If someone requests their personal information, do we have to give it to them?

If you are an organisation, business or other agency, you have to comply with the Privacy Act and respond to a request for personal information from the person within a reasonable time. 

Principle 6 of the Privacy Act says if an agency holds personal information in a way that it can be readily be retrieved, it should confirm to the person asking for the information that it holds that information and give the person access to the information. The person requesting their information does not have to give a reason why they want access to it.

You can only withhold someone’s personal information from them if you can rely on one of the withholding grounds set out in sections 49-53 of the Privacy Act or if there is another law which overrides the Privacy Act (for instance because it says you must not disclose specific information). 

The Privacy Commissioner can direct an agency to provide an individual with access to their personal information under section 92. The organisation will be able to appeal the access direction within 20 working days and appeals are heard by the Human Rights Review Tribunal. 

Find out more about Access Directions(external link)

You can learn more about principle 6 and the right of access to information here.

The Privacy Commissioner can investigate agency responses to information access requests(external link) and whether they comply with the Privacy Act.