16.08.2010
Background
27.11 The scope of the data quality requirements set out in the IPPs and the NPPs varies in a number of respects. First, the application of the IPPs and the NPPs to information outside the possession or control of an agency or organisation differs. Pursuant to NPP 3, organisations must take steps to ensure the quality of personal information that they ‘collect, use or disclose’. In comparison, the data quality obligations under IPP 8 apply to documents in an agency’s ‘possession or control’. Unlike NPP 3, this imposes data quality requirements on an agency that has outsourced the handling of personal information to another agency or organisation, as well as on an agency that merely holds personal information on behalf of someone else.
27.12 Secondly, the criteria in the IPPs and the NPP to ensure the quality of personal information differ. NPP 3 requires organisations to keep personal information ‘accurate, complete and up-to-date’. It does not include a requirement for the information to be ‘relevant’. In contrast, the IPPs contain an express provision stating that, at the time of collection, personal information must be relevant to the purpose of collection.[11] There also is a stand-alone IPP requiring that personal information only be used for relevant purposes.[12]
27.13 Finally, IPP 3 provides that the quality of personal information that agencies collect should be interpreted with regard to ‘the purpose for which the information is collected’. Similarly, IPP 8 sets out that the requirements of the principle should be interpreted ‘having regard to the purpose for which the information is proposed to be used’. NPP 3 does not include an equivalent framework for interpreting how its data quality criteria are to be applied.
27.14 These differences need to be addressed when considering the appropriate scope of the ‘Data Quality’ principle in the model UPPs.
Submissions and consultations
27.15 In DP 72, the ALRC proposed that the ‘Data Quality’ principle
should require an agency or organisation to take reasonable steps to make sure that personal information it collects, uses or discloses is, with reference to a purpose of collection permitted by the proposed UPPs, accurate, complete, up-to-date and relevant.[13]
27.16 Many stakeholders supported the proposed ‘Data Quality’ principle.[14] The Australian Government Department of Disability Housing and Community Services and the National Health and Medical Research Council strongly supported the proposal.[15] The Australian Government Department of Agriculture, Fisheries and Forestry noted that its position would depend on the interpretation of ‘reasonable steps’. For example, it questioned, whether the ‘Data Quality’ principle would require an agency to engage an independent third party proactively to assess all personal information.[16]
27.17 Some stakeholders supported expressly the additional criterion that information should be ‘relevant’ to the purpose for which it was collected, or a permitted secondary purpose.[17] The OPC noted that, although a relevance requirement may be implicit in other privacy principles, including it expressly in the ‘Data Quality’ principle would provide greater clarity and promote consistency between the principles.[18] The additional criterion of ‘relevance’ also was supported by all of the stakeholders who commented on this issue in submissions on Issues Paper, Review of Privacy (IP 31).[19]
27.18 Other stakeholders, however, raised concerns about the proposed criterion of ‘relevance’. The Australasian Retail Credit Association was concerned that the application of the ‘relevance’ criterion in the ‘Data Quality’ principle could be inconsistent with the requirement under the ‘Collection’ principle that an agency or organisation only must collect personal information that is ‘necessary for one or more of its functions or activities’.[20] The Investment and Financial Services Association (IFSA) submitted that the operation of the ‘Collection’ principle meant that the ‘relevance’ requirement was superfluous. IFSA suggested that the ‘relevance’ requirement was regulated already by the market, as collecting irrelevant information ‘wastes space and raises the ire of the consumer to the detriment of the insurer and its business’.[21] Several stakeholders submitted that agencies and organisations may need to collect personal information where the relevance of the information only becomes clear sometime after collection.[22] This could arise particularly in the context of law enforcement[23] and consular activities.[24]
27.19 Medicare Australia and Privacy NSW specifically supported including a reference to a ‘purpose of collection permitted by the proposed UPPs’ in the ‘Data Quality’ principle.[25] The Cyberspace Law and Policy Centre submitted, however, that the proposed wording of this provision should be changed. It noted that, if personal information is being used for a secondary purpose, then the agency or organisation should be required to ensure that it is of appropriate quality for that use or disclosure. This may be quite different from the ‘relevance’ that would be required for the primary purpose of collection.[26]
27.20 PIAC and the Office of the Victorian Privacy Commissioner (OVPC) submitted that the principle should extend to information that is in the ‘possession or control’ of the agency or organisation.[27]
27.21 The Cyberspace Law and Policy Centre also suggested that the ‘Data Quality’ principle should provide that
an organisation or agency should take reasonable steps to avoid making a decision adverse to the interests of an individual based on automated processing, without the prior review of that decision by a human.[28]
ALRC’s view
‘Possession or control’
27.22 As noted above, the data quality obligations in NPP 3 apply only when an organisation collects, uses or discloses personal information. There was some disagreement among stakeholders about whether these requirements also should apply when an agency or organisation merely controls the information.
27.23 The ‘Data Quality’ principle should apply to information that an agency or organisation ‘collects, uses or discloses’. Extending the application of the principle to personal information merely in the control of an agency or organisation would broaden unnecessarily the data quality requirements. For example, where an organisation maintains a database containing personal information on behalf of another organisation, it would be very onerous—and often unreasonable—to expect the second organisation to maintain the data quality of the personal information in the database. The ALRC, therefore, considers that extending the data quality principle in this way would impose an unjustified compliance burden on agencies and organisations.
‘Relevance’
27.24 The ‘Data Quality’ principle should require that, where an agency or organisation collects, uses or discloses personal information, the information should be relevant to the purpose of that collection, use or disclosure. This complements the requirement in the ‘Collection’ principle that personal information collected by an organisation should be ‘necessary for one or more of its functions or activities’. If the purpose of collection is not necessary for one or more of the functions or activities of an agency or organisation, the requirement in the ‘Collection’ principle cannot be satisfied. It is logical, therefore, to include a corresponding obligation to limit the use or disclosure of personal information to that which is relevant to the purpose of that use or disclosure.
27.25 Moreover, the fact that an agency or organisation has legitimately collected personal information for a permitted purpose should not mean that it is necessarily allowed to use or disclose all of that information. Rather, the agency or organisation should be allowed to use or disclose only so much of the personal information it holds as is relevant to the purpose of the particular use or disclosure.
27.26 This is illustrated by the following hypothetical example. Assume that a company, X, lawfully collected personal information about an individual, Y, including her address, job description, marital status, physical disabilities and financial position. This was necessary for the purpose of providing Y with financial advice. Some time later, X wishes to disclose Y’s personal information to another company, Z, for the purpose of buying shares on Y’s behalf—this being a related secondary purpose that Y would reasonably expect. X should not be permitted to disclose to Z all the personal information it holds on Y. Instead, X should be allowed to disclose only such personal information about X as is relevant to obtaining the shares.
27.27 The other concern raised by stakeholders about including a relevance criterion in the ‘Data Quality’ principle was the potential for it to prevent them from collecting personal information where the relevance of the information only can be established some time after collection. The ALRC notes, however, that IPP 3 already requires agencies only to collect ‘relevant’ information. Furthermore, where an agency or organisation collects personal information that is ‘unnecessary for one or more of its functions or activities’—and, therefore, breaches the ‘Collection’ principle—it is appropriate that retention of this information should be a breach of the ‘Data Quality’ principle. The ALRC does not consider, therefore, that including a relevance criterion in the ‘Data Quality’ principle would impede the legitimate functions of agencies and organisations.
Reference to permitted purpose
27.28 In DP 72, the ALRC proposed that the ‘Data Quality’ principle should be interpreted having regard to ‘a purpose of collection permitted by the proposed UPPs’. The ALRC accepts the Cyberspace Law and Policy Centre’s argument that, if an agency or organisation uses or discloses personal information for a secondary purpose, then the appropriate question is whether the information is of a quality appropriate for that use or disclosure. This may be different from the quality that would be required for the primary purpose of collection. The ‘Data Quality’ principle, therefore, should include a reference to ‘the purpose of that collection, use or disclosure’. This phrasing also is consistent with the data quality provisions in the IPPs and the OECD Guidelines.
Automated decision-making
27.29 In Chapter 10, the ALRC recommends that the OPC should provide guidance on when it would be appropriate for an agency or organisation to involve humans in the review of decisions made by automated mechanisms. Specific reference to automated decision making in the ‘Data Quality’ principle would complicate the principle unnecessarily.
[11]Privacy Act 1988 (Cth) s 14, IPP 3(c).
[12] Ibid s 14, IPP 9. A criterion of ‘relevance’ also is included in the data quality requirements in a number of international instruments. See, for example: Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), Guideline 8; European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995), art 6. See also: Personal Information Protection Act 2004 (Tas) sch1, PIPP 3.
[13]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 24–2.
[14]Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Anglicare Tasmania, Submission PR 514, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007.
[15]ACT Government Department of Disability, Housing and Community Services, Submission PR 495, 19 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.
[16]Australian Government Department of Agriculture‚ Fisheries and Forestry, Submission PR 556, 7 January 2008.
[17]Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
[18]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[19] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007.
[20]Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.
[21]Investment and Financial Services Association, Submission PR 538, 21 December 2007.
[22]Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008; Victoria Police, Submission PR 523, 21 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007.
[23]Victoria Police, Submission PR 523, 21 December 2007.
[24]Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008.
[25]Medicare Australia, Submission PR 534, 21 December 2007; Privacy NSW, Submission PR 468, 14 December 2007.
[26]Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
[27]Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.
[28]Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.