The Law Handbook 2024
1104 Section 12: Government and the individual

• the resources required to ensure the quality of the information over time.

APP 11: Security of personal information

APP 11 concerns the security of personal information held by APP entities. It requires APP entities to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification and disclosure. The term ‘holds’ extends beyond possession of a record to include records an APP entity has the right or power to deal with: for example, where an entity has outsourced storage of its records to a third party but retains the right to deal with the information, the entity still ‘holds’ that information for the purposes of APP 11.

Further, an APP entity must take reasonable steps to destroy or de-identify personal information it no longer needs. This requirement does not apply to personal information contained in a Commonwealth record, or where a court or tribunal requires the information to be retained. Commonwealth records are dealt with under the Archives Act 1983 (Cth).

A more detailed discussion of the requirements of APP 11 can be found in the OAIC’s Guide to Securing Personal Information (published June 2018), available at www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/guide-to-securing-personal-information.

APPs 12 and 13: Access to, and correction of, personal information

APP 12 states that an APP entity must, upon request, give an individual access to any personal information that the entity holds about them. An entity ‘holds’ personal information if it has possession or control over it. The information does not have to be in the physical possession of the entity (e.g. where it has outsourced storage of the information but retains control over it).

All APP entities must allow individuals to request access to their personal information free of charge. Australian Government agencies must also provide the access itself free of charge, whereas private sector organisations may charge for providing access, provided the charge is not excessive. The APP guidelines suggest that a charge is excessive if it exceeds the actual cost of giving access.

APP 12 sets time periods within which entities must respond to requests for access. Australian Government agencies must respond within 30 days of the request. Private sector organisations must deal with requests within a reasonable period. APP entities must take reasonable steps to give access, which may mean providing access through an agreed intermediary. If the entity refuses access on the basis of an exception, the individual is entitled to a written notice setting out the reasons for the refusal and how they can complain about it.

There are several exceptions to APP 12 that permit an entity to refuse access to personal information. These exceptions differ depending on whether the entity is a private sector organisation or an Australian Government agency, because agencies also have responsibilities to provide access to information under other Commonwealth legislation, such as the FoI Act (Cth). The intention of APP 12 is that individuals should rely on the FoI Act (Cth) as the primary way to seek access to their personal information held by agencies. APP 12 lists several grounds on which an agency can refuse access, which cross-reference the FoI Act (Cth) and other Commonwealth legislation. However, a request for access under APP 12 is a matter to be decided under the PA 1988, not the FoI Act (Cth), so the agency is still obliged to provide reasons for the refusal, and the individual is entitled to complain to the Privacy Commissioner.

Private sector organisations can also refuse access in some circumstances, for example if:
• it would be unlawful to provide the information;
• it would have an unreasonable impact on the privacy of another individual;
• it would pose a serious and imminent threat to the life or health of any individual;
• the request is frivolous or vexatious; or
• giving access would reveal evaluative information in connection with a commercially sensitive decision (in which case the entity’s reasons for refusal may include an explanation for the commercially sensitive decision).

APP 13 requires an APP entity to take reasonable steps to correct any personal information it holds if it is satisfied that the information is out of date, inaccurate, incomplete, irrelevant or misleading, or if an individual requests that the information be corrected. On request from the individual, the