At Ash St. we were alarmed to read, recently, that more than a third of consumers had experienced privacy “issues” with Australian companies and, further, more than half of all major Australian companies examined by the Information Commissioner had failed to comply with privacy rules.

The statistics expose a poor performance on the part of businesses of all sizes. (Revealed by the SMH for Privacy Awareness Week, May 4-8.)

Further, Information Commissioner Timothy Pilgrim is particularly concerned about the length of some privacy policies: the median length of the 20 he assessed was an “excessive 3413 words”, with one coming in at a “whopping 18,000 words”.

Ash St. regularly helps businesses understand, and comply with, privacy law requirements.

It begins with drafting a simple, plain-English privacy policy.

“It’s not as straightforward as it appears,” says Jason Dixon, Ash St Director, IT & IP. “Compliance can be challenging, especially considering that both Federal and State legislation might apply in any given circumstance.  Add to that, several different privacy guidelines, industry specific requirements and OAIC decisions”. 

It’s been a year since the Office of the Australian Information Commissioner (OAIC) revamped privacy rules for government agencies and businesses.  Among the new rules is “Privacy Principle 1” which “requires organisations to have a clearly expressed, easy to find and up to date privacy policy on their website.”  As the SMH reported, many businesses failed to disclose these key terms of engagement:  “How individuals could access or correct their personal data; how they could make a privacy complaint to the organisation; how their personal data was protected and whether their data was likely to be sent offshore.  Forty per cent of the organisations surveyed did not outline how they would deal with a privacy complaint.”

At Ash St., we recommend these Top Five Tips for privacy compliance:

  1. Privacy by design:  Be proactive. Privacy must be your company's default mode of operation, rather than just being based on regulatory frameworks. With changing information and communications technologies and large-scale data systems becoming a way of life, a reactive response to privacy is not enough. A proactive company will ensure its policies and procedures are visible, transparent and user-centric.
  2. Privacy does not start and end with your privacy policy:  Your company must actively protect the personal information that it collects and holds.  For example:
    1. Your privacy policy must be appropriate to your industry and business. 
    2. Staff should be trained on how to deal with personal information and that training must be regularly updated.  
    3. Your privacy policy should be regularly tested against your business practices to ensure it does what it is supposed to do and complies with the law.
    4. Don’t over-complicate things – aim for simple, plain-English drafting.
  3. Bring Your Own Device (BYOD):  Do your staff members really need access to personal customer information on their devices?  If so, you need to have measures in place to protect that data, e.g. encryption, and partitioning of business data from the employee’s own personal data on the device.
  4. Risk of outsourcing and cloud service providers:  In most cases, even if you outsource the storage of personal information which your company collects and holds, you are still liable to ensure it is protected.  Do you know where that information is stored?  Is it secure?  Can you easily access it to correct the information if requested to do so?  Can you easily destroy or de-identify it once it is no longer required?
  5. Consider a privacy risk assessment:  It could save your business from the wrath of the OAIC, hefty fines and significant reputational damage.