Matthew Prescott

Privacy Policy Health Check

5 May 2015

Confidentiality and Privacy

This week, the Office of the Australian Information Commissioner (OAIC) launched Privacy Awareness Week (held from 3 to 9 May 2015), which is promoted throughout the Asia Pacific region.  There are numerous government and private-sector organisations supporting Privacy Awareness Week including banks, professional service firms, educational institutions and not-for-profit organisations.  You may have seen banners promoting Privacy Awareness Week on websites you have visited recently.


Throughout the week, the OAIC plans to release materials relating to this year’s theme, “Privacy everyday”.  The theme is intended to raise awareness of day-to-day privacy issues, for example those that might arise when dealing with businesses online.


The OAIC has announced that it conducted an assessment of the online privacy policies of 20 Australian and international organisations from the finance, retail, government, social and other media sectors.  The organisations included the Commonwealth Bank of Australia, the Department of Human Services, LinkedIn, Microsoft Corporation, News Corp Australia and Twitter Inc. The OAIC chose the organisations based on highly visited websites and those organisations that the OAIC frequently receives complaints about.


The assessment identified several interesting statistics about those organisations and their compliance (or otherwise!) with the Privacy Act.  Interestingly, the OAIC identified that the online privacy policies of over half of them did not include all of the elements required by Australian Privacy Principle (APP) 1.4, which sets out the minimum content requirements of a privacy policy.  The most common missing element was information about how the organisation would deal with a privacy complaint.


The OAIC reported the following positive findings:


  • all 20 organisations had privacy policies that were easy to find on their websites;
  • all privacy policies adequately described the kinds of personal information each organisation collects and how it is collected; and
  • all policies included appropriate contact information.


Unfortunately, however, the OAIC also reported some less positive findings. 55% of the privacy policies did not adequately address one or more of the content requirements set out in APP 1.4, including:


  • 11 out of 20 privacy policies did not state how an individual can request access to or correction of their personal information;
  • 8 out of 20 privacy policies did not outline how the organisation would deal with a privacy complaint it may receive;
  • 5 out of 20 privacy policies did not adequately describe how they protect the personal information that they hold; and
  • 4 out of 20 privacy policies did not say whether the organisation was likely to disclose personal information overseas and (if so) the countries in which such recipients are likely to be located.


The OAIC also indicated that some privacy policies were too lengthy, making it difficult to identify relevant information in the policy.  This may be contrary to an organisation’s obligation to have a clearly expressed privacy policy (see APP 1.3).  The median policy length of the privacy policies reviewed by the OAIC was 3413 words.


Those organisations whose privacy policies did not comply with the Privacy Act received recommendations from the OAIC to address any privacy issues that were identified.


This assessment is a timely reminder that all organisations that are subject to the Privacy Act (typically, businesses with revenue in excess of $3 million) should review their privacy policies to ensure compliance with the APPs.


It can be relatively easy to identify a privacy policy that is non-compliant with the APPs, particularly where information that is expressly required to be included in it is missing.  In our experience, many privacy policies are not compliant with the APPs, and the OAIC’s assessment is confirmation of this.


Since the recent privacy reforms in March last year, the OAIC is able to impose stronger penalties for non-compliance with the Privacy Act and APPs.  There may also be other negative outcomes where an organisation fails to adhere to privacy law requirements, for example, public relations or customer perception issues.  It would clearly not be a positive PR outcome for an organisation to be identified as having a non-compliant privacy policy.


Please do not hesitate to contact Thomson Geer’s national Privacy team if you would like us to conduct an assessment of your organisation’s privacy policy and advise whether it complies with the current legal requirements. We can assist in making any changes needed to ensure that it adheres to the requirements of the Act.


For more information about Privacy Awareness Week, please visit the OAIC’s website.