Chapter 16
Australian Privacy Principle 13 – correction of personal information
Introduction
16.1
Australian Privacy Principle 13 (APP 13) defines when, and how,
individuals can have personal information which is held about them corrected if
it is inaccurate, out-of-date, incomplete or irrelevant. The Companion Guide notes
that online technological advances are allowing individuals greater ease in
gaining access to their own personal information through personal profiles on
websites. The Companion Guide commends the online personal profile approach as
'good privacy practice' as it 'ensures individuals have control of their
personal information'.[1]
Background
16.2
Access to, and correction of, personal information held by agencies is
currently regulated by a combination of provisions of the Freedom of
Information Act 1982 (FOI Act) and Information Privacy Principles 6 and 7
(IPP 6 and IPP 7). IPP 7 provides that an agency must take such
steps, if any, as are reasonable to ensure that personal information recorded
is accurate and relevant, up-to-date, complete and not misleading. This
provision is subject to any applicable limitation in a law of the Commonwealth
that provides a right to require the correction or amendment of documents. IPP 7
also provides that, if the agency is not willing to amend a record as requested
by an individual, then the individual may request that a statement be attached
to the record and the agency must take reasonable steps to comply with this
request.
16.3
Access to, and correction of, personal information held by organisations
is currently regulated under National Privacy Principle 6 (NPP 6). NPP 6.5
provides that an organisation must take reasonable steps to correct personal
information that it holds, if the individual to whom it relates is able to
establish that it is not accurate, complete and up-to-date. If there is a
disagreement about the accuracy of the information, the individual may request that
the organisation attach a statement to the information and the organisation
must take reasonable steps to do so.[2]
16.4
The Australian Law Reform Commission (ALRC) recommended that the access
and correction principles be formulated to apply to both agencies and
organisations in one unified principle.[3]
The ALRC also addressed the following issues:
- the criteria by which personal information is assessed as being 'correct',
including how these criteria are assessed;
- any burden of proof an individual must meet to establish that personal
information that an agency or organisation holds about him or her is not
'correct';
- the manner of correcting personal information that has been found not to
meet the correction criteria; and
- the relationship between the correction requirements under the Privacy Act
and other federal laws.[4]
16.5
The ALRC accepted that individuals should be provided with the right to
correct personal information held about them by agencies and organisations
where the information is misleading or not accurate, relevant, up-to-date or
complete. The ALRC noted that while these elements are the same as those in the
IPPs, they impose two additional elements on organisations – the elements of
'relevant' and 'not misleading'.[5]
16.6
In relation to the burden of proof to establish that personal
information is not correct, the ALRC noted that IPP 7 and NPP 6
contain different obligations: the NPP requires that the individual to whom the
information relates must establish that it is not accurate, complete and
up-to-date, while the IPP places a positive obligation on agencies to take
steps to ensure that the personal information they hold is correct. The ALRC
concluded that the provisions of the NPP result in uncertainty in the event of
a complaint and that, therefore, the positive obligation to hold correct personal
information should apply to both agencies and organisations. In addition, the
ALRC stated that it did not anticipate that this change 'will affect
significantly the practical operation of the correction requirements for
organisations'.[6]
16.7
There are a number of ways in which personal information may be
corrected including by amending the record, deleting the incorrect material or
adding to the material. The ALRC recommended that the Office of the Privacy
Commissioner (OPC) develop guidance to address the manner in which personal information
can be corrected. The ALRC also commented that guidance should discuss
potential conflicts between the requirements of the principle and other record
keeping obligations including those under the Archives Act 1983.[7]
16.8
In addition, the ALRC considered the issue of notification of third
parties where an entity has corrected personal information. This matter was
discussed widely with stakeholders during the review, with the ALRC concluding
that if an entity has corrected information it should be required to notify any
other entities to which it has disclosed the information of the correction, if
requested to do so by the individual. While stakeholders raised concerns about
the cost this requirement may impose on entities, the ALRC was of the view that
the 'reasonable steps' requirement would offer sufficient flexibility to cover
all situations adequately.[8]
16.9
Other issues addressed by the ALRC were as follows:
- in relation to a statement provided by an individual concerning disputed
information, the ALRC was of the view that the statement should be
'associated' with the relevant record, as provided for in NPP 6, rather than
'attached' to the relevant record, as provided for in IPP 7;[9] and
- where an entity has made a decision to refuse to correct personal
information, procedural fairness requires that the individual should be
provided with the reasons for an adverse decision as well as the avenues for
complaint.[10]
Government response
16.10
The Government accepted that the right of an individual to access and
correct personal information should apply to both agencies and organisations
and that it be provided for under a single principle. In relation to the
correction element of the principle, the Government accepted the recommendation
in relation to correction of information and notification of third parties. The
Government accepted in principle the ALRC's recommendation relating to the
association of a statement with a record which contains personal information
which the entity is not willing to correct, if requested to do so by the
individual concerned. However, in the Government's view the part of the
recommendation referring to agencies was unnecessary because of impending
amendments to the FOI Act.[11]
16.11
The ALRC's recommendation that when an entity refuses to make corrections,
the entity must notify the individual of the reasons for the refusal and of potential
avenues for complaint was accepted with amendment. The Government noted that the
principle should explicitly provide for situations where providing reasons for
the refusal to make corrections would undermine the reasons for denying the
request, for example, in instances where providing information to the
individual would prejudice a criminal investigation.[12]
Issues
16.12
Submitters generally supported the provisions of APP 13.[13]
Yahoo!7, for example, noted that APP 13 'recognises that the timing and
nature of consent will require a flexible approach'.[14]
Similarly, Westpac supported the approach of 'reasonableness' when determining
timeframes for responses to individuals, rather than the inclusion of specified
timeframes. Westpac further suggested that the OPC work closely with industry
in developing flexible and appropriate guidance on applying 'reasonableness' to
response timeframes.[15]
The Office of the Health Services Commissioner (OHSC), Victoria, also supported
the correction principle and noted that APP 13 is consistent with current
standards under the Health Records Act (Vic).[16]
16.13
However, the National Australia Bank (NAB) identified two concerns with
APP 13: first, the new obligation that where an entity is satisfied that
information held is inaccurate, out-of-date, incomplete or irrelevant
(APP 13(1)(b)(i)) it must take steps to correct the information. NAB argued
that this may conflict with the obligation in APP 3(5) to only collect
information from the individual (unless unreasonable or impractical to do so)
and gave the example of an entity learning from a third party that information
is inaccurate or out-of-date. Secondly, NAB submitted that it should not be open
to individuals to determine or decide whether an entity holds 'relevant'
information as individuals cannot be expected to know or decide on behalf of an
entity what types of information are relevant for it to hold (APP 13(1)(b)(ii)).[17]
NAB gave the example of a former address which may be irrelevant for some
purposes but relevant for others. NAB concluded that 'the protections sought by
this reform are already inherent within draft Australian Privacy Principles 3
and 11 in prohibiting entities from collecting "unnecessary"
information and in the obligation to destroy or de-identify information if it
is no longer needed for any purpose'.[18]
16.14
Privacy Law Consulting Australia took issue with 'correcting'
information to ensure that it is relevant. Privacy Law Consulting Australia argued
that:
It is unclear what is meant by "correct" in this
context since privacy issues posed by use of irrelevant information are not
addressed through correction. The terminology should be amended accordingly.[19]
Correction – APP 13(1)
16.15
In relation to APP 13(1) – the obligation to ensure that personal
information is accurate, up-to-date, complete and relevant – comments went to
the compliance burden and the need to include 'misleading' information in this
APP.
16.16
Coles Supermarkets (Coles) voiced concern about the burden imposed by
the obligation. Coles noted that it relies on information that it collects
being accurate at the time of its collection. It has processes that enable
individuals to contact Coles or access Coles' systems to correct errors in
their personal information. However, given the size of its operations, Coles
commented that it is likely that it would be impractical to check the ongoing accuracy
of personal information it has collected.[20]
16.17
The Australian Bankers' Association (ABA) argued that the obligation to
correct information may be interpreted in such a way as to require an entity to
'continuously monitor and review personal information that it holds whether
prompted to do so or not'. The ABA went on to comment that it did not believe
that this was the intention of this principle and sought clarification. The ABA
also submitted that banks should be able to comply with this obligation through
appropriate review processes, reasonably designed to address the risk of
obsolete information being used inappropriately. Otherwise:
...the costs to banks of routinely reviewing personal
information held by them compared to the negligible benefit to their customers
would be unjustifiable on any costs and benefits assessment.[21]
16.18
The Financial Services Council suggested that entities should be obliged
to correct personal information only when requested by the individual as 'this
ensures that the individual has confirmed that the information is inaccurate
and should be amended or deleted'.[22]
16.19
Both the OPC and the Office of the Information Commissioner, Queensland,
(OIC) noted that APP 13 does not include a reference to 'misleading'
personal information. The OPC noted that the ALRC's recommendation, as accepted
by the Government, proposed that 'misleading' information should also be corrected.[23]
The OIC commented that situations may arise where information may be correct,
up-to-date and complete, but may still create a misleading impression in the
mind of a reader. The OIC went on to comment:
There is a distinction between a misleading impression and an
inaccuracy, although there will often be significant overlap; inaccurate facts
may well be misleading. However, accurate facts may also give a misleading
impression, either because they are incomplete or because the language used in
recording the facts could convey a misleading impression.[24]
16.20
The OPC concluded that it may be preferable to include the term
'misleading'.[25]
16.21
In response to concerns that 'misleading' information may not be caught
within this obligation, the Department of the Prime Minister and Cabinet (the
department) acknowledged that the ALRC recommended a 'misleading' element be
included within the 'Access and Correction' principle. However, the department
went on to state that:
During the course of drafting the provisions, it became clear
that it was not necessary to include "misleading" as it was covered
by "accurate" and "relevant", and it would create an
inconsistency with APP 10 about quality of personal information, in which
entities have to ensure the personal information they use or disclose is "accurate,
up-to-date, complete and relevant".[26]
Notification of correction to third parties – APP 13(3)
16.22
Similar to the comments received about APP 13(1), submitters raised
concern about the compliance burden imposed by the obligation to notify third
parties of correction to personal information when requested to do so by an
individual. In addition, submitters commented on the need for an individual to
request notification of third parties and the potential for frivolous or unduly
onerous requests.
16.23
Coles argued that the obligation to advise individuals and third parties
of corrections under APP 13(3) is 'likely to be administratively
burdensome for large organisations with automated systems and raises real
concerns regarding compliance and the cost of compliance with these obligations
for organisations like Coles'.[27]
This concern was supported by the Communications Council which stated that such
an obligation 'raises real concerns regarding compliance costs'.[28]
The Law Council of Australia (LCA) added its concern on this issue and
commented that the obligation to notify third parties would not only impose a
'potentially heavy burden', but also may actually discourage entities from
keeping records of disclosures, so as to make it 'impracticable' to notify
third party entities of corrections.[29]
16.24
Privacy Law Consulting Australia also suggested that, for many entities,
updating policies, procedures and systems to record the parties to whom
information is disclosed would be a logistically complex and financially
burdensome process. Privacy Law Consulting Australia suggested that:
...to ensure entities are not put to unnecessary expense in
the belief that a higher level of obligation exists than that which actually
applies, the meaning of "reasonable in the circumstances" and
"impracticable" should be clarified.[30]
16.25
The Financial Services Council (FSC) raised a concern similar to that
raised by Privacy Law Consulting Australia: in order to comply with
APP 13(3), entities would need to maintain lists of third party
disclosures, and of the particular personal information disclosed. The FSC
considered maintaining such lists would 'create a particularly onerous
administrative burden on FSC members, and is likely to result in significant
compliance costs for the financial services industry'.[31]
16.26
Qantas submitted that an exception should be added to APP 13(3),
regulating 'frivolous or unduly onerous requests':
To prevent the scope for misuse, Qantas submits that there
should be exceptions for frivolous or unduly onerous requests. For example, in
the case of a name change due to marriage, the responsibility to notify such
changes to relevant parties should remain with the individual, rather than the
entity.[32]
16.27
The department responded to concerns about compliance burden and
commented that it believed that the qualifications in APP 13(3) of
'reasonable steps (if any)' and 'practicability' will provide the necessary
flexibility in the obligation to ensure it does not create an onerous
compliance burden. In addition, it is anticipated that guidance from the Australian
Information Commissioner (AIC) will be necessary to assist agencies and
organisations to comply with the obligation.
16.28
The department noted that the ALRC report identified factors that should be
considered when assessing whether it would be reasonable and practicable for an
entity to notify third parties that it has disclosed incorrect information. These
factors include: whether the agency or organisation has an ongoing relationship
with the entity to which it has disclosed the information; the materiality of the
correction; the length of time that has elapsed since the information was
disclosed and the likelihood that it is still in active use by the third party;
the number of entities that would need to be contacted by the agency or
organisation; and the potential consequence for the individual of the use and
disclosure of the incorrect information.[33]
16.29
Professor Graham Greenleaf and Mr Nigel Waters supported the obligation
to notify third parties, however, they submitted that 'it still leaves it to
the individual to identify the recipient, rather than to request "please
notify all previous recipients of the incorrect information".'[34]
This matter was also the subject of comment by the Law Institute of Victoria
(LIV). The LIV stated:
The LIV questions why an individual should have to request
this notification, particularly where the individual is unaware of the error or
to whom the entity has disclosed information or even that information has been
disclosed. Entities should be expected to have better records of disclosures to
other entities than individuals. The LIV therefore submits that the obligation
should be on entities to notify everyone to whom it has disclosed information
of the correction.[35]
Refusal to correct information
16.30
Telstra submitted that the obligation on entities under APP 13(4)
to provide individuals with written notification of refusals to correct
information would render the process of refusing to make corrections more
complex than need be and commented that 'in our experience a refusal to correct
information is often quite straightforward and a verbal explanation of the
reasons would be sufficient'. Telstra suggested that entities should
provide individuals with written notice of refusals only when the individual
requests written notification. Providing automatic written notification at
every instance 'would slow down the process and more than likely inconvenience
the person while increasing the compliance burden on us'.[36]
16.31
The LIV suggested that additional guidance be provided on the grounds
for entities to refuse to make corrections.[37]
Conclusion
16.32
The Government response to the ALRC recommendations indicated that it
accepted that a unified 'Access and Correction' principle should apply to both
agencies and organisations. However, the exposure draft provides for separate
access and correction principles. The committee supports this change as it
provides clear and easy reference to the obligations to correct personal information
if it is inaccurate, out-of-date, incomplete or irrelevant.
16.33
In relation to the inclusion of the term 'misleading' in APP 13,
the committee notes that both the OIC and the OPC supported this approach.
Submitters also pointed out that the term 'misleading' is currently contained
in IPP 7 and was included in the ALRC's recommended 'Access and
Correction' privacy principle, UPP 9. The committee notes the
department's comment that it found the term 'misleading' was not
necessary, as 'misleading information' could be covered by 'accurate' and
'relevant', and that its inclusion would lead to an inconsistency with APP 10. However,
the ALRC considered the effect of the differences that would arise between the
'Access and Correction' principle and the 'Data Quality' principle
(APP 10) if the term 'misleading' were used in the 'Access and Correction'
principle, and stated that it 'considers this discrepancy to be appropriate,
however, in light of the different context in which these principles operate'.[38]
In addition, the credit reporting exposure draft contains reference to
'misleading' information. Therefore, the committee remains to be persuaded by
the department's argument in relation to this matter and considers that the
decision to omit the term 'misleading' from APP 13 should be
reconsidered.
Recommendation 29
16.34
That the decision to omit the term 'misleading' in APP 13, relating
to the correction of personal information, be reconsidered.
16.35
The committee acknowledges concerns raised in submissions that the
obligations contained in APP 13(1) and APP 13(3) may increase
compliance burdens for entities, in particular large commercial organisations. However,
the committee supports the ALRC's and Government's view that an individual has
a right to correct personal information held by an entity and that the
correction should be made known to third parties if requested by the
individual.[39]
While there may be an increased compliance burden in some instances, both
APP 13(1) and APP 13(3) contain the qualification of 'reasonable
steps (if any)' and 'practicability'. The committee considers that the
inclusion of these qualifications will allow sufficient flexibility (including the
option not to take any steps) to ensure that compliance does not become overly
burdensome. The committee therefore considers that the current wording of
APP 13(1) and APP 13(3) adequately balances the interests of individuals
and the concerns of entities.