Chapter 16

Australian Privacy Principle 13 – correction of personal information

Introduction

16.1      Australian Privacy Principle 13 (APP 13) defines when, and how, individuals can have personal information which is held about them corrected if it is inaccurate, out-of-date, incomplete or irrelevant. The Companion Guide notes that online technological advances are allowing individuals greater ease in gaining access to their own personal information through personal profiles on websites. The Companion Guide commends the online personal profile approach as 'good privacy practice' as it 'ensures individuals have control of their personal information'.[1]

Background

16.2      Access to, and correction of, personal information held by agencies is currently regulated by a combination of provisions of the Freedom of Information Act 1982 (FOI Act) and Information Privacy Principles 6 and 7 (IPP 6 and IPP 7). IPP 7 provides that an agency must take such steps, if any, as are reasonable to ensure that personal information recorded is accurate and relevant, up-to-date, complete and not misleading. This provision is subject to any applicable limitation in a law of the Commonwealth that provides a right to require the correction or amendment of documents. IPP 7 also provides that, if the agency is not willing to amend a record as requested by an individual, then the individual may request that a statement be attached to the record and the agency must take reasonable steps to comply with this request.

16.3      Access to, and correction of, personal information held by organisations is currently regulated under National Privacy Principle (NPP 6). NPP 6.5 provides that an organisation must take reasonable steps to correct personal information that it holds, if the individual to whom it relates is able to establish that it is not accurate, complete and up-to-date. If there is a disagreement about the accuracy of the information, the individual may request that the organisation attach a statement to the information and the organisation must take reasonable steps to do so.[2]

16.4      The Australian Law Reform Commission (ALRC) recommended that the access and correction principles be formulated to apply to both agencies and organisations in one unified principle.[3] The ALRC also addressed the following issues:

16.5      The ALRC accepted that individuals should be provided with the right to correct personal information held about them by agencies and organisations where the information is misleading or not accurate, relevant, up-to-date or complete. The ALRC noted that while these elements are the same as those in the IPPs, they impose two additional elements on organisations – the elements of 'relevant' and 'not misleading'.[5]

16.6      In relation to the burden of proof to establish that personal information is not correct, the ALRC noted that IPP 7 and NPP 6 contain different obligations: the NPP requires that the individual to whom the information relates must establish that it is not accurate, complete and up-to-date, while the IPP places a positive obligation on agencies to take steps to ensure that the personal information they hold is correct. The ALRC concluded that the provisions of the NPP result in uncertainty in the event of a complaint and, therefore, the positive obligation to hold correct personal information should apply to both agencies and organisations. In addition, the ALRC stated that it did not anticipate that this change 'will affect significantly the practical operation of the correction requirements for organisations'.[6]

16.7      There are a number of ways in which personal information may be corrected including by amending the record, deleting the incorrect material or adding to the material. The ALRC recommended that the Office of the Privacy Commissioner (OPC) develop guidance to address the manner in which personal information can be corrected. The ALRC also commented that guidance should discuss potential conflicts between the requirements of the principle and other record keeping obligations including those under the Archives Act 1983.[7]

16.8      In addition, the ALRC considered the issue of notification of third parties where an entity has corrected personal information. This matter was discussed widely with stakeholders during the review, with the ALRC concluding that if an entity has corrected information it should be required to notify any other entities to which it has disclosed the information of the correction, if requested to do so by the individual. While stakeholders raised concerns about the cost this requirement may impose on entities, the ALRC was of the view that the 'reasonable steps' requirement would offer sufficient flexibility to cover all situations adequately.[8]

16.9      Other issues addressed by the ALRC were as follows:

Government response

16.10         The Government accepted that the right of an individual to access and correct personal information should apply to both agencies and organisations and that it be provided for under a single principle. In relation to the correction element of the principle, the Government accepted the recommendation in relation to correction of information and notification of third parties. The Government accepted in principle the ALRC's recommendation relating to the association of a statement with a record which contains personal information which the entity is not willing to correct, if requested to do so by the individual concerned. However, in the Government's view the part of the recommendation referring to agencies was unnecessary because of impending amendments to the FOI Act.[11]

16.11         The ALRC's recommendation that when an entity refuses to make corrections, the entity must notify the individual of the reasons for the refusal and of potential avenues for complaint was accepted with amendment. The Government noted that the principle should explicitly provide for situations where providing reasons for the refusal to make corrections would undermine the reasons for denying the request, for example, in instances where providing information to the individual would prejudice a criminal investigation.[12]

Issues

16.12         Submitters generally supported the provisions of APP 13.[13] Yahoo!7, for example, noted that APP 13 'recognises that the timing and nature of consent will require a flexible approach'.[14] Similarly, Westpac supported the approach of 'reasonableness' when determining timeframes for responses to individuals, rather than the inclusion of specified timeframes. Westpac further suggested that the OPC work closely with industry in developing flexible and appropriate guidance on applying 'reasonableness' to response timeframes.[15] The Office of the Health Services Commissioner (OHSC), Victoria, also supported the correction principle and noted that APP 13 is consistent with current standards under the Health Records Act (Vic).[16]

16.13         However, the National Australia Bank (NAB) identified two concerns with APP 13: first, the new obligation that where an entity is satisfied that information held is inaccurate, out-of-date, incomplete or irrelevant (APP 13(1)(b)(i)) it must take steps to correct the information. NAB argued that this may conflict with the obligation in APP 3(5) to only collect information from the individual (unless unreasonable or impractical to do so) and gave the example of an entity learning from a third party that information is inaccurate or out-dated. Secondly, NAB submitted that it should not be open to individuals to determine or decide whether an entity holds 'relevant' information as individuals cannot be expected to know or decide on behalf of an entity what types of information are relevant for it to hold (APP 13(1)(b)(ii)).[17] NAB gave the example of a former address which may be irrelevant for some purposes but relevant for others. NAB concluded that 'the protections sought by this reform are already inherent within draft Australian Privacy Principles 3 and 11 in prohibiting entities from collecting "unnecessary" information and in the obligation to destroy or de-identify information if it is no longer needed for any purpose'.[18]

16.14         Privacy Law Consulting Australia took issue with 'correcting' information to ensure that it is relevant. Privacy Law Consulting Australia argued that:

It is unclear what is meant by "correct" in this context since privacy issues posed by use of irrelevant information are not addressed through correction. The terminology should be amended accordingly.[19]

Correction – APP 13(1)

16.15         In relation to APP 13(1) – the obligation to ensure that personal information is accurate, up-to-date, complete and relevant – comments went to the compliance burden and the need to include 'misleading' information in this APP.

16.16         Coles Supermarkets (Coles) voiced concern about the burden imposed by the obligation. Coles noted that it relies on information that it collects being accurate at the time of its collection. It has processes that enable individuals to contact Coles or access Coles' systems to correct errors in their personal information. However, given the size of its operations, Coles commented that it is likely that it would be impractical to check the ongoing accuracy of personal information it has collected.[20]

16.17         The Australian Bankers' Association (ABA) argued that the obligation to correct information may be interpreted in such a way as to require an entity to 'continuously monitor and review personal information that it holds whether prompted to do so or not'. The ABA went on to comment that it did not believe that this was the intention of this principle and sought clarification. The ABA also submitted that banks should be able to comply with this obligation through appropriate review processes, reasonably designed to address the risk of obsolete information being used inappropriately. Otherwise:

...the costs to banks of routinely reviewing personal information held by them compared to the negligible benefit to their customers would be unjustifiable on any costs and benefits assessment.[21]

16.18         The Financial Services Council suggested that entities should be obliged to correct personal information only when requested by the individual as 'this ensures that the individual has confirmed that the information is inaccurate and should be amended or deleted'.[22]

16.19         Both the OPC and the Office of the Information Commissioner, Queensland, (OIC) noted that APP 13 does not include a reference to 'misleading' personal information. The OPC noted that the ALRC's recommendation, which was accepted by the Government, proposed that 'misleading' information should also be corrected.[23] The OIC commented that situations may arise where information may be correct, up-to-date and complete, but may still create a misleading impression in the mind of a reader. The OIC went on to comment:

There is a distinction between a misleading impression and an inaccuracy, although there will often be significant overlap; inaccurate facts may well be misleading. However, accurate facts may also give a misleading impression, either because they are incomplete or because the language used in recording the facts could convey a misleading impression.[24]

16.20         The OPC concluded that it may be preferable to include the term 'misleading'.[25]

16.21         In response to concerns that 'misleading' information may not be caught within this obligation, the Department of the Prime Minister and Cabinet (the department) acknowledged that the ALRC recommended a 'misleading' element be included within the 'Access and Correction' principle. However, the department went on to state that:

During the course of drafting the provisions, it became clear that it was not necessary to include "misleading" as it was covered by "accurate" and "relevant", and it would create an inconsistency with APP 10 about quality of personal information, in which entities have to ensure the personal information they use or disclose is "accurate, up-to-date, complete and relevant".[26]

Notification of correction to third parties – APP 13(3)

16.22         Similar to the comments received about APP 13(1), submitters raised concern about the compliance burden imposed by the obligation to notify third parties of correction to personal information when requested to do so by an individual. In addition, submitters commented on the need for an individual to request notification of third parties and the potential for frivolous or unduly onerous requests.

16.23         Coles argued that the obligation to advise individuals and third parties of corrections under APP 13(3) is 'likely to be administratively burdensome for large organisations with automated systems and raises real concerns regarding compliance and the cost of compliance with these obligations for organisations like Coles'.[27] This concern was supported by the Communications Council which stated that such an obligation 'raises real concerns regarding compliance costs'.[28] The Law Council of Australia (LCA) added its concern on this issue and commented that the obligation to notify third parties would not only impose a 'potentially heavy burden', but also may actually discourage entities from keeping records of disclosures, so as to make it 'impracticable' to notify third party entities of corrections.[29]

16.24         Privacy Law Consulting Australia also suggested that, for many entities, updating policies, procedures and systems to record the parties to whom information is disclosed would be a logistically complex and financially burdensome process. Privacy Law Consulting Australia suggested that:

...to ensure entities are not put to unnecessary expense in the belief that a higher level of obligation exists than that which actually applies, the meaning of "reasonable in the circumstances" and "impracticable" should be clarified.[30]

16.25         The Financial Services Council (FSC) raised a concern similar to that raised by Privacy Law Consulting Australia: in order to comply with APP 13(3), entities would need to maintain lists of third party disclosures, and of the particular personal information disclosed. The FSC considered maintaining such lists would 'create a particularly onerous administrative burden on FSC members, and is likely to result in significant compliance costs for the financial services industry'.[31]

16.26         Qantas submitted that an exception should be added to APP 13(3), regulating 'frivolous or unduly onerous requests':

To prevent the scope for misuse, Qantas submits that there should be exceptions for frivolous or unduly onerous requests. For example, in the case of a name change due to marriage, the responsibility to notify such changes to relevant parties should remain with the individual, rather than the entity.[32]

16.27         The department responded to concerns about compliance burden and commented that it believed that the qualifications in APP 13(3) of 'reasonable steps (if any)' and 'practicability' will provide the necessary flexibility in the obligation to ensure it does not create an onerous compliance burden. In addition, it is anticipated that guidance from the Australian Information Commissioner (AIC) will be necessary to assist agencies and organisations to comply with the obligation.

16.28         The department noted that the ALRC report identified factors that should be considered when assessing whether it would be reasonable and practicable for an entity to notify third parties to which it has disclosed incorrect information. These factors include whether the agency or organisation has an ongoing relationship with the entity to which it has disclosed the information, the materiality of the correction, the length of time that has elapsed since the information was disclosed and the likelihood that it is still in active use by the third party, the number of entities that would need to be contacted by the agency or organisation and the potential consequence for the individual of the use and disclosure of the incorrect information.[33]

16.29         Professor Graham Greenleaf and Mr Nigel Waters supported the obligation to notify third parties; however, they submitted that 'it still leaves it to the individual to identify the recipient, rather than to request "please notify all previous recipients of the incorrect information".'[34] This matter was also the subject of comment by the Law Institute of Victoria (LIV). The LIV stated:

The LIV questions why an individual should have to request this notification, particularly where the individual is unaware of the error or to whom the entity has disclosed information or even that information has been disclosed. Entities should be expected to have better records of disclosures to other entities than individuals. The LIV therefore submits that the obligation should be on entities to notify everyone to whom it has disclosed information of the correction.[35]

Refusal to correct information

16.30         Telstra submitted that the obligation on entities under APP 13(4) to provide individuals with written notification of refusals to correct information would render the process of refusing to make corrections more complex than need be and commented that 'in our experience a refusal to correct information is often quite straightforward and a verbal explanation of the reasons would be sufficient'. Telstra suggested that entities should provide individuals with written notice of refusals only when the individual requests written notification. Providing automatic written notification at every instance 'would slow down the process and more than likely inconvenience the person while increasing the compliance burden on us'.[36]

16.31         The LIV suggested that additional guidance be provided on the grounds for entities to refuse to make corrections.[37]

Conclusion

16.32         The Government response to the ALRC recommendations indicated that it accepted that a unified 'Access and Correction' principle shall apply to both agencies and organisations. However, the exposure draft provides for separate access and correction principles. The committee supports this change as it provides clear and easy reference to the obligations to correct personal information if it is inaccurate, out-of-date, incomplete or irrelevant.

16.33         In relation to the inclusion of the term 'misleading' in APP 13, the committee notes that both the OIC and OPC supported this approach. Submitters also pointed out that the term 'misleading' is currently contained in IPP 7 and was included in the ALRC's recommended 'Access and Correction' privacy principle UPP 9. The committee notes the department's comments that it found the term 'misleading' was not necessary, as 'misleading information' could be covered by 'accurate' and 'relevant', and that its inclusion would lead to an inconsistency with APP 10. However, the ALRC considered the effect of differences that would arise between the 'Access and Correction' principle and the 'Data Quality' principle (APP 10) if the term 'misleading' was used in the 'Access and Correction' principle and stated that it 'considers this discrepancy to be appropriate, however, in light of the different context in which these principles operate'.[38] In addition, the credit reporting exposure draft contains reference to 'misleading' information. Therefore, the committee remains to be persuaded by the department's argument in relation to this matter and considers that the decision to omit the term 'misleading' from APP 13 should be re-considered.

Recommendation 29

16.34         That the decision to omit the term 'misleading' in APP 13, relating to the correction of personal information, be reconsidered.

16.35         The committee acknowledges concerns raised in submissions that the obligations contained in APP 13(1) and APP 13(3) may increase compliance burdens for entities, in particular large commercial organisations. However, the committee supports the ALRC's and Government's view that an individual has a right to correct personal information held by an entity and that the correction should be made known to third parties if requested by the individual.[39] While there may be an increased compliance burden in some instances, both APP 13(1) and APP 13(3) contain the qualifications of 'reasonable steps (if any)' and 'practicability'. The committee considers that the inclusion of these qualifications will allow sufficient flexibility (including the option not to take any steps) to ensure that compliance does not become overly burdensome. The committee therefore considers that the current wording of APP 13(1) and APP 13(3) adequately balances the interests of individuals and the concerns of entities.