Based on double-blind, peer-reviewed data from our July survey of Australian privacy professionals, most Aussie organizations do not charge processing fees for data subject access requests.
Full disclosure: there was no peer review. Australia's IAPP Knowledge Network chairs didn't use anything remotely scientific to come to that conclusion. We did, however, have a great turnout for our July Knowledge Network virtual meeting. Roughly 90 privacy pros participated in our "to charge or not to charge" discussions. Interestingly, most participants indicated their organizations, or those they worked with, contemplated charging fees. Some had gone as far as establishing fee schedules, but virtually none of the attendees put those procedures into practice. That begs the question, why?
On one hand, there are clear reasons to charge processing fees for DSARs. The most obvious is that private sector organizations and Australian government agencies dedicate significant resources, staff, information technology funds, security control efforts and a host of other costs to ensure compliance with the Australian Privacy Principles. As flagged in one breakout room, APP organizations almost certainly bake those costs into their products or service offerings. In other words, we all pay for the exercise of DSAR rights but, arguably, those making the DSARs should shoulder more of the actual costs.
On the other hand, DSARs are a core part of the government's policy objective of enabling individuals to control their personal information. According to many, privacy is a human right. And it follows that individuals should not be charged fees for exercising those rights. The Attorney-General's Privacy Act Review Report strongly signals that fees would act as a disincentive to exercising those rights.
The report recommends continuing with the Privacy Act's status quo, where government agencies cannot charge DSAR application fees or levy processing charges. In the private sector, the privacy reforms will bar APP organizations from charging application fees. However, private sector entities may charge nominal processing fees that are not excessive, where the organization has "produced a product" for DSAR applicants. Alliteration aside, that "product" is presumably some digital copy or other documentation.
Those terms spawn a host of other questions, both practical and theoretical, including: what is nominal or not excessive? And according to whom? The reasonable person is the common standard, which often creates more confusion than clarity. Besides the interpretative challenges, it would take a brave company to charge DSAR processing fees in light of Australia's recent spate of high-profile data breaches. Just imagine the complaints leveled at call center operators as they try to explain their company's policy is to charge a nominal fee for DSARs.
At the same time, companies have valid reasons to limit the scope of excessive DSARs, particularly those that can all but shut them down due to the breadth of the materials sought. Many participants flagged DSARs as often part of a wider dispute or grievance. Commonly, these are human resources and related employment matters, not to mention cheap forms of disclosure in the lead-up to litigation or preliminary "feelers" in a class action lawsuit. And the list goes on.
Adding to that list are thorny questions about where to draw the line between being a good corporate citizen and monopolizing the organization's time and resources with a minority of vocal DSAR applicants. One meeting participant flagged this as a particularly salient issue for not-for-profits and smaller organizations that do not have the expertise and resources to manage complex DSAR applications. Considering the impending demise of the small business as well as the employee records exemptions, and the expansion of DSARs under the privacy reforms, clear and effective guidance is needed to manage these issues.
The privacy reforms speak to these issues and have expanded the current APP "frivolous and vexatious" refusal standard to include a series of "technical exemptions," including DSARs that are "technically impossible, or unreasonable, and frivolous or vexatious to comply with the request."
I have a bit of experience in relation to these issues in the world of freedom of information, which has similar concepts, like substantial and unreasonable diversion of resources, for limiting the scope of FOI applications. While that may be a good starting point, there is limited case law on these issues. Plus, the Office of the Australian Information Commissioner's guidance is that a SUDR finding will depend on a variety of factors, including organization size, staffing, resources, and so forth. In other words, it depends.
Considering the private sector will be faced with a raft of changes with the reforms, it is unclear that "it depends" will suffice. My thought is that privacy professionals will need to tease out these issues themselves as we move forward with the privacy reform efforts. We will also need to develop protocols and standards for charging "nominal fees" and determining what constitutes a vexatious, technically impossible or unreasonable DSAR.
Another issue flagged at the July event is that organizations need to be honest and forthright in approaching these issues. That should help avoid running the gauntlet of furious customers, apoplectic members of the public and board members.
In my opinion, the golden rule is to communicate early and often. Spell out how your organization will deal with these issues in clear terms. Flag your policies on a public web page. Reiterate the policy or approach in all correspondence to DSAR applicants. And then rinse and repeat for every bit of correspondence to applicants.
A related issue is the need to ensure your organization keeps track of time spent on these matters. There's no point in establishing a policy limit for an "unreasonable" DSAR unless your privacy team logs the time spent at every step in the process. Translation: you'll need an audit trail. Cue the collective sigh.
But wait, there is an upside! The data can double as key performance indicators, talking points and ways to celebrate your organization's commitment to privacy principles and transparency on your website in annual reports and media releases. Finally, organizations should test their policies or standards regarding what is unreasonable and flag how the public can request fee waivers if they are suffering financially.
Do these points sound familiar? Particularly if you've worked in the FOI space or other right-to-information or RTI regimes? They should. I personally think these regimes will be logical touchpoints for managing DSARs when the privacy reforms become law.
DSARs are not an issue Australian privacy pros will be able to ignore. Why? In an IAPP seminar during 2023 Privacy Awareness Week in Sydney, our EU-based colleagues referred to DSARs as one of the biggest sleeper issues faced by privacy pros following the introduction of the EU General Data Protection Regulation. No need to despair, though. Forewarned is forearmed. We plan to hold monthly discussions focused on practical, nuts-and-bolts issues arising from the Australian government's plans to reform the Privacy Act and swap notes with other privacy pros.
Our next event 3 Aug. focuses on artificial intelligence, with some brilliant guests on tap. Our Aussie KNet chairs look forward to seeing you there. So register at the link and please watch this space.
If you want to comment on this post, you need to login.