Rules Mate

APP 13: Correction of Personal Information

Australian Privacy Principle 13 requires APP entities to correct personal information on request and to associate a statement of correction where correction is refused.

Rules Mate Editorial | Published 2 June 2026 | 3 min read

When the correction obligation arises

APP 13.1 establishes an obligation for APP entities to correct personal information they hold. This obligation arises in two primary circumstances: when an individual requests correction of their personal information, or when the APP entity itself is satisfied that the information requires correction. This satisfaction can be based on the information being inaccurate, out-of-date, incomplete, irrelevant or misleading, considering the purpose for which it is held. APP 10 (quality of personal information) addresses the quality of personal information.

The correction obligation is not solely triggered by requests from individuals. An APP entity has a responsibility to proactively address inaccuracies in the personal information it holds, even without a direct request. If an entity determines, based on reasonable grounds, that the information is flawed, it must take steps to correct it.

Importantly, an individual is not required to demonstrate any specific detriment or harm resulting from inaccurate personal information to trigger the correction obligation. The focus is on the accuracy and relevance of the information itself. Furthermore, APP 13.4 prevents any fees from being charged for making a correction request, performing the correction, or providing a statement relating to the correction.

Notifying third parties of corrections

APP 13.2 mandates that an entity take reasonable steps to notify another Australian Privacy Principles (APP) entity when it corrects personal information it previously disclosed to that entity and the individual requests this notification. This requirement ensures that corrected information is reflected across the information held by different entities.

The obligation to notify is not absolute. An entity is not required to notify if doing so would be impracticable or unlawful. This exception recognises that certain circumstances may make notification unduly burdensome or legally problematic.

It is important to note that APP 13.2 applies only to disclosures made to other APP entities. It does not extend to disclosures of personal information to recipients who are not themselves subject to the Australian Privacy Principles.

Refusal and statement of correction

When an entity refuses to correct an individual’s personal information, a written notice must be provided. This notice must explain the reasons for the refusal, unless doing so would be unreasonable. The notice must also detail the processes available for lodging a complaint regarding the refusal.

If an individual requests it, an entity must take reasonable steps to associate a statement with the personal information. This statement can express the individual’s belief that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

The associated statement must be made apparent to anyone using the personal information. For electronic records, this may involve a flag or a link to the statement. The Office of the Australian Information Commissioner (OAIC) advises that the statement should not be unreasonably long.

Response timeframe

APP 13.5 dictates the timeframe for responding to a request to correct personal information. Agencies must respond within 30 days. For organisations, the response timeframe is a reasonable period, although the Office of the Australian Information Commissioner (OAIC) indicates that this will generally not exceed 30 calendar days. APP 12 (access to personal information) outlines related individual rights.

During this response period, the entity must take one of three actions: make the correction to the personal information, refuse the request under APP 13.3 and provide reasons for the refusal, or associate a statement with the personal information under APP 13.4.

Failure to respond to a correction request, or an unreasonable delay in responding, can constitute an interference with privacy under section 13. APP 12 (access to personal information) provides further context on individual rights and entity obligations.

Frequently asked

Does APP 13 require an entity to agree with the individual that the information is wrong?

No. APP 13 allows the entity to refuse correction. Where the entity refuses, the individual can require the entity to associate a statement that the individual believes the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

Can a business charge to correct an error in customer records?

No. APP 13.4 prohibits charging for the making of a correction request, for correcting the personal information, or for associating a statement of correction.
