The Privacy Commissioner, John Edwards, has told businesses that it's "time to raise your game" and improve the transparency of their privacy practices.
In a recent blog post, the Commissioner sends a clear message that he expects businesses to do more to make sure customers are aware of how their information is being collected and used, especially when the new Privacy Bill becomes law next year.
1. It tells people what personal information you are collecting, why, and what you will do with it. This is because the Privacy Act says that agencies need to take "reasonable" steps to ensure people are aware of these things.
It's important to note that in both situations, you need to do what is "reasonable".
In practice, probably very few people actually read privacy policies in full before ticking "I agree". And if they do choose to read one, they'll probably need around 15-18 minutes to spare, and at least a university reading level.
Although the Commissioner's blog post presents this as a change, we don't think that it is really a shift in the law, or how it is interpreted. The obligations to be reasonable are already in the current Privacy Act, and it's already difficult to enforce unexpected or onerous clauses in standard terms, especially for consumer products and services.
However, we do think this means that the Commissioner will be paying closer attention to these issues, and intends to use his expanded powers under the Privacy Bill to take a stance on them. For example, under the Bill, the Commissioner will be able to issue compliance notices requiring agencies to make changes where their privacy practices are not up to scratch.
We think now is a good time for all organisations to review their privacy policies and consider:
- Are they clear and easy to understand?
- Are they presented in a way that encourages people to read them?
- Is there anything unexpected in there that should be brought to people's attention more prominently (eg via a separate tick box)?
- Can you increase customer control over their personal information in some other way (eg using features of "privacy by design")?
Answering these questions will go a long way towards meeting the "reasonable" criteria, and help businesses get ready for when the Bill becomes law in early 2020.
This article was written for the NBR (October 2019).