As a business that collects customers’ personal information, you may receive a privacy access request from a customer. How your business should respond to a privacy access request will depend on what privacy laws apply to you and where the individual making the access request is located. This article will outline what a privacy access request is and what you should do if you receive one.
What is a Privacy Access Request?
A privacy access request is an application by someone for access to the personal information your business has collected and stored about them. The privacy access request may relate to the following:
- all of the relevant personal information; or
- specific personal information, such as a particular call recording.
Personal information includes any details that someone could use to identify a person. This may be a single piece of information or a combination of details that, taken together, identify a person.
Examples of personal information include a person’s:
- name;
- contact details;
- bank account details; and
- preferences and opinions.
Does My Business Need to Reply to a Privacy Access Request?
The first step in determining how to respond to a privacy access request is understanding how Australian privacy laws apply to your business. Under the law, certain businesses must comply with a privacy access request. Whether your business must comply is determined according to set criteria.
Examples of these criteria are whether your business:
- has an annual turnover of over $3 million;
- provides a health service or trades in personal information; or
- is a contracted service provider under a Commonwealth contract.
Generally, you must take practical steps to respond to a privacy access request. Even if there is no legal requirement compelling your business, responding to a customer’s request is usually the best practice.
If you are required to respond to a request for access to personal information, you must do so within a reasonable period, which the OAIC suggests is within 30 days.
Steps To Take in Response to a Privacy Access Request
Identify the Individual
First, you should ensure that the person requesting access to personal information is the person the information relates to. In most cases, you should only disclose personal information to the relevant person. Nevertheless, an exception may apply where you receive a request from a legal guardian or attorney under a power of attorney.
You can verify the person’s identity by asking to see current identity documentation (ID). However, you should not ask for a copy or make copies of the ID. This is because you should only hold personal information that your business needs.
Request an Administrative Fee
Under Australian law, you may ask for a reasonable fee to cover your administrative costs. However, if you wish to do so, you must provide an upfront quote to the person making the request, and they must agree to it before you give access to their information.
The fee may include the cost of:
- locating and retrieving the information;
- reproducing the information; and
- the postage required to send the information.
Locate the Relevant Personal Information
Once you have verified the identity of the person requesting the information, you will need to locate the relevant information.
Ensure you source all of the personal information you hold about that individual, such as:
- their customer profile;
- any logs of their interaction with your business; and
- your email correspondence with them.
You may also need to locate any further information that a third party, such as a contractor, holds on your behalf.
Provide the Information
Whenever possible, provide the personal information in the form requested by the individual. For example, you should provide a hard copy if they request a hard copy. However, if it is impractical for you to do so, you may provide an electronic copy of the information. For example, this could be the case if you do not have access to a printer or the customer refuses to pay for your printing costs.
What is the Turnaround Time?
There is no fixed statutory deadline for responding to a privacy access request. Instead, the time will depend on factors like how much information is requested and how easy it is for you to access that information.
The Office of the Australian Information Commissioner (OAIC) previously stated that it could take businesses at least a few days to respond to a simple access request.
Can I Deny a Privacy Access Request?
According to the law, you may deny an access request on specific grounds. For example, you may not have to comply if the request:
- poses a risk to life;
- would result in an unreasonable impact on the privacy of others;
- risks revealing commercially sensitive information;
- relates to legal proceedings;
- is unlawful; or
- is unreasonable.
For example, suppose you believe that granting the request would compromise the privacy of others or reveal confidential information. In that case, consider redacting those parts of the information before providing access.
It may be inappropriate or even impossible to give access directly to the individual. If this is the case, you may be able to provide access via an intermediary. For example, an intermediary could be a medical professional.
Key Takeaways
Proper preparation can allow your business to process privacy access requests quickly and efficiently. First, you should find out what steps to take if you do face a request, what information you will need to source and whether you will need to deny the request. Additionally, it is essential you comply with any privacy obligations you may have.
If you need help designing your access request response plan or developing a guide for customers, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
Not every business is required to comply with a privacy access request, but even if your business is not legally required to do so, it usually is best practice to respond to a customer’s request for commercial reasons.
Businesses can charge customers for accessing their personal information, but this fee cannot be excessive. If you decide to charge, you must notify the individual that there is a cost and outline the reasons for the cost. You cannot use the fee to discourage individuals from making privacy access requests, and you should provide alternative options to reduce cost, such as delivering the information by electronic means rather than by post or limiting the scope of the request.