This week, the Office of the Australian Information Commissioner (OAIC) launched Privacy Awareness Week (held from 3 to 9 May 2015), which is promoted throughout the Asia Pacific region. There are numerous government and private-sector organisations supporting Privacy Awareness Week including banks, professional service firms, educational institutions and not-for-profit organisations. You may have seen banners promoting Privacy Awareness Week on websites you have visited recently.
Throughout the week, the OAIC plans to release materials relating to this year’s theme, “Privacy everyday”. The theme is intended to raise awareness of day-to-day privacy issues, for example those that might arise when dealing with businesses online.
The OAIC has announced that it conducted an assessment of the online privacy policies of 20 Australian and international organisations from the finance, retail, government, social and other media sectors. The organisations included the Commonwealth Bank of Australia, the Department of Human Services, LinkedIn, Microsoft Corporation, News Corp Australia and Twitter Inc. The OAIC chose organisations with highly visited websites and organisations about which it frequently receives complaints.
The OAIC reported the following positive findings:
- all 20 organisations had privacy policies that were easy to find on their websites;
- all privacy policies adequately described the kinds of personal information each organisation collects and how it is collected; and
- all policies included appropriate contact information.
However, the OAIC also reported some less positive findings. 55% of the privacy policies did not adequately address one or more of the content requirements set out in Australian Privacy Principle (APP) 1.4. In particular:
- 11 out of 20 privacy policies did not state how an individual can request access to or correction of their personal information;
- 8 out of 20 privacy policies did not outline how the organisation would deal with a privacy complaint it may receive;
- 5 out of 20 privacy policies did not adequately describe how they protect the personal information that they hold; and
- 4 out of 20 privacy policies did not say whether the organisation was likely to disclose personal information overseas and (if so) the countries in which such recipients are likely to be located.
Those organisations whose privacy policies did not comply with the Privacy Act received recommendations from the OAIC to address any privacy issues that were identified.
This assessment is a timely reminder that all organisations that are subject to the Privacy Act (typically, businesses with revenue in excess of $3 million) should review their privacy policies to ensure compliance with the APPs.
For more information about Privacy Awareness Week, please visit the OAIC’s website.