DSAR Requirements Under the Australian Privacy Act

Australian Privacy Act access request requirements: individual rights, 30-day response deadline, APP 12, OAIC enforcement, and penalties.

Last updated: 2026-03-29

Individual Rights That Trigger Access Requests

Under the Australian Privacy Principles (APPs), individuals can submit requests to:

  • Access personal information held about them by an organization or agency (APP 12)
  • Correct inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information (APP 13)
  • Be informed about the kinds of personal information held, why it is held, and how it was collected (APP 12.4)

The Privacy Act does not grant standalone rights to deletion, portability, or opt-out of sale. However, proposed reforms may introduce a right to erasure in future amendments.

Disclaimer: This content is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for guidance specific to your organization.

Response Deadline

The benchmark is 30 calendar days from receipt of the request. The Privacy Act itself only requires organizations to respond "within a reasonable period"; it is the OAIC's APP Guidelines that establish 30 days as the benchmark for what counts as reasonable.

If the request is complex or involves a large volume of information, you should still aim to respond within 30 days. Where you cannot, you must contact the individual within the 30-day period to explain the delay and provide an expected timeframe.

Failure to respond at all is treated as a refusal, which triggers the individual's right to complain to the OAIC.

Identity Verification

Organizations may require individuals to provide enough information to verify their identity before responding to an access request. The Privacy Act does not prescribe a specific verification method, but the OAIC recommends that any verification process be:

  • Proportionate to the sensitivity of the information being requested
  • Not more intrusive than necessary -- do not collect additional personal information beyond what is needed to confirm identity
  • Reasonable -- organizations should accept government-issued identification or other reasonable proof

If the individual makes the request through a channel where their identity is already established (for example, a logged-in account), additional verification may not be necessary.

Cost

Organizations may charge a reasonable fee for providing access to personal information under APP 12.8. However:

  • The fee must not be excessive
  • The fee must not apply to the making of the request itself -- you can only charge for the cost of providing access
  • Australian Government agencies must not charge for access requests under the Privacy Act (fees for FOI requests are governed separately under the Freedom of Information Act)

In practice, most private-sector organizations provide access at no cost.

The 13 Australian Privacy Principles

The APPs are the cornerstone of privacy regulation under the Privacy Act. They are grouped into five categories:

  1. APP 1 -- Open and transparent management of personal information through a clearly expressed, up-to-date privacy policy
  2. APP 2 -- Anonymity and pseudonymity -- individuals must have the option to interact anonymously or using a pseudonym where practicable
  3. APP 3 -- Collection of solicited personal information -- only collect information that is reasonably necessary (or directly related, for agencies) to your functions or activities
  4. APP 4 -- Dealing with unsolicited personal information -- if you receive information you did not solicit, you must determine whether you could have collected it under APP 3 and, if not, destroy or de-identify it
  5. APP 5 -- Notification of collection -- take reasonable steps to notify the individual about the collection, including the purpose, who you will disclose to, and their rights
  6. APP 6 -- Use or disclosure -- personal information may only be used or disclosed for the primary purpose for which it was collected, or a directly related secondary purpose the individual would reasonably expect
  7. APP 7 -- Direct marketing -- organizations must not use personal information for direct marketing unless an exception applies, and must always provide an opt-out mechanism
  8. APP 8 -- Cross-border disclosure -- before disclosing personal information overseas, take reasonable steps to ensure the recipient complies with the APPs
  9. APP 9 -- Adoption, use, or disclosure of government-related identifiers -- organizations must not adopt government identifiers (such as tax file numbers) as their own identifier
  10. APP 10 -- Quality -- take reasonable steps to ensure personal information is accurate, up-to-date, complete, and relevant
  11. APP 11 -- Security -- take reasonable steps to protect personal information from misuse, interference, loss, unauthorized access, modification, or disclosure
  12. APP 12 -- Access -- individuals have the right to request access to their personal information; organizations must provide access unless a specific exception applies
  13. APP 13 -- Correction -- organizations must correct personal information they hold if the individual requests it and the information is inaccurate, out-of-date, incomplete, irrelevant, or misleading

APP 12 is the principle most directly relevant to access requests. It requires organizations to provide access in the manner requested by the individual (such as copies, inspection, or a summary) if it is reasonable and practicable to do so.

Penalties

Since the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, maximum penalties for serious or repeated interferences with privacy are:

  • AUD 50 million, or
  • Three times the value of the benefit obtained through the misuse of information, or
  • 30% of the entity's adjusted turnover in the relevant period

Whichever of these three amounts is greatest applies. These penalty levels were significantly increased from the previous maximum of AUD 2.22 million following high-profile data breaches at Optus and Medibank in 2022.

The OAIC enforces the Privacy Act through several mechanisms:

  • Complaint investigations -- any individual can lodge a complaint with the OAIC
  • Commissioner-initiated investigations -- the OAIC can investigate potential breaches on its own initiative
  • Enforceable undertakings -- the OAIC can accept binding commitments from organizations to take specific steps
  • Determinations -- the Commissioner can make a determination that an organization has interfered with privacy and order remedies including compensation
  • Civil penalty proceedings -- the OAIC can apply to the Federal Court for civil penalties in cases of serious or repeated interference

There is no private right of action under the current Privacy Act. Individuals must complain to the OAIC rather than suing organizations directly. However, proposed reforms include a statutory tort for serious invasions of privacy, which would give individuals a direct right to sue.

When You Can Refuse Access

APP 12.3 sets out specific grounds for refusing an access request. Organizations may refuse where:

  • Providing access would pose a serious threat to the life, health, or safety of any individual or to public health and safety
  • Providing access would have an unreasonable impact on the privacy of other individuals
  • The request is frivolous or vexatious
  • The information relates to existing or anticipated legal proceedings and would not be accessible through the discovery process
  • Providing access would reveal the organization's commercially sensitive decision-making process or intentions
  • Providing access would be unlawful or would be contrary to an Australian court order or tribunal order
  • Denying access is required or authorized by law
  • The organization suspects that unlawful activity or serious misconduct relates to the organization's functions or activities, and giving access would be likely to prejudice the taking of appropriate action
  • An enforcement body requests that access not be provided on law enforcement grounds

When refusing access, the organization must:

  1. Give the individual written notice of the refusal within 30 days
  2. State the reasons for the refusal (unless providing reasons would undermine the basis for refusal)
  3. Inform the individual of their right to complain to the OAIC

Who This Applies To

The Privacy Act applies to:

  • Australian Government agencies -- all federal departments and agencies
  • Private-sector organizations with an annual turnover of more than AUD 3 million
  • All private health service providers, regardless of turnover
  • All organizations that trade in personal information, regardless of turnover
  • All organizations related to a body corporate with turnover exceeding AUD 3 million
  • Organizations that hold tax file number information, regardless of turnover

The Small Business Exemption

Organizations with annual turnover of AUD 3 million or less are generally exempt from the Privacy Act, unless they fall into the categories listed above. This is one of the most significant gaps in Australian privacy law.

The Attorney-General's Privacy Act Review Report (2023) recommended removing the small business exemption entirely. The Australian Government has agreed in principle, and as of early 2026, the removal is included in proposed amendments progressing through Parliament. If enacted, all private-sector organizations would be subject to the Privacy Act regardless of turnover. Organizations currently relying on the exemption should begin preparing for compliance.

Extraterritorial Application

The Privacy Act has limited extraterritorial reach. Since 2014, the Act applies to overseas organizations that have an "Australian link" -- meaning they are incorporated in Australia, carry on business in Australia, or collect or hold personal information in Australia. However, enforcement against offshore entities remains challenging in practice.
