Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Waters, Nigel; Greenleaf, Graham --- "IPPs examined: The correction principle" [2005] PrivLawPRpr 5; (2005) 11(5) Privacy Law and Policy Reporter 137

IPPs examined: The correction principle

Nigel Waters + Graham Greenleaf

This is the third in a series which will examine the interpretations of similar information privacy principles (IPPs) by Courts, privacy and information Commissioners and other sources of interpretation, with an emphasis on legislation in Australian jurisdictions and caselaw from Asia-Pacific jurisdictions. (General Editor)

All privacy laws contain a principle creating a right of correction of personal information. In some laws it stands alone as a separate principle, while in others it is combined with the access principle. Access and correction have been a cornerstone of information privacy since the 1980 OECD Guidelines on which most privacy laws are based[1] . The new APEC Privacy Framework provides both a correction right and specific exceptions to it (Principle VIII)[2] .

Correction rights in FOI laws

Like the access right, the right to correction in Australian and New Zealand privacy laws overlaps, for information held by public sector agencies, with an amendment right created by Freedom of Information laws., Most of these FOI laws pre-dated privacy laws[3] and have given rise to a

body of case law which is directly relevant to the parallel privacy principle. While there is no such pre-existing right for the private sector, public sector jurisprudence on the FOI amendment rights provides useful guidance, although its utility is limited by inconsistent and confusing definitions in some jurisdictions. For reasons of space, this article cannot deal comprehensively with the FOI case law on correction.

Correction rights in privacy laws

The principles in Australasian privacy laws that deal with correction are similar in overall effect though there are significant differences in the way they are expressed. The correction principle in privacy laws also interacts closely with the data quality principle.

The ‘IPP model’

The earliest set of correction principles in an Australasian privacy law, the Information Privacy Principles (IPPs) in the Australian Commonwealth (federal) Privacy Act 1988 , has a separate ‘alteration’ principle, which places an obligation on Commonwealth (federal government) agencies to make appropriate corrections, deletions and additions to ensure that records containing personal information are, firstly ‘accurate’; and secondly ‘relevant, up to date, complete and not misleading’. This second obligation is qualified as “having regard to the purpose for which the information was collected or is to be used, and to any purpose that is directly related...”[4] . The Commonwealth Act therefore combined the correction principle with the data quality principle, for its initial public sector regime.

While the first clause of the alteration IPP does not expressly mention corrections requested by the subject of the information, a second clause to the principle makes the obligation “subject to any applicable limitation in another Commonwealth law which provides a right to require correction or amendment of documents”[5] This both implies that there is a right to request corrections, and effectively ‘imports’ the correction provisions of the Commonwealth Freedom of Information Act 1982 into the Privacy Act (subject to questions of what might be ‘applicable’ limitations).

Because of the availability of a FOI correction remedy, it is arguable that the Privacy Commissioner is in effect given a discretion to refuse to investigate complaints requesting correction, because s41(f) provides that the Commissioner may refuse to investigate where ‘another Commonwealth law ... provides a more appropriate remedy...’. However, it is also arguable that the FOIA remedy is not ‘more appropriate’ where the complaint has suffered damage because of a refusal to correct, for the reason that the FOIA does not provide any remedies such as compensatory damages.

The more recent NSW public sector law has a separate ‘alteration’ principle which uses the same words and qualification as the Commonwealth principle, but is only operative at ‘at the request of the individual’.[6] As in the Commonwealth jurisdiction, the NSW privacy law imports any ‘conditions or limitations (however expressed)’ in the State FOI law on correction[7] . This means that the alteration right only applies to ‘a person to whom access to an agency’s document(s) has been given’, and only to ‘personal affairs’ information.[8] Guidance from Privacy NSW suggests that the two regimes run in parallel, and that requests for correction of ‘minor or short-lived records’ could be processed under the ‘more simple and flexible’ provisions of the privacy law rather than the potentially ‘cumbersome’ FOI Act processes.[9] Agencies are advised to specify in their Privacy Management Plans the circumstances in which they intend to follow simplified alteration procedures.

The ‘NPP jurisdictions’

In the private sector NPPs, introduced into the federal Privacy Act in 2000, there is a combined access and correction principle which includes a right to correction but (unusually) places the onus on the individual to establish that the information is not accurate, complete and up-to-date.[10]

This NPP formulation is also used in the Victorian[11] law, although that law also defers to the State FOI law[12] , which in the case of Victoria is even more restrictive, in that the amendment right only applies ‘where a document containing [personal affairs information] has been released to [the subject]’[13] .

The Northern Territory law[14] combines FOI and privacy and therefore deals with the potential overlap more coherently[15] .

Other Asia-Pacific jurisdictions

Although New Zealand also had limited correction rights under a pre-existing freedom of information law – the Official Information Act 1982[16] , the Privacy Act 1993 included both a separate principle dealing entirely with the rights of individuals to request correction[17] , (the general data quality obligation being dealt with in a separate principle), and a set of procedural provisions relating to the access and correction.[18]

The Hong Kong Ordinance also provides for correction as part of an overall access principle:

“A data subject shall be entitled to ... (e) request the correction of personal data. ... ”[19]

but this is subject to detailed provisions relating to correction requests in Part IV[20] .

The Canadian federal law applying to the private sector has a similar general obligation:

“An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.” (part of Principle 9)[21]

Under some privacy laws there are also industry-specific principles – notably for consumer credit reporting[22] . In some cases these contain detailed provisions relating to data quality and correction.

The scope of correction principles

Must there be a request for correction?

Almost all privacy laws (except for the Commonwealth public sector) have a correction principle (imposing obligations to correct only on the request of a data subject) which is separate from a data quality principle (which can impose obligations to correct under circumstances such as the use of the data). This article does not deal with data quality obligations.

Even under data quality obligations, an organisation will not normally be held to account for inaccuracies of which it is unaware. The Canadian Privacy Commissioner, in a 2003 case[23] , rejected the complainant’s allegation of a breach of the quality and correction principle on the grounds that the complainant, having obtained access, failed to notify the bank in question of factual errors.

Is the obligation absolute?

Most of the laws only require that ‘reasonable steps’ be taken to correct, even when a request is received. If information is still incorrect despite reasonable steps being taken, there is no breach. The guidance issued by the Office of the Federal Privacy Commissioner on the NPPs suggests that what is reasonable will depend on the circumstances[24] (this is explicit in the Australian Commonwealth public sector and NZ IPPs), and that an organisation might not be obliged to take any steps correct personal information that is inaccessible and never likely to be used, even if it is poor quality[25] .

Because the ‘NPP jurisdictions’ place the onus on the individual ‘to establish that the information is not accurate’ (etc), the obligation to take ‘reasonable steps’ does not even arise until this onus is discharged.

The NSW Act requires ‘appropriate amendments’ to ‘ensure’ accuracy etc. ‘Appropriate’ refers to the type of amendment, not to the care taken to investigate, so NSW may have a more absolute obligation.

One important difference between the correction rights in privacy and FOI laws is that the rights in all FOI and most privacy laws apply only to records, whereas the correction rights in other privacy laws (NZ and NSW) relate to personal information whether or not they are included in a record.[26]

Are the rights retrospective?

Most access and correction rights apply to all personal information held by an organisation after the provisions of the relevant law came into force, irrespective of when the information was collected[27] , although in the Australian private sector jurisdiction the requirement is qualified in relation to pre-commencement information[28] .

Compliance issues

Organisations subject to a privacy law are understandably uneasy about what compliance means in practice, particularly given the subjective judgement involved in a ‘reasonable steps’ test. They will look ultimately to decisions of tribunals and courts for the standards required in different circumstances.

To date, there are few such decisions available other than under FOI law, and organisations also have to fall back on the opinions of the privacy regulators as expressed in guidance material and in the reports of conciliated cases published by some Privacy Commissioners. These are considered in the rest of this article.

Some guidance may also be found in textbooks on regional privacy laws[29] .

Does correction depend on a right of access?

Many organisations appear to believe that individuals have to have formally obtained access to the information (typically under privacy or FOI access provisions) before challenging it.

However, this is only expressly stated in the HK Ordinance[30] , The Commonwealth FOI Act correction right, to which the Privacy Act IPP 7 defers, does limit the right to ‘documents to which access has been lawfully provided to the person.’[31] While this does not mean that the access has to have been via an FOI request it does mean that correction rights do not apply to documents to which access has been lawfully denied (eg: as a result of an FOI exemption) or which have been unlawfully obtained (eg by leaks in breach of secrecy provisions).

The same limitation applies under NSW and Victorian laws, as explained above under Correction rights in privacy laws, with the Victorian FOI Act almost implying that the right only applies where access has been via FOI[32] .

There is no such limitation in the private sector or Northern Territory NPPs[33] , and an individual can request corrections (even where access to a document is exempt from access) based on an understanding of inaccuracies etc obtained in other ways, such as word of mouth, or implication from other actions or documents. However, the individual will have the problem of discharging the onus of establishing the inaccuracy etc of the document via these secondary sources.

In all of the above jurisdictions it would however remain open to the individual concerned about inaccuracy in documents obtained by other means, or unseen but suspected of inaccuracy etc, to challenge them under the relevant data quality principle,. However, the individual will have to provide sufficiently credible evidence of inaccuracy to lead the relevant Privacy Commissioner to investigate to examine the record in question.

Annotation of exempt documents

Where an individual has been denied access to a document under the Commonwealth FOI Act, and the individual has exhausted both their rights of review of that decision through the AAT, and their right to complain about refusal to amend under the Privacy Act, they can apply to the Privacy Commissioner, who may, after due consideration, require an agency to add an appropriate notation.

This is a particularly indirect and convoluted process and, not surprisingly, no-one has yet taken advantage of it to have a record annotated.

The required quality standard

Generally the parameters are specified, either in the correction principle itself or in a separate data quality principle – accuracy is always required, but the ‘menu’ of parameters can also include complete, up-to-date, relevant and not misleading. Many of these, even accuracy, are not always objective or black and white to apply in practice – they are often contextual and therefore inherently subjective.

Verification of challenged information

It is not possible to specify all of the possible verification measures that could be taken – many will be context specific. However, one common measure is to check with the source of the information, where this is a third party. The credit reporting provisions under some laws expressly require credit reference agencies to check back with the relevant credit provider when a listing is challenged, but this is a sensible step to take in most sectors and circumstances.

In Case 2/2002, the Hong Kong Administrative Appeals Board upheld the Privacy Commissioner’s finding that a credit bureau’s reliance on oral confirmation from a credit provider was not a breach of either the specific procedural requirements for correction requests in the Credit Data Code of Practice[34] or of the data quality principle DPP 2(1). The AAB did however, unlike the Commissioner, recommend that such confirmation should be provided in writing.

What form of alteration is necessary?

Some of the principles only specify a generic ‘correction’, while others expressly give a ‘menu’ of possible corrective action; eg: ‘correction, deletion or addition’ in Commonwealth IPP 7 and Canadian PIPEDA Principle 9; ‘amendment deletion or addition’ in the Victorian IPA[35] and NT IA[36] , and ‘rectification, erasure or completion’ in the HK PDPO[37] . The main issue here is whether or not the complainant can insist on deletion of information so that the ‘historical’ incorrect form of the record is lost forever.

The OVPC guidance expressly draws attention to a tension with proper records management practices, and suggests that expunging information could harm the integrity of files[38] . The same guidance also recommends the provision for annotating a record with the individual’s challenge to agencies as a way of meeting individuals’ concerns without conceding inaccuracy etc. This ‘agency friendly’ advice arguably sits oddly alongside an emphasis in the same guidelines on sensitivity to the intensity of an individual’s feelings about loss of control.

In a 2003 case, FH v Department of Corrective Services, the NSW Administrative Decisions Tribunal rejected a former prisoner’s request for deletion of his prison records despite the fact that his conviction had been quashed. The ADT found no breach of the correction principle in the NSW Act, accepting the several justifications put forward by the Department for retaining ex-inmate records.

Should a record be retained of amended facts?

Archives or records laws may prevent government agencies from actually changing or deleting information without keeping a historical record of the original[39] . Other laws may place similar record integrity obligations on private sector businesses.

Guidance from the Australian federal Privacy Commissioner on the IPPs, repeated by the OVPC for the Victorian IPPs, suggests a general practice of retaining old information – while clearly marking it as no longer current - and the new information, together with a record of the date and reason for the change.[40]

The same guidance does however acknowledge that “there may be some particularly sensitive cases in which the mere existence of the earlier incorrect information could be detrimental. In such cases, deletion may be the only appropriate option.”

The Commonwealth FOIA s50(3) expressly favours non-deletion:

“To the extent that it is practicable to do so, the agency or Minister must, when making an amendment under paragraph (2)(a), ensure that the record of information is amended in a way that does not obliterate the text of the record as it existed prior to the amendment.”

In a recent AAT Appeals Panel case; Tang and Minister for Immigration and Multicultural and Indigenous Affairs, the applicant succeeded in having an obviously incorrect date of birth deleted and replaced with one which, while uncertain, was held to be more accurate[41] . The Tribunal did not invoke s.50(3) in this case.

Annotation of disputes

Correction principles generally require organisations to annotate a record to the effect that it is disputed[42] , even if the complainant does not succeed in obtaining a correction. In most cases, the annotation has to be triggered by a specific request from the individual, and the obligation has a ‘reasonable steps’ qualification.

In Complaint Determination No 2 of 2004, the Australian federal Privacy Commissioner found that the tenancy reference service TICA was in breach of NPP 6.6. If an individual challenged the accuracy of a listing, TICA was adding a ‘disputed by tenant’ note to the record, but only for 30 days, after which the note was removed, leaving the disputed information on the record.

While the Commissioner took the view that he was not able to prescribe specific actions in a Determination, he recommended a number of actions, to be completed by July 2004, including:

“Provide tenants with the ability to add a statement to any listings which they dispute.”

Annotation of records can take several forms, and the options will depend on the format and storage medium[43] . The OFPC/OVPC Guidance expresses a preference for a statement by the aggrieved person to be directly attached to the relevant information, with less desirable options being a separate field in a database; a separate file linked to the record, and, least desirable, a flag in a record or database to indicate that a statement should be consulted. The Guidelines go on to say:

“The important thing is that it should be clear to anyone accessing the information that it has been disputed, on what grounds it has been disputed, and why the [agency/organisation] has decided not to correct, delete or add to the information as the person asked”[44]

The NSW Act specifically provides that the statement must be attached ‘in a manner capable of being read with the information’[45]

Another question that arises from the annotation requirement is whether organisations are required to attach the individual’s statement ‘verbatim’. The Privacy NSW Guidelines suggest that this should be the default action, although where the contents are offensive, the individual could be given an opportunity to re-draft:

“Agencies should avoid the temptation to refuse to attach a statement merely because the statement criticises the agency ...”[46]

Reasons for declining to make corrections

There is an express requirement in

NPP 6.7 to give reasons for refusal, although the OFPC Guidelines suggest that this would not be required where such a disclosure would prejudice an investigation against fraud or other unlawful activity[47]

In relation to public sector agencies, the normal principles of administrative law require such reasons to be given, whether or not the privacy legislation expressly provides this.

Informing third party recipients of corrections

The laws vary as to whether they require notification of third parties. The Australian federal, Victorian and NT laws have no such requirement. In NSW agencies are required to do so ‘if reasonably practicable’[48] , although the implication in the wording is that the individual would have to request this action. Privacy NSW guidance offers a range of factors to take into account in deciding whether and who to notify[49] .

There is a similar requirement to notify in the NZ, Canadian and Hong Kong laws: in NZ ‘where practicable; in Canada ‘where appropriate’; and in Hong Kong a detailed requirement through the data quality principle rather than the correction principle[50] .

One curiosity is that the Australian Casino Association voluntarily added a requirement to notify third parties to whom disclosures had been made of any subsequent corrections, in their draft Code of Practice developed in 2002 for approval by the Privacy Commissioner, but which has not progressed[51] .

Is correction available to all data subjects?

Until 2004, the correction rights under the Australian private sector jurisdiction (the NPPs) were limited to citizens and permanent residents.[52] This was one of the criticisms of the Act by the European Commission that was standing in the way of an adequacy assessment under the EU Data Protection Directive. An amendment in early 2004[53] removed this limitation so that now correction rights are available to all individual data subjects, including foreigners and temporary residents. A similar limitation in the NZ Act remains[54] , despite a recommendation by the Privacy Commissioner in 1998 to remove it[55] .

Remedies

Under most of the privacy laws, individuals alleging non-compliance with the correction principles can access the standard remedies through the normal processes – ie: complaint to the Privacy Commissioner and/or judicial review of decisions

The remedies available under the various privacy Acts provide remedies not available under FOI. In particular, compensatory damages, and apologies are available. These remedies are not available merely because a record is inaccurate. They are available only where there has been an unjustified refusal to amend a record.

The one exception is that the Australian Federal Privacy Commissioner has declined to investigate complaints about correction (and access) to records held by Commonwealth agencies on the grounds that a more appropriate remedy[56] exists under the FOI Act – ie: review of refusals to correct by the Administrative Appeals Tribunal and/or the Ombudsman[57] . This could potentially be challenged on the basis that the FOI Act, unlike the Privacy Act, does not provide for compensation.

Nigel Waters, Associate Editor, and Graham Greenleaf, General Editor

[1] Organisation for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Information 1980 - Individual Participation Principle (13) includes the right ... ‘to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.’

[2] See details in the article concerning the Framework in this issue.

[3] The correction right in the Commonwealth FOI Act 1982 resulted from a Senate Committee recommendation that it be a temporary measure until federal privacy laws were enacted. However, the ‘temporary measure’ stayed and was then copied by all State and Territory FOI laws, becoming an unusual feature of Austrlaia’s FOI laws.

[4] Privacy Act 1988 (Cth) s.14 IPP 7.1

[5] Privacy Act 1988 (Cth) s.14 IPP 7.2

[6] Privacy and Personal Information Protection Act 1998 (NSW), s.15, IPP 8.

[7] Privacy and Personal Information Protection Act 1998 (NSW), s.20(5)

[8] Freedom of Information Act 1989 (NSW), s.39

[9] Privacy NSW (ONPC), A Guide to the Information Protection Principles, No 6, February 2000, p.27

[10] Privacy Act 1988 (Cth) Schedule 3, Clause 6.5 – known as National Privacy Principle (NPP) 6.5

[11] Information Privacy Act 2000 (Vic), Information Privacy Principle (IPP) 6.5

[12] Information Privacy Act 2000 (Vic), s6(2) and s.12

[13] Freedom of Information Act 1982 (Vic), s.39

[14] Information Act (NT), enacted in 2002

[15] Information Act (NT), Information Privacy Principle (IPP) 6.5, and Part 3 – access and correction rights

[16] The Official Information Act 1982 (NZ) includes a right of correction (s.26) which is limited to information provided under the same Act.

[17] Privacy Act 1993 (NZ) s.6 – Principle 7

[18] Privacy Act 1993 (NZ) Part 5

[19] Personal Data (Privacy) Ordinance 1995 (HK), Schedule 1, Data Protection Principle (DPP) 6

[20] Personal Data (Privacy) Ordinance 1995 (HK), ss.22-29.

[21] Personal Information Protection and Electronic Documents Act 1998 (Can )- see also Schedule 1, 4.9.5 & 4.9.6

[22] Privacy Act 1988 (Cth), Part IIIA ss.18F(3)-(6) and 18J, and Code of Conduct issued by the Privacy Commissioner; HK Consumer Credit Data Code of Practice; NZ Credit Reporting Privacy Code 2004

[23] Finding #122, 2003 CanLII 39367 (P.C.C.)

[24] OFPC, Guidelines to the National Privacy Principles, September 2001, p 53.

[25] This invites the obvious question ‘why is the information still being held in these circumstances?’ See the companion article on the retention principle in[ 2004] 11 PLPR 4.

[26] The NSW and NZ privacy laws apply to personal information however held. The HK law applies to personal data ‘in a form in which access to or processing of the data is practicable’. Although the Commonwealth Privacy Act applies only to personal information contained in a record or generally available publication (IPPs are qualified in this way, while s.16B provides generically for the same qualification to the NPPs). The Victorian Act applies to personal information contained in a document.

[27] Privacy Act 1988 (Cth) s.15(2); Information Privacy Act 2000 (Vic), s.15(2); Privacy and Personal Information Protection Act 1998 (NSW), s.20(3); Information Act (NT),s.14(1); Privacy Act 1993 (NZ), s.8(2); Personal Data (Privacy) Ordinance 1995 (HK), ??? (silent?)

[28] Privacy Act 1988 (Cth) s.16C(3) – correction right applies to information collected before commencement where it is used or disclosed after commencement, except where compliance would place an unreasonable burden or incur unreasonable expense.

[29] These include Berthold & Wacks [2003] Hong Kong Data Privacy Law, 2nd Edition pub. Thomson Sweet & Maxwell and Perrin, Black, Flaherty and Rankin [2001] The Personal Information Protection and Electronic Documents Act: An Annotated Guide, pub. Irwin Law, Concord Ontario.

[30] Personal Data (Privacy) Ordinance 1995 (HK), ss.22(1).

[31] Freedom of Information Act 1982 (Cth) s.48

[32] Freedom of Information Act 1982 (Vic), s.39

[33] National Privacy Principle (NPP) 6.5, and equivalent principles in the Information Act (NT

[34] Code of Practice on Consumer Credit Data (Revised 2003)

[35] Information Privacy Act 2000 (Vic) s.3 definition of correction

[36] Information Act (NT), s.4

[37] Personal Data (Privacy) Ordinance, 1995 (HK), s.2, definition of collection

[38] OVPC, Guidelines to the Information Privacy Principles, Part Two, August 2002. p.17

[39] Although the NSW law expressly provides for the correction principle to override the State Records Act 1998 - Privacy and Personal Information Protection Act 1998 (NSW), s.20(4)

[40] OVPC, Guidelines to the Information Privacy Principles, Part Two, August 2002, pp.17-18

[41] This decision related to the discretion under s.50(1) of the FOIA

[42] Privacy Act 1988 (Cth) IPP 7(3) and NPP 6.6; Information Privacy Act 2000 (Vic), IPP 6.6; Privacy and Personal Information Protection Act 1998 (NSW), s.15(2)); Information Act (NT), IPP 6.6); Privacy Act 1993 (NZ), IPP 7(3); Personal Data (Privacy) Ordinance 1995 (HK), s.25(2); Personal Information Protection and Electronic Documents Act 1998 (Can), Schedule 1, Principle 4.9.6

[43] Privacy NSW (ONPC), A Guide to the Information Protection Principles, No 6, February 2000, p.27

[44] OVPC, Guidelines to the Information Privacy Principles, Part Two, August 2002, p.18

[45] Privacy and Personal Information Protection Act 1998 (NSW), s.15(2)

[46] Privacy NSW (ONPC), A Guide to the Information Protection Principles, No 6, February 2000, p.27

[47] OFPC, Guidelines to the National Privacy Principles, September 2001, p 54.

[48] Privacy and Personal Information Protection Act 1998 (NSW), s.15(IPP8)(3)

[49] Privacy NSW (ONPC), A Guide to the Information Protection Principles, No 6, February 2000, p.28

[50] Privacy Act 1993 (NZ), IPP7(4); Personal Information Protection and Electronic Documents Act 1998(Can) Schedule 1, 4.9.5; Personal Data (Privacy) Ordinance 1995 (HK), Schedule 1, DPP 2(1)(c)

[51] Australian Casino Association, Privacy Code Consultation Draft 2002 – proposed Principle 6.5(2) – see http://www.auscasinos.com/documents/publicationsSubmissions/PrivacyCode0403.pdf

[52] Privacy Act 1988 section 41(4)

[53] Privacy Amendment Act 2004, Part 2

[54] Privacy Act 1993 (NZ), s.34 – limits access and correction requests to citizens, permanent residents, and other persons while physically in New Zealand.

[55] Privacy Commissioner of New Zealand, Necessary and Desirable: Privacy Act 1993 Review, recommendation 61

[56] Privacy Act 1988 section 41(1)(f)

[57] See for example Casenote S v Various Commonwealth Agencies [2004] PrivCmrA 8