If someone requests their personal information, do we have to give it to them?

If you are an organisation, business or other agency, you have to comply with the Privacy Act and respond to a request for personal information from the person within a reasonable time. 

Principle 6 of the Privacy Act says if an agency holds personal information in a way that it can be readily be retrieved, it should confirm to the person asking for the information that it holds that information and give the person access to the information. The person requesting their information does not have to give a reason why they want access to it.

You don’t need to comply if there is another law which overrides the Privacy Act (for instance because it says you must not disclose specific information). Otherwise, you can only withhold someone’s personal information from them if you can rely on one of the withholding grounds set out in sections 27-29 of the Privacy Act. 

You can learn more about principle 6 and the right of access to information here.