Subject Access Request (Australia)
What is a Subject Access Request (Australia)?
A Subject Access Request in Australia is a legally binding written instrument by which an individual asks an organisation for access to the personal information it holds about them.
APP 12 applies to APP entities — which include businesses with an annual turnover of more than $3 million, all health service providers (regardless of turnover), government agencies, credit reporting bodies, and certain other categories of organisation defined in Section 6C of the Privacy Act 1988 (Cth). Under APP 12.1, an APP entity that holds personal information about an individual must give that individual access to the information on request. The entity must respond within a reasonable time — the OAIC guidance suggests 30 days as a reasonable period in most cases. The entity may charge a reasonable fee for providing access, but must not make the fee so high as to effectively deter the individual from exercising their right.
Refusals are only permitted in limited circumstances under APP 12.3. Grounds for refusal include: granting access would pose a serious threat to the life, health, or safety of any individual or to public health or safety; the request is frivolous or vexatious; the information relates to existing or anticipated legal proceedings and was prepared in connection with those proceedings; granting access would reveal evaluative information prepared in connection with a commercially sensitive decision-making process; and certain law enforcement-related grounds. If an entity refuses access, it must give written reasons for the refusal and inform the individual of the complaint mechanisms available — including the right to complain to the OAIC under Part V of the Privacy Act 1988 (Cth).
Australia's subject access framework differs from the European General Data Protection Regulation (GDPR) system. Australia does not have a general right to data portability or a right to erasure equivalent to GDPR Articles 20 and 17. However, APP 13 gives individuals the right to request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading, and the entity must take reasonable steps to correct the information within a reasonable period. Where an organisation is a credit provider or credit reporting body, additional access rights apply under Part IIIA of the Privacy Act 1988 (Cth) and the Privacy (Credit Reporting) Code 2014 (Version 2.1). Section 20R of the Privacy Act 1988 (Cth) requires credit reporting bodies to provide individuals with free access to their credit information file once every 12 months and at any time following a credit refusal. The OAIC has published the APP Guidelines (March 2023) setting out detailed guidance on access rights under APP 12. The forms-legal.com Subject Access Request (Australia) template cites APP 12 of the Privacy Act 1988 (Cth) and is designed for use by individuals seeking access to their personal information from any Australian APP entity, including employers, healthcare providers, financial institutions, and technology companies operating in Australia.
When do you need a Subject Access Request (Australia)?
A Subject Access Request should be submitted in Australia whenever an individual wants to know what personal information a specific organisation holds about them, how that information is being used and disclosed, and who it has been shared with.
Common situations where an SAR is needed include: reviewing information held by a current or former employer — particularly where an employee suspects their personal information has been mishandled, recorded inaccurately on a personnel file, or shared without authorisation; requesting access to information held by a bank, insurer, or credit provider — particularly where the individual believes incorrect credit information has been recorded by a credit reporting body under Part IIIA of the Privacy Act 1988 (Cth), or where they have been denied credit and wish to understand the basis for the decision; obtaining records from a healthcare provider — for example, a hospital, general practitioner, specialist, or health insurer — where the individual needs their own health records for a second medical opinion, insurance claim, or legal proceeding; and reviewing data held by an online service, social media platform, or technology company about the individual's usage history, purchases, location data, or communications.
An SAR is also appropriate when an individual suspects a data breach has occurred involving their personal information and wants to confirm what information was held at the time of the breach. Under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act 1988 (Cth), APP entities must notify both the OAIC and affected individuals when an eligible data breach involving personal information is likely to result in serious harm. Submitting an SAR following a data breach notification enables the individual to understand the full scope of their exposed information.
For employment-related SARs, employers in Australia hold significant amounts of employee personal information — including tax file numbers, bank account details, superannuation fund details, performance review records, disciplinary records, and health information. The Privacy Act 1988 (Cth) section 7B(3) exempts certain employee records from some APP obligations where the information is directly related to the employment relationship. However, this exemption has limits, and individuals should submit an SAR to confirm what employment records are held and how they are being used. The OAIC's APP Guidelines provide detailed guidance on the employment records exemption. If an organisation fails to respond to an SAR within a reasonable period or unreasonably refuses access, the individual can lodge a complaint with the OAIC under section 36 of the Privacy Act 1988 (Cth). The OAIC can investigate the complaint and, if necessary, make a determination requiring the organisation to provide access.
What should a Subject Access Request (Australia) contain?
A Subject Access Request for Australia must include specific information to enable the organisation to locate the relevant records and respond to the request under APP 12 of the Privacy Act 1988 (Cth).
Requestor identification: The individual's full legal name; current address; email address and phone number; and any additional identifying information that will help the organisation locate the relevant records — for example, a customer account number, employee ID, patient file number, or date of birth. Under APP 12, the entity is entitled to verify the identity of the person making the request before providing access, to prevent unauthorised disclosure to a third party. Section 6C of the Privacy Act 1988 (Cth) defines which entities are bound by the Australian Privacy Principles.
Scope of the request: A clear description of the categories of personal information being requested — for example, all personal information held in the organisation's customer relationship management system, all employment records held on the individual's personnel file, all health records held by the healthcare provider, or all data collected through the organisation's website or mobile application. A specific request is more likely to receive a timely and complete response than a vague or overly broad request.
Time period: Where relevant, the time period to which the request relates — for example, records collected during a specific period of employment, or all health records from a particular period of treatment.
Preferred format: The format in which the individual would like to receive the information — for example, printed copies, digital copies by email, access to inspect records in person, or a data export in a machine-readable format. The entity must provide access in the format requested if it is reasonable and practicable to do so under APP 12.5 of the Privacy Act 1988 (Cth).
Disclosure information: A request for the organisation to identify any third parties to whom the personal information has been disclosed, including the date of disclosure and the purpose — particularly relevant where the individual suspects unauthorised disclosure to a data broker, overseas recipient (triggering APP 8 obligations under Section 16C of the Privacy Act 1988 (Cth)), or government agency.
Privacy Act 1988 citation: An express reference to Australian Privacy Principle 12 under the Privacy Act 1988 (Cth) and the individual's right to access their personal information, inviting the organisation to respond within 30 days as recommended by the OAIC APP Guidelines. Under Section 36 of the Privacy Act 1988 (Cth), individuals may lodge a complaint with the OAIC if the organisation fails to respond or unreasonably refuses access. The OAIC Commissioner has power under Section 40 to investigate complaints and under Section 52 to make determinations requiring the organisation to take remedial action, including providing access and paying compensation of up to $2,500 for non-economic loss.
Escalation notice: A statement that if the organisation fails to respond within a reasonable time or refuses access without lawful grounds, the individual intends to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) under Section 36 of the Privacy Act 1988 (Cth). The forms-legal.com Subject Access Request (Australia) template includes all these elements and is suitable for use with any Australian APP entity, whether a large corporation regulated by the Australian Securities and Investments Commission (ASIC) or a health service provider regulated by the Australian Health Practitioner Regulation Agency (AHPRA).