-party information).

Timeframe comparison: Under the FOI Act section 15(5), an agency must make a decision on an FOI access request within 30 days after the day the agency receives the request (the same calculation method as APP 12.4(a)(i)). However, the FOI Act provides multiple extension mechanisms (sections 15(6), 15AA, 15AB) that permit the agency to extend the decision period by up to 30 additional days (or longer with the agreement of the applicant or if a practical-refusal-reason notice is issued), whereas the Privacy Act APP 12 and APP 13 contain no statutory extension provisions. Agencies that anticipate delays beyond 30 days for personal-information access or correction requests may advise the individual to lodge a formal FOI request to access the FOI Act's extension mechanisms, or may invite the individual's written consent to an informal extension of the APP response deadline.

Consequences of delay — complaint to the OAIC

Failure to respond to an access or correction request within the statutory (agencies) or reasonable (organisations) timeframe constitutes an interference with the privacy of an individual under section 13 of the Privacy Act. The individual may complain to the Office of the Australian Information Commissioner under section 36 of the Privacy Act.

Preconditions: The OAIC Guide to Privacy Regulatory Action (Chapter 1, updated February 2023) and the OAIC complaint-lodgment guidance (updated March 2026) state that the individual should generally allow the APP entity the full statutory or reasonable period to respond before lodging a complaint. For agencies, the individual should wait at least 30 days from the date the agency received the request. For organisations, the OAIC advises waiting at least 30 days and, if no response is received, sending a follow-up reminder to the organisation before escalating to the OAIC. If the organisation has still not responded 60 days after the original request, the OAIC will ordinarily accept the complaint for investigation.

Investigation and determination: If the OAIC investigates and finds that the entity failed to respond within the required timeframe, the OAIC may make a determination under section 52 of the Privacy Act that:

  • Declares that the entity has interfered with the individual's privacy;
  • Requires the entity to provide access to the personal information or to correct the information (or to associate a statement) within a specified period;
  • Requires the entity to take steps to ensure the conduct is not repeated, such as implementing systems to track and triage access and correction requests and training staff on the statutory deadlines;
  • Requires the entity to pay compensation for any loss or damage suffered by the individual, including humiliation, distress, or out-of-pocket costs incurred as a result of the delay (section 52(1A)).

The OAIC's published determinations (available at oaic.gov.au) include cases in which entities were ordered to pay compensation for delay in responding to access requests, particularly where the individual required the information urgently for litigation, employment proceedings, or medical treatment and the delay caused demonstrable harm.

Deemed refusal: Unlike the FOI Act, the Privacy Act does not recognize a statutory "deemed refusal" if an entity fails to respond within the deadline. However, the OAIC Guide to Privacy Regulatory Action (Chapter 1) states that an individual who has received no response after a reasonable period (ordinarily 30 days for organisations, 30 days for agencies) may lodge a complaint with the OAIC on the basis that the failure to respond constitutes a constructive refusal of access or correction and an interference with privacy. The OAIC will investigate the complaint and, if the entity fails to respond during the investigation, the OAIC may draw adverse inferences and make a determination requiring access or correction.

Calendar-day calculation and the day-after rule

Both the agency and organisation deadlines are calculated in calendar days, not business days. The period commences on the day after the day the agency or organisation receives the request. The OAIC APP Guidelines paragraph 12.66 (agencies) and paragraph 12.67 (organisations) confirm this calculation method, which mirrors the FOI Act section 15(5) calculation.

Example: If an agency receives an access request by email on Monday, 2 June 2025, the 30-day clock starts on Tuesday, 3 June 2025, and expires at the end of Wednesday, 2 July 2025. If 2 July 2025 falls on a Saturday, Sunday, or public holiday, the deadline is extended to the next day that is not a Saturday, Sunday, or public holiday (consistent with section 36 of the Acts Interpretation Act 1901 (Cth), which applies to the Privacy Act).

Mode of receipt: The request is "received" when it is delivered to the entity. For postal requests, this is the date the letter is delivered to the entity's business address. For email requests, the OAIC has stated that receipt occurs when the email enters the entity's mail server, not when an employee first opens or reads it. Entities that publish an APP privacy policy under APP 1.4(b) should specify the preferred method and address for lodging access and correction requests (email address, postal address, online portal) to minimize disputes about the date of receipt.
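As an added worked example (not OAIC or page code), the following Python computes the deadline described above: day 1 is the day after receipt, so the nominal last day is receipt plus 30 calendar days, and a last day that is a Saturday, Sunday or public holiday rolls forward under section 36 of the Acts Interpretation Act 1901 (Cth). The public-holiday set and the email timezone offset are constructed assumptions; a real deployment would load the relevant state or territory gazetted holidays.

```python
"""APP 12.4(a)(i) response-deadline calculator (added example, not OAIC code).

Counting rules follow the page: calendar days, clock starts the day after
receipt, weekend/public-holiday last day rolls to the next ordinary day.
"""
from datetime import date, datetime, timedelta, timezone

STATUTORY_PERIOD_DAYS = 30  # APP 12.4(a)(i): 30 days after the day of receipt

# Constructed placeholder list, not an authoritative holiday calendar.
PUBLIC_HOLIDAYS = {
    date(2025, 1, 1),    # New Year's Day
    date(2025, 12, 25),  # Christmas Day
    date(2025, 12, 26),  # Boxing Day
}


def is_non_business_day(d: date, holidays=PUBLIC_HOLIDAYS) -> bool:
    """Saturday, Sunday or a listed public holiday (the s 36 roll-forward trigger)."""
    return d.weekday() >= 5 or d in holidays


def response_deadline(received: date, holidays=PUBLIC_HOLIDAYS) -> date:
    """Last day on which a substantive response (access, correction or written
    refusal) is still within time.

    Day 1 is the day after receipt, so day 30 is receipt + 30. If that day is a
    Saturday, Sunday or public holiday, the deadline moves to the next day that
    is none of those.
    """
    deadline = received + timedelta(days=STATUTORY_PERIOD_DAYS)
    while is_non_business_day(deadline, holidays):
        deadline += timedelta(days=1)
    return deadline


def days_remaining(received: date, today: date, holidays=PUBLIC_HOLIDAYS) -> int:
    """Calendar days left before the deadline lapses; negative once overdue."""
    return (response_deadline(received, holidays) - today).days


def email_receipt_date(server_received_utc: datetime, tz_offset_hours: float) -> date:
    """Date of receipt for an emailed request.

    The page notes that receipt occurs when the message enters the entity's mail
    server, not when staff read it, so the server timestamp converted to the
    entity's local time fixes the date. tz_offset_hours (e.g. 10 for AEST) is an
    assumption of this example.
    """
    local = server_received_utc.astimezone(timezone(timedelta(hours=tz_offset_hours)))
    return local.date()


if __name__ == "__main__":
    # The page's own example: received Monday 2 June 2025, expires Wednesday 2 July 2025.
    print(response_deadline(date(2025, 6, 2)))
```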

Source: Privacy Act 1988 (Cth), Schedule 1 — Australian Privacy Principles
Source: OAIC, APP Guidelines Chapter 12: APP 12 — Access to personal information, paragraphs 12.66–12.67
Source: OAIC, APP Guidelines Chapter 13: APP 13 — Correction of personal information, paragraphs 13.63–13.64
Source: OAIC, Dealing with requests for access to personal information
Source: OAIC, Dealing with requests for correction of personal information


Identity verification for access and correction requests — APP 12 and APP 13 requirements

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

The Privacy Act 1988 (Cth) and Australian Privacy Principles 12 and 13 (APPs 12 and 13) do not prescribe specific identity documents or verification procedures that an APP entity must follow when receiving an access or correction request. Instead, the entity has discretion to determine what steps are "appropriate to verify an individual's identity" in the circumstances, subject to a reasonableness standard and a data-minimization obligation enforced by the Office of the Australian Information Commissioner (OAIC). The entity must be satisfied that the request is made by the individual to whom the personal information relates (or by an authorized representative) before releasing the information, but it must not require more personal information than is necessary to confirm identity.

Statutory foundation and the duty to verify identity

Paragraph 12.15 of the OAIC APP Guidelines Chapter 12 (version 1.2, updated October 2023) states that "an APP entity must be satisfied that a request for personal information under APP 12 is made by the individual concerned, or by another person who is authorised to make a request on their behalf, for example, a legal guardian, power of attorney or authorised agent." The OAIC emphasizes that the entity must not disclose personal information if it is not sure of the individual's identity. This obligation arises from the entity's duty under APP 11.1 to take reasonable steps to secure personal information from unauthorized access and disclosure; releasing information to an unverified requester would breach both APP 11.1 (security) and APP 12 (access control).

The same identity-verification requirement applies to correction requests under APP 13. Paragraph 13.23 of the OAIC APP Guidelines Chapter 13 (version 1.1, February 2014) provides that "an APP entity must be satisfied that a request to correct personal information under APP 13 is made by the individual concerned, or by another person who is authorised to make a request on their behalf, for example, a legal guardian or authorised agent." Paragraph 13.23 cross-references the Chapter 12 guidance on identity verification and states that "the steps appropriate to verify an individual's identity will depend on the circumstances, and in particular, whether the individual is already known to or readily identifiable by the entity."

Context-sensitive reasonableness standard

Paragraph 12.17 of the OAIC APP Guidelines Chapter 12 establishes a context-sensitive reasonableness test. The paragraph states:

> "The steps appropriate to verify an individual's identity will depend on the circumstances. In particular, whether the individual is already known to or readily identifiable by the APP entity, the sensitivity of the personal information and the possible adverse consequences for the individual of unauthorised disclosure. The minimum amount of personal information needed to establish an individual's identity should be sought."

The OAIC identifies three principal factors that govern the appropriate level of verification:

  1. Whether the individual is already known to or readily identifiable by the entity. If the entity has an existing relationship with the individual (for example, the individual is a current customer, employee, patient, or student), the entity may already hold sufficient identifying information (such as the individual's name, date of birth, address, customer account number, or employee ID) to confirm identity with minimal additional information. The OAIC's own Privacy Policy (updated October 2025) provides an example: "During a telephone contact it may be adequate for the OAIC to request information like your name and date of birth for that information to be checked against its records." In this scenario, the entity asks the individual to provide two pieces of information that can be cross-checked against the entity's existing records, without requiring production of identity documents.
  2. The sensitivity of the personal information requested. More sensitive information (health records, financial information, police records, child-protection information, genetic information, or biometric data) justifies more rigorous identity verification. For example, paragraph 12.69(b) of the OAIC APP Guidelines Chapter 12 notes that "it may be unreasonable to give access to information of a highly sensitive nature by telephone if the APP entity cannot sufficiently verify the individual's identity over the telephone." Conversely, if the personal information is low-sensitivity administrative information (for example, a mailing address or a subscription preference), a simpler verification process may be reasonable.
  3. The possible adverse consequences for the individual of unauthorized disclosure. If unauthorized disclosure could cause serious harm to the individual (identity theft, financial fraud, stalking, domestic violence risk, reputational harm, or discrimination), the entity must apply stricter verification. The OAIC APP Guidelines paragraph 12.17 explicitly references "the possible adverse consequences for the individual of unauthorised disclosure" as a factor determining the appropriate verification steps. For example, an entity holding victim-services records or domestic-violence-support records should apply more stringent verification to prevent an abusive partner from impersonating the individual to obtain their contact information or service-use history.

Data minimization obligation — "minimum amount of personal information"

Paragraph 12.17 of the OAIC APP Guidelines imposes an affirmative data-minimization obligation: "The minimum amount of personal information needed to establish an individual's identity should be sought." This principle is reiterated in the OAIC's practical guidance publication Dealing with requests for access to personal information (updated July 2025), which states at step 2 ("Verify identity"): "Ask the individual for any evidence you may reasonably need to confirm their identity. However, sufficient flexibility should be provided to enable individuals who may not have a particular form of identification to be able to access their own personal information."

The data-minimization obligation has two operational consequences:

  • The entity cannot require a specific form of identification if an alternative method would be sufficient. For example, the entity cannot require a driver's license if the individual does not drive and can instead provide a passport, Medicare card, or other government-issued identifier. The OAIC guidance emphasizes "sufficient flexibility" to accommodate individuals who may not possess the entity's preferred form of ID.
  • The entity should avoid collecting or retaining copies of identity documents if sighting the document is sufficient. Paragraph 12.17 of the APP Guidelines states (in the full version 1.0 PDF, February 2014): "Where possible, the personal information should be sighted rather than copied or collected for inclusion in a record. For example, in a face-to-face dealing with an individual, an entity may be able to record that an identity document was sighted without" [retaining a copy]. The OAIC's Dealing with requests for access guidance reiterates this at step 2: "It is preferable to simply sight identity documents, rather than make copies and retain these in your records." If the entity collects a copy of the identity document (for example, a photocopy or scan of a driver's license or passport), the entity creates a new record of personal information subject to the full suite of APPs, including APP 11 security obligations, APP 11.2 destruction obligations once no longer needed, and APP 12 and APP 13 access and correction rights. To avoid this compliance burden, entities should sight and verify identity documents in real time (in person or via video call) and record only a notation that verification was completed (for example, "ID verified: sighted driver's license number ending [last 4 digits] on [date]"), rather than retaining a full copy of the document.

Examples of reasonable verification methods

The OAIC has not published a prescriptive list of acceptable identity documents or verification procedures, reflecting the context-sensitive standard under paragraph 12.17. The OAIC's published guidance and enforcement determinations identify the following verification methods as reasonable in various contexts:

For low-sensitivity information and known individuals (existing customers, employees, members):

  • Knowledge-based verification: Ask the individual to confirm two or more pieces of information already held by the entity (full name, date of birth, account number, employee ID, address, recent transaction details, or the answer to a security question set during account creation). This method is common for telephone or online portal requests and is illustrated by the OAIC's own practice (OAIC Privacy Policy, October 2025: "request information like your name and date of birth for that information to be checked against its records").
  • Multi-factor authentication (MFA) via an existing account: If the entity operates a secure online portal with multi-factor authentication (username/password plus SMS verification code, authenticator app, or email confirmation link), successful login to the portal may constitute sufficient verification for routine access requests. The individual's successful authentication proves possession of the registered credentials and the second factor (mobile phone or email account).

For sensitive information, new requesters, or remote requests where the individual is unknown to the entity:

  • Government-issued photo identification: Sight (in person or via a secure video call) or receive a certified copy of a driver's license, passport, national identity card, proof-of-age card, or other government-issued photo ID. The entity should verify that the photograph, name, date of birth, and document number match the request and, where possible, should not retain a photocopy of the entire document but instead record the type of document, the document number (or last four digits), and the date of verification.
  • Document Verification Service (DVS): For entities that are approved Gateway Service Providers (GSPs) or business users of the Australian Government's Document Verification Service (DVS), the entity may submit the individual's name, date of birth, and document details (driver's license number, passport number, Medicare card number, or visa grant number) to the DVS for real-time matching against the issuing agency's records (state/territory driver-license registries, Department of Foreign Affairs and Trade passport records, or Department of Home Affairs visa records). The DVS returns a "verified" or "not verified" result without disclosing the full record. The OAIC has conducted multiple assessments of DVS GSPs (VIX Verify / greenID, Trulioo, Data Zoo) and has found this method to be consistent with the APPs when the GSP and the entity (business user) provide individuals with appropriate APP 5 notification of the DVS check and obtain consent where required by the DVS Terms and Conditions.
  • 100-point identification check: Some entities (particularly financial institutions and telecommunications providers subject to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) customer-due-diligence requirements) apply a 100-point identification standard, in which the individual provides combinations of primary documents (passport, birth certificate, citizenship certificate: 70 points each), secondary documents (driver's license, proof-of-age card: 40 points), and tertiary documents (Medicare card, utility bill, bank statement: lower point values) to reach a cumulative total of 100 points. The OAIC has not prescribed this method for APP 12 or APP 13 purposes, but entities may choose to apply it for consistency with their AML/CTF identity-verification procedures, provided the method satisfies the reasonableness and data-minimization requirements of paragraph 12.17. The OAIC's Template privacy collection notice for reporting entities under the AML/CTF Act (updated April 2026) illustrates that entities subject to AML/CTF customer-due-diligence obligations collect personal information "to establish and verify your identity before providing certain services to you" and may disclose information "to third-parties to assist with AML/CTF obligations including identity verification."

For high-risk situations (suspected impersonation, domestic-violence context, or child-protection records):

  • In-person verification with photo ID: Require the individual to attend a physical office or service center and present government-issued photo identification for face-to-face verification by trained staff.
  • Certified copy by authorized certifier: Require the individual to provide a certified copy of identity documents, certified by a Justice of the Peace, lawyer, pharmacist, or other authorized certifier under the Statutory Declarations Act 1959 (Cth) or state/territory certification schemes.
  • Video verification: Conduct a live video call (via a secure platform) during which the individual displays their government-issued photo ID to the camera, allowing the entity's staff to compare the photograph to the live image and verify the document details in real time.
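As an added example (not OAIC code or a procedure the page prescribes), the following Python ties together three points from the preceding sections: mapping the three paragraph 12.17 factors to one of the verification tiers listed above, the knowledge-based check against records the entity already holds for a known individual, and the "sight, don't copy" notation from the data-minimization section, which retains only the document type, the last four characters and the date. The tier labels, record field names and the two-match threshold are assumptions of this example.

```python
"""Identity-verification helpers reflecting OAIC APP Guidelines para 12.17
(added example, not OAIC code). Field names, tier labels and thresholds are
assumptions; real deployments map them to the entity's own records and policy.
"""
from dataclasses import dataclass
from datetime import date
import hmac


def required_tier(known_individual: bool, sensitivity: str, adverse_consequence: str) -> str:
    """Map the three para 12.17 factors to a verification tier.

    sensitivity is "low" or "high"; adverse_consequence is "low" or "serious".
    Tier labels are this example's own names for the three lists on the page.
    """
    if adverse_consequence == "serious":
        return "in_person_or_certified"   # high-risk list: in person, certified copy, live video
    if sensitivity == "high" or not known_individual:
        return "government_photo_id"      # sensitive/unknown/remote list: photo ID, DVS, 100-point
    return "knowledge_based_or_mfa"       # low-sensitivity, known-individual list


def _matches(held: str, supplied: str) -> bool:
    # Normalise case and whitespace; compare_digest keeps comparison time
    # independent of where the first differing character is.
    a = held.strip().casefold().encode()
    b = supplied.strip().casefold().encode()
    return hmac.compare_digest(a, b)


def knowledge_based_verify(held_record: dict, supplied: dict,
                           required_matches: int = 2) -> tuple[bool, list[str]]:
    """Confirm identity from details the entity already holds (known individual).

    Only fields the individual actually supplied are compared, so the entity is
    not prompting for more than the minimum information (para 12.17). Any
    mismatch fails the check regardless of how many other fields matched.
    Returns (verified, fields_checked).
    """
    checked, matched, mismatched = [], 0, 0
    for field, value in supplied.items():
        if field not in held_record:
            continue  # nothing held to compare against; neither a match nor a mismatch
        checked.append(field)
        if _matches(str(held_record[field]), str(value)):
            matched += 1
        else:
            mismatched += 1
    return matched >= required_matches and mismatched == 0, checked


@dataclass(frozen=True)
class SightingRecord:
    """What is retained after a document is sighted: a notation, not a copy."""
    document_type: str
    number_suffix: str   # last four characters only
    verified_on: date
    method: str          # e.g. "in person" or "video call"

    def notation(self) -> str:
        return (f"ID verified: sighted {self.document_type} number ending "
                f"{self.number_suffix} on {self.verified_on.isoformat()} ({self.method})")


def record_sighting(document_type: str, full_number: str, verified_on: date,
                    method: str = "in person") -> SightingRecord:
    """Build the retained notation from a document sighted in real time.

    The full number is used only to derive the suffix and is not stored, so no
    new APP 11 / APP 11.2 record of the document itself is created.
    """
    compact = full_number.replace(" ", "")
    if len(compact) < 4:
        raise ValueError("document number too short to derive a suffix")
    return SightingRecord(document_type, compact[-4:], verified_on, method)


def retains_full_identifier(record: SightingRecord, full_number: str) -> bool:
    """Compliance self-check: True if the full document number survives in the record."""
    return full_number.replace(" ", "") in repr(record)
```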

Authorized representatives — third-party requests

An APP entity must release personal information to an authorized representative of the individual if the representative can establish their authority and identity. Paragraph 12.15 of the OAIC APP Guidelines Chapter 12 and paragraph 13.23 of Chapter 13 recognize that a request may be made "by another person who is authorised to make a request on [the individual's] behalf, for example, a legal guardian, power of attorney or authorised agent."

The entity must verify both (a) the identity of the representative, and (b) the representative's authority to act on behalf of the individual. Examples of authorized representatives and the documentation the entity may reasonably require include:

  • Parent or legal guardian of a child under 18 (or under the age of capacity in the relevant state or territory): The entity may request the child's birth certificate (naming the parent as the parent) or a court order granting guardianship, plus photo ID for the parent.
  • Attorney under an enduring power of attorney or general power of attorney: The entity may request a certified copy of the power-of-attorney instrument (showing the authority to access personal information or handle the individual's affairs generally) and photo ID for the attorney. The OAIC APP Guidelines do not specify whether the power of attorney must expressly authorize requests for personal information, but best practice is to verify that the instrument's scope covers the subject matter of the request (for example, a medical power of attorney for health records, or a financial power of attorney for financial records).
  • Executor or administrator of a deceased estate: The entity may request a copy of the grant of probate or letters of administration, plus photo ID for the executor. Note that once the individual is deceased, information about the deceased is no longer "personal information" under section 6(1) of the Privacy Act (which defines personal information as information about an "individual," and section 6C defines "individual" to mean "a natural person"), and the APPs no longer apply. However, many entities choose to apply APP-equivalent procedures administratively when releasing information about deceased individuals to executors or next of kin.
  • Authorized agent retained by the individual: The entity may request a signed written authorization from the individual (on letterhead or with a wet signature, or digitally signed), specifying that the agent is authorized to request access to or correction of the individual's personal information, plus photo ID for the agent. The entity should verify the individual's signature or confirm the authorization directly with the individual (for example, by calling the individual at a telephone number already on file and asking the individual to confirm that they have authorized the agent).

The OAIC Dealing with requests for access guidance states at step 2: "You must ensure that the request is made by the individual concerned, or by another person who is authorised to make a request on their behalf, for example, a legal guardian, power of attorney or authorised agent."

No formal procedure; entity may recommend but cannot require a specific process

APP 12 does not stipulate formal requirements for making a request, and the entity cannot require the individual to use a particular form, method, or procedure. Paragraph 12.18 of the OAIC APP Guidelines Chapter 12 (version 1.0, February 2014) states: "There are no formal requirements under APP 12 for an individual to make an access request. You may ask an individual to follow a particular procedure, such as filling out a form, but you cannot require individuals to do this." The OAIC's Dealing with requests for access guidance (July 2025) reiterates: "You may ask an individual to follow a particular procedure, such as filling out a form, but you cannot require individuals to do this. However, developing a simple process may assist both yourself and the individual when dealing with access requests."

This means the entity may recommend or invite the individual to complete a request form (which may include fields for identity verification, such as name, date of birth, account number, and a declaration that the requester is the individual or an authorized representative), but the entity must accept requests made by email, letter, telephone, or in person, even if the individual does not use the entity's preferred form. If the entity receives an informal request, the entity may respond by asking the individual to provide additional information for identity verification, but the entity must process the request once the individual has provided sufficient information to verify identity and specify the personal information sought.

Pseudonymous requests and APP 2

Paragraph 12.16 of the OAIC APP Guidelines Chapter 12 addresses pseudonymous access requests. The paragraph states: "It would generally be impracticable for an APP entity to deal with an anonymous request for personal information. However, it may be practicable to deal with a pseudonymous request, for example, where the individual has previously transacted under that pseudonym, can establish their identity as that individual and the request for access relates to information about that pseudonymous identity (see Chapter 2 (APP 2))."

If the entity has collected and holds personal information about an individual under a pseudonym (for example, a username, alias, or code), and the individual can establish that they are the person who transacted under that pseudonym, the entity may give access to the pseudonymous record without requiring the individual to reveal their legal name or other government-issued identity. The individual must still verify their identity as the pseudonymous user — for example, by logging into the account with the username and password, or by answering security questions associated with the pseudonym. This principle accommodates individuals who have a legitimate privacy interest in maintaining pseudonymity (for example, users of domestic-violence support services, LGBTQ+ support services, or whistleblower hotlines).

Consequences of inadequate verification — breach of APP 11.1 and APP 12

If the entity releases personal information to a requester without adequate identity verification, and the requester is not in fact the individual to whom the information relates, the entity commits an interference with the privacy of the individual under section 13 of the Privacy Act. The disclosure constitutes a breach of APP 11.1 (failure to take reasonable steps to protect personal information from unauthorized access, modification, or disclosure) and may also breach APP 6.1 (use or disclosure of personal information for a purpose other than the primary purpose of collection, absent an exception).

The individual may complain to the OAIC under section 36 of the Privacy Act. The OAIC may investigate and, if it finds a breach, may make a determination under section 52 requiring the entity to take steps to prevent recurrence (such as implementing stricter identity-verification procedures, staff training, and audit controls) and to pay compensation for any loss or damage suffered by the individual, including non-economic loss such as humiliation, distress, or anxiety arising from the unauthorized disclosure. The OAIC may also exercise civil-penalty powers under Part 6 of the Privacy Act if the breach was serious or repeated.

The OAIC's published determinations (available at oaic.gov.au) include cases in which entities were found to have breached APP 11.1 by releasing personal information to third parties without adequate identity verification, resulting in orders for compensation and systemic remediation.

Interaction with APP 11 security obligations and privacy-invasive verification

Paragraph 11.9 of the OAIC APP Guidelines Chapter 11 (version 1.3, updated October 2025) cross-references the identity-verification guidance in Chapter 12 and cautions that "while an APP entity should ensure that an individual is authorised to access information, it should not require an individual to supply more information than is necessary to identify themselves when dealing with the entity (see also Chapter 12 (APP 12))."

This caution reinforces the data-minimization obligation in paragraph 12.17. The entity must strike a balance: verification must be rigorous enough to prevent unauthorized disclosure (APP 11.1), but it must not be so onerous or intrusive that it collects excessive personal information in the verification process itself (APP 3.1 and APP 3.3, which prohibit collection of personal information unless it is reasonably necessary for the entity's functions or activities). An entity that demands biometric scans, full copies of multiple identity documents, utility bills, bank statements, and statutory declarations for a routine low-sensitivity access request would likely breach the reasonableness and data-minimization obligations under paragraphs 11.9 and 12.17.

Source: Privacy Act 1988 (Cth), Schedule 1 — Australian Privacy Principles
Source: OAIC, APP Guidelines Chapter 12: APP 12 — Access to personal information, paragraphs 12.15–12.17
Source: OAIC, APP Guidelines Chapter 13: APP 13 — Correction of personal information, paragraph 13.23
Source: OAIC, Dealing with requests for access to personal information
Source: OAIC, APP Guidelines Chapter 11: APP 11 — Security of personal information, paragraph 11.9
Source: OAIC Privacy Policy (identity verification example)


Identity verification — Requirements and proportionality under APPs 12 and 13

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

APP entities responding to access and correction requests under Australian Privacy Principles 12 and 13 (APPs 12 and 13) must verify the identity of the requester before disclosing personal information, but the verification burden must be proportionate to the sensitivity of the information and the risk of unauthorized disclosure. The Privacy Act 1988 (Cth) imposes no formal identity-proofing requirements; instead, the Office of the Australian Information Commissioner (OAIC) applies a reasonableness standard that balances security against accessibility, with particular emphasis on avoiding disproportionate barriers for vulnerable individuals who may lack standard government-issued identification.

Statutory foundation — implied verification duty

Neither APP 12 (access) nor APP 13 (correction) explicitly states that an entity must verify the requester's identity. However, the OAIC APP Guidelines Chapter 12 (version 1.2, updated October 2023) state at paragraph 12.15 that "an APP entity must be satisfied that a request for personal information under APP 12 is made by the individual concerned, or by another person who is authorised to make a request on their behalf, for example, a legal guardian, power of attorney, or authorised agent." The APP Guidelines Chapter 13 (correction) contain an identical requirement at paragraph 13.23.

This duty arises implicitly from APP 11.1, which requires APP entities to take reasonable steps to protect personal information from unauthorized access, modification, or disclosure. Disclosing personal information to an imposter in response to a purported access request would constitute a breach of APP 11.1 (security) and potentially APP 6.1 (use or disclosure for a secondary purpose without a permitted basis). The OAIC has stated in enforcement proceedings that entities bear the burden of implementing identity verification processes sufficient to prevent unauthorized access, and that failure to do so may result in an interference-with-privacy determination under section 13 of the Privacy Act and, in serious cases, civil penalties under section 13G.

Proportionality and risk-based standard — OAIC Guidelines paragraphs 12.17 and 13.23

The OAIC APP Guidelines Chapter 12 paragraph 12.17 provide the interpretive standard: "The steps appropriate to verify an individual's identity will depend on the circumstances. In particular, whether the individual is already known to or readily identifiable by the APP entity, the sensitivity of the personal information and the possible adverse consequences for the individual of unauthorised disclosure."

Factors determining the appropriate level of verification:

  • Pre-existing relationship: If the individual is an existing customer, employee, or client and the request is made through a known communication channel (e.g., the individual telephones from their registered phone number, emails from their registered email address, or attends in person and is recognized by staff), minimal additional verification may be required. The OAIC's Dealing with requests for access to personal information (July 2025) states that "if a regular client requests access during an appointment, it is unnecessary to verify identity further."
  • Sensitivity of the personal information: The OAIC APP Guidelines paragraph 12.17 and the OAIC's Guide to Securing Personal Information (June 2025) state that highly sensitive information — including health information (medical diagnoses, treatment records, mental health assessments), financial information (bank account numbers, credit card details, tax file numbers), biometric data, or information about children — requires more rigorous verification. The APP Guidelines paragraph 12.17 specifically state that "it may be unreasonable to give access to information of a highly sensitive nature by telephone if the APP entity cannot sufficiently verify the individual's identity over the telephone."
  • Adverse consequences of unauthorized disclosure: If unauthorized disclosure could cause serious harm — for example, disclosure of a domestic violence victim's address, a whistleblower's identity, or confidential commercial information in a business context — the entity must employ stronger verification measures. The OAIC has emphasized in enforcement determinations that entities handling sensitive information must apply a higher bar for identity verification and must document the verification steps taken.
  • Mode of the request: In-person requests at a physical location where staff can sight government-issued photo identification (driver's licence, passport) present lower impersonation risk than remote requests by email, telephone, or web portal. However, the OAIC Guidelines paragraph 12.15 and the OAIC's practical guidance state that entities may not require an in-person appearance as the sole method of verifying identity; they must accommodate remote requests and apply verification methods appropriate to the channel.

Minimum-information principle — APP Guidelines paragraph 12.17

The OAIC APP Guidelines Chapter 12 paragraph 12.17 impose a data minimization obligation on identity verification: "The minimum amount of personal information needed to establish an individual's identity should be sought." This principle reflects APP 3 (collection), which requires entities to collect only personal information that is reasonably necessary for one or more of their functions or activities.

Practical implications:

  • An entity should not demand production of multiple forms of government-issued identification (passport, driver's licence, birth certificate) if one suffices, unless the sensitivity of the information or the risk profile justifies layered verification.
  • An entity should sight identity documents rather than copy or retain them, where practicable. The APP Guidelines paragraph 12.17 state: "Where possible, the personal information should be sighted rather than copied or collected for inclusion in a record." The OAIC's Dealing with requests for access to personal information (July 2025) reinforces this at paragraph 2.3: "It is preferable to simply sight identity documents, rather than make copies and retain these in your records."
  • If the entity does copy an identity document (for example, when the request is made remotely and the individual emails a scan of their driver's licence), the entity must comply with APP 11.2 and destroy or de-identify the copy once the verification is complete and the copy is no longer needed for any permitted purpose (including defense of a complaint about the access decision).

Flexible verification methods — accommodating individuals without standard ID

The OAIC has consistently emphasized that entities must offer flexible verification pathways to avoid excluding individuals who lack government-issued photo identification, including homeless individuals, survivors of domestic violence who have fled without documents, recent migrants or refugees, elderly individuals who do not drive and do not hold a passport, and individuals with disabilities.

The OAIC's Dealing with requests for access to personal information (July 2025) states at paragraph 2.3: "Sufficient flexibility should be provided to enable individuals who may not have a particular form of identification to be able to access their own personal information." The APP Guidelines Chapter 12 do not prescribe specific acceptable forms of identification, instead requiring a functional approach focused on whether the entity has reasonable grounds to believe the requester is the individual to whom the personal information relates.

Alternative verification methods recognized by the OAIC:

  • Knowledge-based authentication: The entity asks the individual to provide information that only the true individual would know, such as recent transaction details, account numbers, dates of service, or answers to security questions previously set by the individual. The OAIC's own privacy policy (updated October 2025) states: "During a telephone contact it may be adequate for the OAIC to request information like your name and date of birth for that information to be checked against its records."
  • Document alternatives: If the individual does not have a driver's licence or passport, the entity may accept other forms of identity documents including Medicare card, utility bills showing name and address, bank statements, payslips, or a statutory declaration made by a justice of the peace or other authorized witness attesting to the individual's identity.
  • Trusted intermediary or advocate: For individuals who cannot verify their identity through standard channels (e.g., individuals with cognitive disability, individuals experiencing homelessness), the entity may accept a request made through a legal guardian, advocate, case worker, or authorized representative, provided the entity verifies the authority of the intermediary to act on behalf of the individual (for example, by sighting guardianship orders, power of attorney documentation, or written authorization from the individual).

The OAIC has stated in its Privacy compliance and enforcement policy (February 2023) that an entity that refuses to process an access or correction request on the ground that the individual cannot produce government-issued photo identification, without offering alternative verification pathways, may breach APP 12 or APP 13. The entity must demonstrate that it made reasonable efforts to accommodate the individual's circumstances before refusing the request on identity-verification grounds.

Verification in remote and digital contexts — email, web portal, telephone

As access requests increasingly arrive via email, web portal, or telephone, entities must adapt identity verification to remote channels. The OAIC APP Guidelines and practical guidance recognize that the same proportionality standard applies, but the verification methods differ by medium.

Email requests: If an individual emails a request from an email address that is not registered with the entity, the entity should respond by asking the individual to confirm additional identifying information (e.g., date of birth, account number, recent transaction details) or to provide a copy of photo identification. If the individual emails from their registered email address on file with the entity, that fact provides a degree of assurance (the individual has access to the email account associated with their record), but the entity should assess whether the sensitivity of the information justifies additional verification. The OAIC's AML/CTF guidance for financial institutions (April 2026) states: "The information you have collected and verified about the customer for the purposes of complying with your customer due diligence obligations may help you do this, as the individual's identity will already be known to you."

Web portals and online self-service: Many entities offer online portals where individuals can log in with a username and password (or multi-factor authentication) to view and update their personal information. The OAIC APP Guidelines Chapter 13 paragraph 13.23 recognize that "an online portal through which individuals can access and correct their personal information is an example of an informal arrangement that may provide a fast and easy means of correction, and that can qualify as an APP 13 'request' procedure." If the individual has authenticated to the portal using credentials that the entity previously verified (e.g., by email confirmation, SMS one-time passcode, or knowledge-based authentication at account setup), the entity has satisfied the verification requirement for subsequent requests made through the portal. However, the entity must ensure the authentication mechanism is proportionate to the sensitivity of the personal information accessible through the portal. For highly sensitive information (health records, financial account details), the OAIC expects multi-factor authentication or equivalent strong controls.

Telephone requests: The OAIC APP Guidelines paragraph 12.17 state that entities should be cautious about disclosing highly sensitive information over the telephone if they "cannot sufficiently verify the individual's identity over the telephone." Acceptable telephone verification methods include asking the individual to confirm details from their record (account number, recent transaction, date of birth, address), comparing the caller's voice to previous interactions if the entity has voice records, or calling the individual back on a registered phone number. An entity may decline to provide highly sensitive information by telephone and instead offer to send the information by secure post to the individual's registered address, or invite the individual to attend in person or to submit a written request with identity documentation.
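The proportionality factors above (existing relationship, sensitivity, adverse consequences, channel) and the minimum-information principle can be expressed as a small verification policy. The following is an added illustration, not OAIC guidance or any entity's actual procedure: the three-tier assurance scale, the channel ratings, the tier discount for known individuals and the information lists are all assumptions chosen to mirror the text, and the channel names are hypothetical labels.

```python
"""Proportionate identity-verification policy for APP 12/13 requests.

Added illustration, not OAIC or Privacy Act text. It turns the factors in
APP Guidelines paragraph 12.17 (existing relationship, sensitivity, adverse
consequences, channel) into a required assurance tier and the minimum
information to ask for. Tier thresholds, channel ceilings and information
lists are assumptions, not figures prescribed by the Guidelines.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    """Assumed three-tier scale of how confident the entity must be."""
    BASIC = 1      # known client, low-risk record
    STANDARD = 2   # ordinary personal information
    STRONG = 3     # highly sensitive or serious-harm information


# Highest assurance a channel can reach on its own (assumption). A plain
# telephone call cannot reach STRONG; a call-back on a registered number can.
CHANNEL_CEILING = {
    "in_person_photo_id": Assurance.STRONG,
    "portal_mfa": Assurance.STRONG,
    "portal_password": Assurance.STANDARD,
    "email_registered": Assurance.STANDARD,
    "email_unregistered": Assurance.BASIC,
    "telephone": Assurance.STANDARD,
    "telephone_callback_registered": Assurance.STRONG,
}

# Minimum-information principle: ask for the least needed at each tier.
MINIMUM_INFORMATION = {
    Assurance.BASIC: ["name", "date of birth"],
    Assurance.STANDARD: ["name", "date of birth",
                         "account number or recent transaction"],
    Assurance.STRONG: ["one government photo ID sighted (not copied)",
                       "secondary proof such as Medicare card"],
}


@dataclass
class AccessRequest:
    channel: str
    highly_sensitive: bool          # health, financial, biometric, children
    serious_harm_if_leaked: bool    # e.g. a DV victim's address
    known_individual: bool          # existing client on a registered channel


@dataclass
class VerificationPlan:
    required: Assurance
    sufficient_on_channel: bool
    ask_for: list
    escalate_to: list = field(default_factory=list)


def required_assurance(req):
    """Compose the 12.17 factors into one required tier (assumed rules)."""
    tier = Assurance.STRONG if req.highly_sensitive else Assurance.STANDARD
    if req.serious_harm_if_leaked:
        tier = Assurance.STRONG
    # A known client on a registered channel needs less, but the discount is
    # never applied where unauthorised disclosure could cause serious harm.
    if req.known_individual and not req.serious_harm_if_leaked:
        tier = Assurance(max(Assurance.BASIC, tier - 1))
    return tier


def plan_verification(req):
    """Return what to ask for on this channel, or where to escalate instead."""
    if req.channel not in CHANNEL_CEILING:
        raise ValueError(f"unknown channel: {req.channel}")
    need = required_assurance(req)
    reachable = CHANNEL_CEILING[req.channel] >= need
    plan = VerificationPlan(need, reachable, list(MINIMUM_INFORMATION[need]))
    if not reachable:
        # Do not disclose on this channel; offer the alternatives the
        # guidance describes rather than collecting more data over it.
        plan.ask_for = []
        plan.escalate_to = [
            "call back on registered number",
            "secure post to registered address",
            "in-person attendance with photo ID",
            "written request with identity documentation",
        ]
    return plan
```

The point of separating `required_assurance` from `CHANNEL_CEILING` is that a channel that cannot reach the required tier produces an escalation rather than a longer list of questions; piling extra identifying questions onto a telephone call would collect more than is necessary, which is the excessive-verification failure the guidance warns against.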

The OAIC APP Guidelines Chapter 12 paragraph 12.15 and Chapter 13 paragraph 13.23 recognize that requests may be made by "another person who is authorised to make a request on their behalf, for example, a legal guardian, power of attorney, or authorised agent." The entity must verify both the identity of the representative and the representative's authority to act on behalf of the individual.

Verification of authority depends on the type of representative:

  • Legal guardian (appointed under state or territory guardianship legislation for a person with impaired decision-making capacity): The entity should sight the guardianship order or appointment documentation issued by the relevant state or territory tribunal (e.g., Victorian Civil and Administrative Tribunal, NSW Civil and Administrative Tribunal, Queensland Civil and Administrative Tribunal). The order will specify the scope of the guardian's powers, including whether the guardian has authority to access and correct personal information.
  • Attorney under power of attorney (enduring power of attorney or general power of attorney): The entity should sight the power of attorney instrument. An enduring power of attorney for personal or health matters typically authorizes the attorney to access health information and make health decisions on behalf of the principal. A general power of attorney for financial matters authorizes the attorney to deal with the principal's financial affairs, including accessing financial records. The entity must confirm that the power of attorney is valid (not revoked), that it covers the type of personal information being requested, and (for enduring powers) that any activation conditions have been met (e.g., loss of capacity by the principal, as certified by a medical practitioner if required by the instrument).
  • Authorized agent (a person authorized by the individual in writing to make the request): The entity should sight written authorization from the individual, signed and dated, specifying the agent's name and the scope of authority (e.g., "I authorize [Agent Name] to request access to my account records held by [Entity] on my behalf"). The entity may contact the individual directly (by telephone or email to a registered contact) to confirm that they have authorized the agent, particularly if the information is highly sensitive.
  • Parent or legal guardian of a child: For requests concerning a child's personal information, the entity must determine whether the requester has parental responsibility or guardianship. The OAIC APP Guidelines Chapter B (Key Concepts) state that a parent generally has authority to access a child's personal information, but the entity should consider the child's age and maturity: for older children (particularly teenagers), the entity should, where practicable, seek the child's consent to disclosure to the parent, or should provide the information directly to the child if the child is capable of understanding the request and the Privacy Act does not require parental consent. The entity should sight a birth certificate, court order, or other documentation evidencing parental responsibility if there is any uncertainty (for example, where separated parents dispute access, or where a non-parent claims guardianship).

The entity must apply the same proportionality principle to verification of representatives: the OAIC expects more rigorous verification of authority when the information is highly sensitive or when there is a risk of unauthorized access by a person falsely claiming to be a representative.

Consequences of inadequate or excessive verification

Inadequate verification — disclosing personal information to an imposter because the entity failed to verify identity — constitutes a breach of APP 11.1 (security) and potentially APP 6.1 (unauthorized use or disclosure). The individual whose information was wrongly disclosed may complain to the OAIC under section 36 of the Privacy Act. The OAIC may investigate and, if it finds an interference with privacy, may make a determination under section 52 requiring the entity to pay compensation for loss or damage (including humiliation and distress), to implement stronger identity verification procedures, and to provide staff training. In serious cases (particularly involving sensitive information or a pattern of failures), the OAIC may seek civil penalties under section 13G, which were significantly increased by the Privacy and Other Legislation Amendment Act 2024.

Excessive verification — refusing to process a request because the individual cannot satisfy disproportionately stringent identity requirements, or because the entity demands forms of identification that are not reasonably necessary in the circumstances — constitutes a breach of APP 12 (access) or APP 13 (correction). The OAIC's Guide to Privacy Regulatory Action (Chapter 1, updated February 2023) and published determinations make clear that an entity cannot refuse an access or correction request merely because the individual lacks government-issued photo identification if the entity has not offered alternative verification pathways appropriate to the individual's circumstances. The individual may complain to the OAIC, which may investigate and determine that the entity must process the request using alternative verification methods and must pay compensation for any delay or harm caused by the refusal.

Privacy-invasive security measures — APP 11.1(c)

The OAIC APP Guidelines Chapter 11 (Security) paragraph 11.9 and Chapter 12 paragraph 12.17 incorporate a proportionality limitation derived from APP 11.1(c), which requires entities to consider "whether a security measure is in itself privacy invasive." The APP Guidelines state: "While an APP entity should ensure that an individual is authorised to access information, it should not require an individual to supply more information than is necessary to identify themselves when dealing with the entity."

Practical implications:

  • An entity should not require an individual to provide their tax file number, biometric data (fingerprint, facial scan), or other highly sensitive information for identity verification purposes unless the nature of the personal information being requested is equally or more sensitive and the risk profile justifies the intrusive verification method. For example, a health provider might reasonably use knowledge-based authentication (confirm date of birth and recent appointment date) rather than demanding production of a passport for routine access to appointment records, but might require stronger verification (photo ID and Medicare card) for access to HIV test results or mental health records.
  • An entity should not collect and retain copies of identity documents in its records as a standard practice if sighting the document and recording the verification (e.g., "Driver's licence [number] sighted on [date] by [staff member]") suffices. Retaining the copy creates an ongoing security obligation under APP 11.1 and a destruction obligation under APP 11.2 once the copy is no longer needed.
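A verification record that captures "sighted, not copied", and a destruction schedule for the copies that remote requests sometimes force an entity to keep, can be modelled directly. The block below is an added example, not an OAIC artefact or any entity's records system: the masking rule, the one-year complaint window used to decide when a copy is no longer needed, and the sample document numbers are all constructed assumptions.

```python
"""Verification record and identity-document retention (APP 11.1 / 11.2).

Added illustration, not an OAIC artefact. It records that a document was
sighted without keeping a copy and, where a copy had to be kept (e.g. an
emailed scan), tracks when it must be destroyed or de-identified. The
complaint window and the masking rule are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed period during which a copy may still be needed to defend a
# complaint about the access decision; not a statutory figure.
COMPLAINT_WINDOW_DAYS = 365


def mask_reference(document_number):
    """Keep only the last three characters so the record is not itself a copy."""
    tail = document_number[-3:]
    return "*" * max(0, len(document_number) - 3) + tail


@dataclass
class VerificationRecord:
    request_id: str
    document_type: str
    reference: str                 # masked, never the full number
    verified_by: str
    verified_on: date
    copy_retained: bool = False
    copy_destroyed_on: Optional[date] = None
    request_closed_on: Optional[date] = None

    def describe(self):
        # The note form the text suggests: "<document> sighted on <date> by <staff>"
        how = "copy retained" if self.copy_retained else "sighted"
        return (f"{self.document_type} {self.reference} {how} on "
                f"{self.verified_on.isoformat()} by {self.verified_by}")


def record_sighting(request_id, document_type, document_number, staff, on):
    """Preferred path: sight the document and retain only a masked reference."""
    return VerificationRecord(request_id, document_type,
                              mask_reference(document_number), staff, on)


def record_copy(request_id, document_type, document_number, staff, on):
    """Remote path: a copy now exists and carries an APP 11.2 destruction duty."""
    return VerificationRecord(request_id, document_type,
                              mask_reference(document_number), staff, on,
                              copy_retained=True)


def destruction_due(rec):
    """Date after which a retained copy serves no permitted purpose."""
    if not rec.copy_retained or rec.request_closed_on is None:
        return None
    return rec.request_closed_on + timedelta(days=COMPLAINT_WINDOW_DAYS)


def copies_overdue(records, today):
    """Request ids whose copies are past due and not yet destroyed."""
    overdue = []
    for rec in records:
        due = destruction_due(rec)
        if due is not None and rec.copy_destroyed_on is None and today > due:
            overdue.append(rec.request_id)
    return overdue


def destroy_copy(rec, on):
    """Mark the copy destroyed or de-identified; the masked record survives."""
    rec.copy_destroyed_on = on
    return rec
```

Running `copies_overdue` on a schedule gives the APP 11.2 action list; the sighting records themselves carry no destruction date because nothing beyond the masked reference was ever collected, which is the state the guidance prefers.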

Source: OAIC, APP Guidelines Chapter 12: APP 12 — Access to personal information, paragraphs 12.15–12.17
Source: OAIC, APP Guidelines Chapter 13: APP 13 — Correction of personal information, paragraph 13.23
Source: OAIC, Dealing with requests for access to personal information
Source: Privacy Act 1988 (Cth), Schedule 1 — Australian Privacy Principles
