Privacy Act Review Report; Chapter 10: Privacy Notices and Notifications under APP 5.2. An analysis and review. Some adjustment but mostly steady as she goes

June 25, 2023

Chapter 10 of the Attorney General’s Privacy Act Review Report considers the operation of Privacy Policies and Notice obligations when collecting personal information.

A Privacy Policy is a critically important document for compliance under the Privacy Act 1988. Privacy policies are part of most privacy legislation across most jurisdictions. They serve the important function of informing people how their personal information will be handled. That doesn’t mean they are free of controversy. Privacy policies are commonly criticised for being unduly complicated, very long and often a model of opacity rather than transparency. Some organisations have excellent policies designed to provide useful information. Others are a mass of legalese which defies easy understanding.

Australian Privacy Principle (“APP”) 1 requires:

  • entities to maintain a ‘clearly expressed’ and ‘up-to-date’ privacy policy that addresses the matters listed in APP 1.4.
  • per the APP Guidelines, a ‘clearly expressed’ privacy policy should be:
    • ‘easy to understand (avoiding jargon, legalistic and in-house terms),
    • easy to navigate,
    • only include information that is relevant to the management of personal information by the entity’.
  • an APP entity to regularly review and update its privacy policy to ensure that it reflects the entity’s information handling practices.
  • an APP entity to take such steps as are reasonable in the circumstances to make its privacy policy available:
    • free of charge and
    • ‘in such form as is appropriate.’
  • that where an individual requests a privacy policy in a particular form, the APP entity must take reasonable steps to accommodate that request.
  • APP entities to make a privacy policy available by publication on a website.
  • where it is foreseeable that the privacy policy may be accessed by individuals with accessibility needs, or where individuals request a copy of the privacy policy in an accessible form, appropriate accessibility measures should be put in place.

APP 5 requires entities to:

  • take such steps (if any) as are reasonable in the circumstances to notify individuals about the collection of their personal information.
  • provide a collection notice at or before the time an APP entity collects personal information (or as soon as practicable afterwards)
  • ensure the collection notices address the matters listed in APP 5.2, or ‘otherwise ensure that the individual is aware’ of those matters.
  • per the APP Guidelines, take ‘reasonable steps’ such as:
    • prominent display of the matters in a sign-up form,
    • providing a readily accessible link to an APP 5 notice or verbal communication of the matters over a telephone call.

It may not be reasonable to provide notice to an individual where:

  • the individual is already aware of the APP 5 matters
  • an entity collects personal information from an individual on a recurring basis in relation to the same matter, and there has been no material change in the nature of the collection
  • notification may pose a serious threat to life, health or safety
  • notification may jeopardise the purpose of collection or the integrity of the personal information collected and there is a clear public interest in the purpose of collection
  • notification would be inconsistent with another legal obligation, or
  • the impracticability of notification, including the time and cost, outweighs the benefit of notification.

It may be reasonable for an entity to notify some but not all of the APP 5 matters where the collecting entity’s identity is obvious from the circumstances.

A large number of submitters to the Discussion Paper supported collection notices and privacy policies, regarding them as playing a crucial role in fostering transparency over personal information handling practices. The OAIC optimistically submitted that the transparency provided by privacy policies and collection notices enables individuals to decide whether ‘to exercise control in how they deal with a service (such as adjusting privacy settings) or decide not to engage with the [service].’ The dilemma facing individuals is that, even if the privacy policy provides no transparency, it remains likely that the person will purchase the product or use the service. Consumers are usually left with a non-choice. The OAIC was more realistic in stating that while also assisting regulators in holding entities to account.

There was concern that many privacy policies and collection notices are complex, lengthy, legalistic and vague, which can undermine individuals’ understanding of how their personal information will be handled. The Digital Platforms Inquiry’s assessment of large online platforms found that lengthy and complex privacy policies were common, with many employing ambiguous descriptions of how user data is handled and being difficult to navigate.

There was a clear split between submitters. Some, primarily large organisations such as Telstra and ANZ, regarded the wording of APP 5 as logistically challenging and recommended that a hyperlink to where individuals may find privacy information should satisfy the obligation to ensure the individual has been made aware of the relevant matters. Others, including academics and civil society groups, saw the benefits of maintaining both APP 1 and APP 5, regarding each as playing a distinct role. The OAIC sided with the latter approach, stating that APP 5 collection notices should contain information that is relevant to the particular collection of personal information, which facilitates individuals’ privacy self-management, while APP 1 privacy policies provide high-level information to the world at large about how an organisation generally handles personal information.

Given the split and the support for both APP 1 privacy policies and APP 5 collection notices, the Report recommended retaining both on the basis that each serves a distinct and important function, namely:

  • An APP 1 privacy policy is necessary at all times and:
    • covers the entity’s entire personal information handling practices.
    • facilitates monitoring of compliance and is valuable for:
      • particularly concerned individuals,
      • civil society groups,
      • researchers
  • APP 5 collection notices, when required, should:
    • be concise,
    • be easy for the average consumer to understand, and
    • only contain information that is relevant to the particular collection of personal information.
  • existing APP Guidelines clarify the circumstances in which APP entities may consider providing individuals with a hyperlink to a privacy policy in order to fulfil their notification obligations under APP 5. Pursuant to the 7-Eleven determination, mere publication of a ‘privacy policy on a website does not amount to compliance with APP 5’ and a collection notice on, or in the vicinity of, the tablet screen prior to the collection of biometric data
  • unlike APP 1, there is no legislative requirement in APP 5 that requires collection notices to be clear or up-to-date.

There was support for the Discussion Paper’s recommendation to update APP 5 to require collection notices to be ‘clear, current and understandable.’ The OAIC submitted that APP entities would need to consider the appropriate length of their APP 5 notice in order to comply with the requirements for notices to be clear and understandable. It was noted that the proposal bears similarities to equivalent requirements in overseas jurisdictions, including Europe’s GDPR.

There was quibbling over the term ‘current’: big end of town submissions sought clarification about the possible interpretation of ‘current’, concerned that it was ambiguous and could mean any of:

  • notice continues to be accurate
  • notice is updated at regular intervals, or
  • notice is provided at each collection.

The OAIC, whose submissions carried significant weight in this process, submitted that a requirement for collection notices to be ‘current’ should require ‘APP entities to update their documentation when their practices change, such as information being used for a new purpose.’

As a result, the Report recommends using the term ‘up-to-date’ instead of ‘current’ to make clear that collection notice procedures would only need to be updated when practices change.

The Report also accepted the submissions that APP 5 notices be ‘concise’. It also agreed that there be a requirement that they be ‘understandable’, which would accommodate notification in other languages where appropriate and the use of plain language.

The resulting proposal is that:

10.1 Clear collection notices

Introduce an express requirement in APP 5 that requires collection notices to be clear, up-to-date, concise, and understandable. Appropriate accessibility measures should also be in place.

The contents of privacy policies and collection notices

The Report opted not to follow the Discussion Paper’s proposal to reduce the number of matters that must be addressed in an APP 5 collection notice. The Discussion Paper proposal was to move the matters set out in APP 5.2(c), (e), (i) and (j) into APP 1.4, and that collection notices could also address the types of personal information collected, as well as the purposes for which the entity may use or disclose that personal information. The OAIC was in favour of collection notices continuing to disclose whether a collection of personal information is required or authorised by law, and whether the APP entity is likely to disclose personal information to overseas recipients.

The OAIC dealt with the issue of a long list of matters requiring notice under APP 5.2 by stating that ‘APP 5 only requires APP entities to take reasonable steps to notify the individual of such matters referred to in subclause 5.2’, which provides a degree of flexibility in the principle and ‘allows APP entities to limit notice to what is needed in the circumstances.’ Accordingly, many APP entities would not provide notice of all matters in APP 5.2. The Report also noted that existing OAIC guidance clarifies that an APP 5 notice does not need to include ‘internal purposes that form part of normal business practices, such as auditing, business planning, billing or de-identifying personal information.’

The Report recommends extending notification to new individual rights proposed in Chapter 18, and withdrawal of consent, erasure and objection. As such the Report proposes:

10.2 Contents of an APP 1 privacy policy and APP 5 collection notice

The list of matters in APP 5.2 should be retained. OAIC guidance should make clear that only relevant matters, which serve the purpose of informing the individual in the circumstances, need to be addressed in a notice.

The following new matters should be included in an APP 5 collection notice:

  • if the entity collects, uses or discloses personal information for a high privacy risk activity — the circumstances of that collection, use or disclosure
  • that the APP privacy policy contains details on how to exercise any applicable Rights of the Individual, and
  • the types of personal information that may be disclosed to overseas recipients.

Note: See Chapter 18 (Rights of the individual), Chapter 19 (Automated decision-making), Chapter 21 (Security, retention and destruction) for additional matters that would be required to be addressed in a privacy policy.

Standardisation of privacy policies and collection notices

The Report proposed that standardised collection notices be developed by way of guidance and APP codes. Not surprisingly, this was a very popular proposal because it was seen as simplifying compliance for APP entities and assisting individuals to understand the content of collection notices. The OAIC optimistically submitted that standardised collection notices would make it easier for individuals to compare different services. Whether individuals, especially in consumer mode, actually do that is open for debate. The Report noted that international data protection laws also contemplate the future development of standardised privacy notices or methods through which individuals may exercise privacy rights, including the GDPR and the California Consumer Privacy Act of 2018 (CCPA). New Zealand’s Privacy Commissioner has developed a Privacy Statement Generator, which enables entities to quickly create a privacy policy in a standardised template.

Because it is impractical to develop one standardised template, lexicon or icon for use across all APP entities, due to the wide range of contexts in which the Act applies, standardised templates would be developed by reference to relevant sectors while seeking to maintain a degree of consistency across the economy. Standardisation would be assisted by OAIC guidance, which could provide standardised templates and layouts, and provide guidance on standardised terminology and icons.

The Report proposes:

10.3 Standardisation of privacy policies and collection notices

Standardised templates and layouts for privacy policies and collection notices, as well as standardised terminology and icons, should be developed by reference to relevant sectors while seeking to maintain a degree of consistency across the economy. This could be done through OAIC guidance and/or through any future APP Codes that may apply to particular sectors or personal information-handling practices.

The circumstances in which notice is required

The Discussion Paper was influenced by the Digital Platforms Inquiry’s recommendation that all collections of personal information be accompanied by a collection notice unless the individual already has the information or an overriding legal or public interest reason applies. It proposed that APP 5 be amended to require notice under APP 5 unless the notification would be ‘impossible’ or would involve ‘disproportionate effort.’ This would involve APP 5 notices being provided in a greater range of circumstances, including indirect collections.

The responses were mixed. The OAIC regarded the current requirement for entities to take ‘such steps (if any) as are reasonable in the circumstances’ as creating a flexible requirement without the need for specific exceptions to the notification requirement. What influenced the Review most was the Commissioner’s determination in October 2021, where APP 5.1 was considered in the context of the personal information handling practices of Clearview AI, Inc (Clearview), which collected biometric information from third party sources using an automated image scraper. The Commissioner determined that Clearview was required to take more rigorous steps to notify under APP 5, noting ‘the sensitivity of the information collected and potential adverse consequences for individuals as a result of the collection.’ The APP Guidelines also provide that the ‘requirement to notify or ensure awareness of the APP 5 matters applies to all personal information ‘collected’ about an individual, either directly from the individual or from a third party.’

Given the above, the Report regarded APP 5.1 as already requiring notice even where an entity collects personal information from third party sources, so there is little merit in changing the current provision.
