I’ve received a Privacy Act request – what do I do next?

9 September 2022

Sports and recreation organisations regularly collect, use and store personal information, including personal information about their participants and members, which is subject to the Privacy Act 2020.

As an organisation that handles personal information, you may receive information requests.  Under Principle 6 of the Privacy Act, people have the right to ask for access to their own personal information.  This article covers some commonly asked questions when receiving a request under the Act.

  1. Does the person have to provide a reason for requesting their personal information? No – any person is entitled to access their own personal information.
  2. What is the timeframe to respond to a privacy request? If you do not transfer the request to another organisation (see question 4 below), you need to respond to the request within 20 working days of receiving it.
  3. What if it’s going to take more than 20 working days to respond? You can extend time limits under the Act but only for certain circumstances, such as: if the request is for a large amount of information or requires a search through a large amount of information; or
    a. if the request is for a large amount of information or requires a search through a large amount of information; or
    b. you need to consult before making a decision; or 
    c. processing the request raises issues of complexity.
  4. What do you do if you don’t hold the information requested, but you believe the information is held by another organisation? Don’t ignore it – you must transfer the request to that organisation within 10 working days of receiving the request and you must inform the person making the request that you have done so.
  5. Do you have to provide the requested information? It depends. Information can be withheld if you rely on the withholding grounds in sections 49-53 of the Act or if another law overrides the Privacy Act. Here is a non-exhaustive list of examples of why information can be withheld:

a. The information isn't readily available
b. Releasing the information would be a serious threat to life, health, or safety
c. Releasing the information would breach somebody else's privacy
d. The information was provided in confidence
e. The information does not exist or cannot be found
f. The Request is frivolous, vexatious or trivial
g. Releasing the information would breach legal professional privilege

 6. How do you respond to a Privacy Act request?

Step 1: check the identity of the person making the request. Is the information about themself or for someone else? A person cannot request personal information about someone else unless they are acting on that person’s request or there is written permission to do so.

Step 2: check to see if you have the information requested. If you do, do any of the reasons listed in question 5 above apply to if you have to provide the requested information? If not, work through the information to see if you need to redact. Redact means to censor or obscure the information usually in black so the information cannot be read but the requestor can see when information has been redacted and the reason why).

Step 3: Provide the requested information to the requestor.

The Office of the Privacy Commissioner can be contacted if you have any questions about privacy. We at Gibson Sheat are also here to help if you have questions about a privacy matter.