-
On this page
This provides a step-by-step guide to help businesses deal with requests for correction of personal information in accordance with the requirements of Australian Privacy Principle (APP) 13. It should be read together with the full text of the APP guidelines.
Introduction
Under APP 13, you must take reasonable steps to correct personal information to ensure that, having regard to the purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading (‘incorrect’).
This requirement applies in two circumstances:
- where you become aware, through normal business practices, that personal information you hold is incorrect, or
- where an individual asks you to correct their personal information.
This resource deals with circumstances where you receive a request from an individual to correct their personal information. For more information about the broader requirements of APP 13, see the APP Guidelines: Chapter 13.
The flow chart below sets out the key steps to help you respond to a request for correction of personal information.
When can you correct personal information?
Request for correction
There are no formal requirements under APP 13 for an individual to make a request to correct their personal information. You may ask an individual to follow a particular procedure, such as filling out a form but you cannot require individuals to do this. However, developing a simple process may assist both yourself and the individual when dealing with correction requests. Additionally, your APP Privacy Policy should set out how an individual may seek correction of the personal information that you hold about them (APP 1.4(d)).
You must respond to a request for correction within a reasonable period after the request is made. In most cases, a reasonable period will not exceed 30 calendar days.
You must not charge an individual for making a request to correct personal, for correcting the personal information or for associating a statement with the personal information.
Can you verify the individual’s identity?
You should ensure that the request is made by the individual concerned, or by another person who is authorised to make a request on their behalf, for example, a legal guardian, power of attorney or authorised agent.
Ask the individual for any evidence you may reasonably need to confirm their identity.
It is preferable to simply sight identity documents, rather than make copies and retain these in your records.
You should not make corrections to personal information if you are not sure of the requesting individual’s identity. For more information, see the Chapter 13: Correcting at the Individual’s Request.
Can you locate the individual’s personal information?
Upon receiving a request for correction, you should search the records that you possess or control to determine whether the personal information to be corrected is contained in those records.
You could search hard copy records and electronic databases and make enquiries of staff or contractors with relevant knowledge. A discussion with the individual may assist in locating the information to be corrected.
Are you satisfied that the information is incorrect?
You must correct personal information if you are satisfied that, having regard to the purpose for which it is held, it is inaccurate, out-of-date, incomplete, irrelevant or misleading. For more information about the meaning of these terms, see the Chapter 13: Grounds for Correction.
You may ask the individual for further information or explanation if you are not satisfied that the personal information is incorrect.
Can you take reasonable steps to correct the personal information?
The reasonable steps that you must take will depend on the circumstances. Reasonable steps include making appropriate additions, deletions or alterations to a record, or declining to correct personal information if it would be unreasonable to take such steps.
In some instances, it may be appropriate to destroy or de-identify the personal information.
Do you need to take reasonable steps to notify another entity?
If requested, you must take reasonable steps to notify another APP entity of a correction made to personal information that was previously provided by you to that entity.
You are not required to notify another APP entity if it is impracticable or unlawful to do so.
You should inform individuals that they can make such a request at the time, or as soon as practicable after, a correction is made.
Can you associate a statement with the personal information?
- If you refuse to correct personal information, you should notify an individual that they can request that a statement that the individual believes the personal information to be incorrect is associated with the information.
- You must take reasonable steps to associate the statement in a way that will make it apparent to users of the personal information. If the information is in electronic form, this may request a flag being placed on the information with a link to alert where the statement is.
- The content and length of any statement will depend on the circumstances, but it is not intended that the statement be unreasonably long. Generally, a statement should not be more than one page.
Providing written notice
If you refuse to correct personal information, you must give the individual written notice setting out:
- the reasons why you have refused to correct the information (except to the extent it would be unreasonable to do so)
- that the individual may request a statement be associated to the personal information that the individual believes the information to be incorrect
- how the individual may make a complaint about your decision, how you will deal with the complaint and include information about external complaint avenues such as an external dispute resolution scheme and the OAIC.
If you have corrected the individual’s personal information, it would also be good practice to provide a notice to the individual, including in it the identity of any third parties you have notified about the change.
The information provided in this resource is of a general nature and is not a substitute for legal advice
Long text description
Start: Correction request received.
Question 1: Can you verify the individual’s identity?
- Yes: Go to Question 2.
- No: Notify individual that you can’t correct the personal information. End
Question 2: Can you locate the requested personal information?
- Yes: Go to Question 3.
- No: Notify individual that you can’t locate the information. End
Question 3: Are you satisfied the personal information is incorrect?
- Yes: Go to Question 4.
- No: Associate a statement to the personal information, if possible. Notify individual that you can’t correct personal information and why, but that you have associated a statement. End
Question 4: Can you correct the personal information?
- Yes: Correct the personal information. Notify any third parties if necessary. Notify the individual that you have corrected the information. End
- No: Associate a statement to the personal information, if possible. Notify individual that you can’t correct personal information and why, but that you have associated a statement. End