Chapter 13
Australian Privacy Principle 10–quality of personal information
Introduction
13.1
Australian Privacy Principle 10 (APP 10) ensures that entities
protect the quality of the personal information they collect, use and disclose.
The Companion Guide notes that this principle will promote 'improved
consistency of personal information handling practices by various entities' as
well as reassure the public that entities will not use personal information
that is 'based on misleading or erroneous information'.[1]
Background
13.2
The equivalent data quality principle is National Privacy Principle 3 (NPP 3),
which requires private sector organisations to take reasonable steps to make
sure that the personal information they collect, use or disclose is accurate,
complete and up-to-date.
13.3
There is no equivalent Information Privacy Principle (IPP) which
specifically covers data quality; however, there are aspects of IPP 3 and
IPP 8 which relate to data quality. IPP 3, which regulates the general
solicitation of personal information, provides that where an agency collects
personal information, it must:
...take such steps (if any) as are in the circumstances,
reasonable to ensure that, having regard to the purpose for which the
information is collected ... the information collected is relevant to that
purpose and is up-to-date and complete.
13.4
IPP 8, which requires record keepers to check the accuracy of
personal information before it is used, provides that an agency:
...who has possession or control of a record that contains
personal information shall not use that information without taking such steps
(if any) as are, in the circumstances, reasonable to ensure that, having regard
to the purpose for which the information is proposed to be used, the
information is accurate, up-to-date and complete.
13.5
There is currently no principle which regulates agencies at the time of disclosure
of personal information.[2]
13.6
The ALRC stated that 'ensuring the quality of personal information that
is collected, used and disclosed, is recognised as a fundamental obligation of
agencies and organisations under the Privacy Act'. These principles ensure that
personal information handled by organisations and agencies is maintained at a
high standard. In addition, data quality obligations 'will lead to greater
consistency of, and increased public confidence in, the handling of personal
information'.[3]
13.7
The ALRC review focussed on:
- what changes were needed to improve the existing IPP and NPP data
quality requirements into one Unified Privacy Principle; and
- the interaction of the data quality principle with the provisions
of the other unified privacy principles proposed by the ALRC review.
13.8
The ALRC noted some inconsistencies between the current data quality
requirements of the IPPs and NPPs. For example, IPP 8 imposes obligations
on personal information that has been outsourced to another agency or
organisation, as well as on an agency that holds information only on behalf of
someone else. In addition, the IPPs include a provision that personal information
collected, used or disclosed must be relevant.[4]
The NPPs contain neither of these provisions.[5]
13.9
Furthermore, both IPP 3 and IPP 8 require that collection and
usage occur with regard to the 'purposes for which the information is
collected', and 'having regard to the purpose for which the information is
proposed to be used'. NPP 3 does not include such strict data quality provisions.
The ALRC commented that these differences between the IPPs and the NPPs needed
to be addressed when creating one universal principle applicable to both organisations
and agencies.[6]
13.10
In regard to IPP 8, the ALRC remarked that this principle applies
only to personal information in the agency's 'possession or control', not
necessarily information being used by the agency. The ALRC was of the view that
including this requirement in the data quality principle would create too high
a compliance burden for agencies and organisations. This could also pose
security risks for individuals as third parties would have to contact
individuals to ensure the personal information they possess is accurate,
up-to-date, complete and relevant.[7]
13.11
To strengthen the current privacy principles, the ALRC stated that the
revised data quality principle should include a clause emphasising that
information collected, used or disclosed should be relevant to the purposes of
the collection, use or disclosure of the information. The ALRC noted that this would
complement the 'Collection' privacy principle as it sets out similar provisions
in relation to data collection. The ALRC also stated that it would be logical
to continue with a principle which limits the use and disclosure of
personal information 'to that which is relevant to the purpose of that use or
disclosure'.[8]
13.12
Furthermore, the ALRC argued that 'the fact that an agency or
organisation has legitimately collected personal information for a permitted
purpose should not mean that it is necessarily allowed to use or disclose all
of that information'.[9]
13.13
There was comment in the ALRC review on whether to allow organisations
and agencies to collect information which is not necessarily relevant until
sometime after it has been collected. The ALRC argued that IPP 3 already
provides that agencies have to collect information that is relevant to the
purpose for which it is collected. Collecting information before it is clear
that the information could be relevant would be in breach of the 'Collection' privacy
principle and the ALRC advised it should also be a breach of the data quality
principle.[10]
13.14
In addition, the ALRC commented that the inclusion of the requirement to
ensure personal information collected, used or disclosed is relevant, 'would
[not] impede the legitimate functions of agencies and organisations'.[11]
13.15
The ALRC noted that submitters to the Office of the Privacy Commissioner
(OPC) 2005 review of the Private Sector Provisions of the Privacy Act had
raised concerns regarding the obligations of the data quality principle. The
Privacy Commissioner review stated that:
Some organisations seem to consider that their obligations
(under NPP 3) to keep personal information accurate, complete and
up-to-date is an absolute obligation. Indeed, that it could be used to justify
intruding upon an individual's privacy. However, obligations under the NPPs are
not absolute.[12]
13.16
Submitters to the ALRC review remarked that it was not necessary to clarify
that the obligations of the data quality principle were not absolute. Guidance
on the issue has been published by OPC and the ALRC commented that this provided
adequate clarification.[13]
Government Response
13.17
The Government accepted the ALRC's recommendations in relation to the data
quality principle. The response noted that the requirements of the recommended
unified principle would apply at the time of collection, use and disclosure.
The Government noted that the inclusion of the phrase 'reasonable steps'
'reflect[ed] the intended proportional approach to compliance with this
principle', including taking no steps if this was appropriate in the circumstances.
Furthermore, the Government suggested the OPC publish guidance on the
application of the data quality principle, including information on what
constitutes reasonable steps.[14]
Issues
13.18
The data quality principle received broad support from many submitters to
this inquiry.[15]
The Office of the Victorian Privacy Commissioner remarked that it largely
mirrors the existing NPP 3 and Victorian IPP 3.[16]
The Health Services Commissioner of Victoria indicated that this principle is
consistent with the equivalent Health Privacy Principle in the Health Services
Act and, as such, was supported by the Commission. Further support
was provided by Professor Greenleaf and Mr Waters, who recommended no changes
to this principle and commented that it is a 'conventional principle of
international standard'.[17]
13.19
The issues canvassed in submissions included the placement of
APP 10 within the legislation, the concept of relevancy, and suggestions
to expand the quality concept.
Structure
13.20
Privacy NSW recommended that if the privacy principles are to better
reflect the information cycle, and how entities use personal information,
APP 10 and APP 11 should be situated after the notification principle
(APP 5) and before the use and disclosure principle (APP 6). Privacy
NSW commented that the processes of ensuring quality and security of personal
information should happen before decisions about use or disclosure of personal
information occur.[18]
Relevance requirement
13.21
APP 10 contains two sections: APP 10(1) requires that entities
take such steps (if any) as are reasonable in the circumstances to ensure that
personal information collected is 'accurate, up-to-date and complete', while
APP 10(2) requires that personal information used or disclosed is
'accurate, up-to-date, complete and relevant'.
13.22
Concerns about the exclusion of the concept of 'relevancy' to the
collection of personal information (APP 10(1)) were raised by Dr Colin
Barnett and the Law Institute of Victoria.[19]
The Institute commented that 'entities should be obliged to collect, use and
disclose only accurate, up-to-date, complete and relevant personal information'.
This would be achieved by merging the two sections of APP 10 and would have
the additional benefit of improved succinctness.[20]
13.23
The Department of the Prime Minister and Cabinet (the department)
provided the committee with an explanation as to why 'relevant' was not
included in proposed APP 10(1). The department stated that the proposed
'Collection' principle provides that personal information collected by an
organisation should be 'reasonably necessary for, or directly related to, one
or more of the entity's functions or activities'. The department submitted that
'including "relevant" in the collection-related data quality
principle would have caused confusion with this overarching requirement in
relation to collection'.[21]
13.24
The OPC commented on the relevance requirement in APP 10(2) and
stated that it is not clear what is referred to by the term 'relevant'. The OPC
went on to state that the 'relevance requirement should be linked to the
purpose of use or disclosure' and that if the word 'relevant' is referring to
the purpose of use or disclosure of information, this should be made
more explicit in the wording of the principle. The OPC concluded that linking
relevance to the purpose may give better effect to the policy intent of the
ALRC's recommendation and the Government's Response to the recommendation which
stated that:
Agencies and organisations should take reasonable steps
to make certain that the personal information they collect, use or disclose is,
with reference to the purposes of that collection, use or disclosure,
accurate, complete, up-to-date and relevant. (emphasis added by the OPC).[22]
13.25
Privacy Law Consulting Australia raised a further matter in relation to
the inclusion of the relevancy requirement in APP 10(2). It argued that
entities adhering to APP 10(2) may be subject to privacy claims by
individuals on new grounds, who could argue 'that a decision was made about
them taking into account irrelevant information'. Privacy Law Consulting used
the example of an insurance company refusing to provide an insurance policy to
an individual, where the individual could claim that the insurer declined the
service based on information not relevant to their application. Privacy Law
Consulting submitted that these possible new grounds for privacy complaints
will have 'significant implications for private sector organisations'. It
argued that if this is not an intention of the principle, further consideration
of the implications for organisations with the addition of the term 'relevant'
should be made.[23]
13.26
In its answers to questions on notice, the department agreed that it would
be possible under proposed APP 10(2) for individuals to make complaints
about organisations if they did not take such steps (if any) as are reasonable
in the circumstances to ensure that the personal information the organisation
uses or discloses is accurate, up-to-date, complete and relevant. The
department noted that this is consistent with ALRC's recommendation that both
organisations and agencies should have a data quality obligation with a
'relevance' element. The ALRC noted that it would complement the requirement in
the 'Collection' principle that personal information collected by an
organisation should be 'necessary for one or more of its functions or
activities'.[24]
Information 'in control of an entity'
13.27
The Public Interest Advocacy Centre (PIAC) recommended that this
principle should also apply to data already in control of an entity. PIAC
argued that the burden for data quality in relation to sensitive information
should be set higher than for other information and that the exclusion of
information in control of an entity 'reduces the obligations that currently
exist on agencies under IPP 8'. PIAC commented that the ALRC discussion on
this matter did not deal sufficiently with the potential for data quality to be
outside an entity's responsibility when data storage is outsourced. The ALRC
was of the view that extending the principle to cover information in the
control of an entity would impose an unjustified compliance burden on agencies
and organisations (see paragraph 13.10). However, PIAC argued that while there
may be an increased compliance burden on organisations, there would be no
additional burden on agencies and concluded that 'the adoption of UPPs should
not see a reduction in protection in respect of personal information held by
government'.[25]
Misleading information
13.28
The Office of the Information Commissioner Queensland suggested that the
word 'misleading' be included in APP 10 as 'information may be correct,
up-to-date and complete, but may still create a misleading impression in the
mind of the reader'. The Commission remarked that there is a difference between
inaccurate information and misleading information.[26]
Compliance burden
13.29
Coles Supermarkets criticised the requirements of APP 10 to
continually ensure personal information is correct and up-to-date. Coles argued
that this will place high administrative and cost burdens on entities,
particularly large companies such as Coles which use automated systems, where
individuals contact the company to ensure the accuracy of their personal
information.[27]
Conclusion
13.30
The committee has considered the issues raised in submissions, the department's
response and views expressed by the ALRC in relation to data quality and makes
the following comments. First, in relation to the expansion of the data quality
obligation to 'information in the control of' an entity, the committee notes that
the ALRC was of the view that this provision would place too high a burden on
entities and could also pose a privacy risk for individuals.[28]
The committee is in concurrence with this view.
13.31
Secondly, in relation to the suggestion that the obligation in APP 10
be expanded to include 'misleading' information, the committee notes that the
Companion Guide states that 'having this principle reassures the public that
the use of their personal information by entities is not based on misleading or
erroneous personal information'.[29]
The committee also notes that the ALRC did not make reference to 'misleading'
information in relation to data quality except to the extent that it commented
on the differences that would arise between the 'Access and Correction'
principle (which contains the reference to 'misleading' information) and the
'Data Quality' principle (which does not contain the reference). The ALRC
stated that it 'considers this discrepancy to be appropriate, however, in light
of the different context in which these principles operate'.[30]
13.32
In response to comments about the exclusion of the term 'misleading' in
relation to the correction principle (APP 13) the department commented
that it was not necessary to include the term 'misleading' in that principle as
it was covered by the terms 'accurate' and 'relevant'. The committee therefore
does not consider that the term 'misleading' needs to be included in
APP 10.
13.33
Thirdly, the committee does not consider that the data quality
provisions will increase the compliance burden for entities and notes that the
requirements in APP 10 largely reflect those already contained in the
National Privacy Principles.
13.34
Finally, in relation to comments about the term 'relevant', the
committee notes that the obligations under APP 3 ensure that entities
collect only personal information that is 'reasonably necessary for, or
directly related to, one or more of the entity's functions or activities', that
is, there is an implication of relevance to the entity's functions or
activities. Thus, the inclusion of the term 'relevant' in APP 10(1) is
redundant. However, the committee notes the comments made by the Office of the
Privacy Commissioner in relation to the need to clarify the use of the term
'relevant' in APP 10(2). The committee considers that if the word
'relevant' is referring to the purpose of use or disclosure of
information, then this meaning is unclear and that the provision should be
redrafted to clarify the matter.
Recommendation 23
13.35
The committee recommends that proposed APP 10(2), pertaining to the
quality of personal information disclosed by an entity, be re-drafted to make
clear the intended use of the term 'relevant'.