Question
Under Privacy Safeguard 13, one of the corrective actions to be taken is to include a “qualifying statement” with the CDR data.
What is the mechanism by which a data holder can correct data to the data recipients?
If by API:
- Is there any mechanism in the standards to describe such a correction and contain the electronic link?
- If the sharing arrangement was one-off, how should the correction be sent to the Recipient?
- If the sharing arrangement is recurring, should the corrected record be included in the next bulk refresh/access?
- How does the recipient know that the record is a correction?
If by an out-of-band means:
- What means are acceptable (letter, email, other)?
- How does the data holder gain access to this means (e.g. email address)? Is it in the registry?
- How could corrected personal data be sent safely by an out-of-band means?
Answer
Privacy Safeguard 11 gives some guidance that an electronic communication is suitable for notifying consumers of incorrect data:
11.41 CDR Rule 7.10 requires a data holder to notify the consumer by electronic means after disclosing incorrect data.
11.42 The requirement for this notice to be given by electronic means will be satisfied if the notice is given over email or over the consumer’s dashboard.
11.43 The written notice may, for instance, be in the body of an email or in an electronic file attached to an email.
Update as of 1st of September 2021
Privacy Safeguard 13 and CDR Rule 7.15 require data holders and ADRs to take certain steps to correct CDR data after a CDR consumer has requested that it be corrected, unless the entity does not consider a correction or statement to be appropriate.
CDR entities have two options to correct the data to the extent appropriate under Rule 7.15:
- Correct the data, or
- Include a qualifying statement with the data and where practicable, attach an electronic link to a digital record of the data in such a way that the statement will be apparent to users.
The CDR entity can also refuse the request if they consider that it is unnecessary or inappropriate.
A ‘qualifying statement’ is usually used because it is either not appropriate to correct a record in the way a consumer asks, or because it is not technically possible to update a particular document or record. A qualifying statement therefore provides a way of actioning a consumer’s correction request under Privacy Safeguard 13 when the request might otherwise be refused.
This Privacy Safeguard 13 obligation to correct CDR data through including a qualifying statement with the CDR data relates generally to correction of an entity’s own data holdings. It does not relate to the transfer of CDR data to another CDR entity or to the consumer.
See Chapter 13: Privacy Safeguard 13 — Correction of CDR data for further information.
We note that there is a separate obligation under Privacy Safeguard 11, where data holders and ADRs are required to transfer CDR data which has been corrected (including where it includes a qualifying statement under Privacy Safeguard 13 if requested by the consumer). See the note on Privacy Safeguard 11 for further information.
See:
- CDR Rules, main section, part 7 Rules relating to privacy safeguards
- OAIC Privacy Safeguard Guidelines
Comments
Hi Neale Morison Jarryd
Just wanted to ask a follow-up question.
Can you please elaborate more on what this "qualifying statement" looks like? Is this shared with ADR or with customer? In what form and by what mechanism?
Hi Jakub Vozarik,
Thanks for the question - the article references the FAQ guidance provided by the OAIC on Privacy Safeguard 11 which you can find here: https://cdr-support.zendesk.com/hc/en-us/articles/900004795243-Note-on-privacy-safeguard-11-
The complete guidance is posted here on the OAIC main website: https://www.oaic.gov.au/consumer-data-right/cdr-privacy-safeguard-guidelines/chapter-11-privacy-safeguard-11-quality-of-cdr-data/ where entries 11.54 and 11.55 contain the most direct means of explaining a "qualifying statement". This piece also outlines different vehicles for delivery as well.
Regards.