06 Mar 2014

How does your privacy policy rate? Our top tips for getting your privacy policy ready

by Wei-Loong Chen, Eibhlin Hamman

Jargon, too much information (or not enough) and no contact details are all common flaws of privacy policies.

We are well and truly counting down to the start date of the changes to the Privacy Act on 12 March 2014. As part of the lead-up to the reforms, last year the Office of the Australian Information Commissioner (OAIC) released the results of a privacy sweep of almost 50 website privacy policies, which were assessed against new transparency requirements in the Privacy Act.

The results of the sweep were mixed, with many privacy policies held to be too long and complex.

Australian Privacy Principle 1.3 requires an organisation to have a clearly expressed and up-to-date privacy policy. While this requirement itself is not new, APP 1 is more prescriptive than NPP 5 by specifying in APP 1.4 the minimum information that must be contained in a privacy policy.

While including the additional content in your organisation's privacy policy to meet APP 1.4's requirements may seem straightforward, the results of the OAIC's privacy sweep suggest that drafting clear and concise policies while complying with the content requirements can be sometimes challenging.

In light of the Commissioner's findings, here are some tips for organisations as they get their privacy policies ready for 12 March 2014.

Keep it simple: Present information in a way that is easy to understand for your likely audience. Consider the use of plain language and how the information in your policy is laid out. Your privacy policy needs to cover a number of issues, and these should be signposted by headings or separate sections. Avoid large sections of text, instead using tables, short paragraphs, and "frequently asked questions" sections where appropriate.

Readability: In the Commissioner's privacy sweep, it was found almost 50% of privacy policies were considered either too long or difficult to read, and none of the full policies met the OAIC's preferred reading age level of 14. Use clear and concise language, and avoid jargon and in-house terms. Consider testing your policy's readability level using publicly available readability tests (such as the Flesch-Kincaid or Gunning-Fog tests ) – your work processing program may even include a tool for this purpose. Above all, do not use legalistic expressions or quote directly from legislation.

Personal information only: Your Privacy Policy should specifically deal with how you handle the personal information you collect. Remember that "personal information" has a specific meaning in the Privacy Act which could be narrower than the general public's perception of the term. Your Privacy Policy need not describe how you handle other types of information you may collect, unless this is relevant to how you manage personal information.

Consent: If you require an individual's consent for the way you handle personal information, the OAIC expects that the consent provided is voluntary, current and specific, informed and that the individual has the capacity to understand and communicate that consent. Consider how you could use the disclosures in your Privacy Policy (and Collection Statements) to facilitate the obtaining of consent, or alternatively, to assist in creating a reasonable expectation that the individual's personal information will be used or disclosed for relevant purposes.

Relevance: Consider your likely audience. In most cases, it will be individuals who are looking for information on what personal information you are or may be collecting, using or disclosing about them. While the OAIC has indicated that it does not expect your Privacy Policy to contain detailed information about all possible instances of collection of personal information, you should still seek to provide meaningful information about how personal information is handled in your organisation and avoid brief, general statements.

Include contact details: Provide details of a contact officer who individuals can contact if they have questions about your privacy policy or other privacy concerns. To avoid having to update these details with staff changes, consider establishing a generic telephone number and email address that will not change (for example, [email protected])

Reality check: Given the extent and complexity of the privacy reforms, there is an understandable temptation to adopt off-the-shelf template privacy policies as a base from which to work from. While this is acceptable, you should nonetheless ensure that your privacy policy is accurately tailored to the way your organisation actually handles personal information, takes into account the likely reader demographic and is consistent with how your organisation has structured its interactions with individuals.

Remember why you are doing this!: Ultimately, your Privacy Policy should allow you to conduct your business and service your customers in your intended manner, subject to the APP requirements. It should not unduly restrict the way you handle personal information – rather, it should reflect the kind of personal information you collect and how that information flows through your business. When drafting or reviewing your Privacy Policy, ensure that it reflects (and is consistent with) your organisation's other privacy practices, procedures and systems. If significant changes are made to your Privacy Policy, consider notifying your customers and providing an updated version of the Policy (particularly if the changes result in a more permissive personal information handling regime).

You might also be interested in...

Related Knowledge

Get in Touch

Get in touch information is loading


Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.