Customer Data Access & Correction Policy
| Code | PRI-006 |
| Domain | Privacy & Data Rights |
| Owner | Privacy Officer |
| Status | Draft |
| Applicability | Platform |
| Jurisdiction | NZ + AU |
| Business domain | BD01 |
| Review date | 2027-03-25 |
Regulations: Privacy Act 2020 · Privacy Act 1988 · Consumer Data Right (CDR) — Open Banking
Purpose
Govern the platform's obligations for handling requests from individuals to access, correct, or delete their personal information under the NZ Privacy Act 2020 and AU Privacy Act 1988.
Scope
All requests from individuals to access, correct, or delete personal information held by the platform in NZ and AU, received through any channel.
Policy statements
The platform SHALL maintain a process for receiving, acknowledging, and responding to individual privacy requests. The process SHALL be clearly communicated to customers in the platform's privacy policy and accessible via the platform's website and app.
Access requests SHALL be responded to within 20 working days of receipt in NZ (Privacy Act 2020) and within 30 days in AU (Privacy Act 1988). Where additional time is required, the customer SHALL be notified within the initial response period with the reason and an extended timeframe.
The platform SHALL verify the identity of the requestor before providing access to personal information. Identity verification SHALL be proportionate to the sensitivity of the information requested.
Access requests SHALL NOT be refused without a lawful basis. Where access is refused in whole or in part, the reason SHALL be provided to the requestor, and the requestor SHALL be informed of their right to complain to the Privacy Commissioner or OAIC.
Correction requests SHALL be responded to within 20 working days in NZ and 30 days in AU. Where the correction is made, the requestor SHALL be notified. Where correction is refused, the reason SHALL be provided and the requestor may require the platform to attach a statement of the requested correction to the records.
Deletion requests SHALL be assessed against the platform's retention obligations. Where deletion is not possible due to a legal obligation to retain, the customer SHALL be informed of the retention basis and the expected date of deletion.
All privacy requests and their outcomes SHALL be recorded in the data subject rights register. The register SHALL be reviewed monthly by the Privacy Officer and reported to the BRC annually.
Satisfying modules
| Module | Name | Mode | Description |
|---|---|---|---|
| MOD-148 | Privacy access request (DSAR) workflow | AUTO | DSAR workflow assembles the complete data inventory held about a customer across all platform systems — subject access fulfilment is automated, not manual. |
Compiled 2026-05-22 from source/entities/policies/PRI-006.yaml