Australian Government - Office of the Australian Information Commissioner

Privacy business resource 17: Dealing with requests for correction of personal information

May 2016

The purpose of this resource is to provide a step-by-step guide to help businesses deal with requests for correction of personal information in accordance with the requirements of Australian Privacy Principle (APP) 13. It should be read together with the full text of the APP Guidelines.

Introduction

Under APP 13, you must take reasonable steps to correct personal information to ensure that, having regard to the purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading (‘incorrect’).

This requirement applies in two circumstances:

  • where you become aware, through normal business practices, that personal information you hold is incorrect, or
  • where an individual asks you to correct their personal information.

This resource deals with circumstances where you receive a request from an individual to correct their personal information. For more information about the broader requirements of APP 13, see the APP Guidelines: Chapter 13.

The flow chart below sets out the key steps to help you respond to a request for correction of personal information.

When can you correct personal information?

[Flowchart: see the long text description at the end of this resource.]

Request for correction

  • There are no formal requirements under APP 13 for an individual to make a request to correct their personal information. You may ask an individual to follow a particular procedure, such as filling out a form, but you cannot require individuals to do this. However, developing a simple process may assist both yourself and the individual when dealing with correction requests. Additionally, your APP Privacy Policy should set out how an individual may seek correction of the personal information that you hold about them (APP 1.4(d)).
  • You must respond to a request for correction within a reasonable period after the request is made. In most cases, a reasonable period will not exceed 30 calendar days.
  • You must not charge an individual for making a request to correct personal information, for correcting the personal information or for associating a statement with the personal information.

Can you verify the individual’s identity?

  • You should ensure that the request is made by the individual concerned, or by another person who is authorised to make a request on their behalf, for example, a legal guardian, power of attorney or authorised agent.
  • Ask the individual for any evidence you may reasonably need to confirm their identity.
  • It is preferable to simply sight identity documents, rather than make copies and retain these in your records.
  • You should not make corrections to personal information if you are not sure of the requesting individual’s identity. For more information, see the APP Guidelines: Chapter 13, ‘Correcting at the individual’s request’.

Can you locate the individual’s personal information?

  • Upon receiving a request for correction, you should search the records that you possess or control to determine whether the personal information to be corrected is contained in those records.
  • You could search hard copy records and electronic databases and make enquiries of staff or contractors with relevant knowledge. A discussion with the individual may assist in locating the information to be corrected.

Are you satisfied that the information is incorrect?

  • You must correct personal information if you are satisfied that, having regard to the purpose for which it is held, it is inaccurate, out-of-date, incomplete, irrelevant or misleading. For more information about the meaning of these terms, see the APP Guidelines: Chapter 13, ‘Grounds for correction’.
  • You may ask the individual for further information or explanation if you are not satisfied that the personal information is incorrect.

Can you take reasonable steps to correct the personal information?

  • The reasonable steps that you must take will depend on the circumstances. Reasonable steps include making appropriate additions, deletions or alterations to a record, or declining to correct personal information if it would be unreasonable to take such steps.
  • In some instances, it may be appropriate to destroy or de-identify the personal information.

Do you need to take reasonable steps to notify another entity?

  • If requested, you must take reasonable steps to notify another APP entity of a correction made to personal information that was previously provided by you to that entity.
  • You are not required to notify another APP entity if it is impracticable or unlawful to do so.
  • You should inform individuals that they can make such a request at the time, or as soon as practicable after, a correction is made.

Can you associate a statement with the personal information?

  • If you refuse to correct personal information, you should notify an individual that they can request that a statement that the individual believes the personal information to be incorrect is associated with the information.
  • You must take reasonable steps to associate the statement in a way that will make it apparent to users of the personal information. If the information is in electronic form, this may require a flag being placed on the information, with a link alerting users to where the statement is.
  • The content and length of any statement will depend on the circumstances, but it is not intended that the statement be unreasonably long. Generally, a statement should not be more than one page.

Providing written notice

  • If you refuse to correct personal information, you must give the individual written notice setting out:
    • the reasons why you have refused to correct the information (except to the extent it would be unreasonable to do so)
    • that the individual may request that a statement that the individual believes the information to be incorrect be associated with the personal information
    • how the individual may make a complaint about your decision and how you will deal with the complaint, together with information about external complaint avenues such as an external dispute resolution scheme and the OAIC.
  • If you have corrected the individual’s personal information, it would also be good practice to provide a notice to the individual, including in it the identity of any third parties you have notified about the change.

The information provided in this resource is of a general nature. It is not a substitute for legal advice.

Long text description

Start: Correction request received.

Question 1: Can you verify the individual’s identity?

  • Yes: Go to Question 2.
  • No: Notify individual that you can’t correct the personal information. End

Question 2: Can you locate the requested personal information?

  • Yes: Go to Question 3.
  • No: Notify individual that you can’t locate the information. End

Question 3: Are you satisfied the personal information is incorrect?

  • Yes: Go to Question 4.
  • No: Associate a statement to the personal information, if possible. Notify individual that you can’t correct personal information and why, but that you have associated a statement. End

Question 4: Can you correct the personal information?

  • Yes: Correct the personal information. Notify any third parties if necessary. Notify the individual that you have corrected the information. End
  • No: Associate a statement to the personal information, if possible. Notify individual that you can’t correct personal information and why, but that you have associated a statement. End
