Balancing data quality and other privacy interests

27.30 In its review of the private sector provisions of the Privacy Act (the OPC Review), the OPC noted that some organisations consider that their obligations under NPP 3 to keep personal information up-to-date and accurate are absolute, and could be used to justify intruding upon an individual’s privacy.[29] In other words, compliance with the ‘Data Quality’ principle could result in intrusions upon an individual’s privacy.

27.31 A question arises, therefore, whether the ‘Data Quality’ principle should be amended to make it clear that the obligation to maintain data quality is qualified. An express provision to this effect is included, for example, in the data quality principles in the OECD Guidelines[30] and in Canadian privacy legislation.[31]

27.32 In the OPC Review, the OPC stated that it is not reasonable to take steps to ensure data accuracy where this has no privacy benefit for the individual. It considered that legislative amendment of NPP 3 was unnecessary, but indicated that it would issue further guidance to organisations about their obligations under NPP 3 to ensure a proportional approach is taken to compliance.[32]

27.33 This approach was supported by a large number of stakeholders that made submissions in response to IP 31[33] and DP 72.[34] The Australian Privacy Foundation and the Cyberspace Law and Policy Centre also suggested that a statement should be included in a note to the principle or in the relevant Explanatory Memorandum that, in assessing what is ‘reasonable’ in the context of the ‘Data Quality’ principle, regard should be given to the potential for errors to result in detrimental consequences for the individual whose personal information is held.[35]

ALRC’s view

27.34 Many stakeholders submitted that it was unnecessary for the ‘Data Quality’ principle to make it clear that there is no absolute obligation on agencies and organisations to ensure that personal information they collect, use or disclose is up-to-date and accurate.

27.35 In the ALRC’s view, it is unnecessary to insert a note or include in the Explanatory Memorandum a provision that stipulates that the obligations in the ‘Data Quality’ principle are not absolute. Such a note or provision runs the risk of causing more confusion than it resolves. The OPC has already undertaken to provide further guidance on this issue and this guidance should adequately address the issue.

Recommendation 27-1 The model Unified Privacy Principles should contain a principle called ‘Data Quality’ that requires an agency or organisation to take reasonable steps to make certain that the personal information it collects, uses or discloses is, with reference to the purpose of that collection, use or disclosure, accurate, complete, up-to-date and relevant.

[29] See Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 267–268.

[30] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), Guideline 8.

[31] Personal Information Protection and Electronic Documents Act 2000 SC 2000, c 5 (Canada), Principle 4.6.

[32] See Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 79.

[33] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; CSIRO, Submission PR 176, 6 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007; AAMI, Submission PR 147, 29 January 2007; Insolvency and Trustee Service Australia, Submission PR 123, 15 January 2007; AXA, Submission PR 119, 15 January 2007; Insurance Council of Australia, Submission PR 110, 15 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007; Institute of Mercantile Agents, Submission PR 101, 15 January 2007.

[34] See, for example: Optus, Submission PR 532, 21 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[35] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.