How To Process Requests to Correct Personal Information - de.iterate

Written by sallydeiteratecom | May 22, 2024 9:05:26 AM

A Comprehensive Guide to Navigating APP 13 and Recommendations from the OAIC 

In today’s data-centric world, the accuracy of personal information held by organisations is paramount. Australian Privacy Principle 13 (APP 13), a vital component of the Privacy Act 1988, addresses the right of individuals to correct personal information that an organisation holds about them.

This principle, coupled with the recommendations from the Office of the Australian Information Commissioner (OAIC), forms a critical framework for organisations to ensure data accuracy and integrity. Here, we explore the step-by-step process for handling correction requests, navigating the legal requirements, and embedding best practices within your organisation’s privacy policy. 

Understanding the Imperative of APP 13

APP 13 – Correction of Personal Information empowers individuals to have control over their data. It states that organisations must take reasonable steps to correct the personal information they hold, to ensure it is accurate, up-to-date, complete, relevant and not misleading, having regard to the purpose for which it is held.

In a nutshell, organisations are required to correct incorrect personal information. 

This obligation applies in two circumstances: 

  1. Where the organisation is satisfied that the information it holds is incorrect
  2. Where an individual requests that their personal information be corrected

Grounds for Correcting Personal Information 

Under APP 13, there are five grounds for correcting personal information: accurate, up-to-date, complete, relevant and not misleading. These are not defined in the Privacy Act. However, the OAIC recommends the following:

Accurate: Personal information is inaccurate if it contains an error or defect. An example is incorrect factual information about an individual’s name, date of birth, residential address or current or former employment. 

Up-to-date: Personal information is out-of-date if it contains facts, opinions or other information that is no longer current. An example is a statement that an individual lacks a particular qualification or accreditation that the individual has subsequently obtained. 

Complete: Personal information is incomplete if it presents a partial or misleading picture, rather than a true or full picture. An example is a tenancy database which records that a tenant owes a debt, which in fact has since been repaid. 

Relevant: Personal information is irrelevant if it does not have a bearing upon or connection to the purpose for which the information is held. 

Not Misleading: Personal information is misleading if it conveys a meaning that is untrue or inaccurate or could lead a user, receiver or reader of the information into error. An example is a statement that is presented as a statement of fact but in truth is a record of the opinion of a third party. 

Step-by-Step Guide to Processing Correction Requests 

Establish a Clear Procedure 

Your organisation’s Privacy Policy should clearly outline the process for individuals to request corrections. This includes identifying the contact person (usually the Privacy Officer) for such requests. 

Prompt Acknowledgment of Requests 

Acknowledge receipt of correction requests as soon as possible, setting a positive and cooperative tone for the process. 

Verify Identity 

Verify the identity of the individual making the request to prevent unauthorised changes to personal information. 

Assess the Request 

Evaluate the request to determine whether the personal information indeed requires correction. This might involve reviewing the data in question and any supporting evidence provided by the individual. 

Respond Within 30 Days 

The OAIC recommends processing correction requests or providing a response explaining any applicable exceptions within 30 days from the date of the request. 

Handle Exceptions 

If an exception under APP 13 applies, meaning the organisation believes the information does not need correction, this must be communicated clearly to the individual, along with the reasons for this decision and the available complaint mechanisms. 

Implement Corrections 

If a correction is required, promptly update the information to ensure it is accurate, up-to-date, and complete. 

Organisations are not permitted to charge a fee for processing requests to correct personal information. 

Notify Third Parties of Corrections Made

If the corrected information has been previously disclosed to third parties, consider whether these parties should be informed of the changes. 

Document the Process 

Keep records of all correction requests and actions taken. This documentation is crucial for compliance purposes and might be useful in case of disputes or audits. 

Training and Awareness 

Ensure staff members are trained and aware of the procedures for handling correction requests, emphasising the importance of accuracy in personal data management. 

Conclusion: Embracing Data Accuracy as a Core Value 

Effective handling of correction requests under APP 13 is not merely about compliance; it represents a commitment to data accuracy and respect for individual privacy rights. By adopting a structured, transparent, and responsive approach, organisations can strengthen trust with their stakeholders, mitigate the risks of inaccurate data, and uphold their reputation as responsible data custodians.
