
The practical complexities and risks (and best ways) of dealing with the changing use of access requests

20 June 2025

Authors: Anna Koleth and Alec Christie

As is well known, under APP 12 individuals have the right to access the personal information about them held by the organisation (Requests). However, to date and despite the actual requirements of APP 12, in many cases organisations have simply provided full copies of all documents/records where the requestor’s name appears. This approach risks disclosing the personal and, sometimes, sensitive information of others in breach of the organisation’s privacy obligations. It is not a good look to report an eligible data breach caused solely by the organisation due to the unauthorised disclosure of others’ personal information in response to a Request. But then again, failure to notify such an eligible data breach will breach the privacy obligations of the organisation and enliven the infringement notice regime.

In addition, over the last 12-18 months we have seen the developing use of Requests as both: (a) an unofficial means of pre-claim ‘discovery’ or a fishing expedition; and (b) a way of ‘punishing’ the organisation, stretching its resources (perhaps diverting them from other tasks) or as a bargaining ploy by organising multiple co-ordinated access requests. The ‘weaponising’ of Requests has been developing in the EU/UK and US, especially in relation to class actions in the US, for a number of years and is likely to continue to grow in Australia.

Ensuring that Requests are appropriately considered, that no other person’s personal information is disclosed, that digital images are appropriately redacted, and that ammunition for a potential claim is not inadvertently provided where the requestor is not entitled to it can severely tax an organisation’s resources. It is essential to have appropriate practical measures in place to address Requests efficiently without bringing the organisation to a stop.

What is the access right?

The access right only concerns access to the personal information about the requestor themselves and not the record or document in which that personal information is held. For example, in an email, notes of a discussion or even in a video, not all of the content is necessarily personal information or personal information about the requestor. Also, in practice, such records usually contain the personal information of other individuals. If an organisation were to disclose the personal information of other individuals in responding to an access request, this may result in an eligible data breach requiring notification to the OAIC and all affected individuals.

Organisations must first assess what information the individual is entitled to receive, in order to confine the scope of the information that is theoretically accessible by the requestor under APP 12.1. Then the organisation should consider whether any grounds for refusal apply (the most common are noted below) in the specific circumstances. If a ground of refusal applies, and/or to avoid disclosing anything other than the personal information about the requestor, an organisation will need to consider the best way to make that information available: extraction from, or redaction of, the records/documents.

What are the common grounds for refusal of an access request?

An organisation may refuse an access request on any of ten specific grounds. Those most often relied on, and often the most contentious in practice, are where:

  • providing access would have an unreasonable impact on the privacy of any other individual(s); or
  • the access request is frivolous or vexatious; or
  • the organisation has a reasonable suspicion that unlawful activity or misconduct relating to its functions or activities is being engaged in and providing access would prejudice the taking of appropriate action.

Before refusing all access relying on any of these grounds, the organisation must consider whether the extraction of the relevant information from the records into a separate document or redaction of some of the information in the document would enable access to be provided.

Responding to Requests

An organisation must respond within a reasonable period after the request is made (generally, 30 days) and provide access in the manner requested by the individual, if it is reasonable and practicable to do so. In practice, it will be a rare occurrence that the entire records/documents in which the relevant personal information is contained should be disclosed and it is likely that extraction will be a better approach.

Substantial resources are often required to deal with Requests in a way that does not contravene other privacy obligations or provide ammunition to support a claim. This complexity is further compounded where an organisation holds the information across disparate and often unconnected systems, including attachments to emails. In the absence of proper data governance, this will inevitably increase the operational costs, complexities and risks associated with responding to access requests.

Critically, as access requests are increasingly being utilised for ulterior purposes as noted, it is imperative that organisations do not give the entire record or document in which the relevant personal information is contained, unless some form of redaction has been implemented.

How best to address Requests in practice and manage the privacy risks

Organisations should assess and implement the right systems, policies and procedures to govern the information they hold effectively, so that access requests can be dealt with efficiently and within the appropriate time frame. In practice, such measures should address how to delimit the scope of an access request to only the personal information about the requestor, and should include: developing a playbook; categorising the main types of personal information held and the types of individuals the organisation mainly deals with; and settling a starting position as to what will be disclosed and when a relevant exception is likely to apply. In addition, streamlining records management, including a robust deletion/de-identification program as required under APP 11.2, will both reduce the accessible information and enable searching for the relevant personal information to be done more efficiently.

We are happy to discuss how Atmos can assist your organisation to put in place practical procedures to better manage Requests and mitigate the privacy risks that arise from them.

To hear more or to organise a chat, get in touch:

info@atmosgroup.com.au