Tuesday 8 October 2013

Time to spring-clean your privacy policy?

Big reforms are afoot in federal privacy law.  They don’t change Victorian law but they do give Victorian agencies some reasons to spring-clean their privacy policies.

Federal changes

From 12 March 2014, the Australian Privacy Principles (APPs) will apply to private sector organisations and Commonwealth Government agencies.

The APPs are a single set of principles that will replace the separate sets of public and private sector principles at the federal level, known as the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs) respectively.

These are the most significant amendments to the Privacy Act 1988 (Cth) since its commencement.  Most of the APPs are based on the existing IPPs and NPPs.  However, the APPs also include some significant changes in order to keep pace with changing technology, emerging privacy issues and developments in privacy law in Australia and internationally.

What does this mean for State government entities?

These reforms don’t change Victorian law.  However, it is an important development for the Victorian government to monitor because:
  • it affects the privacy rights of individual Victorians; and
  • if the move toward national uniform legislation proposed by the previous federal Government proceeds, it could ultimately affect the privacy obligations of Victorian public sector bodies.

The privacy principles in the Information Privacy Act 2000 (Vic) and the Health Records Act 2001 (Vic), which apply to the handling of personal information and health information by the Victorian public sector, are both adapted from the NPPs.  This was done, as explained in the Explanatory Memorandum to the IP Act, to maintain as ‘much consistency as possible’ with ‘perceptions and practice already operating nationally’.

Because the Victorian principles are based on the NPPs rather than the IPPs, the obligations of Victorian government agencies are, in many respects, similar to those that private sector organisations and Commonwealth government agencies will now have to comply with.  Victorian agencies have long been required to:
  • have a clear and accessible policy about the management of personal information by the agency; and
  • provide individuals with the option of not identifying themselves when entering transactions with the agency.

Other requirements of the APPs do not explicitly feature in Victorian law.  These include new obligations when an entity receives unsolicited information or engages in direct marketing.

Privacy policies

Although these new federal privacy reforms do not directly affect the privacy obligations of the Victorian public sector, there are two reasons why Victorian agencies might want to review their current privacy policies.

Firstly, whilst VIPP 5 has long required Victorian public sector organisations to have clearly expressed policies on managing personal information, the new APP 1 is far more prescriptive as to what an agency’s privacy policy should specify.  It requires privacy policies to contain the following information:
  • the kinds of personal information that the entity collects and holds;
  • how the entity collects and holds personal information;
  • the purposes for which the entity collects, holds, uses and discloses personal information;
  • how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
  • how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
  • whether the entity is likely to disclose personal information to overseas recipients; and
  • if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

Further guidance on each of these items is set out in the draft guideline for APP 1.

Given that the previous acting Victorian Privacy Commissioner wrote approvingly of the level of detail in APP 1, it would be a worthwhile exercise for Victorian agencies to consider if their policies match these more prescriptive requirements.

Secondly, the Office of the Australian Information Commissioner (OAIC) has recently conducted a ‘privacy sweep’ of the websites most used by Australians.  It assessed nearly 50 website privacy policies for accessibility, readability and content. 

The OAIC found that most sites had issues with either readability, provision of contacts for further information, relevance or length.  In particular, it was concerned that the average length of policies was over 2600 words, which it considered was too long for people to understand the key points.

The OAIC helpfully identified the following characteristics of the better privacy policies, which might be of interest to Victorian agencies thinking of updating their privacy policies:
  • Some of the best examples observed during the sweep were policies that made efforts to present the information in a way that was easily understandable and readable to the average person.  This was accomplished through the use of plain language; clear and concise explanations; and the use of headers, short paragraphs, FAQs, and tables, among other methods.
  • Most organisations included contact information for the particular individual responsible for privacy practices.  Providing more than one option for contacting that individual (eg mail, toll-free number and email) is a thoughtful way of ensuring there are no barriers to contacting an organisation about its privacy practices.
  • Some policies had been tailored for mobile apps and sites, going beyond simply providing a hyperlink to an organisation's existing website privacy policy.
  • In some instances, organisations provided both a simplified and full policy to assist their customers to understand what will happen to their personal information.

If you are in the Victorian government and would like advice on these developments or your privacy policy, please contact:

Carolyn Doyle
Principal Solicitor
t 9032 3038