On 4 May 2015, as part of the 2015 Privacy Awareness Week, the Privacy Commissioner announced that businesses can still improve their privacy policies after his Office assessed the policies of 20 Australian and international organisations. The Commissioner’s warning highlights the reputational risks to organisations if they get privacy compliance wrong.

While compliance with privacy laws may seem a burden, failure to protect individuals’ personal information has resulted in harsh reputational damage to Australian and overseas companies, with some senior executives losing their jobs. As Australia moves towards a regime of mandatory data breach notification towards the end of 2015, businesses are urged to review their compliance with Australia’s privacy laws to ensure that they minimise their risk of non-compliance.

Large Australian and overseas organisations assessed

The OAIC assessed the privacy policies of the “big four banks”, traditional media including News Corp, Fairfax and the Guardian Australia, and social media outlets, including Instagram, LinkedIn and Twitter.

Their policies were evaluated against the requirements of Australian Privacy Principle 1 (“APP 1”). Under APP 1, organisations must have a clearly expressed and up-to-date privacy policy. The Commissioner said that all organisations assessed had easily locatable privacy policies but many still had room for improvement, as 11 policies did not meet one or more of APP 1’s basic content requirements.

Tips for a compliant privacy policy

The Commissioner noted that “privacy policies need to include certain information so that people can be informed about how their personal information will be handled if they choose to deal with a particular organisation. The key to a good privacy policy is to make the information easy to read and accessible”.

While all the assessed policies adequately described the kinds of personal information collected and how information was collected, some did not inform individuals as to how they could access and correct their information, how a complaint could be made, how information would be protected and whether information could be sent overseas.

Further information about the assessments is available at the OAIC website.

Privacy Management Framework released

Separately, the OAIC released its new Privacy Management Framework as part of Privacy Awareness Week. The Framework is a step-by-step guide to compliance with APP 1.2, which provides that organisations must take reasonable steps to implement practices, procedures and systems that ensure compliance with the APPs.

The Framework calls for four steps: “embed (a culture of privacy that enables compliance)”, “establish (robust and effective privacy processes)”, “evaluate (your privacy processes to ensure continued effectiveness)” and “enhance (your response to privacy issues)”.

The OAIC encourages organisations and businesses to embed a culture of respecting privacy in order to build a “reputation for strong and effective privacy management that will inspire trust and confidence” and describes ongoing privacy compliance as part of “good governance”.

Find the Framework at the OAIC’s website as part of its privacy resources.