All agencies - Accuracy and relevance of personal information

Health agencies1 are required to comply with the National Privacy Principles (NPPs), and all other agencies2 with the Information Privacy Principles (IPPs), in the Information Privacy Act 2009 (Qld) (IP Act).

Note

In this guide, health agencies and other agencies are collectively referred to as agencies, unless their obligations differ. Where they have different obligations under their respective privacy principles they are referred to as health agencies and non-health agencies.

Under IPPs 7 and 8 and NPP 3, agencies have specific obligations to ensure personal information3 is accurate, up to date, complete and not misleading. In addition, non-health agencies must only use personal information that is relevant to the purpose they are undertaking.

Privacy Principles

NPP 3Data quality

A health agency must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up to date.

NPP 7—Amendment of documents containing personal information

(1) If a health agency has control of a document containing personal information, it must take all reasonable steps, including by the making of an appropriate amendment, to ensure the personal information—

(a) is accurate; and

(b) having regard to the purpose for which it was collected or is to be used and to any purpose directly related to fulfilling the purpose, is relevant, complete, up to date and not misleading.

(2)  Subsection (1) applies subject to any limitation in a law of the State providing for the amendment of personal information held by a health agency.

(3)  Subsection (4) applies if—

(a) a health agency considers it is not required to amend personal information included in a document under the health agency’s control in a way asked for by the individual the subject of the personal information; and

(b) no decision or recommendation to the effect that the document should be amended wholly or partly in the way asked for has been made under a law mentioned in subsection (2).

(4)  A health agency must, if the individual asks, take all reasonable steps to attach to the document any statement provided by the individual of the amendment asked for.

IPP 7—Amendment of documents containing personal information

(1)  An agency having control of a document containing personal information must take all reasonable steps, including by the making of an appropriate amendment, to ensure the personal information—

(a) is accurate; and

(b) having regard to the purpose for which it was collected or is to be used and to any purpose directly related to fulfilling the purpose, is relevant, complete, up to date and not misleading.

(2)  Subsection (1) applies subject to any limitation in a law of the State providing for the amendment of personal information held by the agency.

(3)  Subsection (4) applies if—

(a) an agency considers it is not required to amend personal information included in a document under the agency’s control in a way asked for by the individual the subject of the personal information; and

(b) no decision or recommendation to the effect that the document should be amended wholly or partly in the way asked for has been made under a law mentioned in subsection (2).

(4)  The agency must, if the individual asks, take all reasonable steps to attach to the document any statement provided by the individual of the amendment asked for.

IPP 8—Checking of accuracy etc. of personal information before use by agency

Before an agency uses personal information contained in a document under its control, the agency must take all reasonable steps to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, complete and up to date.

IPP 9—Use of personal information only for relevant purpose

(1)  This section applies if an agency having control of a document containing personal information proposes to use the information for a particular purpose.

(2)  The agency must use only the parts of the personal information that are directly relevant to fulfilling the particular purpose.

Personal information accuracy

The requirement that all agencies ensure personal information is accurate, up to date, complete and not misleading (accurate) recognises that agency decisions must be based on correct and complete facts.

In addition to creating robust privacy protection, these principles help ensure greater administrative efficiency. Compliance can save the time, potential embarrassment, and possible adverse effects when decisions have to be revoked and remade.

Agencies are not required to continually check the personal information they hold. Instead, reasonable steps must be taken when the information is collected to ensure that it is accurate, complete and up-to-date, and prior to its use or disclosure.

Factors to consider when determining what will constitute ‘reasonable steps’ include:

  • the likelihood that the information in question is complete, accurate and up to date
  • whether the information is likely to change over time (for example, date of birth will not change but address and contact details may change frequently and should be regularly checked)
  • how critical it is that the information be accurate
  • how recently the information was collected (for example, if an officer uses information soon after collecting it directly from an individual, it probably does not need to be checked)
  • how reliable the information is likely to be–--this may include professional judgements about whether, or what, information requires verification
  • who provided the information (if the information was collected from third parties the need to confirm its accuracy may increase)
  • how the information will be used, or under what circumstances it is being disclosed (for example, there is a strict obligation to ensure that an individual’s address details are correct in sending a referral letter or appointment by mail); and
  • the consequences if the information being used or disclosed is incorrect.

In most circumstances, a reliable way of ensuring accuracy will be to verify the information against the original source. However, in some cases that may be unreasonable because, for example:

  • the original source may no longer be available
  • checking the original source may be unreasonably expensive
  • the consequences of the personal information being incorrect are likely to have nominal or minimal impact; or
  • there is reason to believe that the source information may not be accurate or may have become inaccurate over time.

If agency officers cannot reasonably check with the original source, there are often other methods that can be used to ensure information accuracy.  For example, when doing a bulk mail out it would not be rea­sonable to check name and address details with each individual at the time.  However, it would be reasonable to make sure that changes of address are processed quickly and accu­rately in maintaining the database.

Accuracy by way of amendment

The requirement to ensure information is accurate by way of amendment, will, in almost all cases, be met by the mechanisms in chapter 3 of the IP Act.4

However, all agencies should put administrative processes in place for simple and non-contentious amendments to personal information, such as updating contact details.

Using other personal information to check accuracy

Under the IP Act,5 moving personal information between different parts of an agency is a use of personal information. The privacy principles only permit personal information to be used in specific circumstances, including where the use is authorised or required by law.6

Agencies are required by the IP Act to ensure personal information is accurate. This means that if, for example, one business group has more recent personal information than another, the second group can check the accuracy of the personal information with the first group.

Example

The dog management area of a council needs to send a notice to Bob, but they know he has moved and they don’t have his new postal address. However, Bob is a user of the library and the dog management officers suspect that the library may have Bob’s current address. They could check with the library for a more recently updated address to ensure the information they use to send Bob the notice is accurate.

Limitations

The interaction between the privacy principles cannot be used to justify cross-matching of data on a larger scale where there is no immediate use of personal information. For example, it could not be used to authorise the merging of two databases together, cross-referencing for inconsistencies. This could be a breach of the privacy principles.

It should be limited to circumstances in which the personal information is in active use, it is suspected to be inaccurate, and the inaccuracy is a fact, such as a person's postal address or phone number, rather than an opinion.

Non-health agencies: only use relevant personal information

Under IPP 9, if a non-health agency controls personal information, but only part of it is relevant to the purpose they are trying to achieve, they are only permitted to use the relevant personal information.

  • 1 In this guideline, health agency includes a bound contracted service provider to a health agency.
  • 2 In this guideline, agency includes Ministers and bound contracted service providers to the agency.
  • 3 Any information or opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
  • 4 Paragraph 35, Purrer v Information Commissioner [2018] QSC 272
  • 5 Section 23 of the IP Act.
  • 6 IPP 10(1)(c) and NPP 2(1)(f) – see IPP 10 and NPP 2 for a complete list of when personal information may be used.

Current as at: September 20, 2019