Background

27.2 The Privacy Act 1988 (Cth) contains provisions that are designed to ensure that, where an agency or organisation handles personal information, it takes reasonable steps to make certain that the information is of a sufficiently high quality—that is, that the information is accurate, complete, up-to-date and (for agencies) relevant. These are commonly known as ‘data quality’ requirements. Ensuring the quality of personal information that is collected, used and disclosed, is recognised as a fundamental obligation of agencies and organisations under the Privacy Act.[1]

27.3 NPP 3 provides that:

An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.[2]

27.4 The IPPs do not contain a ‘stand-alone’ data quality principle that applies to agencies. Aspects of the data quality principle, however, are included in IPPs 3 and 8. IPP 3 provides that, where an agency collects personal information, it must

take such steps (if any) as are in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is collected … the information collected is relevant to that purpose and is up-to-date and complete.[3]

27.5 IPP 8 provides that an agency

who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up-to-date and complete.[4]

27.6 The IPPs do not impose data quality requirements at the time of disclosure. This differs from some overseas privacy legislation. For example, US privacy legislation requires agencies to ensure that, before disclosing a record about an individual to any person other than an agency, they make reasonable efforts to ensure that such records are ‘accurate, complete, timely and relevant for agency purposes’.[5]

[1] See, eg, Commonwealth, Parliamentary Debates, House of Representatives, 1 November 1988, 2117 (L Bowen–Attorney-General), 2117; Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), 141.

[2]Privacy Act 1988 (Cth) sch 3, NPP 3.

[3]Ibid s 14, IPP 3. This requirement only applies to ‘solicited’ personal information.

[4]Ibid s 14, IPP 8.

[5]Privacy Act 1974 5 USC § 552a (US). See also G Greenleaf and N Waters, The Asia-Pacific Privacy Charter, Working Draft 1.0, 3 September 2003 (2003) WorldLII Privacy Law Resources <www.worldlii.org/int/other/PrivLRes/2003/1.html> at 5 May 2008, Principle 10.