Health agencies are required to comply with the National Privacy Principles (NPPs), and all other agencies with the Information Privacy Principles (IPPs), in the Information Privacy Act 2009 (Qld) (IP Act).
Note
In this guide, health agencies and other agencies are collectively referred to as agencies, unless their obligations differ. Where they have different obligations under their respective privacy principles they are referred to as health agencies and non-health agencies.
Under IPPs 7 and 8 and NPP 3, agencies have specific obligations to ensure personal information is accurate, up to date, complete and not misleading. In addition, non-health agencies must only use personal information that is relevant to the purpose they are undertaking.
A health agency must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up to date.
(1) If a health agency has control of a document containing personal information, it must take all reasonable steps, including by the making of an appropriate amendment, to ensure the personal information—
(a) is accurate; and
(b) having regard to the purpose for which it was collected or is to be used and to any purpose directly related to fulfilling the purpose, is relevant, complete, up to date and not misleading.
(2) Subsection (1) applies subject to any limitation in a law of the State providing for the amendment of personal information held by a health agency.
(3) Subsection (4) applies if—
(a) a health agency considers it is not required to amend personal information included in a document under the health agency’s control in a way asked for by the individual the subject of the personal information; and
(b) no decision or recommendation to the effect that the document should be amended wholly or partly in the way asked for has been made under a law mentioned in subsection (2).
(4) A health agency must, if the individual asks, take all reasonable steps to attach to the document any statement provided by the individual of the amendment asked for.
(1) An agency having control of a document containing personal information must take all reasonable steps, including by the making of an appropriate amendment, to ensure the personal information—
(a) is accurate; and
(b) having regard to the purpose for which it was collected or is to be used and to any purpose directly related to fulfilling the purpose, is relevant, complete, up to date and not misleading.
(2) Subsection (1) applies subject to any limitation in a law of the State providing for the amendment of personal information held by the agency.
(3) Subsection (4) applies if—
(a) an agency considers it is not required to amend personal information included in a document under the agency’s control in a way asked for by the individual the subject of the personal information; and
(b) no decision or recommendation to the effect that the document should be amended wholly or partly in the way asked for has been made under a law mentioned in subsection (2).
(4) The agency must, if the individual asks, take all reasonable steps to attach to the document any statement provided by the individual of the amendment asked for.
Before an agency uses personal information contained in a document under its control, the agency must take all reasonable steps to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, complete and up to date.
(1) This section applies if an agency having control of a document containing personal information proposes to use the information for a particular purpose.
(2) The agency must use only the parts of the personal information that are directly relevant to fulfilling the particular purpose.
The requirement that all agencies ensure personal information is accurate, up to date, complete and not misleading (accurate) recognises that agency decisions must be based on correct and complete facts.
In addition to creating robust privacy protection, these principles help ensure greater administrative efficiency. Compliance can avoid the time, potential embarrassment and possible adverse effects involved when decisions have to be revoked and remade.
Agencies are not required to continually check the personal information they hold. Instead, reasonable steps must be taken to ensure that the information is accurate, complete and up to date when it is collected, and prior to its use or disclosure.
Factors to consider when determining what will constitute ‘reasonable steps’ include:
In most circumstances, a reliable way of ensuring accuracy will be to verify the information against the original source. However, in some cases that may be unreasonable because, for example:
If agency officers cannot reasonably check with the original source, there are often other methods that can be used to ensure information accuracy. For example, when doing a bulk mail out it would not be reasonable to check name and address details with each individual at the time. However, it would be reasonable to make sure that changes of address are processed quickly and accurately in maintaining the database.
The requirement to ensure information is accurate by way of amendment will, in almost all cases, be met by the mechanisms in chapter 3 of the IP Act.
However, all agencies should put administrative processes in place for simple and non-contentious amendments to personal information, such as updating contact details.
Under the IP Act, moving personal information between different parts of an agency is a use of personal information. The privacy principles only permit personal information to be used in specific circumstances, including where the use is authorised or required by law.
Agencies are required by the IP Act to ensure personal information is accurate. This means that if, for example, one business group has more recent personal information than another, the second group can check the accuracy of the personal information with the first group.
The dog management area of a council needs to send a notice to Bob, but they know he has moved and they don’t have his new postal address. However, Bob is a user of the library and the dog management officers suspect that the library may have Bob’s current address. They could check with the library for a more recently updated address to ensure the information they use to send Bob the notice is accurate.
The interaction between the privacy principles cannot be used to justify cross-matching of data on a larger scale where there is no immediate use of personal information. For example, it could not be used to authorise merging two databases and cross-referencing them for inconsistencies. This could be a breach of the privacy principles.
Checking of this kind should be limited to circumstances in which the personal information is in active use, it is suspected to be inaccurate, and the inaccuracy is a fact, such as a person's postal address or phone number, rather than an opinion.
Under IPP 9, if a non-health agency controls personal information, but only part of it is relevant to the purpose they are trying to achieve, they are only permitted to use the relevant personal information.
Current as at: September 20, 2019