QPP 12 and 13 – Access and correction

Overview

All Queensland government agencies¹ must handle personal information in accordance with the Queensland Privacy Principles (QPP) in the Information Privacy Act 2009 (Qld) (IP Act).

This guideline is based on and includes material from the Australian Privacy Principle guidelines developed by the Office of the Australian Information Commissioner.

What is personal information?

Section 12 of the IP Act provides that personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information is true or recorded in a material format.

The individual does not need to be directly identified in the information for it to be personal information. It is sufficient if they can reasonably be identified by reference to other information.

Refer to Key privacy concepts – personal and sensitive information for more information.

QPP 12 and 13

QPP 12.1 creates a right of access to personal information and QPP 13 creates a right to correct information. However:

• under QPP 12.2, an agency is not required to give access to personal information if they would be authorised to refuse access under the Right to Information Act 2009 (RTI Act) or another law in force in Queensland that provides for access to, or amendment of, documents; and
• under QPP 13.6, an agency is not required to correct personal information if it would be authorised or required to refuse amendment under the RTI Act or another Act regulating the amendment of personal information.

QPP 12 – Access to personal information

QPP 12 provides that, where an agency has control of a document containing personal information, it must give the subject of the information access if they ask for it. It operates alongside, and subject to, the RTI Act and other laws that provide a right of access to information held by agencies.

QPP 12 does not prescribe a particular access mechanism, and agencies can give effect to the right by, for example, robust compliance with the RTI Act and administrative access schemes.

Access under the RTI Act is intended to be a last resort, which means access to personal information should not automatically be managed through the formal mechanisms of the RTI Act. Generally, where the circumstances surrounding the information are not contentious, releasing it would not breach legislative or confidentiality obligations, and access would not be refused under the RTI Act, agencies should consider providing access administratively.

Refer to Administrative release of information for more information.

QPP 13 – Correction of personal information

QPP 13.1 requires agencies to take reasonable steps to correct the personal information they hold to ensure that, having regard to the purpose for which it is held, it is accurate, up to date, complete, relevant and not misleading.

An agency is only required to take these reasonable steps if:

• It is satisfied, independent of any request, that personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to the purpose for which it is held; or
• the individual asks the agency to correct the information.

Correction at agency's initiative

QPP 13 does not require agencies to continually check the personal information they hold. However, an agency may become aware that personal information is incorrect in the course of business, for example:

• information provided to the agency by the individual or a third party may be inconsistent with other personal information held by the agency. For example, an identity document, letter, medical record or photograph
• a court or tribunal may make a finding about the personal information, in a case involving the agency or in another case that comes to the agency’s notice
• the agency may be notified by another agency or person that the personal information is incorrect, or that similar personal information held by the other agency has been corrected; or
• an auditing or monitoring program indicates that personal information the agency holds requires correction.

After becoming aware that personal information may require correction, agencies should take steps to satisfy themselves that the information is incorrect before taking reasonable steps to correct it.

Correction on request

If an individual asks an agency to correct their personal information, the agency must take reasonable steps to correct it if it is satisfied that the information is incorrect.

QPP 13 operates alongside, and subject to, the amendment rights in the Right to Information Act 2009 (2009) (RTI Act) and other laws that provide a right of amendment if of personal information held by agencies. QPP 13 does not prescribe a particular mechanism for correction requests, and agencies can give effect to QPP 13, for example, by robust compliance with the RTI Act and administrative mechanisms for correction.

Personal information correction, however, should not automatically be managed through the formal mechanisms of the RTI Act. Generally, where the circumstances surrounding the information are not contentious, amending it would not breach legislative obligations, and amendment would not be refused under the RTI Act, agencies should consider correcting it administratively.

Making a notation

If the agency refuses to correct personal information at an individual's request, eg because it is not satisfied the information is incorrect or there are no reasonable steps it can take to correct it, the individual can ask the agency to associate a statement with the information. If an agency refuses to correct the information, they should inform the individual that they have this option.

If the individual requests it, the agency must take reasonable steps to associate the statement with the information in a way that will make it apparent to users of the information.

The statement should state that the personal information is inaccurate, out of date, incomplete, irrelevant or misleading. If the agency refused because it was not satisfied that the information is incorrect, the statement should reflect that it is based on the individual's assertion, rather than a statement of fact.

If the agency refused correction because there were no reasonable steps it could take, the statement should clearly set out that the information is incorrect and, where appropriate, provide the correct information.

Being satisfied

Being satisfied that personal information is incorrect will not always require detailed analysis. For example, if an agency maintains an online portal through which an individual can access and correct their personal information, the agency may not need to take any additional steps. Correction may also be straightforward in other situations where, for example, an individual presents information to demonstrate that their personal information is incorrect.

If an individual requests correction and the agency needs more information before they can assess the request, it can ask the individual to provide it. However, the agency must clearly explain to the individual what information they need, why they need it, and the consequences of not providing it, eg it may not be able to process or the request or make the correction. However, the burden should not be placed entirely on the individual.

Where appropriate, agencies should be prepared to search their own records and other readily accessible sources that could reasonably be expected to contain information relevant to the individual's request. A full, formal investigation into the matters about which the individual requests correction will generally not be required. The extent of any investigation required will depend on the circumstances, including the seriousness of any adverse consequences for the individual if the correction is not made.

Reasonable steps to correct

If there are no reasonable steps an agency can take, it can decline to correct personal information. The reasonable steps open to an agency include making appropriate additions, deletions or alterations to a record. In some circumstances, it may be appropriate to destroy or de-identify personal information if the agency is satisfied it is incorrect.²

The reasonable steps that an agency must take will depend on the circumstances, including:

• the sensitivity of the personal information. More rigorous steps may be required if the incorrect information is sensitive information as defined in schedule 5 of the IP Act or other personal information of a sensitive nature.
• the possible adverse consequences for an individual if a correction is not made. More rigorous steps may be required as the risk of adversity increases.
• the practicability, including time and cost involved. However, an agency is not excused from correcting personal information by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take a particular step will depend on whether the burden is excessive in all the circumstances.
• the likelihood that the agency will use or disclose the personal information.
• the purpose for which the personal information is held.
• record-keeping requirements that apply to the personal information.
• whether the personal information is in the physical possession of the agency or a third party.

Bound contracted service providers

Bound contracted service providers (bound under section 35 of the IP Act) are not subject to the RTI Act but are subject to the QPPs.³

Agencies should ensure there are processes in place for individuals to access and correct their personal information held by bound contracted service providers.

This could be done by, for example:

• ensuring contracted service providers understand their access and correction obligations under QPP 12 and 13 and providing guidance; or
• by establishing in the contract that relevant documents remain under the control of the agency, which means individuals can apply to the agency for access to or correction of their information.