Version 1.1
Key points
- APP 13 requires an APP entity to take reasonable steps to correct personal information to ensure that, having regard to the purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading.
- This requirement applies where:
  - the APP entity is satisfied the personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to a purpose for which it is held, or
  - the individual requests the entity to correct the personal information.
- Special considerations apply to Commonwealth records, which can only be destroyed or altered in accordance with the Archives Act 1983 (Archives Act).
- APP 13 also sets out other minimum procedural requirements in relation to correcting personal information, including when an APP entity must:
  - take reasonable steps to notify other APP entities of a correction
  - give notice to the individual which includes reasons and available complaint mechanisms if correction is refused
  - take reasonable steps to associate a statement with personal information it refuses to correct
  - respond to a request for correction or to associate a statement, and
  - not charge an individual for making a request, correcting personal information or associating a statement.
- APP 13 operates alongside and does not replace other informal or legal procedures by which an individual can seek correction of their personal information, including informal arrangements and, for agencies, the Freedom of Information Act 1982 (FOI Act).
What does APP 13 say?
13.1 APP 13.1 provides that an APP entity must take reasonable steps to correct personal information it holds, to ensure it is accurate, up-to-date, complete, relevant and not misleading, having regard to the purpose for which it is held. The shorthand expression used in this chapter is that an APP entity is required to correct ‘incorrect personal information’.
13.2 The requirement to take reasonable steps applies in two circumstances:
- where an APP entity is satisfied, independently of any request, that personal information it holds is incorrect, or
- where an individual requests an APP entity to correct their personal information.
13.3 Special considerations apply to Commonwealth records. A Commonwealth record can, as a general rule, only be destroyed or altered in accordance with the Archives Act (see paragraph 13.48).
13.4 APP 13 also sets out other minimum procedural requirements in relation to correcting personal information. An APP entity must:
- upon request by an individual whose personal information has been corrected, take reasonable steps to notify another APP entity of a correction made to personal information that was previously provided to that other entity (APP 13.2)
- give a written notice to an individual when a correction request is refused, including the reasons for the refusal and the complaint mechanisms available to the individual (APP 13.3)
- upon request by an individual whose correction request has been refused, take reasonable steps to associate a statement with the personal information that the individual believes it to be inaccurate, out-of-date, incomplete, irrelevant or misleading (APP 13.4)
- respond in a timely manner to an individual’s request to correct personal information or to associate a statement with the personal information (APP 13.5(a))
- not charge an individual for making a request to correct personal information or associate a statement, or for making a correction or associating a statement (APP 13.5(b)).
Interaction of APP 13 and other correction procedures
13.5 APP 13 operates alongside and does not replace other informal or legal procedures by which an individual can request that personal information be corrected. In particular, APP 13 does not prevent an APP entity from correcting personal information under an informal administrative arrangement, provided the arrangement satisfies the requirements of APP 13. For example, an entity may allow individuals to correct their personal information by providing updated information through an online portal.
13.6 For agencies, APP 13 operates alongside the right to amend or annotate personal information in Part V of the Freedom of Information Act 1982 (FOI Act). The FOI Act procedures, criteria and review mechanisms differ in important respects from those applying under APP 13 and the Privacy Act. These differences, and when it is more appropriate to use one Act rather than another, are considered below at paragraphs 13.25–13.29.
Interaction of APP 13 and other APPs
13.7 The correction requirements in APP 13 complement and overlap with the requirements in other APPs, including APP 10 (quality of personal information) and APP 11 (security of personal information).
13.8 APP 10 provides that an APP entity must take reasonable steps to ensure the quality of personal information it collects, uses or discloses (see Chapter 10 (APP 10)). If reasonable steps are taken to comply with APP 10, this reduces the likelihood that personal information will need correction under APP 13. Similarly, by taking reasonable steps to correct personal information under APP 13, an entity can better ensure that it complies with APP 10 by ensuring that information is accurate, up-to-date, complete and relevant when it is used or disclosed.
13.9 APP 11.1 provides that an APP entity must take reasonable steps to protect the personal information it holds, including from interference, loss and unauthorised modification. If reasonable steps are taken to comply with APP 11.1, this reduces the likelihood that personal information will need correction under APP 13. APP 11.2 provides that an entity must take reasonable steps to destroy or de-identify personal information that it no longer needs for any purpose for which it may be used or disclosed. This requirement does not apply where the information is contained in a Commonwealth record or where the entity is required by law or a court/tribunal order to retain the personal information (see Chapter 11 (APP 11)). When taking steps to identify and correct incorrect personal information under APP 13, an entity should consider whether it still needs the personal information for a permitted purpose, or whether reasonable steps must be taken to destroy or de-identify the information under APP 11.2.
‘Holds’
13.10 APP 13 only applies to personal information that an APP entity ‘holds’. An entity ‘holds’ personal information ‘if the entity has possession or control of a record that contains the personal information’ (s 6(1)).
13.11 The term ‘holds’ extends beyond physical possession of a record to include a record that an entity has the right or power to deal with. For example, an APP entity that has outsourced the storage of personal information to a third party, but retains the right to deal with that information, including to access and amend it, holds that personal information and must comply with APP 13 (see paragraph 13.47 below). In addition, the individual has a separate right to request correction of the information by the third party, if the third party is an APP entity.
13.12 An agency that has placed a record of personal information in the care of the National Archives of Australia, or in the custody of the Australian War Memorial, is considered to be the agency that holds the record for the purposes of the Privacy Act (s 10(4)).
13.13 Upon receiving a request for correction, an APP entity should search the records that it possesses or controls to assess whether the personal information to be corrected is contained in those records. For example, an entity may search hard copy records and electronic databases and make enquiries of staff or contractors with relevant knowledge. A discussion with the individual may assist the entity to locate the information.
13.14 The term ‘holds’ is discussed in more detail in Chapter B (Key concepts).
Taking reasonable steps to correct personal information
13.15 APP 13.1 requires an APP entity to take reasonable steps to correct personal information it holds, in two circumstances: on its own initiative, and at the request of the individual to whom the personal information relates.
Correcting at the APP entity’s initiative
13.16 An APP entity is required to take reasonable steps to correct personal information it holds if the entity is satisfied, having regard to a purpose for which the personal information is held, that it is inaccurate, out-of-date, incomplete, irrelevant or misleading (that is, the personal information is incorrect). Implicit in that requirement is that an entity should be alert to the possibility that personal information it holds may be incorrect and may require correction.
13.17 Generally, an APP entity may become aware that an item of personal information requires correction if it discovers an inconsistency during normal business practices. Examples include:
- information provided to the entity by the individual or a third party may be inconsistent with other personal information held by the entity, for example, an identity document, letter, medical record or photograph
- a court or tribunal has made a finding about the personal information, in a case involving the entity or in another case that comes to the entity’s notice
- the entity may be notified by another entity or person that the personal information is incorrect, or that similar personal information held by the other entity has been corrected
- a practice, procedure or system the entity has implemented in compliance with APP 1.2 (such as an auditing or monitoring program) indicates that personal information the entity holds requires correction.
13.18 After becoming aware that personal information may require correction, the APP entity should satisfy itself that the information is incorrect, before taking reasonable steps to correct it (see paragraphs 13.30–13.41).
Correcting at the individual’s request
13.19 An APP entity is required by APP 13.1 to take reasonable steps to correct an individual’s personal information to ensure it is not incorrect when the individual ‘requests’ the entity to do so. Upon receiving a request an entity must decide if it is satisfied that the information is incorrect, and if so, take reasonable steps to correct it (see paragraphs 13.43–13.48 below).
13.20 APP 13 does not stipulate formal requirements that an individual must follow to make a request, or require that a request be made in writing, or require the individual to state that it is an APP 13 request.[1]
13.21 An APP entity is required by APP 1.4(d) to state in an APP Privacy Policy how an individual may seek the correction of their personal information held by the entity. An APP entity is also required by APP 5.2(g) to take reasonable steps to notify an individual, or ensure they are aware, of the fact the entity’s APP Privacy Policy contains information about how the individual may seek correction of their personal information held by the entity.
13.22 If an APP entity wishes an individual to follow a particular procedure in requesting correction of their personal information, the entity could publish that procedure and draw attention to it, for example, by providing a link in the APP Privacy Policy and on the entity’s website homepage to the correction request procedure, to an online request form, or to an online portal that enables an individual to correct their personal information. However, an entity cannot require an individual to follow a particular procedure, use a designated form or explain the reason for making the request. Any recommended procedure should be regularly reviewed to ensure that it is flexible and facilitates rather than hinders correction of personal information.
13.23 An APP entity must be satisfied that a request to correct personal information under APP 13 is made by the individual concerned, or by another person who is authorised to make a request on their behalf, for example, a legal guardian or authorised agent. The steps appropriate to verify an individual’s identity will depend on the circumstances, and in particular, whether the individual is already known to or readily identifiable by the entity. The discussion in Chapter 12 (APP 12) of steps that can be taken to verify the identity of an individual seeking access to their personal information applies also to APP 13.
13.24 APP 13 stipulates minimum procedural requirements that must be met by an APP entity when dealing with a request to correct personal information. These are discussed later in this chapter, and include taking reasonable steps if requested by the individual to notify other APP entities when a correction is made (see paragraphs 13.49–13.53), providing an individual with a written notice that includes the reasons for refusal if a correction request is refused (paragraphs 13.54–13.58), response times (paragraphs 13.63–13.64) and charging (paragraph 13.65). Provided an entity meets those minimum requirements, it may choose the arrangements (including an informal arrangement) for receiving and acting upon correction requests. An online portal through which individuals can access and correct their personal information is an example of an informal arrangement that may provide a fast and easy means of correction, and that can qualify as an APP 13 ‘request’ procedure.
Agencies — comparison of APP 13 and FOI Act procedures
13.25 For agencies, APP 13 operates alongside the right to amend or annotate personal information in Part V of the FOI Act. There is substantial overlap between the APP 13 and the FOI Act procedures, but also some noteworthy differences.
13.26 The FOI Act provides that a person may apply to an agency[2] to amend or annotate a record of personal information about that person, to which they have lawfully had access under the FOI Act or otherwise (FOI Act, s 48). The application must be in writing, specify as far as practicable how and why the record should be amended or annotated, and provide a return address to which notices can be sent (FOI Act, ss 49, 51A). The grounds on which such an application may be made are that the record of personal information ‘is incomplete, incorrect, out of date or misleading’ (FOI Act, s 48(a)). The record must also have been used or be available for use by the agency ‘for an administrative purpose’ (FOI Act, s 48(b)). The agency may act upon an application by altering or adding a note to a record, but as far as practicable must not obliterate the text of the record as it existed prior to the amendment (FOI Act, s 50). An applicant whose application is not accepted may provide a statement specifying their disagreement with the decision, and the agency must annotate the record by attaching that statement (FOI Act, ss 51, 51B). The time period for making a decision on an applicant’s application is 30 calendar days. An applicant may apply for internal review or Information Commissioner review of an adverse decision.
13.27 While APP 13 sets out minimum procedural requirements (see paragraph 13.24), these are not as detailed as in the FOI Act. However, in two respects APP 13 goes further than the FOI Act:
- The grounds for correction in APP 13 are that the personal information is ‘inaccurate, out-of-date, incomplete, irrelevant or misleading’. The main additional ground in this list is that the information is ‘irrelevant’. The other wording difference — ‘inaccurate’ in APP 13, ‘incorrect’ in the FOI Act — is not substantive.
- If an agency corrects personal information, the agency must, if requested by the individual, take reasonable steps under APP 13 to notify that change to any APP entity to which the personal information was previously disclosed, unless it is unlawful or impracticable to do so (see paragraphs 13.49–13.53). Where an agency amends personal information under the FOI Act, an agency could consider providing similar notification on request from the individual.
13.28 The complaint options available to the individual under the FOI Act and APP 13 also differ. Under the FOI Act, a person may apply for Information Commissioner review of an agency’s or Minister’s failure to amend or annotate a record in accordance with the person’s request. The Commissioner may exercise the agency’s or Minister’s discretion to amend or annotate a record. Under the Privacy Act, an individual may complain to the Information Commissioner about an APP entity’s failure to take reasonable steps to correct personal information to ensure it is not incorrect. After investigation, the Commissioner may find that an agency has failed to take reasonable steps to correct personal information or to comply with the minimum procedural requirements (see paragraphs 13.54–13.65) under APP 13. The Commissioner may make a determination to that effect, and require, for example, the entity to correct personal information or to comply with the minimum procedural requirements (Privacy Act, s 52).
13.29 It is open to an individual to decide whether to make an application under the FOI Act or a request under APP 13. Agencies could ensure, in appropriate cases, that people are made aware of both options and the substantive differences. An agency could refer to the FOI Act in the agency’s APP Privacy Policy. More detailed information could be provided by an agency in other ways — such as a separate document that sets out the procedure for requesting correction of personal information (see paragraph 13.21), through an ‘Access to information’ icon on the agency’s website,[3] or on a case-by-case basis as the need arises. An agency could draw attention to the more flexible procedure for which APP 13 provides. As explained in the FOI Guidelines,[4] agencies should consider establishing administrative access arrangements that operate alongside the FOI Act and that provide an easier and less formal means for individuals to make information access requests (including requests to correct personal information). Correcting or annotating personal information under an administrative arrangement is consistent with an agency’s obligations under APP 13, provided the agency meets the minimum procedural requirements stipulated in APP 13.
Grounds for correcting personal information
13.30 The five grounds listed in APP 13 — ‘accurate’, ‘up-to-date’, ‘complete’, ‘relevant’ and ‘not misleading’ — are not defined in the Privacy Act. The first four terms are listed in APP 10.1, which deals with the quality of personal information that an APP entity can collect, use and disclose. Similar terms are used also in Part V of the FOI Act concerning a person’s right to apply to an agency to amend or annotate personal information (see paragraph 13.26 above).
13.31 The following analysis of each term draws on the ordinary dictionary meaning of the terms, as well as case law concerning the meaning of those terms in the Privacy Act, FOI Act and other legislation.[5] As the analysis indicates, there is considerable overlap in the meaning of the terms.
13.32 In applying the terms to personal information, it is necessary to have regard to ‘the purpose for which it is held’. Personal information may be incorrect having regard to one purpose for which it is held, but not another. For a discussion of relevant considerations where personal information is held for multiple purposes, see paragraph 13.47.
Accurate
13.33 Personal information is inaccurate if it contains an error or defect. An example is incorrect factual information about an individual’s name, date of birth, residential address or current or former employment.[6]
13.34 An opinion about an individual given by a third party is not inaccurate by reason only that the individual disagrees with that opinion or advice.[7] For APP 13 purposes, the opinion may be ‘accurate’ if it is presented as an opinion and not objective fact, it accurately records the view held by the third party, and is an informed assessment that takes into account competing facts and views. Other matters to consider under APP 13, where there is disagreement with the soundness of an opinion, are whether the opinion is ‘up-to-date’, ‘complete’, ‘not misleading’ or ‘relevant’. If an individual disagrees with an opinion that is otherwise not incorrect, the individual may associate a statement with the record of the opinion (see paragraphs 13.59–13.62).
13.35 In relation to a similar issue, s 55M of the FOI Act provides that the Information Commissioner (in conducting an IC review) cannot alter a record of opinion unless satisfied that it was based on a mistake of fact, or the author of the opinion was biased, unqualified to form the opinion or acted improperly in conducting the factual inquiries that led to the formation of the opinion.
Up-to-date
13.36 Personal information is out-of-date if it contains facts, opinions or other information that is no longer current. An example is a statement that an individual lacks a particular qualification or accreditation that the individual has subsequently obtained.
13.37 Personal information about a past event may have been accurate at the time it was recorded, but has been overtaken by a later development. Whether that information is out-of-date will depend on the purpose for which it is held. If current information is required for the particular purpose, the information will to that extent be out-of-date. By contrast, if information from a past point in time is required for the particular purpose, the information may not be out-of-date for that purpose. Personal information held by an APP entity that is no longer needed for any purpose may need to be destroyed or de-identified under APP 11.2 (Chapter 11 (APP 11)).
Complete
13.38 Personal information is incomplete if it presents a partial or misleading picture, rather than a true or full picture. An example is a tenancy database which records that a tenant owes a debt, which in fact has since been repaid. The statement will be incomplete under APP 13 if the tenancy database is held for the purpose of assessing the tenancy record or reliability of individuals recorded in the database. Similarly, a statement that an individual has only two rather than three children will be incomplete under APP 13 if that information is held for the purpose of, and is relevant to, assessing a person’s eligibility for a benefit or service.
Relevant
13.39 Personal information is irrelevant if it does not have a bearing upon or connection to the purpose for which the information is held.
Not misleading
13.40 Personal information is misleading if it conveys a meaning that is untrue or inaccurate or could lead a user, receiver or reader of the information into error. An example is a statement that is presented as a statement of fact but in truth is a record of the opinion of a third party. In some circumstances an opinion may be misleading if it fails to include information about the limited facts on which the opinion was based or the context or circumstances in which the opinion was first recorded.
13.41 A statement may also be misleading by failing to include other relevant information. An example is a statement that a dismissed employee was reinstated, without explaining that this followed the ruling of a court or tribunal that the dismissal was legally flawed.[8]
Being satisfied and taking reasonable steps
13.42 An APP entity is required to take ‘reasonable steps’ to correct personal information when ‘satisfied’ that it is inaccurate, out-of-date, incomplete, irrelevant or misleading for the purpose for which it is held.
Being satisfied
13.43 This requirement will not always involve distinct analysis or decision by an APP entity. For example, if an entity maintains an online portal through which a person can access and correct their personal information, no additional step may be required by the entity. Correction may similarly be a straightforward process in other situations where, for example, an individual presents information to indicate that their personal information is incorrect in an entity’s records.
13.44 Where correction is requested by an individual and an APP entity requires further information or explanation before it can be satisfied that personal information is incorrect, the entity should clearly explain to the individual what additional information or explanation is required and/or why the entity cannot act on the information already provided. The entity could also advise where additional material may be obtained. The individual should be given a reasonable opportunity to comment on the refusal or reluctance of the entity to make a correction without further information or explanation from the individual.
13.45 An APP entity should also be prepared in an appropriate case to search its own records and other readily-accessible sources that it reasonably expects to contain relevant information to find any information in support of, or contrary to the individual’s request. For example, an entity could take into account a finding of an Australian court or tribunal relating to the personal information that has a bearing on whether it is or is not incorrect. However, an entity need not conduct a full, formal investigation into the matters about which the individual requests correction. The extent of the investigation required will depend on the circumstances, including the seriousness of any adverse consequences for the individual if the personal information is not corrected as requested.
13.46 Where personal information is held for multiple purposes, an APP entity need only be satisfied that the personal information requires correction having regard to one of the purposes for which it is held, not all purposes (see paragraph 13.46).
Reasonable steps to correct
13.47 A decision as to what constitutes ‘reasonable steps’ to correct personal information spans a range of options. These include making appropriate additions, deletions or alterations to a record, or declining to correct personal information if it would be unreasonable to take such steps. In some instances it may be appropriate to destroy or de-identify the personal information (there are separate requirements to destroy or de-identify personal information in APPs 4 and 11 — see Chapters 4 and 11 respectively). The reasonable steps that an APP entity should take will depend upon considerations that include:
- the sensitivity of the personal information. More rigorous steps may be required if the incorrect information is ‘sensitive information’ (defined in s 6(1) and discussed in Chapter B (Key concepts)) or other personal information of a sensitive nature.
- the possible adverse consequences for an individual if a correction is not made. More rigorous steps may be required as the risk of adversity increases.
- the practicability, including time and cost involved. However, an entity is not excused from correcting personal information by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take a particular step will depend on whether the burden is excessive in all the circumstances.
- the likelihood that the entity will use or disclose the personal information. For example, the likelihood of the entity using or disclosing the personal information may be relevant if it would be difficult or costly to make the correction requested by an individual.
- the purpose for which the personal information is held. As noted at paragraph 13.32, personal information may be held for multiple purposes, and require correction for one purpose but not for another purpose. Reasonable steps in these circumstances may require the entity to retain the original record of personal information for one purpose and create a record with the corrected personal information for another.
- record-keeping requirements that apply to the personal information under an Australian law or court/tribunal order. For example, the Health Practitioner Regulation 2010 (NSW), Schedule 2, clause 2.
- whether the personal information is in the physical possession of the entity or a third party. For example, where personal information is in the physical possession of a third party, the entity may still ‘hold’ it (see discussion of ‘holds’ at paragraph 13.11) and be required to take reasonable steps to correct it. In these circumstances, it may be a reasonable step for the entity to notify the third party that the information is incorrect and request that it be corrected. It will not generally be sufficient to refer the individual to the third party with physical possession. However, the third party with physical possession may also ‘hold’ the personal information, and if so, the individual will have a separate right to request the third party to correct it.
13.48 Special considerations apply to Commonwealth records. The term ‘Commonwealth record’ is defined in s 3 of the Archives Act and is discussed in more detail in Chapter B (Key concepts).[9] The definition is likely to include, in almost all cases, all personal information held by agencies. It may also include personal information held by contracted service providers. A Commonwealth record can, as a general rule, only be destroyed or altered in accordance with s 24 of the Archives Act. Further, s 26 of the Archives Act makes it an offence to alter a Commonwealth record that is over 15 years old.[10] In relation to such records, and more generally, it may be reasonable (and consistent with statutory requirements) to:
- retain a version of a record which contains incorrect personal information (see paragraph 13.47)
- associate a statement to clarify that, having regard to the purpose for which the personal information is held, the personal information is not accurate, up-to-date, complete or relevant, or is misleading, and either include the correct personal information in the note or cross-reference where it is held (such as in an attachment to the record).
APP 13 minimum procedural requirements
Taking reasonable steps to notify another APP entity
13.49 APP 13.2 provides that an APP entity must, on request, take reasonable steps to notify another APP entity of a correction made to personal information that was previously provided to that entity, unless it is impracticable or unlawful to do so. Implicit in this requirement is that an entity should take reasonable steps to inform the individual that they can make such a request. This information could be provided, for example, at the time, or as soon as practicable after, a correction is made.
13.50 The reasonable steps for an APP entity will depend upon considerations that include:
- the sensitivity of the personal information. More rigorous steps may be required for ‘sensitive information’ (defined in s 6(1) and discussed in Chapter B (Key concepts)) or other personal information of a sensitive nature.
- the possible adverse consequences for an individual if notice is not provided to the other entity. More rigorous steps may be required as the risk of adversity increases.
- the nature or importance of the correction. For example, it may not be reasonable to provide notice of a small typographical error that does not materially affect the quality of the personal information.
- the length of time that has elapsed since the personal information was disclosed to the other entity, and the likelihood that it is still being used or disclosed by the other entity
- the materiality of the correction
- the practicability of providing notice to another entity. For example, it may be impracticable to do so if the other entity has ceased carrying on business or has been substantially restructured.
- the practicability, including time and cost of providing a notice to all entities to which the personal information was previously provided. However, an entity is not excused from giving notification by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take a particular step will depend on whether the burden is excessive in all the circumstances.
13.51 An APP entity is not required to provide notice of a correction if it would be impracticable or unlawful to do so. Impracticability is addressed in the list at paragraph 13.50. An entity should consider whether it would be practicable to notify some but not all of the other APP entities to which the entity previously disclosed the personal information. In these circumstances, the entity could discuss with the individual whether there are particular entities that they wish to be notified.
13.52 The term ‘unlawful’ is not defined in the Privacy Act. The core meaning is activity that is criminal, illegal or prohibited or proscribed by law, and can include unlawful discrimination or harassment, but does not include breach of a contract. An example of when it would be unlawful to notify another APP entity is when a statutory secrecy provision prevents an agency from taking this step.
13.53 An APP entity that is notified of a correction should, in turn, consider whether to correct the personal information that it holds. As noted at paragraphs 13.16–13.18, an APP entity is required on its own initiative to take reasonable steps to correct incorrect personal information.
Giving written notice where correction is refused
13.54 APP 13.3 provides that if an APP entity refuses to correct personal information as requested by an individual, the entity must give the individual a written notice setting out:
- the reasons for the refusal, except to the extent that it would be unreasonable to do so
- the complaint mechanisms available to the individual, and
- any other matters prescribed by regulations made under the Privacy Act.
13.55 The reasons for refusal should explain, where applicable:
- that the APP entity does not hold the personal information that the individual wishes to correct
- that the entity is satisfied that the personal information it holds is accurate, up-to-date, complete, relevant and not misleading having regard to the purposes for which it is held, or
- that the steps necessary to correct the personal information as requested are not reasonable in the circumstances.
13.56 An APP entity is not required to provide its reasons for refusing to correct personal information to the extent that it would be unreasonable to do so. This course should be adopted only in justifiable circumstances. An example would be where providing reasons would prejudice an investigation of unlawful activity, or prejudice enforcement action by an enforcement body.
13.57 The description of the complaint mechanisms available to an individual should explain the internal and external complaint options, and the steps that should be followed. In particular, the individual should be advised that:
- a complaint should first be made in writing to the APP entity (s 40(1A))
- the entity should be given a reasonable time (usually 30 days) to respond
- a complaint may then be taken to a recognised external dispute resolution scheme of which the entity is a member (if any), and
- lastly, that a complaint may be made to the Information Commissioner (s 36).
13.58 Other information can also be included in the notice advising an individual that a request to correct personal information has been refused. The individual should be advised of the right under APP 13.4 to request the APP entity to associate a statement with the personal information (see paragraphs 13.59–13.62). An agency could also advise an individual of the parallel right under the FOI Act to apply for a record to be amended or annotated, and of the right to Information Commissioner review of an adverse decision under that Act (see paragraphs 13.25–13.29).
Taking reasonable steps to associate a statement
13.59 APP 13.4 provides that if an APP entity refuses to correct personal information as requested by an individual, the individual can request the entity to associate a statement that the individual believes the personal information to be inaccurate, out-of-date, incomplete, irrelevant or misleading. Implicit in this requirement is that the entity should notify the individual of the right to request that a statement be associated, for example, in the written notice where correction is refused (see paragraphs 13.54–13.58).
13.60 The APP entity must take reasonable steps to associate the statement in a way that will make it apparent to users of the personal information. For example, a statement may be attached physically to a paper record, or by an electronic link to a digital record of personal information. The statement should be associated with all records containing personal information claimed to be incorrect.
13.61 The content and length of any statement will depend on the circumstances, but it is not intended that the statement be unreasonably lengthy.[11] A longer statement may be appropriate in some instances, such as where there is a large volume of personal information that the APP entity has refused to correct. If it is not practicable to attach an extensive statement to the personal information or otherwise create a link to the statement, a note could be included on, or attached to, the personal information referring to the statement and explaining where it can be found. Where it is not reasonable for the entity to associate an extensive statement to the personal information, reasonable steps would generally include giving the individual an opportunity to revise the statement.
13.62 The reasonable steps for an APP entity will depend upon considerations that include:
- the information management practices of the entity, including whether the personal information is stored in hard copy or electronic form (see paragraph 13.59)
- whether content in a statement may be irrelevant, defamatory, offensive, abusive or breach another individual’s privacy — it may be unreasonable to associate a statement containing that content, however the individual should be given the option of revising the statement
- the practicability, including time and cost involved. However, an entity is not excused from associating a statement by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take a particular step will depend on whether the burden is excessive in all the circumstances.
Timeframe for responding to a request for correction under APP 13
13.63 APP 13.5 provides that an agency must respond to a request to correct a record or to associate a statement within 30 calendar days. The 30-day time period commences on the day after the day the agency receives the request. An organisation must respond within a reasonable period after the request is made. As a general guide, a reasonable period should not exceed 30 calendar days.
13.64 The APP entity must respond by correcting the personal information as requested by the individual, or by notifying the individual of its refusal to correct it.
Access charges under APP 13
13.65 An APP entity cannot impose any charge upon an individual for correcting personal information under APP 13. This includes:
- a charge for the making of the request to correct personal information
- a charge for making a correction or for associating a statement with the personal information (APP 13.5(b)).
Footnotes
[1] This differs from the formal requirements relating to requests for amendment or annotation under the FOI Act (see FOI Act, Part III).
[2] The FOI Act is expressed to apply separately to Minister’s offices in respect of ‘an official document of a Minister’ (FOI Act, s 48). APP 13 also applies to Minister’s offices: see the discussion of ‘APP entity’ in Chapter B (Key concepts), and the Privacy Act, s 7(1)(d),(e).
[3] See OAIC, Guidance for Agency Websites: ‘Access to Information’ Web Page, OAIC website <https://www.oaic.gov.au>.
[4] OAIC, FOI Guidelines, Part 3, OAIC website <https://www.oaic.gov.au>.
[5] OAIC, FOI Guidelines, Part 7 — Amendment and Annotation of Personal Records, OAIC website <https://www.oaic.gov.au>; and 'S' and Veda Advantage Information Services and Solutions Limited [2012] AICmr 33 (20 December 2012).
[6] Personal information is also inaccurate if it is misleading. See Australian Government, Companion Guide: Australian Privacy Principles, June 2010, p 14, Parliament of Australia website <https://www.aph.gov.au>.
[7] The definition of ‘personal information’ in the Privacy Act includes ‘information or an opinion’ (s 6(1)).
[8] An organisation that is or was an employer of an individual is exempt from the operation of the Privacy Act where its act or practice is related directly to the employment relationship between the organisation and the individual, and an employee record held by the organisation (s 7B(3)).
[9] Archives Act 1983, s 3: Commonwealth record means:
(a) a record that is the property of the Commonwealth or of a Commonwealth institution; or
(b) a record that is to be deemed to be a Commonwealth record by virtue of a regulation under subsection (6) or by virtue of section 22;
but does not include a record that is exempt material or is a register or guide maintained in accordance with Part VIII.
[10] See Archives Act 1983, s 26.
[11] Explanatory Memorandum, Privacy Amendment (Enhancing Privacy) Bill 2012, p 88.