‘Trust is built here’: responding to requests for personal information and handling privacy complaints
The Privacy Awareness Week 2026 theme should resonate with every Australian business – ‘Trust is built here. In every privacy complaint. In every resolution.’
For organisations subject to the Privacy Act 1988 (Cth), this theme reflects the practical reality that how a business responds to requests for personal information and how it handles complaints directly shapes public confidence and commercial reputation.
The Australian Privacy Principles (APPs), and in particular APP 12 – access to personal information – sit at the centre of this trust equation. A common source of privacy complaints arises when an individual requests access to their personal information and the request is perceived as ignored, delayed or inadequately answered. Businesses that treat these interactions as an opportunity to demonstrate accountability (rather than a compliance burden) are best placed to build lasting trust with their customers, employees and stakeholders.
We examine the key obligations on businesses when responding to requests to access personal information, the practical steps for handling privacy complaints, and the proactive measures that distinguish compliant organisations from those that truly build trust.
Key takeaways
- Requests for access to personal information do not need to be formal – even verbal or email requests can trigger obligations under APP 12.
- Delayed, unclear or poorly handled responses are a common source of privacy complaints and reputational risk.
- Effective complaint handling processes can reduce escalation to the Office of the Australian Information Commissioner (OAIC) and demonstrate accountability and trustworthiness.
- Privacy compliance is not just a legal requirement – it is increasingly a governance and reputation issue.
- Proactive training, clear procedures and well-designed privacy policies help organisations respond consistently and build trust.
Responding to requests for access to personal information
APP 12 provides individuals with a right to access their personal information held by an APP entity. When a business receives a request, whether formal or informal, it must respond. There is no requirement for the individual to cite APP 12 or use legal terminology – a request made by email, phone or verbally triggers the obligation.
APP 12 operates alongside and does not replace other informal or legal procedures through which individuals can obtain access to information. This means that businesses should seek to resolve straightforward requests for personal information without unnecessary formality, particularly when compared with the rigidity of requests under the Freedom of Information Act 1982 (Cth), provided the minimum requirements are met.
APP 12 requirements
The key requirements under APP 12 include:
- no formality required from individuals: a request for personal information need not refer to APP 12 or use legal terminology, and may be made informally;
- timeframes: organisations must respond to requests for access to personal information within a reasonable period. OAIC guidance states this should not exceed 30 days after the request is made for corporations (government agencies must respond within 30 days);
- manner of access: access must be provided in the manner requested, where it is reasonable and practicable to do so. This may include consideration of factors such as the volume and nature of the information request and any special needs of the individual requesting the information; and
- refusal of access: where access is refused, written reasons must be given along with information about available complaint avenues.
APP 12 exceptions – limited reasons for refusing access
APP 12 recognises that access to personal information may be refused in limited circumstances. Permissible grounds for refusal include (but are not limited to) where:
- giving access would pose a serious threat to the life, health or safety of any individual or to public health or public safety;
- giving access would have an unreasonable impact on the privacy of others;
- the request for access is frivolous or vexatious;
- the information requested relates to an existing or anticipated legal proceeding, so long as that information would not be accessible by the process of discovery in those proceedings;
- giving access would prejudice negotiations between the APP entity and the individual, for example by revealing the intentions of the APP entity in relation to the negotiations; or
- giving access would be unlawful, or denying access is required or authorised by law or a court or tribunal order.
Handling privacy complaints
Privacy complaints often arise from a poorly handled access request, but they may also emerge from cyber-attacks or data breaches, or from broader concerns about how personal information is collected, used or disclosed. Regardless of the source, how a business responds to a privacy complaint is a critical trust signal.
Under section 36 of the Privacy Act 1988 (Cth), the OAIC will generally not investigate a complaint unless the individual has first raised the matter directly with the entity concerned. This allows businesses to have an opportunity to resolve concerns internally before regulatory involvement.
Complaints may arise where:
- a request has not been responded to within a reasonable time or there has been no communication about the status of a request with the individual (APP 12);
- a business uses personal information for a purpose other than the primary purpose for which it was collected, without consent or an applicable exception (APP 6);
- a business has failed to take reasonable steps to:
  - protect personal information from misuse, interference, loss, or unauthorised access, disclosure, or modification (APP 11.1); or
  - delete or de-identify that personal information when the entity cannot use it for any purpose under the APPs and is no longer required to retain it by law (APP 11.2); or
- a business uses personal information for direct marketing where the individual has not consented or has opted out (APP 7).
Effective complaint handling involves several key steps:
- Acknowledge promptly: individuals should receive a timely acknowledgement that their complaint has been received, reducing the likelihood of a complaint to the OAIC.
- Triage and assign: complaints should be triaged by reference to their nature and severity. A designated privacy officer or complaints handler with appropriate knowledge of the Privacy Act 1988 (Cth) and the APPs should be assigned responsibility for investigating and responding to the complaint.
- Investigate fairly: businesses should investigate the complaint, gather relevant information, and form a view on whether the individual’s concerns are substantiated. In certain circumstances, a fair investigation may also involve consulting with the individual to understand the nature of their request and the form in which they seek access to the personal information.
- Respond in writing: once the investigation is complete, individuals should receive a clear, written response setting out the outcome of the investigation, the reasons for any decision, and the steps the business has taken (or will take) in response. Where the complaint is not upheld, reasons must be clearly explained.
- Advise of external complaint rights: if the complainant remains dissatisfied, the business should advise the individual of their right to complain to the OAIC.
Where the OAIC becomes involved, the Commissioner will generally first seek to conciliate the complaint. Early and constructive engagement in that process can help resolve matters efficiently and avoid the exercise of more formal complaint resolution powers.
Importantly, OAIC investigations and their outcomes are often made public. A complaint that could have been resolved through a respectful, timely internal process can become a matter of public record and the consequential reputational harm could far outweigh the cost of getting the initial response right.
Best practice: building a proactive privacy framework
The OAIC’s Privacy Awareness Week 2026 theme, ‘Trust is built here’, carries an important lesson – trust is not built only in the moment a complaint arrives. It is built through the systems, training and culture that a business puts in place before an access request or complaint is received. Best practice means being proactive and ready to respond, not merely reactive.
APP 1 requires entities to take reasonable steps to implement practices, procedures and systems that will ensure the entity complies with the APPs and enable inquiries or complaints to be managed effectively. Businesses must also maintain a clearly expressed APP privacy policy that, among other things, explains how individuals may access their personal information and how complaints will be dealt with.
Failure to maintain an appropriate privacy policy may result in regulatory action, including legal proceedings, or immediate fines of up to $19,800 for unlisted companies and $66,000 for listed companies.
A well-designed privacy policy and complaints process is more than a compliance document – it is a legal requirement and signals respect for individuals’ privacy and confidence in internal systems designed to protect personal information.
Businesses seeking to embed best practice should consider the following measures:
- Train staff to recognise APP 12 requests: staff should be trained to identify requests to access personal information and privacy complaints regardless of how they are framed.
- Develop internal templates and procedures: prepare internal templates for acknowledging requests for access to personal information and complaints. Develop standard procedures and flow charts for complaint handling, including the appointment of a Privacy Officer to manage complaints.
- Conduct regular privacy compliance reviews: periodically review privacy policies, data handling practices and complaint processes to ensure they remain fit for purpose and reflect any changes in the law or business operations.
- Track and report on complaints data: maintain records of access requests and complaints, including response times, outcomes and any systemic issues identified.
Proactivity as a means of going beyond compliance
Privacy Awareness Week 2026 is an important reminder that privacy compliance is an ongoing operational responsibility with direct implications for public trust, business reputation and stakeholder relationships. Businesses that treat privacy merely as a legal obligation risk falling behind those that recognise it as a competitive advantage.
Organisations that take a proactive approach to access and complaint handling processes are well placed to:
- resolve complaints early, reducing the volume and severity of complaints escalated to the OAIC and associated reputational impacts;
- demonstrate compliance and accountability to regulators in the event of an investigation;
- protect and enhance their commercial reputation and public standing; and
- build lasting trust with customers, employees and the communities they serve.
Each access request provides an opportunity for businesses to demonstrate that trust is indeed ‘built here’. For commercial organisations, privacy is no longer a back-office compliance task – it is a governance issue that affects reputation, customer confidence and the organisation’s licence to operate.
Privacy Awareness Week is a timely prompt for organisations to test whether their access request and complaints processes are practical, resourced and understood across the business, so they can respond quickly, consistently and lawfully when issues arise – and reinforce trust in the way they do business.
If you would like support reviewing your privacy compliance, access requests and complaint handling processes, training frontline teams to identify and triage requests, or stress-testing your response plan before the next complaint or data incident, please get in touch with our Privacy & Data team to discuss a tailored ‘privacy trust’ health check.
This article was written with assistance by Daniel Williams, Lawyer and Raj Gandhi, Law Graduate.