What does APP 10 say?
10.1 An APP entity must take reasonable steps to ensure that the personal information it collects is accurate, up-to-date and complete (APP 10.1).
10.2 An APP entity must also take reasonable steps to ensure that the personal information it uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant (APP 10.2). It is implicit that this requirement only applies to personal information ‘held’ by an entity (see Chapter 6 (APP 6)). ‘Holds’ is discussed in Chapter B (Key concepts).
10.3 Handling poor quality personal information can have significant privacy impacts for individuals. The requirements in APP 10 ensure that an APP entity takes reasonable steps to only handle high quality personal information, which builds community trust and confidence in an entity’s information handling practices.
When an APP entity must take reasonable steps to ensure the quality of personal information
10.4 An APP entity must take reasonable steps to ensure the quality of personal information at two distinct points in the information handling cycle. The first is at the time the information is collected. The second is at the time the information is used or disclosed.
10.5 Regular reviews, at other times, of the quality of personal information held by the APP entity may also assist in ensuring it is accurate, up-to-date, complete and relevant at the time it is used or disclosed.
Taking reasonable steps
10.6 The reasonable steps that an APP entity should take will depend upon circumstances that include:
- the sensitivity of the personal information. More rigorous steps may be required if the information collected, used or disclosed is ‘sensitive information’ (defined in s 6(1) and discussed in Chapter B (Key concepts)) or other personal information of a sensitive nature.
- the nature of the APP entity holding the personal information. Relevant considerations include an entity’s size, resources and its business model. For example, the reasonable steps expected of an entity that operates through franchises or dealerships, or gives database and network access to contractors, may differ from the reasonable steps required of a centralised entity.
- the possible adverse consequences for an individual if the quality of personal information is not ensured. More rigorous steps may be required as the risk of adversity increases.
- the practicability, including time and cost involved. However, an entity is not excused from taking particular steps by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take particular steps will depend on whether the burden is excessive in all the circumstances.
10.7 In some circumstances it will be reasonable for an APP entity to take no steps to ensure the quality of personal information. For example, where an entity collects personal information from a source known to be reliable (such as the individual concerned) it may be reasonable to take no steps to ensure the quality of personal information. It is the responsibility of the entity to be able to justify that this is reasonable.
Examples of reasonable steps
10.8 The following are given as examples of reasonable steps that an APP entity could consider:
- implementing internal practices, procedures and systems to audit, monitor, identify and correct poor quality personal information (including training staff in these practices, procedures and systems). For example, if the entity commonly uses or discloses personal information in time-critical situations such that it may not be possible to take steps to ensure quality at the time of the use or disclosure, the entity might take steps to ensure the quality of personal information at regular intervals
- implementing protocols that ensure personal information is collected and recorded in a consistent format. For example, to help assess whether personal information is up-to-date, an entity might, where practicable, note on a record when the personal information was collected and the point in time to which it relates, and if it is an opinion, that fact
- ensuring updated or new personal information is promptly added to relevant existing records
- providing individuals with a simple means to review and update their personal information on an on-going basis, for example through an online portal
- reminding individuals to update their personal information each time the entity engages with the individual
- contacting the individual to verify the quality of personal information when it is used or disclosed, particularly if there has been a lengthy period since collection
- checking that a third party, from whom personal information is collected, has implemented appropriate practices, procedures and systems to ensure the quality of personal information. Depending on the circumstances, this could include:
  - making an enforceable contractual arrangement to ensure that the third party implements appropriate measures to ensure the quality of personal information the entity collects from the third party
  - undertaking due diligence in relation to the third party’s quality practices prior to the collection
- if personal information is to be used or disclosed for a new purpose that is not the primary purpose of collection, assessing the quality of the personal information having regard to that new purpose before the use or disclosure.
What are the quality considerations?
10.9 The three terms listed in APPs 10.1 and 10.2, ‘accurate’, ‘up-to-date’, ‘complete’, and the additional term in APP 10.2, ‘relevant’, are not defined in the Privacy Act. These terms are also listed in APP 13.1, which deals with the correction of personal information held by an APP entity.
10.10 The following analysis of each term draws on the ordinary dictionary meaning of the terms, as well as case law concerning the meaning of those terms in the Privacy Act, Freedom of Information Act 1982 (FOI Act) and other legislation. As the analysis indicates, there is overlap in the meaning of the terms.
10.11 In applying the terms to the use and disclosure of personal information, it is necessary to have regard to ‘the purpose of the use or disclosure’ (APP 10.2). This is also a necessary consideration when applying these terms to the collection of personal information (see paragraph 10.21 below). That is, personal information may be of poor quality having regard to one purpose for which it is collected, used or disclosed, but not another. ‘Purpose’ is discussed in Chapter B (Key concepts).
10.12 Personal information is inaccurate if it contains an error or defect. Personal information is also inaccurate if it is misleading. An example is incorrect factual information about a person’s name, date of birth, residential address or current or former employment.
10.13 An opinion about an individual given by a third party is not inaccurate by reason only that the individual disagrees with that opinion or advice. For APP 10 purposes, the opinion may be ‘accurate’ if it is presented as an opinion and not objective fact, it accurately records the view held by the third party, and is an informed assessment that takes into account competing facts and views. Other matters to consider under APP 10 are whether the opinion is ‘up-to-date’, ‘complete’, ‘not misleading’ or ‘relevant’.
10.14 In relation to a similar issue, s 55M of the FOI Act provides that the Information Commissioner (in conducting an Information Commissioner review) cannot alter a record of opinion unless satisfied that it was based on a mistake of fact, or the author of the opinion was biased, unqualified to form the opinion or acted improperly in conducting the factual inquiries that led to the formation of the opinion.
10.15 Personal information is out-of-date if it contains facts, opinions or other information that is no longer current. An example is a statement that an individual lacks a particular qualification or accreditation that the individual has subsequently obtained.
10.16 Personal information about a past event may have been accurate at the time it was recorded, but has been overtaken by a later development. Whether that personal information is out-of-date will depend on the purpose for which it is collected, used or disclosed. If current personal information is required for the particular purpose, the personal information will, to that extent, be out-of-date. Personal information held by an APP entity that is no longer needed for any purpose may need to be destroyed or de‑identified under APP 11.2 (Chapter 11 (APP 11)).
10.17 Personal information is incomplete if it presents a partial or misleading picture, rather than a true or full picture. An example is a tenancy database which records that a tenant owes a debt, which in fact has since been repaid. The personal information will be incomplete under APP 10 if the tenancy database is used or disclosed for the purpose of providing members with personal information about defaults on tenant agreements. Similarly, a statement that a person has only two rather than three children will be incomplete under APP 10 if that personal information is used for the purpose of, and is relevant to, assessing a person’s eligibility for a benefit or service.
10.18 Where an APP entity is required to collect additional personal information to ensure that the information is complete, having regard to the purpose for which the information is collected, used or disclosed, the collection of that information will be reasonably necessary for the entity’s functions or activities (see Chapter 3 (APP 3)).
10.19 Personal information is irrelevant if it does not have a bearing upon or connection to the purpose for which the personal information is used or disclosed. An example is an APP entity that holds personal information about a client collected for the purpose of providing financial advice. If the entity later discloses personal information to purchase shares on the client’s behalf, it should only disclose parts of the personal information relevant to that secondary purpose.
Interaction with other APPs
10.20 The requirements in APP 10 to take reasonable steps to ensure the quality of personal information are complemented by other requirements in APP 3 (collection of solicited personal information), APP 11 (security of personal information), APP 12 (access to personal information) and APP 13 (correction of personal information).
APP 3 (collection of solicited personal information)
10.21 APP 10.1 does not specifically require an APP entity to take reasonable steps to ensure that the personal information it collects is relevant to the purpose of collection. However, this requirement is implied in APP 3. Under APP 3, an APP entity must only collect personal information which is reasonably necessary for ‘one or more of the entity’s functions or activities’. Agencies may, in addition, collect personal information that is directly related to one or more of the agency’s functions or activities. For sensitive information, an entity will also need the individual’s consent, unless an exception applies (see Chapter 3 (APP 3)).
APP 11 (security of personal information)
10.22 Where an APP entity amends personal information or adds new personal information to a record to comply with APP 10, it should consider whether it needs to take action under APP 11 to destroy or de-identify other personal information that it holds (for example a copy of that information). APP 11 requires an APP entity to take reasonable steps to destroy or de‑identify personal information that it no longer needs, unless it is contained in a Commonwealth record or the entity is required by or under an Australian law, or a court/tribunal order, to retain it (see Chapter 11 (APP 11)).
APP 12 (access to personal information) and APP 13 (correction of personal information)
10.23 APPs 12 and 13 can support an APP entity in meeting its obligation under APP 10 to ensure the quality of personal information that it collects, uses and discloses. Providing an individual with access to their personal information under APP 12 will allow the individual to identify whether any personal information is inaccurate, out-of-date, incomplete or irrelevant. Similarly, taking reasonable steps to correct incorrect personal information at the request of an individual under APP 13 can also enhance the quality of that information.
10.24 APP 13 also requires an APP entity to take reasonable steps to correct personal information where an APP entity is satisfied, independently of any request, that personal information it holds is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to a purpose for which the information is held (see Chapter 13 (APP 13)).
10.25 In addition to responding to requests for access and correction under APPs 12 and 13, an APP entity should proactively provide individuals with a simple means to access and update their personal information on an on-going basis (see paragraph 10.8 above).