On this page
Show
Australian privacy law gives you a general right to access your personal information. This includes your health information. An organisation or agency must give you access to your personal information when you request it, except where the law allows them to refuse your request. You don’t have a right under Australian privacy law to access other kinds of information, such as commercial information. You also have rights to access government records which contain your personal information under the Freedom of Information Act 1982 (FOI Act). If you want to access records the police hold about you, please contact the Australian Federal Police or the criminal records section of your state or territory police service. How to request accessYou will need to contact the organisation or agency that holds your personal information to request access. Only you or another person you have authorised, such as a legal guardian or authorised agent, can make the request. An organisation or agency must be satisfied the request came from you or a person you authorised. You may be asked to put your request in writing and for information that identifies you. If so, include:
When should you get a response to your request?An organisation must respond to a request for access to personal information within a reasonable period. We think 30 days is a reasonable period. An agency must respond to a request for access to personal information within 30 days. Can an organisation refuse your request?An organisation can refuse to give you access to your personal information if they have a valid reason. Examples of a valid reason include:
An agency can rely on any of the exemptions in the FOI Act to refuse you access. Generally, if an organisation or agency refuses you access to your personal information under Australian privacy law, they must tell you in writing their reasons for refusing and how you can make a complaint. How will you access your personal information?An organisation or agency must give you access to your personal information in the way you asked to access it, if it is reasonable and practical to do so. For example, you may ask to access your personal information by receiving a copy in an email or by post, by being given information over the phone or by inspecting the information in person. If the organisation or agency can’t give you access to your personal information in the way you requested, they must try to give you access in a way that meets both your and their needs. Is there a charge?Requesting your personal information is free. However, an organisation may charge for providing you access, but this charge can’t be excessive. The organisation must tell you there’s a charge and explain the reasons for it. The charge may include the cost of:
An organisation can’t use this charge to discourage you from requesting access to your personal information. If possible, they should tell you the likely amount of the charge when you make the request. They should also discuss with you options for changing your request to minimise the charge. For example, changing the way they give it to you — by email rather than post. An agency can’t charge you for providing access to your personal information.
How long does an organisation have to respond?An organisation normally has to respond to your request within one month. If you have made a number of requests or your request is complex, they may need extra time to consider your request and they can take up to an extra two months to respond. If they are going to do this, they should let you know within one month that they need more time and why. For more on this, see our detailed guidance on time limits. Can an organisation charge a fee?In most circumstances, they should give you a copy of your personal information free of charge. However, an organisation can charge a reasonable fee to cover their administrative costs – if they think your request is ‘manifestly unfounded or excessive’. They can also charge a fee if you ask for further copies of your information following a request. If an organisation can charge a fee, the one-month time limit does not begin until they have received the fee. What should an organisation send back to me?When an organisation responds to your request, they should normally tell you whether or not they process your personal information and, if they do, give you copies of it. The organisation should also include:
If you specifically wish to receive this additional information, we recommend you state this in your request. Will I always receive everything I asked for?Not always. Depending on the circumstances:
An organisation can refuse to comply with your subject access request if they think it is ‘manifestly unfounded or excessive’. There can be other reasons why you may not receive all the information you expect, such as when an exemption applies, or the type of information you asked for is not covered by a subject access request. Frequently asked questionsAm I entitled to receive copies of entire documents? No. Your right of access does not entitle you to receive full copies of original documents held by an organisation – only your personal information contained in the document. Example You make a subject access request to your bank for full copies of your bank statements. Your bank is not required to provide copies of the actual bank statements, but they must provide you with your personal data contained within them, for example, by providing you with a list of transactions. By doing so, they have now complied with your subject access request without having to give you a full copy of the original bank statements. What does ‘manifestly unfounded or excessive’ mean? There is no set definition of what makes a subject access request ‘manifestly unfounded or excessive’. It will depend on the particular circumstances of your request. An organisation should explain the reasons for their decision. As an example, an organisation may consider a request to be ‘manifestly unfounded or excessive’ when it is clear that:
To decide this, an organisation must consider each request on a case-by-case basis and be able to explain their reasoning to you. What is an exemption? An organisation may withhold some, or all, of your personal information because of an exemption in data protection law. Exemptions are meant to protect particular types of information, or how certain organisations work. Sometimes an organisation may not even have to let you know whether or not they hold information about you. An organisation may also refuse to give you your information if it also includes personal information about someone else, except where:
In their decision-making, an organisation has to balance your right of access against the other individual’s rights over their own information. This may lead the organisation to refuse your subject access request. Alternatively, the organisation may attempt to remove (or edit out) the other individual’s information before sending your information to you. This is commonly known as ‘redaction’. This could mean you only receive partial information – such as copies of documents showing blanked-out text or missing sections. In any case, an organisation normally needs to:
See our guidance on exemptions for organisations for more detail on this topic. What happens if the organisation requires proof of ID? ID (identity) checks are usually required for security – they are part of an organisation’s measures to protect your personal data from unauthorised access. If an organisation asks you for proof of ID, the one-month time limit does not begin until they have received it. What information is not covered by my request? The right of access does not cover all types of information or uses of personal information. Some common examples of this include:
Can I submit the same request again? Yes, you can ask an organisation for access to your information more than once. However, they may be able to refuse your request if:
Remember, you can also ask an organisation for further copies of your information following a request, but they can charge a reasonable fee for this. How often must a firm send an account statement?Current NASD Rule 2340 (Customer Account Statements) generally requires each general securities member (as that term is defined in the rule)4 and NYSE Rule 409 (Statements of Account of Customers) generally requires each member organization to send account statements to customers at least quarterly showing security and ...
What is the 5 markup policy?The five percent rule, aka the 5% markup policy, is FINRA guidance that suggests brokers should not charge commissions on transactions that exceed 5%.
How long do blotters general ledgers and stock records need to be maintained?For example, brokers must retain blotters (records containing details of all purchases and sales of securities) for at least six years. But they must keep copies of trade confirmations for only three years.
Which of the following records must be kept for only 3 years?Which of the following records must be kept by a broker-dealer firm for three years? Trial balances, usually run at the end of a reporting period to ensure that the firm's credit and debit columns arrive at identical sums, must be kept for three years after the trial balance was run.
|