Access rights in practice: reflections from 60 data access requests
In Australia, you have the right to access the personal information an organisation holds about you under Australian Privacy Principle 12 (APP 12). Over the past year, I’ve made 60 data access requests to a range of organisations, including charities, major retailers, and data brokers. The process revealed as much about organisational governance and privacy maturity as it did about the data itself.
Some of the issues I encountered were explored in recent Crikey reporting focused on the charity sector. This post takes a different view, reflecting on patterns that emerged across many requests in different sectors. If you’re making a data access request yourself, it might help you know what to expect.
I’m not a lawyer, just a pedant with a special interest in privacy. For that reason, I’m not making claims about legal compliance. Where relevant, I instead highlight points where organisations appeared to hold rather different interpretations of their privacy obligations or took internally inconsistent positions.
What is APP 12?
APP 12 gives you the right to access the personal information an organisation holds about you. It applies to any organisation subject to the Privacy Act, which generally means those with annual turnover over $3 million, plus some smaller organisations in specific circumstances (such as health service providers).
In theory, a data access request should show you what personal information an organisation holds about you and give you the opportunity to identify and correct any errors.
For official guidance on how to make an APP 12 request and what APP 12 requires, you should refer to the OAIC’s information on how to access your personal information and their guidelines on APP 12.
For concrete examples of what access requests can uncover, you might be interested in Crikey’s reporting on profiling practices in the charity sector and which charities use profiling tools.
Recurring patterns in access requests
Privacy inboxes were sometimes unmonitored or non-functional
In at least ten cases, the email address listed in the organisation’s privacy policy for access requests was either unmonitored or non-functional. This included emails that bounced, emails sent to spam folders, emails that received no response, and cases where the organisation later confirmed the inbox wasn’t being monitored.
In most cases I eventually found another way to make contact and have my request actioned, but this created friction at the very first step of the process. Spoiler: this sets the tone for much of what follows.
Identity verification requirements varied widely
Organisations are allowed to verify identity before providing personal information, though the privacy regulator’s guidelines say verification should be proportionate to the sensitivity of the information held.
In practice, requirements varied considerably. Many organisations accepted the contact details I pre-emptively provided in my access request as sufficient. Others wanted video calls to sight ID, or scanned copies of documents. One requested a 100-point check and a statutory declaration, though they dropped the 100-point check requirement when I pushed back.
Access requests were sometimes confused with deletion requests
In several cases, organisations responded to my access request by confirming they would action my deletion request. To my knowledge only one organisation actually deleted my personal information while my request was active, but the confusion suggests others might have if I hadn’t quickly clarified.
Organisations disagreed on what counts as personal information
“Personal information” is foundational to the Privacy Act, so it was surprising how widely interpretations varied. This matters because APP 12 only gives you a right to access personal information. If an organisation doesn’t consider something personal information, they may not provide it or even acknowledge holding it.
Some organisations framed their response in terms of “personally identifiable information” (PII), even though PII is a narrower concept than personal information and isn’t the term Australian privacy law uses. Others provided profiling scores or segment labels but explicitly denied holding “inferred” or “derived” personal information, suggesting confusion about what those terms mean. Some didn’t consider third-party data to be personal information if the third party wasn’t given my identifying details, even where the third-party data was linked to my record.
Several organisations also made blanket claims that certain data types could never be personal information, including location data accurate enough to identify my home address, hashed identifiers, and device identifiers. Regulator guidance suggests all of these can be personal information depending on context.
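The hashed-identifier claim is worth unpacking, because it is a common misconception. A hashed email address is deterministic: anyone who knows the (usually standard) hashing scheme and a candidate email can confirm whether a stored hash belongs to that person, and two organisations that hash the same address end up with the same value, so the hash links records across datasets. The Python below is an added illustration written for this post, not code from any organisation mentioned; the donor list, broker segment file and email addresses in it are constructed sample data, and the trim-plus-lowercase normalisation is an assumption about typical audience-matching practice.

```python
import hashlib


def hash_identifier(email: str) -> str:
    """Deterministic hashed identifier of the kind used for audience matching.

    Normalisation (trim + lowercase) is assumed here because matching schemes
    need the same person to always produce the same hash; that same property
    is what keeps the value linkable to an identifiable individual.
    """
    normalised = email.strip().lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def belongs_to(stored_hash: str, candidate_email: str) -> bool:
    """Check whether a stored hash refers to a known person.

    No 'reversal' of the hash is needed: the holder of the hash and the
    candidate address simply recomputes and compares.
    """
    return stored_hash == hash_identifier(candidate_email)


def link_records(dataset_a: list[dict], dataset_b: list[dict]) -> list[tuple[dict, dict]]:
    """Join two datasets that share nothing but a hashed identifier column.

    Returns (row_a, row_b) pairs whose hashed_email values match, which is
    exactly the join a data broker or ad platform performs.
    """
    index = {row["hashed_email"]: row for row in dataset_b}
    return [
        (row_a, index[row_a["hashed_email"]])
        for row_a in dataset_a
        if row_a["hashed_email"] in index
    ]


# Constructed sample data (not taken from the post): a charity's donor list and a
# data broker's segment file, both keyed on the same kind of hashed identifier.
CHARITY_DONORS = [
    {"hashed_email": hash_identifier("Jane.Citizen@example.com"), "donor_segment": "lapsed major donor"},
    {"hashed_email": hash_identifier("someone.else@example.org"), "donor_segment": "regular giver"},
]
BROKER_SEGMENTS = [
    {"hashed_email": hash_identifier("jane.citizen@example.com"), "propensity_score": 0.82},
]


def demo() -> list[tuple[dict, dict]]:
    """Show that the broker's score attaches to a specific donor record."""
    return link_records(CHARITY_DONORS, BROKER_SEGMENTS)


if __name__ == "__main__":
    for donor, segment in demo():
        print(f"{donor['donor_segment']!r} donor is also broker score {segment['propensity_score']}")
    print("hash belongs to Jane:", belongs_to(CHARITY_DONORS[0]["hashed_email"], "jane.citizen@example.com"))
```

Run as a script, it prints one linked pair and a `True` for the membership check. The point for an access request is that hashing is pseudonymisation, not anonymisation: the organisation that holds the hash alongside a segment label or score is holding information about an identifiable individual, which is why regulator guidance treats such identifiers as potentially personal information depending on context.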
Access charges were rarely requested
Organisations are allowed to charge for providing access, as long as the charge isn’t excessive. In a pleasant surprise, only two organisations suggested a payment.
One initially provided partial access, then proposed a $780 charge to search for additional categories of information after I followed up. Another quoted up to $7,200 (plus GST) before even confirming they held my information, claiming the search would require over 40 hours of manual work. I didn’t proceed with that one.
Initial responses were often incomplete or inaccurate
My biggest frustration was that initial responses often didn’t include everything. Sometimes the person processing my request only searched one system despite personal information being stored across several. Sometimes requests were handled by staff without knowledge or visibility of all systems, making a complete response impossible. In other cases organisations initially claimed certain data wasn’t personal information, then provided it after I pushed back.
This meant obtaining my information often required multiple follow-ups over several months. In some cases I only received data after finding vendor case studies or social media posts confirming the organisation used a specific platform, then asking whether it had been included in the search. Even then, I was often left unsure whether I’d received everything or if the person handling my request had simply lost patience with me.
Exemptions were cited but often abandoned
There are legitimate reasons to withhold personal information, and the Privacy Act includes specific exemptions for these cases. Eight organisations cited exemptions to withhold information. In most cases it was unclear what was actually being withheld, making it difficult to assess whether the exemption applied.
The most common was APP 12.3(j), which allows an organisation to withhold information if “giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process.” Interestingly, this was invoked by several charities.
One organisation cited an exemption related to suspected unlawful activity. Another argued that providing hashed identifiers would “pose a serious threat to the life, health or safety of any individual.”
In many cases, when I challenged whether the exemption actually applied, the organisation backed down and provided the information without explanation.
My requests were sometimes treated with suspicion
In some cases my requests were met with suspicion and heightened scrutiny. Some suggested I might be engaged in phishing or attempting to extract commercially sensitive information under the guise of an access request, and required additional identity verification as a result. One organisation refused to even attempt to verify my identity, apparently because the nature of my request had made them too suspicious to proceed.
How access works in practice
There’s no way to know what’s missing
The core problem with data access requests is that there’s no way to verify a response is complete. This asymmetry is fundamental: the organisation knows what it holds (hopefully), and you don’t. I sometimes only received information after specifically asking about a named platform, but requiring individuals to guess what an organisation holds defeats the purpose of APP 12.
In some cases I suspect there are gaps in what I received. But making a complaint to the regulator would likely require evidence that something was withheld. If you could prove that, you probably wouldn’t need the access request.
This isn’t just a small organisation problem
The same issues occurred across relatively small not-for-profits and large, well-resourced companies. The difficulties weren’t a function of size or capacity, but of whether privacy and data governance were treated as organisational priorities. Large organisations have compliance teams, legal departments, and dedicated IT functions, but privacy still often appeared to be under-resourced. Where staff lacked visibility of data flows or didn’t know where personal information was stored, responses were inevitably incomplete.
Several large companies hadn’t even assigned anyone to monitor the privacy inbox. That says it all.
Privacy policies are a weak guide to actual data practices
In theory, privacy policies should tell you what data will be collected and how it will be used, letting you make an informed decision before engaging with an organisation. In practice, policies were often too vague to tell me whether specific practices like profiling were in use. Many appeared designed to be broad enough to cover any possible future practice rather than to specifically describe current ones.
Some policies described practices organisations weren’t actually engaging in, such as obtaining data from brokers. More commonly, actual practices weren’t described in terms most people would understand. We already know privacy policies are too dense and lengthy to read for every service we use, but these observations suggest that even careful reading often provides little clarity.
Access is much harder than it should be
It’s worth stating clearly: this was difficult. In most cases it was a frustrating, convoluted process requiring multiple follow-ups, a solid understanding of privacy rights, and a willingness to argue. I have a background in data and more familiarity with the Privacy Act than most, and I still found it challenging. This is not something most people can reasonably be expected to do.
I persisted because I came to see the difficulty itself as part of the data. My original goal was to learn what organisations held about me, but documenting how hard the process is became at least as important. Where requests encountered repeated friction such as delays, narrowing of scope, and dubious exemptions, this was often more revealing than the information eventually disclosed.
Sara Ahmed’s Complaint! helped me make sense of this. Ahmed writes about institutional complaint processes, not privacy, but her core insight translates well: friction and resistance are not incidental failures of process. They reveal how systems are oriented, what they are designed to absorb, and where they become brittle when confronted with demands they are not well set up to handle. I found the same dynamic at work in access requests.
Notably, multiple systematic studies of data access requests have been done in the EU, where GDPR provides stronger access rights (the usual GDPR envy applies). However, I couldn’t find equivalent research in Australia. Having now attempted it, I can see why.
Final thoughts
Obtaining access to my personal information from dozens of organisations required specialist knowledge and considerable persistence. I don’t think this should be the case.
There were some bright spots. Two organisations genuinely helped me exercise my access rights. They were consistently patient and thorough with what was admittedly a complex request. Two out of 60 isn’t great, but it’s better than zero. A handful of others didn’t get things right initially, but acknowledged gaps and committed to improvements when I raised concerns. Getting things right the first time matters, but a genuine willingness to improve is a strong second-best option.
These examples show it’s possible to do better, which makes it harder to excuse the rest. The problem isn’t just that access rights are hard to implement. It’s that privacy often isn’t valued enough for organisations to bother getting them right.