Peter A Clarke

The privacy policies were evaluated against the requirements of Australian Privacy Principle 1 (APP 1), which requires organisations and agencies to have a privacy policy that is clearly expressed and up-to-date.

The Australian Privacy Commissioner, Timothy Pilgrim, said that all of the organisations and agencies assessed had privacy policies that were easy to locate but for some there was still room for improvement —55% of the policies did not meet one or more of the basic content requirements under APP 1.

‘Under Australian privacy laws, privacy policies need to include certain information so that people can be informed about how their personal information will be handled if they choose to deal with a particular organisation,’ Mr Pilgrim said.

‘The key to a good privacy policy is to make the information easy to read and accessible and we certainly saw some great examples of creative ways in which this type of information can be presented. However some policies are still too long making it difficult to locate relevant information’.

While all policies adequately described the kinds of personal information they collect and how it is collected, some did not outline how personal information could be accessed and corrected; how a privacy complaint could be made, how personal information would be protected, and whether the personal information was likely to be sent overseas.

The Privacy Commissioner said that the assessment activity was indicative of the OAIC’s overall regulatory approach.

‘Over the last 12 months, we have provided a range of guidance to organisations and agencies including how to develop privacy policies. We are now checking in on how the new requirements have been implemented. I encourage all organisations and agencies to review their privacy policies with the aim to make it as easy as possible for their customers to understand how their personal information will be respected and protected,’ Mr Pilgrim said.

The OAIC has communicated the findings of the assessment to each of the organisations and agencies and has made recommendations to address any privacy issues that were identified.

Background

The individual entity results ranged from those with excellent privacy policies to those that needed improvement. In some cases the OAIC made no recommendations because the entity covered all content requirements and the policy was easy to read and access. On the other hand some entities had not included a range of content required under APP 1 and had not carefully considered their policy against their obligations.

Some key trends observed by the OAIC in this assessment included:

• All 20 organisations had privacy policies that were easy to find on their websites
• All privacy policies adequately described the kinds of personal information each organisation collects and how it is collected.
• 55% of the privacy policies did not adequately address one or more of the content requirements set out in APP 1.4 including
• 25% (5) privacy policies did not outline how an individual can request access or correction of their personal information
• 40% (8) privacy policies did not outline how the organisation would deal with a privacy complaint it may receive
• 25% (5) privacy policies did not adequately describe how they protect the personal information that they hold
• 20% (4) privacy policies did not outline whether the organisation was likely to disclose personal information overseas and the countries in which such recipients are likely to be located.
• 85% (17) had privacy policies that were in a WCAG 2.0 accessible format
• All 20 entities’ policies had appropriate contact information
• The median policy length was 3,413 words

This assessment focused on the privacy policies of a number of organisations and agencies that the OAIC had identified for follow up action during the 2013 Global Privacy Enforcement Network (GPEN) sweep. The 2013 GPEN sweep looked at the 50 websites most visited by Australians at that time.

The first GPEN sweep took place in May 2013, with 19 privacy enforcement authorities from around the globe evaluating a range of websites in relation to the theme ‘Privacy practice transparency’. The sweep sought to replicate the consumer experience by spending a few minutes per site checking for performance against a set of criteria.

In addition to the privacy policies identified in the 2013 GPEN sweep, the assessment also looked at the privacy policies of some of the organisations and agencies that individuals most frequently complain to the OAIC about, as well as the organisations and agencies that were new additions to the top 50 most visited websites list.

APP entities included in this assessment

1. Australian and New Zealand Banking Group Limited (www.anz.com)
2. Commonwealth Bank of Australia (www.commbank.com.au)
3. Department of Human Services (www.humanservices.gov.au)
4. Gumtree (www.gumtree.com.au)
5. Instagram (https://instagram.com)
6. LinkedIn (www.linkedin.com)
7. Microsoft Corporation (www.microsoft.com)
8. National Australia Bank Ltd (www.nab.com.au)
9. News Corp Australia (www.news.com.au)
10. Ninemsn Pty Ltd (www.ninemsn.com.au)
11. Origin Energy Limited (www.originenergy.com.au)
12. Outbrain Inc (www.outbrain.com)
13. OzBargain (www.ozbargain.com.au)
14. St George Bank Limited (www.stgeorge.com.au)
15. The Guardian (www.theguardian.com/au)
16. Fairfax (www.smh.com.au)
17. Twitter Inc (https://twitter.com)
18. Veda Advantage Information Services and Solutions Ltd (www.veda.com.au)
19. Westpac Banking Corporation (www.westpac.com.au)
20. Yahoo!7 Pty Ltd (https://au.yahoo.com)

Tips for writing a privacy policy (from the OAIC’s Guide to developing an APP privacy policy)

Although your APP privacy policy must cover all the topics mentioned in APP 1.4 (outlined in the checklist below), here are some tips to make it genuinely informative and manageable.

• Think about your audience. Don’t treat the privacy policy as a legal document to manage legal risk. It should be a document that creates trust in your entity and speaks to your customers or clients
• Don’t just repeat the words in the APPs. Make the privacy policy specific to your business or operation
• Consult. Seek input from all areas of your entity including your public relations department, which may have ideas about innovative formats for better communicating the policy, for example, through video or other mechanisms relevant to the communication channel (paper, telephone, email, online) that you are using
• Focus on what is important to the reader. Do not try to cover everything in minute detail
• Keep it simple. Use simple language and test readability in content and format against external standards such as the Flesch-Kincaid grade level
• Take a layered approach. For example, for online publication provide a condensed (summary version) of key matters in the privacy policy, with a link to the full policy
• Consider having more than one policy. For large or complex entities, consider whether you need to have more than one policy (for different parts of your operation or business, or different functions or activities)
• It is not an APP 5 notice. The APP privacy policy is not meant to be a substitute for the notice requirements under APP 5. However, it may be used to help meet requirements in some circumstances. See APP Guidelines, Chapter 5: APP 5 — Notification of the collection of personal information, for further information on the interaction between an APP privacy policy and APP 5