The Situation
What They Said
“We don't have to show you what information we hold about you.”
Access to personal information is a foundational privacy right — it is the mechanism through which individuals can check what organisations know about them, identify errors that affect their interests, and monitor whether their information is being handled appropriately. Without this access, all other privacy rights become difficult to enforce: you cannot correct information you cannot see, challenge uses you are not aware of, or identify breaches you have no knowledge of.
Despite being a clear statutory right under the Privacy Act 1988 (Cth), access requests are frequently refused, delayed, or responded to incompletely. Common refusal grounds offered by organisations include claims that the request is too broad, that locating the information would be unreasonably burdensome, that the information is covered by legal professional privilege, or simply that they do not provide this service. Some organisations genuinely do not understand their obligations; others deliberately resist because disclosure would reveal poor data practices, errors, or sharing arrangements they do not want scrutinised.
The OAIC regularly receives complaints about access request refusals and delays. Under the Privacy Act, organisations must respond to access requests within 30 days, must give access unless a specific exception applies, and must not charge an excessive fee for access. Where access is refused, the organisation must tell the individual which exception they are relying on and advise that the individual may make a complaint to the OAIC. Many individuals who receive a flat refusal with no explanation do not know this pathway exists.
The Fallacy
Organisational Data Sovereignty Fallacy
The organisation is asserting that personal information it holds is its own property to manage as it sees fit — including by refusing the subject of that information the right to see it. This is a fundamental mischaracterisation of the legal relationship between an organisation and the personal information it collects. Under Australian privacy law, personal information about an individual does not become the exclusive property of the entity that holds it. The individual whose information it is retains significant rights over it — including the right of access under APP 12.
The fallacy is reinforced by the bureaucratic confidence with which it is often delivered. A flat 'we don't have to show you' sounds authoritative. But it is only accurate if the organisation can identify a specific, lawful exception to the access right under the Privacy Act — and even where an exception applies, the organisation must tell the individual which exception they are relying on, cannot simply refuse without explanation, and cannot use the exception more broadly than the law allows.
This fallacy also suppresses the individual's ability to enforce their other privacy rights. An organisation that refuses access is effectively insulating itself from scrutiny — the individual cannot identify errors, challenge misuse, or understand what information is being shared if they cannot see the information in the first place. The access right is the gateway right, and organisations that refuse it without lawful grounds are obstructing the entire privacy framework.
What the Law Says
Your Legal Foundation
Privacy Act 1988 (Cth)
Australian Privacy Principle 12 — Access to Personal Information — Individual's Right to Access Their Personal Information
“If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information. The entity must respond to the request within a reasonable period (not exceeding 30 days) and must give access in the manner requested if it is reasonable and practicable to do so.”
APP 12 creates a clear and enforceable right: if the organisation holds your personal information, you can ask to see it, and they must provide it within 30 days. The right is not conditional on the individual proving they need the information or providing a reason for the request. The burden is on the organisation to identify a lawful exception if it refuses — not on the individual to justify the request.
Privacy Act 1988 (Cth)
Australian Privacy Principle 12.3 — Exceptions to the Right of Access — Limited Grounds for Refusing Access
“An APP entity may refuse to give access if access would pose a serious threat to the life, health or safety of any individual; access would have an unreasonable impact on the privacy of other individuals; the request is frivolous or vexatious; the information relates to anticipated legal proceedings; the information is subject to legal professional privilege; disclosure is unlawful; or the information is evaluative information in connection with a commercially sensitive decision-making process.”
The exceptions to APP 12 are specific and limited. A general claim that the organisation does not provide access, or that it would be difficult or inconvenient, does not meet any of the statutory exceptions. If an organisation refuses access, it must state which exception it is relying on. A refusal without specifying the applicable exception is itself a breach of the Privacy Act.
Privacy Act 1988 (Cth)
Section 36 — Complaints to the OAIC — Complaint to the Office of the Australian Information Commissioner
“An individual may complain to the Commissioner about an act or practice of an agency or organisation that may be an interference with the privacy of the individual. A complaint may be made where an organisation has refused access to personal information in breach of APP 12.”
An individual whose access request has been refused without valid legal grounds can lodge a complaint with the OAIC. The OAIC has power to investigate the complaint, require the organisation to provide access, and in serious cases to seek civil penalty orders against the organisation. The complaint process is free and the OAIC's website provides a straightforward guide to submitting a complaint online.
What Scripture Says
God's Word on This
Luke 8:17 (NIV)
“For there is nothing hidden that will not be disclosed, and nothing concealed that will not be known or brought out into the open.”
Jesus' principle of disclosure applies with particular force to those who hold information about others. Information that shapes a person's life — their credit record, their health data, their employment file — cannot ethically be kept secret from the very person it concerns. The right of access under the Privacy Act expresses the same principle: what is held about you should not be concealed from you.
Proverbs 12:17 (NIV)
“An honest witness tells the truth, but a false witness tells lies.”
An organisation that holds incorrect personal information about an individual — and refuses to allow that individual to see and correct it — may be allowing false information to circulate unchallenged, affecting the individual's reputation, credit, employment, or insurance. The right of access exists to enable individuals to ensure that the information affecting their life is accurate and true, which is a matter of basic honesty that Scripture affirms.
🔒
You Know the Law — But Do You Know What to Say?
Reading your rights is one thing. Using them under pressure — calmly, correctly, in the right words — is what actually protects you. Members get the scripted rebuttal for this exact situation: what to say first, what to say if they push back, the tone to use, and the constitutional provision to cite. Practise out loud with audio until it's automatic.
Unlock This Scenario — R89/month
Identity & Dignity and Gender & Equality are free · All 17 domains from R89/month · Cancel anytime
Not ready to subscribe? Get the free checklist first.
10 South African rights scenarios — what to say, what to cite, what to refuse. Free, no card needed.
What They'll Say Next
Common Counter-Arguments
After you respond, they may push back with these arguments. Members get the full rebuttal for each.
They might say: “We charge a $50 fee for access requests — that's our policy.”
🔒 Subscribe to see the full rebuttal and legal counter-argument.
They might say: “The information you're asking about is held by our overseas parent company, not us — we don't hold that information.”
🔒 Subscribe to see the full rebuttal and legal counter-argument.
Know Your Rights. Know Your Word.
149 South African rights scenarios — exact rebuttals, constitutional law, and Scripture. Practise out loud with audio. Free to start with 2 full domains.
Try Free — Identity & Dignity
No credit card · Upgrade anytime for all 17 domains