Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo

Privacy Act 2020

Print | Email this page

Factsheet 5: Responding to access and correction requests

Download a copy of this factsheet (opens to PDF, 253KB).

Access and correction requests – Rule 6 and Rule 7

This factsheet covers:

  • Rule 6: Access to biometric information
  • Rule 7: Correcting biometric information

This factsheet provides a summary of our guidance on rules 6 and 7. See the full guidance for more detailed information.

Rule 6: Access requests

Under rule 6 of the Code, people are entitled to receive from an organisation, on request:

  • confirmation of whether the organisation holds any biometric information about them; and 
  • confirmation of the type of biometric information the organisation holds about them; and
  • access to their biometric information.

If an organisation receives a request for biometric information, even if the requestor doesn’t mention the Biometrics Code or the Privacy Act, the organisation needs to determine whether it holds any biometric information about that person, what type of information it is and then decide whether and how to provide the person with access to their information.

Confirming the type of biometric information means telling the person what kind of biometric information the organisation holds about the person – for example, a biometric sample (e.g. a facial image or fingerprint scan) or a biometric template or model (e.g. numerical representation of their facial features or fingerprint ridges).

If an organisation holds information about the person requesting access, the organisation must provide the individual with access to their information unless one of the exceptions applies (for example, if providing the person with access to their information would likely to cause a serious threat to someone’s life, health or safety).

Part 4 of the Privacy Act has more information about how organisations must respond to access requests.

Rule 7: Responding to correction requests

Under rule 7, a person has the right to ask an organisation to correct information about them if they think it’s wrong. If the organisation doesn’t agree that the information needs correcting, the individual can ask the organisation to attach a statement of correction to their records and the organisation must take reasonable steps to do so.

If an organisation corrects someone’s biometric information or attaches a statement of correction to it, it must also take reasonable steps to inform every other person the organisation disclosed that person’s biometric information to about the correction.

Correcting someone’s biometric information could involve:

  • Completely removing the individual’s information from the organisation’s system and re-enrolling them with new information, e.g. a new image or biometric sample.
  • Removing someone entirely from the system if they have been incorrectly identified and should not be enrolled.
  • Adding a person’s statement of correction alongside their biometric information within the system, so it’s always read alongside that information.
  • Regenerating a biometric template based on an existing biometric sample, for example if there have been updates to the biometrics system.

Where to go for more information

Back to top