Employee Data Privacy

Australia - Employee Access Rights

 Download as a PDF

Do individuals have the right to access their personal information?


Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.


Companies are required to provide employees and other individuals with access to their personal information upon request. Employees are given this right under the Privacy Act and employment laws. Entities should:

  • state how individuals can request access to their personal data in a Privacy Policy;
  • not require an individual to submit personal information requests in a particular way (i.e. you can provide a form or online portal, but individuals can’t be required to use it to request their data);
  • verify the individual’s identity before releasing any information;
  • provide access or written refusal within a reasonable period (generally 30 days);
  • provide access in the manner requested (if reasonable and practicable); and,
  • in the event of a refusal, provide written notice explaining the reason why the request was refused and inform them of available compliant mechanisms.

Organizations cannot charge individuals for submitting personal information requests, but can charge individuals for providing access, as long as it’s not excessive (and does not exceed the cost incurred by the individual giving access).


Businesses should verify the identity of the individual before providing any information. There are no formal requirements for how a request is made. Companies can refuse access in certain circumstances, including:

  • if access would unreasonably impact the privacy of others;
  • when denying access is required or authorized by law or a court order.

 Note that there are also limitations in terms of providing access in health records legislation.


HR Best Practices: When processing an access request from an employee, make sure not to disclose information connected to other employees. Processors and sub-processors should establish official procedures and contacts for employee requests.


UKG's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where UKG's customers have employees. HR Compliance Assist is a service exclusively available to UKG customers.

Share Your Feedback

Let's Talk