Accessing Government Information: Know Your Rights

If you’ve ever felt stuck waiting for answers from a government department, you’re not alone. The good news is that, in Australia, you have strong rights to request and access government-held information - and in many cases, you can correct it if it’s about you.

Whether you’re a small business owner checking what data a regulator holds, a contractor seeking tender documents, or a founder wanting clarity on a decision that impacts your licence or grant, understanding these rights can save you time, reduce costs, and help you make informed decisions.

In this guide, we break down the Freedom of Information (FOI) framework across Australia, what you can (and can’t) access, how to make a request that actually gets results, and what to do if you’re refused. We’ll also cover privacy law pathways to access and correct your personal information, which often sit alongside FOI and can be faster.

What Is Freedom Of Information (FOI) In Australia?

Freedom of Information laws give you the legal right to request access to information held by government agencies. At the Commonwealth level, this is set out in the Freedom of Information Act 1982 (Cth). Each state and territory has equivalent laws that apply to their own public sector bodies (and sometimes local councils).

In simple terms, FOI laws aim to make government more transparent and accountable. They allow people and businesses to:

• Request copies of documents held by agencies (emails, reports, briefings, contracts, file notes, and more)
• Ask for reasons behind administrative decisions affecting them
• Seek correction of personal information that is inaccurate, out of date, incomplete or misleading

FOI rights are broad - but they’re not unlimited. Certain documents are exempt (for example, those affecting national security, cabinet deliberations, or someone else’s personal privacy). We’ll unpack these below so you know what to expect.

Which Law Applies To You?

Your rights depend on the level of government and the agency you’re dealing with. As a rule of thumb:

• Commonwealth agencies (e.g. ATO, ASIC, ACCC, Services Australia): Freedom of Information Act 1982 (Cth).
• New South Wales public sector and local councils: Government Information (Public Access) Act 2009 (NSW) - often called GIPA.
• Queensland: Right to Information Act 2009 (Qld) and Information Privacy Act 2009 (Qld) for personal information.
• Victoria: Freedom of Information Act 1982 (Vic).
• Other states and territories: Similar FOI or Right to Information legislation applies.

Not sure which agency holds the information? Start by identifying the decision, program, licence or interaction you’re asking about, then work out which level of government is responsible. If in doubt, call the agency’s FOI or Right to Information team - they can usually point you in the right direction or help you re-direct your request.

It’s also worth remembering that FOI is only one pathway. If you’re seeking your personal information, privacy law often provides a parallel right of access (and correction) that can be more streamlined. For example, an agency’s Privacy Policy usually explains how to request access to your data without using FOI.

What Can You Access - And What’s Excluded?

FOI covers “documents” in the agency’s possession, which is interpreted widely. It can include:

• Emails and correspondence (including attachments)
• Briefings, reports, memos and meeting minutes
• Contracts, tender documents and procurement records
• Policies, procedures and guidance materials
• Audio, video or photographic records
• Datasets and spreadsheets (where they already exist in that form)

However, there are common exemptions and practical limits:

• Deliberative processes: Drafts or opinion documents prepared to help a decision-maker form a view may be exempt if disclosure would harm frank discussion.
• Cabinet and national security: Cabinet-related papers and material affecting defence or national security are typically exempt at the Commonwealth level.
• Personal privacy: Information about other individuals is often redacted unless disclosure is reasonable and lawful.
• Commercial-in-confidence: Sensitive business information (including trade secrets) may be exempt if disclosure would unreasonably affect a person or company.
• Legal professional privilege: Confidential lawyer-client communications and legal advice are generally exempt.
• Unreasonable diversion of resources: Very broad requests can be refused if processing them would substantially and unreasonably divert the agency’s resources.

For small businesses, the commercial-in-confidence and personal privacy exemptions are the ones you’ll encounter most. If you’re seeking competitor or supplier information within a government contract, expect some redactions where disclosure would cause harm. If you’re after your own submissions or correspondence, those are usually easier to obtain.

Some information may be published proactively. Many agencies release reports and contracts above certain thresholds (sometimes called “disclosure logs” or “contracts registers”). It’s worth checking the agency’s website first - you might not need to lodge a request at all.

How Do You Make An FOI Request That Works?

Getting clear about what you actually need is half the battle. A focused request can save weeks of back-and-forth and reduce fees. Here’s a practical process that works well.

1) Define Your Purpose And Narrow The Scope

Start by writing down why you want the information. Then list the specific documents likely to exist (for example, “the briefing prepared for the delegate who decided our grant application in March 2024” or “email correspondence between and concerning from 1 Jan to 31 Mar 2024”).

Narrowing by date range, subject matter, and custodians (names or teams) will help the agency find your documents without triggering a refusal for being too broad.

2) Check If The Information Is Already Public

Search the agency’s disclosure log, contracts register and publications. If the information is published, you can access it immediately without a formal request. Some agencies also publish decision-making principles or standard operating procedures that answer many common questions.

3) Use The Right Channel And Include Essentials

Most agencies have an online FOI form or a dedicated email address listed on their website. In your request, include:

• Your name and contact details
• A statement that you’re making a request under the relevant FOI/Right to Information law
• A clear description of the documents you’re seeking (dates, subjects, teams, names)
• Your preferred access method (copies via email are common)
• Any request for fee reduction or waiver (for example, financial hardship or public interest)

For personal information, agencies may ask you to verify your identity. Having a simple, standardised Access Request Form for your own business can also streamline requests you receive from customers or staff.

4) Engage Early To Refine Your Request

Agencies will often contact you to clarify scope or to suggest a narrower request to avoid heavy fees. Be responsive. It’s usually better to split a broad request into phases than risk a refusal on “diversion of resources” grounds.

If you need to understand the agency’s systems to refine your request, ask for a phone call. A 10-minute chat can save weeks of processing time.

5) Track Timeframes And Keep Records

FOI laws set statutory timeframes for acknowledging and deciding requests (often around 30 days, with extensions available). Keep a simple timeline of what you’ve sent and when responses are due. If the agency seeks an extension or third-party consultation, make sure you understand the new due date.

If you’re running a business that handles personal information, pair your external requests with internal housekeeping. Strong data retention practices and a clear Privacy Policy will make it easier to locate and review your own records when customers exercise their rights.

Fees, Refusals And Reviews: What Are Your Options?

Agencies can charge fees for search, decision-making and copying (particularly for non-personal information). In some jurisdictions, there’s no fee to request personal information, and you can ask for fee reductions on hardship or public interest grounds. If you get a fee estimate that looks high, ask the agency to help you narrow the scope before you commit.

If an agency refuses access (or gives only partial access), it must explain the reasons and the exemptions relied upon. You usually have multiple review options:

• Internal review within the agency (a different decision-maker reconsiders the decision)
• External review by the relevant Information Commissioner or a tribunal (e.g. OAIC for Commonwealth FOI)
• Complaint pathways for process issues (e.g. delays or poor handling)

When preparing a review, focus on why disclosure wouldn’t cause the harm claimed by the exemption, or why the public interest balances in favour of release. Pointing to material already in the public domain (like contract summaries or policy statements) can be persuasive.

For privacy-related refusals (access to your personal information), there are additional avenues under privacy frameworks. Having a documented Privacy Complaint Handling Procedure in your business is a smart way to manage issues before they escalate - and it’s something regulators look for if a complaint progresses.

FOI Vs Privacy: Accessing And Correcting Your Personal Information

FOI isn’t your only option, especially when the request is about your own personal information. Australia’s privacy laws (the Privacy Act 1988 (Cth) and state privacy laws) include rights to access and correct personal information held by many public and private organisations.

If your request is clearly personal information (for example, your file notes, application records, or call logs about you), the privacy pathway can often be faster and may have no fees. It’s also the primary route for access to personal information held by private sector organisations.

For businesses, it’s essential to set up internal processes to handle these requests from customers and staff. That usually includes a concise Privacy Collection Notice, a transparent Privacy Policy, and a practical Access Request Form so you can verify identity, locate records and respond on time.

It’s common to see confusion between “privacy” and “confidentiality”. Privacy relates to personal information about individuals, while confidentiality is about keeping certain information secret under contract or duty - both matter when responding to requests. If this distinction is new to you, it’s worth reading about the difference between privacy and confidentiality.

You might also hear about the “right to be forgotten.” While Australian law doesn’t use that exact phrase the way the EU does, there are circumstances where individuals can request deletion or de-indexing. We cover the Australian position here: Right To Be Forgotten.

If your request is complex, involves multiple third parties, or could impact ongoing investigations, it’s a good idea to get tailored privacy advice before you proceed. A short consult can help you choose the best pathway, refine your scope, and avoid unnecessary delay or cost.

Tips To Maximise Your Chances Of Success

A bit of planning goes a long way with FOI and privacy requests. Here are practical tips we share with business owners.

• Be precise, not exhaustive: Ask for the key decision brief rather than “all documents” about a topic. You can always make a second request if needed.
• Use time and custodian filters: Limit your request by date range and relevant teams to avoid diversion-of-resources refusals.
• Ask for administrative release first: Many agencies will provide some information informally without a formal FOI process, particularly for simple items.
• Choose the right pathway: Use FOI for general government documents and the privacy access route for your personal information.
• Mind third-party interests: If your request touches on a vendor’s trade secrets or another person’s privacy, expect consultation and potential redactions.
• Keep your own house in order: Clear data maps, retention policies and request-handling processes make it easier to comply when someone asks your business for information. If you’re building or updating governance, start with a fit-for-purpose Privacy Policy and internal procedures.
• Know when to escalate: If a deadline is missed or the response is incomplete, use the review options - they exist to keep the system working.

If you handle personal information as part of your business, it’s wise to train your team on receiving and escalating requests promptly. Pair that with a practical policy set and you’ll reduce risk and response time. If you’re setting up or refreshing your privacy framework, a quick chat with a data privacy lawyer can help you prioritise what to implement first.

Common Pitfalls (And How To Avoid Them)

Even well-prepared requests can hit speed bumps. Here are traps we see - and how to steer clear.

• Overly broad wording: “All documents about since 2015.” Fix it by defining a tight date range, naming the decision, and identifying the teams or decision-makers involved.
• Fishing expeditions: FOI isn’t a substitute for discovery. Start with known touchpoints (briefs, decision records, communications with your business) before expanding.
• Missing the right agency: Spend an extra 10 minutes confirming which body holds the records. If multiple agencies are involved, file parallel requests - don’t assume they’ll move it for you.
• Ignoring charge estimates: If a fee estimate looks high, ask for help to refine scope. You may find 80% of what you need sits in a single briefing package or decision record.
• Conflating privacy and FOI: Use privacy access rights for your personal information and FOI for broader records. They’re different tools - pick the one that fits the job.

For businesses, the most common internal pitfall is not having a clear playbook when a customer or employee asks for their information. A straightforward Access Request Form, a central contact point, and a documented response process will make your life easier - and put you in a strong position if a regulator ever asks how you handle requests.

Key Takeaways

• Australia’s FOI and Right to Information laws give you strong rights to access government-held information, with separate privacy access rights for personal data.
• Scope is everything: precise requests by timeframe, topic and custodians move faster and cost less than broad “all documents” requests.
• Expect some exemptions (privacy, commercial-in-confidence, legal privilege); if refused, you can seek internal and external review.
• For personal information, the privacy pathway is often quicker - pair your approach with clear internal processes and a transparent Privacy Policy.
• Set your business up to respond efficiently to requests with an Access Request Form and a practical complaint handling procedure.
• If your matter is sensitive or complex, getting targeted privacy advice early can save time and avoid missteps.

If you’d like a consultation on accessing government information or setting up your privacy and request-handling framework, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.