Rules Mate

APP 10: Quality of Personal Information

Australian Privacy Principle 10 requires APP entities to take reasonable steps to ensure personal information is accurate, up-to-date and complete at collection, use and disclosure.

Rules Mate Editorial | Published 2 June 2026 | 3 min read

Two distinct obligations

APP 10 imposes two distinct obligations on APP entities. The first, under APP 10.1, concerns the quality of personal information at the point of collection. An APP entity must take reasonable steps to ensure the information gathered is accurate, up-to-date and complete. The second obligation, found in APP 10.2, relates to the quality of personal information when it is used or disclosed. Here, the entity must also take reasonable steps to ensure the information is accurate, up-to-date, complete and relevant, having regard to the purpose of that use or disclosure.

The requirement for quality applies at two key points in the information handling cycle: initially when personal information is collected, and again each time it is used or disclosed. This ensures ongoing assessment of the information's suitability for its intended purpose. If personal information is inaccurate, incomplete, out of date or irrelevant, an individual may seek correction of that personal information under APP 13.

The terms used to define quality have specific meanings. ‘Accurate’ means correct or precise. ‘Up-to-date’ means current. ‘Complete’ means containing all required elements. ‘Relevant’ is determined by assessing the information’s suitability in relation to its intended purpose of use or disclosure.

What counts as reasonable steps

What counts as reasonable steps to ensure the quality of personal information is determined by several factors. The Office of the Australian Information Commissioner (OAIC) states that the sensitivity of the information is a key consideration; greater sensitivity requires more rigorous steps. Similarly, the nature of the organisation handling the information – including its size, resources, and business model – influences what is considered reasonable.

The potential harm to an individual if the information is inaccurate also shapes the required steps. Higher risk scenarios necessitate more robust quality assurance measures. However, the practicability of implementing these steps, considering factors like time and cost, is also relevant. An entity cannot avoid a necessary step simply because it is inconvenient.

Examples of actions that may constitute reasonable steps include conducting internal data quality audits, verifying details when the information is initially collected, and regularly prompting individuals to review and update their personal information.

Relationship with APP 1, 11 and 13

APP 10, concerning the quality of personal information, is underpinned by broader obligations under the Australian Privacy Principles. APP 1.2 requires organisations to implement practices, procedures and systems to ensure compliance with all the APPs. This includes establishing quality controls to support the ongoing accuracy and relevance of personal information held.

The obligation to maintain quality personal information also interacts with the reasonable steps for security required under APP 11. By taking reasonable steps to destroy or de-identify personal information no longer needed, organisations reduce the volume of data requiring ongoing quality management.

Separately, APP 13 creates a right for individuals to seek correction of inaccurate personal information. However, an organisation’s obligations under APP 10 are not solely triggered by such requests. APP 10 imposes a proactive duty to maintain data quality, meaning a breach can occur even without an individual’s intervention.

AI, automation and APP 10

APP 10’s requirements regarding the quality of personal information extend to the use of artificial intelligence (AI) tools. The OAIC’s recent guidance on commercially available AI products confirms that entities must consider data quality before using AI tools to generate or process personal information. Failure to do so can result in breaches of the Privacy Act.

If a generative AI model produces inaccurate personal information about an individual, an entity deploying that model may breach APP 10.2 if it subsequently uses or discloses that inaccurate information. This highlights the importance of careful evaluation and validation of AI-generated outputs.

Automated decision-making processes that rely on personal information are also subject to APP 10. This supports a duty to verify the underlying data before any decision is made. From 10 December 2026, new transparency requirements under the Privacy and Other Legislation Amendment Act 2024 will mandate that certain entities disclose the use of personal information in substantially automated decisions within their privacy policy.

Frequently asked

Does APP 10 require zero errors in customer data?

No. APP 10 requires reasonable steps to ensure accuracy, currency and completeness. The OAIC accepts that perfect accuracy is not achievable; the question is whether the entity's processes are reasonable given sensitivity, risk and resources.

Is APP 10 satisfied by handling APP 13 correction requests?

No. APP 13 is reactive, triggered by an individual's request. APP 10 is a positive obligation that requires proactive quality controls even where no correction has been requested.
