- the kinds of personal information that the entity collects and holds;
- how the entity collects and holds personal information;
- the purposes for which the entity collects, holds, uses and discloses personal information;
- how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
- how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
- whether the entity is likely to disclose personal information to overseas recipients;
- if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.
In addition, where entities did have a policy, 33% failed to address at least one of the mandatory content requirements in APP 1.4. Policies almost always specified the kinds of personal information collected, how the information was collected and the purpose for collection, as required under APP 1.4(a), (b) and (c). Most (90%) adequately described how an individual could access and seek correction of their personal information held by the entity. However, while most (91%) policies described how an individual could make a privacy complaint, 22% failed to comply with the obligation in APP 1.4(e) to describe how the entity will deal with any such complaint. In addition, 20% of policies failed to state whether or not the entity would disclose personal information overseas, as required under APP 1.4(f). The Office of the Australian Information Commissioner (OAIC), in the assessment of 20 entities it conducted in May 2015,[1] also identified specifying how to deal with a privacy complaint and addressing cross-border disclosure as significant areas for improvement in online privacy policies.
The OAIC is going through a process of checking how the new requirements in the APPs have been implemented. It has prepared a range of helpful guidance to assist APP entities to comply with their obligations under APP 1.3 and 1.4, including its:
[1] Office of the Australian Information Commissioner, “Privacy policies still have room for improvement”, 4 May 2015, http://www.oaic.gov.au/news-and-events/media-releases/privacy-media-releases/privacy-policies-still-have-room-for-improvement
[3] Office of the Australian Information Commissioner, “APP Guidelines”, 1 April 2015, http://www.oaic.gov.au/privacy/applying-privacy-law/app-guidelines
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.