Chapter 13

Australian Privacy Principle 10–quality of personal information

Introduction

13.1      Australian Privacy Principle 10 (APP 10) ensures that entities protect the quality of the personal information they collect, use and disclose. The Companion Guide notes that this principle will promote 'improved consistency of personal information handling practices by various entities' as well as reassure the public that entities will not use personal information that is 'based on misleading or erroneous information'.[1]

Background

13.2      The equivalent data quality principle is National Privacy Principle 3 (NPP 3), which requires private sector organisations to take reasonable steps to make sure that the personal information they collect, use or disclose is accurate, complete and up-to-date.

13.3      There is no equivalent Information Privacy Principle (IPP) which specifically covers data quality; however, there are aspects of IPP 3 and IPP 8 which relate to data quality. IPP 3, which regulates the general solicitation of personal information, provides that where an agency collects personal information, it must:

...take such steps (if any) as are in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is collected ... the information collected is relevant to that purpose and is up-to-date and complete.

13.4      IPP 8, which requires record keepers to check the accuracy of personal information before it is used, provides that an agency:

...who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up-to-date and complete.

13.5      There is currently no principle which regulates agencies at the time of disclosure of personal information.[2]

13.6      The ALRC stated that 'ensuring the quality of personal information that is collected, used and disclosed, is recognised as a fundamental obligation of agencies and organisations under the Privacy Act'. These principles ensure that personal information handled by organisations and agencies is maintained at a high standard. In addition, data quality obligations 'will lead to greater consistency of, and increased public confidence in, the handling of personal information'.[3]

13.7      The ALRC review focussed on:

13.8      The ALRC noted some inconsistencies between the current data quality requirements of the IPPs and NPPs. For example, IPP 8 imposes obligations on personal information that has been outsourced to another agency or organisation, as well as on an agency that holds information only on behalf of someone else. In addition, the IPPs include a provision that personal information collected, used or disclosed must be relevant.[4] The NPPs contain neither of these provisions.[5]

13.9      Furthermore, both IPP 3 and IPP 8 require that collection and usage occurs with regard to the 'purposes for which the information is collected', and 'having regard to the purpose for which the information is proposed to be used'. NPP 3 does not include such strict data quality provisions. The ALRC commented that these differences between the IPPs and the NPPs needed to be addressed when creating one universal principle applicable to both organisations and agencies.[6]

13.10         In regard to IPP 8, the ALRC remarked that this principle applies only to personal information in the agency's 'possession or control', not necessarily information being used by the agency. The ALRC was of the view that including this requirement in the data quality principle would create too high a compliance burden for agencies and organisations. This could also pose security risks for individuals as third parties would have to contact individuals to ensure the personal information they possess is accurate, up-to-date, complete and relevant.[7]

13.11         To strengthen the current privacy principles, the ALRC stated that the revised data quality principle should include a clause emphasising that information collected, used or disclosed should be relevant to the purposes of the collection, use or disclosure of the information. The ALRC noted that this would complement the 'Collection' privacy principle as it sets out similar provisions in relation to data collection. The ALRC also stated that it would be logical to continue with a principle which limits the use and disclosure of personal information 'to that which is relevant to the purpose of that use or disclosure'.[8]

13.12         Furthermore, the ALRC argued that 'the fact that an agency or organisation has legitimately collected personal information for a permitted purpose should not mean that it is necessarily allowed to use or disclose all of that information'.[9]

13.13         There was comment in the ALRC review on whether to allow organisations and agencies to collect information which is not necessarily relevant until sometime after it has been collected. The ALRC argued that IPP 3 already provides that agencies have to collect information that is relevant to the purpose for which it is collected. Collecting information before it is clear that the information could be relevant would be in breach of the 'Collection' privacy principle and the ALRC advised it should also be a breach of the data quality principle.[10]

13.14         In addition, the ALRC commented that the inclusion of the requirement to ensure personal information collected, used or disclosed is relevant, 'would [not] impede the legitimate functions of agencies and organisations'.[11]

13.15         The ALRC noted that submitters to the Office of the Privacy Commissioner (OPC) 2005 review of the Private Sector Provisions of the Privacy Act had raised concerns regarding the obligations of the data quality principle. The Privacy Commissioner review stated that:

Some organisations seem to consider that their obligations (under NPP 3) to keep personal information accurate, complete and up-to-date is an absolute obligation. Indeed, that it could be used to justify intruding upon an individual's privacy. However, obligations under the NPPs are not absolute.[12]

13.16         Submitters to the ALRC review remarked that it was not necessary to clarify that the obligations of the data quality principle were not absolute. Guidance on the issue has been published by OPC and the ALRC commented that this provided adequate clarification.[13]

Government Response

13.17         The Government accepted the ALRC's recommendations in relation to the data quality principle. The response noted that the requirements of the recommended unified principle would apply at the time of collection, use and disclosure. The Government noted that the inclusion of the phrase 'reasonable steps' 'reflect[ed] the intended proportional approach to compliance with this principle', including taking no steps if this was appropriate in the circumstances. Furthermore, the Government suggested the OPC publish guidance on the application of the data quality principle, including information on what constitutes reasonable steps.[14]

Issues

13.18         The data quality principle received broad support from many submitters to this inquiry.[15] The Office of the Victorian Privacy Commissioner remarked that it largely mirrors the existing NPP 3 and Victorian IPP 3.[16] The Health Services Commissioner of Victoria indicated that this principle is consistent with the equivalent Health Privacy Principle in the Health Services Act and, as such, was supported by the Commission. Further support was provided by Professor Greenleaf and Mr Waters, who recommended no changes to this principle and commented that it is a 'conventional principle of international standard'.[17]

13.19         The issues canvassed in submissions included the placement of APP 10 within the legislation, the concept of relevancy, and suggestions to expand the quality concept.

Structure

13.20         Privacy NSW recommended that if the privacy principles are to better reflect the information cycle, and how entities use personal information, APP 10 and APP 11 should be situated after the notification principle (APP 5) and before the use and disclosure principle (APP 6). Privacy NSW commented that the processes of ensuring quality and security of personal information should happen before decisions about use or disclosure of personal information occur.[18]

Relevance requirement

13.21         APP 10 contains two sections: APP 10(1) requires that entities take such steps (if any) as are reasonable in the circumstances to ensure that personal information collected is 'accurate, up-to-date and complete', while APP 10(2) requires that personal information used or disclosed is 'accurate, up-to-date, complete and relevant'.

13.22         Concerns about the exclusion of the concept of 'relevancy' to the collection of personal information (APP 10(1)) were raised by Dr Colin Barnett and the Law Institute of Victoria.[19] The Institute commented that 'entities should be obliged to collect, use and disclose only accurate, up-to-date, complete and relevant personal information'. This would be achieved by merging the two sections of APP 10 and would have the additional benefit of improving succinctness.[20]

13.23         The Department of the Prime Minister and Cabinet (the department) provided the committee with an explanation as to why 'relevant' was not included in proposed APP 10(1). The department stated that the proposed 'Collection' principle provides that personal information collected by an organisation should be 'reasonably necessary for, or directly related to, one or more of the entity's functions or activities'. The department submitted that 'including "relevant" in the collection-related data quality principle would have caused confusion with this overarching requirement in relation to collection'.[21]

13.24         The OPC commented on the relevance requirement in APP 10(2) and stated that it is not clear what is referred to by the term 'relevant'. The OPC went on to state that the 'relevance requirement should be linked to the purpose of use or disclosure' and that if the word 'relevant' is referring to the purpose of use or disclosure of information, this should be made more explicit in the wording of the principle. The OPC concluded that linking relevance to the purpose may give better effect to the policy intent of the ALRC's recommendation and the Government's Response to the recommendation which stated that:

Agencies and organisations should take reasonable steps to make certain that the personal information they collect, use or disclose is, with reference to the purposes of that collection, use or disclosure, accurate, complete, up-to-date and relevant. (emphasis added by the OPC).[22]

13.25         Privacy Law Consulting Australia raised a further matter in relation to the inclusion of the relevancy requirement in APP 10(2). It argued that entities adhering to APP 10(2) may be subject to privacy claims by individuals on new grounds, who could argue 'that a decision was made about them taking into account irrelevant information'. Privacy Law Consulting used the example of an insurance company refusing to provide an insurance policy to an individual, where the individual could claim that the insurer declined the service based on information not relevant to their application. Privacy Law Consulting submitted that these possible new grounds for privacy complaints will have 'significant implications for private sector organisations'. It argued that if this is not an intention of the principle, further consideration of the implications for organisations with the addition of the term 'relevant' should be made.[23]

13.26         In its answers to questions on notice, the department agreed that it would be possible under proposed APP 10(2) for individuals to make complaints about organisations if they did not take such steps (if any) as are reasonable in the circumstances to ensure that the personal information the organisation uses or discloses is accurate, up-to-date, complete and relevant. The department noted that this is consistent with the ALRC's recommendation that both organisations and agencies should have a data quality obligation with a 'relevance' element. The ALRC noted that it would complement the requirement in the 'Collection' principle that personal information collected by an organisation should be 'necessary for one or more of its functions or activities'.[24]

Information 'in control of an entity'

13.27         The Public Interest Advocacy Centre (PIAC) recommended that this principle should also apply to data already in control of an entity. PIAC argued that the burden for data quality in relation to sensitive information should be set higher than for other information and that the exclusion of information in control of an entity 'reduces the obligations that currently exist on agencies under IPP 8'. PIAC commented that the ALRC discussion on this matter did not deal sufficiently with the potential for data quality to be outside an entity's responsibility when data storage is outsourced. The ALRC was of the view that extending the principle to cover information in the control of an entity would impose an unjustified compliance burden on agencies and organisations (see paragraph 13.10). However, PIAC argued that while there may be an increased compliance burden on organisations, there would be no additional burden on agencies and concluded that 'the adoption of UPPs should not see a reduction in protection in respect of personal information held by government'.[25]

Misleading information

13.28         The Office of the Information Commissioner Queensland suggested that the word 'misleading' be included in APP 10 as 'information may be correct, up-to-date and complete, but may still create a misleading impression in the mind of the reader'. The Commission remarked that there is a difference between inaccurate information and misleading information.[26]

Compliance burden

13.29         Coles Supermarkets criticised the requirements of APP 10 to continually ensure personal information is correct and up-to-date. Coles argued that this will place high administrative and cost burdens on entities, particularly large companies which use automated systems like Coles, where individuals contact the company to ensure the accuracy of their personal information.[27]

Conclusion

13.30         The committee has considered the issues raised in submissions, the department's response and views expressed by the ALRC in relation to data quality and makes the following comments. First, in relation to the expansion of the data quality obligation to 'information in the control of' an entity, the committee notes that the ALRC was of the view that this provision would place too high a burden on entities and could also pose a privacy risk for individuals.[28] The committee is in concurrence with this view.

13.31         Secondly, in relation to the suggestion that the obligation in APP 10 be expanded to include 'misleading' information, the committee notes that the Companion Guide states that 'having this principle reassures the public that the use of their personal information by entities is not based on misleading or erroneous personal information'.[29] The committee also notes that the ALRC did not make reference to 'misleading' information in relation to data quality except to the extent that it commented on the differences that would arise between the 'Access and Correction' principle (which contains the reference to 'misleading' information) and the 'Data Quality' principle (which does not contain the reference). The ALRC stated that it 'considers this discrepancy to be appropriate, however, in light of the different context in which these principles operate'.[30]

13.32         In response to comments about the exclusion of the term 'misleading' in relation to the correction principle (APP 13) the department commented that it was not necessary to include the term 'misleading' in that principle as it was covered by the terms 'accurate' and 'relevant'. The committee therefore does not consider that the term 'misleading' needs to be included in APP 10.

13.33         Thirdly, the committee does not consider that the data quality provisions will increase the compliance burden for entities and notes that the requirements in APP 10 largely reflect those already contained in the National Privacy Principles.

13.34         Finally, in relation to comments about the term 'relevant', the committee notes that the obligations under APP 3 ensure that entities collect only personal information that is 'reasonably necessary for, or directly related to, one or more of the entity's functions or activities', that is, there is an implication of relevance to the entity's functions or activities. Thus, the inclusion of the term 'relevant' in APP 10(1) is redundant. However, the committee notes the comments made by the Office of the Privacy Commissioner in relation to the need to clarify the use of the term 'relevant' in APP 10(2). The committee considers that if the word 'relevant' is referring to the purpose of use or disclosure of information, then this meaning is unclear and that the provision should be redrafted to clarify the matter.

Recommendation 23

13.35         The committee recommends that proposed APP 10(2), pertaining to the quality of personal information disclosed by an entity, be re-drafted to make clear the intended use of the term 'relevant'.
