APP entities that hold personal information about individuals
must give individuals access to that personal information on
request (whether in writing or otherwise informally).
Applications for access requests must be free of charge, and
any charges relating to providing the information must not be
The right to access information under APP 12 operates alongside
other legal procedures, e.g., the Freedom of Information Act (FOI
APP entities can refuse to grant access to information by
providing the individual written notice justifying the
circumstances for refusal. These circumstances include the grounds
for refusing consent under the FOI Act, as well as the following:
Reasonable belief that giving access would pose a serious
threat to life, health or safety of an individual
Access would have unreasonable impact on privacy of other
The request is frivolous or vexatious
Information relates to anticipated or existing legal
proceedings and would not be disclosable under discovery
Access would reveal intention of negotiations with the
individual or would prejudice enforcement activities for
Access would reveal information in connection with a
commercially sensitive decision-making process
Giving access would be unlawful
APP entities must respond to access requests within 30 calendar
days by either providing a notice of refusal or granting access in
the manner requested by individual.
They key points to note from APP 13:
APP entities must take reasonable steps to correct personal
information to ensure information held is accurate, up-to-date,
relevant and not misleading.
Privacy policies must provide a mechanism for individuals to
make a request to an APP entity for correction of their personal
Reasonable steps must be taken to notify other APP entities of
Individuals who request that their information be corrected but
are refused must be provided with a complaint mechanism and written
notice of the grounds for the refusal to correct the
It is not permissible to impose any charge on individuals for
requesting the correction of their personal information.
APP entities must respond to requests for correction within 30
calendar days by either correcting the information or notifying the
individual of the grounds for refusing the correction.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The exposure draft addresses the cyber risks around online database storage of personal information in electronic form.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”