Knowledge Update - Processing requests for personal information
This publication is currently under review
November 2017
Requests for access to personal information held by a government agency may be made under either the Privacy and Personal Information Protection Act 1998 (PPIP Act) or the Government Information (Public Access) Act 2009 (GIPA Act).
This knowledge update provides a general overview of the key issues that arise when processing requests for personal information.
Are agencies required to process a request for personal or health information under the GIPA Act or PPIP Act?
If the applicant specifies which legislation they are making the application under, the agency should process the application under that legislation.
If the applicant does not specify which legislation they are making the request under, it would be good practice for an agency to process it under the PPIP Act wherever possible because that means no cost to the applicant. If there are different timeframes for processing requests under the two Acts, agencies should let the applicant know.
To help members of the public understand the difference between requesting personal information under the GIPA Act or PPIP Act, agencies may refer them to the IPC fact sheet on how to access your personal information.
Processing personal information requested under the GIPA Act or PPIP Act and what agencies need to know
Who is seeking the information?
If the applicant for the information is either the person the information is about or their authorised representative, the application may be dealt with under the PPIP Act.
If the applicant is a third party, the application may only be dealt with under the GIPA Act, in which case the agency will need to apply the public interest test (please see the IPC fact sheet what is the public interest test for further information).
An individual may authorise any third party (such as a relative, interpreter, medical practitioner, legal representative, employer or insurer) to have access to their personal information. In some cases, a Member of Parliament may also make a representation on behalf of a constituent, including in relation to personal information.
The law also recognises certain persons as able to act on behalf of another person. These include:
- a person acting under an enduring power of attorney
- a person having parental responsibility for the individual, if the individual is a child
- a guardian or person responsible within the meaning of the Guardianship Act 1987. This may include an individual’s legally appointed guardian, spouse or partner if the spouse or partner is close and the relationship is continuing, or, in some circumstances, a close friend or relative of the individual
- a person empowered under law to act as an individual’s agent. For example, a financial manager appointed by a court or tribunal might be able to request access to the individual’s financial information.
For advice on handling personal information for adults with decision-making disabilities, please see the IPC Best Practice Guide on Privacy and People with Decision-Making Disabilities.
Definition of personal information differs between the PPIP Act and GIPA Act
The PPIP Act defines personal information as information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. Personal information includes an individual’s fingerprints, retina prints, body samples and genetic characteristics. However, the PPIP Act contains a number of exclusions to this definition, including that personal information does not include health information.
Examples of other exceptions include:
- information about an individual that is contained in a publicly available publication
- information which may have been obtained or accessed for law enforcement or public safety purposes
- certain information in relation to adoption
- cabinet information
- public interest disclosure information
- requests for information relating to suitability for employment of a public servant.
Health information is covered by the Health Records and Information Privacy Act 2002 (HRIP Act) and is defined as information relating to:
- the physical or mental health or a disability of an individual, or
- an individual’s express wishes about the future provision of health services to him or her, or
- a health service provided, or to be provided, to an individual, including personal information collected to provide, or in providing, a health service, or
- organ donation or donation of other body parts or body substances of an individual, or
- other genetic information about an individual, or
- healthcare identifiers.
If an agency receives an application for health information as defined by the HRIP Act, the agency cannot process the application under the PPIP Act but must do so under the HRIP Act.
The definition of personal information under the GIPA Act, on the other hand, encompasses health information. It is very similar to the definition in the PPIP Act; however, fewer exclusions apply. Under the GIPA Act, the following is not considered personal information:
- information about an individual who has been dead for more than 30 years
- information about an individual (comprising the individual’s name and non-personal contact details) that reveals nothing more than the fact that the person was engaged in the exercise of public functions
- information about an individual that is of a class, or is contained in a document of a class, prescribed by the regulations for the purposes of clause 4(3) of the Act.
Which definition of personal information applies to a request?
If the request is made or processed under the PPIP Act, agencies must apply the definition of personal information under the PPIP Act. If a request for personal information is specifically made and processed under the GIPA Act, the agency must apply the definition of personal information under the GIPA Act.
If an application is processed under the PPIP Act, does the GIPA public interest test apply?
Generally, the GIPA public interest test is not relevant to a PPIP Act application. The fact that personal information may not have been released under a GIPA application does not prevent it being released under the PPIP Act.
Section 10 of the GIPA Act makes it clear that GIPA is not intended to be used as a ‘shield’ against disclosure under other legislation.
However, in certain limited circumstances GIPA Act considerations may apply in accordance with section 20(5) of the PPIP Act. These essentially mirror the exceptions under the PPIP Act.
Schedule 1 of the GIPA Act lists sensitive information the disclosure of which may jeopardise public safety, law enforcement, child safety or Cabinet confidentiality, as well as documents created by specialist law enforcement bodies and information prohibited by legislation.
Most of the information contained in Schedule 1 of the GIPA Act corresponds with the limitation provisions contained in Part 2 Division 3 of the PPIP Act.
Therefore, personal information which could not be released under the PPIP Act could not be released under the GIPA Act, and vice versa.
Some information contained in Schedule 1 of the GIPA Act may still be released under certain circumstances. For example, information that attracts legal professional privilege may be released if the person in whose favour the privilege exists chooses to waive the privilege. In this scenario, the agency would need to consult the person who has the benefit of the privilege before making any decision whether to release the personal information.
Schedule 2 of the GIPA Act lists functions of agencies that are excluded from disclosure provisions. However, these provisions concern information that relates to specific functions of prescribed agencies. Requests for personal information about the applicant which the PPIP Act applies to would not ordinarily relate to Schedule 2 information.
Section 14 of the GIPA Act lists public interest considerations against disclosure which may be taken into account. However, section 14 is not a limitation to disclosure but rather lists considerations that must be weighed against the strong presumption in favour of disclosure.
A request under the PPIP Act can only be made for the applicant’s personal information. Hence, section 14 of the GIPA Act would not be a provision capable of preventing access under the PPIP Act.
The application form
The PPIP Act does not specify how an application for personal information must be made. Agencies may have developed their own process for taking requests, such as having the applicant complete an application form.
Agencies should assist an applicant as much as possible in making a request. If an agency uses a standard form, good practice would be to allow a person who has difficulty completing a form to request their information informally, or help them to fill in the form.
Agencies should include information about their policies and processes in relation to access requests under the PPIP Act in their Privacy Management Plan.
Under the GIPA Act, an individual may request their personal information informally or using a formal application. Agencies should process a request for access informally wherever possible unless:
- there is an overriding public interest consideration against disclosure. This requires the agency to take into account Schedule 1 and section 14 of the GIPA Act
- the applicant would like to have the decision reviewed if they are unhappy with the agency’s decision. Under the GIPA Act, a right of review only applies for formal applications. The agency should advise the applicant of this and allow the applicant to choose whether they would prefer the agency to process the request informally, which is free of charge, or as a formal application.
The agency should advise the applicant that a formal application needs to be in writing. It must state that it is an access application under the GIPA Act, include a postal address where all correspondence relating to the application can be sent to, and provide sufficient information to allow the agency to find the personal information that is being applied for. It must also include a $30 application fee.
Regardless of which legislation a request is made under, an agency has an obligation to protect personal information against unauthorised access, use, modification or disclosure, and must not disclose personal information except in accordance with the information protection principles (IPPs) contained in the PPIP Act.
For this reason, proof of identity showing a signature and/or current address, with or without a photo, may be sought prior to releasing the information. Under the GIPA Act, the agency may request the applicant to provide proof of his or her identity under section 55(5) of the GIPA Act. However, sufficient flexibility should be provided to enable persons who may not have a particular form of identification to still be able to access their own personal information themselves or through their authorised representative.
Cost of making an application
Access to personal information under the PPIP Act is free of charge regardless of how long it takes the agency to process the request.
Under the GIPA Act, the first 20 hours of processing time for personal information requests is free of charge. If it takes the agency more than 20 hours to process the application, then it may charge at a maximum rate of $30 per hour for each hour of processing time after 20 hours.
The agency may only charge for processing time covered in section 64(2) of the GIPA Act, which is the total amount of time that is necessary to be spent by any officer of the agency in:
(a) dealing efficiently with the application (including consideration of the application, searching for records, consultation, decision-making and any other function exercised in connection with deciding the application), or
(b) providing access in response to the application (based on the lowest reasonable estimate of the time that will need to be spent in providing that access).
Time limits for processing applications
While the PPIP Act does not prescribe any processing time limits, IPP 7 requires a government agency to provide access to personal information without excessive delay or expense.
If an applicant believes that an agency is taking too long to provide access to their personal information, and the applicant decides as a result that access has been refused, they can request an internal review from the agency or make a complaint to the NSW Privacy Commissioner.
If an application is made and processed under the GIPA Act, the government agency must process the request within the following timeframes. The agency:
- must notify the applicant whether the application is a valid application within five working days after the application is received;
- must make a decision whether to provide access to personal information and notify the applicant of the decision within 20 working days after the agency receives the application. If it does not make a decision within 20 working days (unless an extension is validly made), the application is treated as a deemed refusal to deal with the application, and the applicant has the right to seek a review of the deemed refusal;
- may extend the period for making a decision by up to 10 working days either to consult another party as required by the GIPA Act or to retrieve records from archive. Where the agency has reason to both consult and retrieve records from archive, the agency may extend the period for making a decision by a maximum of 15 working days.
Alternatively, an agency may extend the period for making a decision by obtaining the applicant’s agreement. However, an agency cannot require the applicant to agree to an extension.
How access can be provided
Under the PPIP Act, there is a presumption in favour of giving an individual access to their information. Failure to provide access is considered a deemed refusal that gives the applicant a right to request an internal review from the agency or make a complaint to the NSW Privacy Commissioner. However, under the legislation and the Privacy Commissioner’s complaints protocol, internal review by the agency is the preferred first option.
An agency may provide access to the information in a form the agency considers appropriate as long as the form selected would not lead to excessive delay or expense for the applicant.
Under the GIPA Act, the agency must provide access to personal information by:
- allowing the applicant to inspect the record containing the information, together with any facilities to enable the information to be read, viewed or listened to as appropriate, or
- providing a copy of the information, or
- providing a written transcript of the information.
The agency must provide access in the form requested by the applicant unless it would unreasonably interfere with the operations of the agency or pose unreasonable additional costs to the agency, be detrimental to the proper preservation of the record, breach copyright, or result in an overriding public interest against disclosure of the information (section 72(2) GIPA Act).
The GIPA Act requires that agencies must provide access without placing a condition on how to use the personal information, once released. However, agencies may impose conditions if it is necessary for the purposes of avoiding an overriding public interest against disclosure of the information (section 73 GIPA Act).
For more information
Contact the Information and Privacy Commission NSW (IPC):
Freecall: 1800 472 679