The Information Privacy Act 2009 (Qld) (IP Act) contains a number of privacy principles which set out the rules for how personal information is to be collected, managed, used and disclosed by Queensland government agencies.1 One of these obligations is to take reasonable steps to ensure the accuracy of personal information.
Personal information is defined in section 12 of the IP Act. It is a broad definition that encompasses any information about an individual who can be identified directly from the information, or whose identity can be reasonably ascertained by reference to other information. Information does not have to be true, written down, sensitive or 'important' to be personal information.
Using personal information
Use of personal information is defined in the IP Act,2 and includes taking personal information into account when making a decision, transferring it between different parts of an agency, and manipulating, searching or otherwise dealing with it. The privacy principles only permit personal information to be used in specific circumstances, including where the use is authorised or required by law.3
Taking reasonable steps to ensure accuracy is required by law
The privacy principles contained in the IP Act require an agency to take reasonable steps to ensure that personal information is accurate, complete and up to date before it is used.4 This means that if, for example, one business group has more recent personal information than another, the second group can check the accuracy of the information with the first group.
The dog management area of a council needs to send a notice to Bob, but they know he has moved and they don’t have his new postal address. However, Bob is a user of the library and the dog management officers suspect that the library may have Bob's current address. They could check with the library for a more recently updated address to ensure the information they use to send Bob the notice is accurate.
The interaction between the privacy principles cannot be used to justify cross-matching of data on a larger scale where there is no immediate use of personal information. For example, it could not be used to authorise the merging of two databases together, cross-referencing for inconsistencies. This could be a breach of the privacy principles. It should be limited to circumstances in which the personal information is in active use, it is suspected to be inaccurate, and the inaccuracy is a fact, such as a person's postal address or phone number, rather than an opinion.
- 1 In this Guideline references to an 'agency' include Ministers and bound contracted service providers, unless otherwise specified. [up]
- 2 Section 23 of the IP Act. [up]
- 3 IPP 10(1)(c) and NPP 2(1)(f) – see IPP 10 and NPP 2 for a complete list of when personal information may be used. [up]
- 4 IPP 8 and NPP 3. [up]
Current as at: January 6, 2012