It has been almost three years since the Australian Privacy Principles (APPs) were introduced. At that time many organisations did a widespread review and update of their privacy policies and other key privacy documents and procedures. In a world where fast-evolving technologies regularly impact information collection practices, another review and update may well be (over)due.

APP 1 requires organisations bound by the Privacy Act 1988 (Cth) (Privacy Act) to have a privacy policy that is clearly expressed, up-to-date and one that accurately describes how they manage personal information. An up-to-date privacy policy is not just about complying with your privacy obligations; privacy policies may also be representations by an organisation that are governed by consumer law. You don’t want to mislead your customers because your published privacy policy contains outdated or inaccurate information about how you handle their personal information.

PRIVACY IS KEY TO CONSUMER TRUST

Consumers are now more privacy-aware and discerning about who they provide their personal information to than they have ever been. Privacy breaches quickly become headline news and often have repercussions for organisations that fail to meet community expectations about how personal information should be managed.

In 2013, the Office of the Australian Information Commissioner’s (OAIC) privacy survey found that 60% of Australians have decided not to deal with a private company due to concerns as to how their personal information will be used. In light of high profile data breaches and the community response to the 2016 Census (both in terms of the privacy concerns and the website being taken off-line due to security concerns) even more people may avoid dealing with an organisation – Government or private sector – if they don’t trust it will handle their personal information appropriately.

WHAT POLICIES SHOULD LOOK LIKE AND INCLUDE

An accurate, plain language and regularly updated privacy policy is key to keeping consumers adequately informed about how their personal information is collected and handled, and achieving compliance with APP 1. A privacy policy is not just a legal document – it is a document that establishes trust and manages the relationship with your existing and potential customers. For this reason, it should be written in clear (even engaging) language and be as concise as possible.

The OAIC’s guide to developing an APP privacy policy contains a number of useful checklists to assist you in making sure your privacy policy includes the information required. Such guidance is not just a matter of academic interest. Under the Privacy Act, the OAIC has powers to conduct (and has conducted) audits and assessments to determine how well APP entities comply with their privacy obligations. The OAIC has also conducted a ‘privacy sweep’ of website privacy policies, emphasising that website privacy policies are generally too long and complex. In an age where consumer trust is linked to privacy practices, you don’t want to be the subject of a ‘name and shame.’

Since APP 1 has the objective of ensuring personal information is managed in an open and transparent way, it is also useful to consider whether your privacy policy is prominently displayed and easily accessible. In particular, it should be appropriately adapted for the different mediums in which it is accessed, including mobile devices.

THREE DATA PRACTICES THAT MAY HAVE CHANGED FOR YOU IN THE LAST THREE YEARS

Technology is rapidly evolving, and with it, the way organisations interact with and collect data from customers. This section lists a few key data practices which may have changed since your privacy policy was last updated.

  1. Cookies and information collection technology: the ability for websites to collect information via cookies and other information collection technologies (such as internet tags and navigational data collection) has increased drastically over the past few years. These technologies collect location data and other information passively, without users actively providing it. If you collect this type of information using such technologies, your privacy policy should address this. Specify the kind of information that is collected – such as an IP address, device number, or webpage visiting information – and how it is used.
  2. Information storage: in an increasingly connected world, corporate restructures, company growth and the use of cloud computing all mean that information storage practices often change. Privacy policies must accurately reflect how data is stored and list the overseas countries to which information is disclosed – you should make sure this is up to date.
  3. Marketing and remarketing: tools such as Google Analytics and Facebook Custom Audiences have changed the manner in which organisations engage with existing and potential customers. These technologies can be effective marketing tools, however, privacy policies should be updated to specify that personal information may be used for marketing purposes, and may be disclosed overseas.

NEXT STEPS

Publicise the update

When you update your privacy policy, update the version number and date stamp on the policy, then get it out there. If you make material changes to your privacy policy, let your customers know through the channels you ordinarily use to communicate with them (such as via email, through an app or via social media).

Update related documents

Privacy policies do not exist in a vacuum and are not the only documents you need to have in order to support privacy compliance. Make sure you also make corresponding and appropriate updates to your other internal and external documents that address privacy and information management, such as your website terms and conditions, privacy collection statements and data breach response plans.

Information management continues to rapidly evolve. Make a resolution that your privacy policy should change with it.