Keypoint Law survey reveals that 46% still do not comply with Australian Privacy Principles

It is now 18 months since the Australian Privacy Principles (APPs) came into force, and 3 years since the legislation introducing them was passed by the House of Representative.   However, Keypoint Law’s survey of the websites of 164 large Australian agencies and organisations has revealed that, even after all this time, 46% of those surveyed either did not have an online privacy policy, or had a policy which failed to address one of the mandatory content requirements in APP 1.

APP 1.3 requires each APP entity to have a clearly expressed and up to date policy about the management of personal information by the entity.  It must also take reasonable steps to make its APP privacy policy available (usually on the entity’s website).  APP 1.4 identifies the minimum information that an APP privacy policy must contain, which is:

• the kinds of personal information that the entity collects and holds;
• how the entity collects and holds personal information.
• the purposes for which the entity collects, holds, uses and discloses personal information;
• how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
• how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
• whether the entity is likely to disclose personal information to overseas recipients;
• if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

Of course, the APPs contain many other obligations for APP entities in respect of their personal information-handling practices.  However, compliance with APP 1.3 and 1.4 is the easiest to ascertain through publicly available information.  Keypoint Law surveyed the websites of 164 APP entities, which included government departments, statutory authorities, companies and trusts.  We first identified whether the entity had published its APP privacy policy on its website.  If it had, we then evaluated whether the policy addressed each of the content requirements in APP 1.4 as set out above.

We were surprised to discover that 20% of the entities we surveyed did not have any online privacy policy at all (or had just changed the name of their website privacy statement to ‘privacy policy’ without changing its content).  While it is possible that some of these entities may have adopted APP privacy policies and decided not to make it available on its website, this still represents a material rate of non-compliance given the time since the APPs were first introduced.

In addition, where entities did have a policy, 33% failed to address at least one of the mandatory content requirements in APP 1.4.  Policies almost always specified both the kinds of personal information collected, how the information was collected and the purpose for collection, as required under APP1.4(a), (b) and (c).  Most (90%) adequately described how an individual could access and seek correction of their personal information held by the entity.  However, while most (91%) policies described how an individual could make a privacy complaint, 22% failed to comply with the obligation in APP1.4(e) to describe how the entity will deal with any such complaint.  In addition, 20% of policies failed to state whether or not the entity would disclose personal information overseas, as required under APP1.4(f).   The Office of the Australian Information Commissioner (OAIC), in the assessment of 20 entities it conducted in May 2015,¹ also identified specifying how to deal with a privacy complaint and addressing cross-border disclosure as significant areas for improvement in online privacy policies.

For the purposes of this survey we did not make a qualitative assessment of the readability or accessibility of each policy, or how comprehensively each matter had been addressed.  We did however note that relatively few entities (26%) have adopted the ‘condensed privacy policy’ format recommended by the OAIC, where a summary of the privacy policy is published on the website with a link to the full policy.

The OAIC is going through a process of checking how the new requirements in the APPs have been implemented.  It has prepared a range of helpful guidance to assist APP entities to comply with their obligations under APP 1.3 and 1.4, including it’s:

• Guide to Developing an APP Privacy Policy;² and
• APP Guidelines.³

We recommend that APP entities consider the OAIC’s guidance when they are preparing or reviewing their APP privacy policy, and in particular make sure that they have properly addressed the mandatory content requirements in APP 1.4 (in particular specifying how the entity will deal with a privacy complaint, and addressing cross-border disclosure).  By improving their privacy policies in line with the OAIC guidance, entities will make it as easy as possible for people to understand how their personal information will be collected, used, disclosed and protected.  It makes good economic sense for entities to take the time and effort to improve their APP privacy policies and to consider how they deal with personal information, as customer confidence in an entity’s personal information handling-practices can directly affect their purchasing decisions.

¹Office of the Australian Information Commissioner, “Privacy policies still have room for improvement”, 4 May 2015, http://www.oaic.gov.au/news-and-events/media-releases/privacy-media-releases/privacy-policies-still-have-room-for-improvement

²Office of the Australian Information Commissioner, “Guide to developing an APP Privacy Policy”, May 2014, http://www.oaic.gov.au/privacy/privacy-resources/privacy-guides/guide-to-developing-an-app-privacy-policy

³Office of the Australian Information Commissioner, “APP Guidelines”, 1 April 2015, http://www.oaic.gov.au/privacy/applying-privacy-law/app-guidelines