- Advice Summaries
- Case Notes
- Codes of Conduct
- Compliance Notes
- Fact Sheets
Information Sheet (Private Sector) 5 - 2001: Access and the Use of Intermediaries
The following information is provided to assist organisations when they are considering ways to comply with National Privacy Principle 6.3 (NPP 6.3). This principle allows an individual to be given access to information through an intermediary.
Role of an intermediary
NPP 6.3 requires that an organisation must consider using an intermediary to allow limited access to information that would otherwise be denied to an individual by one of the exceptions under NPP 6.1.
An intermediary is a person or persons acceptable to both the organisation and the individual asking for access. The role of the intermediary is to enable an individual to get access to and have the content of the personal information explained where access would otherwise have been denied. What the intermediary explains to the individual will depend on the instructions the organisation gives the intermediary. The organisation's instructions will be determined by what the exception allows.
Before using an intermediary
An organisation may have explored other ways of providing limited access to the information a person has requested before deciding to use an intermediary. These may include:
- giving access to the information but blocking out the information covered by the exception;
- giving a summary of the information excluding the information covered by the exception; or
- any other ways which would meet the needs of the organisation and the person making the request for access.
Considerations in deciding to use an intermediary
An organisation may decide it is not possible to give either direct access or the limited access to personal information described above. NPP 6.3 then requires that the organisation must consider, if reasonable, whether the use of an intermediary to provide access to the information requested is an option. The organisation and the individual seeking access need to agree on the intermediary.
Factors that an organisation may consider when deciding whether to use an intermediary could include:
- the nature of the exception under which an organisation may deny access. In some circumstances such as NPP 6.1(i), using an intermediary will not be appropriate;
- whether the intermediary would meet the needs of both the organisation and the individual requesting access;
- whether giving access through an intermediary would lessen a threat to life or health that the organisation believes will arise if direct access is given to the individual (where NPP 6.1(a) or (b) is the relevant exception);
- whether using an intermediary would enable a level of access acceptable to the individual without revealing personal information that is covered by any exception and which the organisation does not want disclosed;
- whether a suitable intermediary, likely to be acceptable to both the organisation and the individual, is available; and
- the cost of using an intermediary (either to the organisation or the individual requesting access (see below)).
Cost of providing access via an intermediary
There may (but not always) be a cost involved when giving access to information via an intermediary. The NPPs do not say who must bear the cost of using an intermediary. An organisation may, depending on the circumstances, decide to waive the cost or share the cost of the intermediary. Factors affecting this decision may include the organisation's relationship with the individual, the individual's financial status (for example, if the individual is receiving a benefit) or the importance of the information to the individual.
If the organisation expects the individual to bear the cost of the intermediary then it would be good practice to tell the individual this and the amount involved before agreeing to use an intermediary.
Steps if using an intermediary
It is up to the organisation to decide what steps it will take once a decision has been reached about using an intermediary. Factors may include the kind of relationship the organization has with the individual, the exception that will deny the individual direct access and the sensitivity of the information requested. The Privacy Commissioner suggests the following steps.
- Notify the individual of the organisation's decision. An organisation could do this orally or in writing, stating the exception that prevents direct access and suggesting the use of a mutually acceptable intermediary.
- Explain in an easily understood way:
- the role of the intermediary;
- what kind of access the intermediary will give the individual to personal information about them; and
- how the procedure would work.
- Explain any costs that the individual will incur if an intermediary is used.
- Explain what the individual needs to do next.
Steps if not using an intermediary
If the organisation decides not to use an intermediary, then NPP 6.7 would require the organisation to provide reasons for denial of access. This would involve contacting the individual orally or in writing and explaining why the request for access has been denied. An organisation could also explain any processes it has for reviewing its decision.
About Information Sheets
Information sheets are advisory only and are not legally binding. (The NPPs in Schedule 3 of the Privacy Act 1988 (Cth) (the Privacy Act) do legally bind organisations.)
Information sheets are based on the Office's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation.
Nothing in an information sheet limits the Privacy Commissioner's freedom to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with.
Organisations may also wish to consult the Commissioner's guidelines and other information sheets.
Office of the Privacy Commissioner ISBN 1 - 877079 - 27 - 8 Privacy Hotline 1300 363 992 (local call charge)