IPP7: handling requests to correct personal information
When an individual says your records are wrong, you have obligations to correct or annotate. Here is the process.
Information Privacy Principle 7 (IPP7) gives individuals the right to request correction of their personal information held by an agency.
The obligation
When an individual requests correction, you must:
- Consider whether the information is accurate, up to date, complete, and not misleading.
- If it is inaccurate, correct it.
- If you disagree that it is inaccurate, attach a statement of the correction sought by the individual.
- Inform the individual of the outcome.
- If you corrected the information, take reasonable steps to inform any third party to whom the incorrect information was previously disclosed.
The DEIS dimension
If your business ran a lookup through DEIS and the results contained inaccurate information about an individual, IPP7 creates specific obligations:
- You must correct any records you hold that are based on the inaccurate data.
- You should notify the original data source (e.g., Centrix, Carjam) about the potential inaccuracy.
- Your evidence log should record that a correction was requested and the outcome.
How DEIS helps
DEIS allows you to flag lookup results that are subject to a correction request. The flag appears in the evidence log and on the individual's transparency portal, ensuring full visibility of the correction process.
IPP6 explained: the individual's right to access their personal information
NextDebt collection agencies: privacy compliance when tracing and collecting