Comment Re:Bull (Score 4, Informative) 94
I'm not an Australian, so I may be misunderstanding some of the terminology involved, but it's my understanding that they actually do owe him that information, based on National Privacy Principle 6 (NPP 6) from Australia's Privacy Act of 1988.
Here's a quick summary of the relevant NPP:
Access and correction
NPP 6 requires an organisation to give a person access to personal information that it holds about them, if requested. If a person establishes that the information is not accurate, complete or up-to-date, the organisation must take reasonable steps to correct the information. If the person and the organisation disagree about accuracy, and the person requests it, the organisation is required to include a statement that the individual claims that the information is not accurate, complete or up-to-date.
Organisations may deny an individual’s request for access to information about themselves in a limited range of circumstances. These include if:
- providing access would:
  - pose a serious and imminent threat to the life or health of any person (for health information the threat need not be imminent); or
  - have an unreasonable impact on other individuals’ privacy; or
  - prejudice negotiations between the organisation and the individual; or
  - be unlawful; or
  - prejudice an investigation of possible unlawful activity; or
  - prejudice law enforcement activities; or
  - cause damage to Australia’s security;
- the request for access is frivolous or vexatious;
- the law authorises or requires access to be denied; or
- the information relates to existing or anticipated legal proceedings between the organisation and the individual, and would not be accessible by the process of discovery in such proceedings.
An organisation must provide reasons for denial of access or for a refusal to correct personal information. If an organisation charges for providing personal information, those charges must not be excessive and must not apply to lodging a request for access.
Which is to say, unlike in the US, the data actually may be owed to the customer in this case if the customer makes a request for it. The organization may not provide the information, but they have an obligation to have a very good reason for having done so, else they should have provided the data.
Again, I may be misunderstanding things or unaware of later changes to the law, but I'll share what little I know in the hope that someone more knowledgeable can correct me if I'm off-base.