Availability of Privacy Policy

24.62 The NPPs and IPPs differ in that IPP 5 requires a record-keeper to take reasonable steps to enable an individual to ascertain specified matters regardless of whether the individual has made a request, whereas the corresponding obligation in NPP 5 only applies to an organisation following a request by an individual.

Submissions and consultations

24.63 In response to IP 31, some stakeholders submitted that the requirements to make certain information available should apply regardless of whether an individual has requested that information.[63]

24.64 Other stakeholders suggested that an individual’s request should be the appropriate trigger for the provision of some types of information. AAMI, for example, submitted that:

Disclosure regarding an organisation’s privacy processes/procedures should only be required upon request. However, the consumer needs to be informed via short notices that they can request or amend their personal information if they so wish.[64]

24.65 The OVPC stated that:

It is often administratively convenient for organisations to make their information-handling policies readily available (eg on the internet or in a brochure) without awaiting an individual request.

The request mechanism is useful to enable individuals to obtain further information about matters that have not been addressed in the organisation’s generic policy.[65]

24.66 The Australian Bankers’ Association expressed concern about the amount of information that already must be made available to consumers. It stated that, if the obligations were triggered without an individual’s request, customers could be over-burdened with ‘paper information’.[66] The Australian Government Department of Health and Ageing also favoured extending the request-based approach in the NPPs to agencies, stating that this would be more cost effective and practically useful for individuals.[67]

24.67 In DP 72, the ALRC proposed that an agency or organisation should be required to take reasonable steps to make its Privacy Policy available without charge to an individual electronically (for example, on its website, if it possesses one); and in hard copy, on request.[68]

24.68 Stakeholders generally supported this proposal.[69] Medicare Australia, for example, stated that this approach ‘would meet the needs of [individuals] without adding an additional burden on agency resources’.[70] The OVPC stated that:

To heighten awareness in information handling, there seems no reason why the obligation for an organisation to make its privacy policy available should be dependent upon first being asked by a member of the general public to produce it. However, this should not preclude an organisation from having to provide more detailed information about its handling practices than is generally stated in the privacy policy if requested.[71]

24.69 The OPC stated that:

Attention should be paid to whether privacy policies are provided in a form that is accessible to individuals from non-English speaking backgrounds, and individuals with other special needs, such as the visually impaired. Agencies and organisations should consider such matters in light of their customer or constituent base.[72]

24.70 PIAC expressed a similar view, noting also the special needs of those who are illiterate, or unable to access a computer because of financial disadvantage. It suggested that, in circumstances where an individual is unable to access a Privacy Policy electronically or in hard copy, the policy should be made available in such other form as the individual requests.[73]

ALRC’s view

24.71 Agencies and organisations should take reasonable steps to make their Privacy Policies available electronically—for example, on their websites, if they have one. The posting of Privacy Policies on websites is an ideal mechanism for making them generally available. This is consistent with the aims of the ‘Openness’ principle, namely increasing transparency and openness in the personal information-handling practices of agencies and organisations.

24.72 Agencies and organisations should be required to provide individuals with a hard copy of their Privacy Policies only on request. To mandate the provision of hard copies in the absence of a request would impose a significant compliance burden. It also would be of limited utility to individuals, especially those who have no dealings with a particular agency or organisation. Moreover, it may lead to individuals being overloaded with information in paper form, especially given that they already receive a large amount of general disclosure information in their transactions with government and the private sector. Finally, it is environmentally irresponsible.

24.73 Agencies and organisations also should take reasonable steps to make their Privacy Policies available in a form accessible to individuals with special needs, where this is requested. This would involve taking reasonable steps to ensure, for example, that individuals who are visually impaired, or from a non-English speaking background, can access Privacy Policies if they request to do so. The qualification that an agency or organisation need only take reasonable steps is significant. It allows for the possibility that meeting a particular request may not be reasonable. This may arise, for example, where the steps requested to be taken would impose an excessively disproportionate compliance burden compared with the privacy benefit likely to be gained by the individual making the request.

24.74 If an individual requests a copy of an agency’s or organisation’s Privacy Policy—whether in hard copy or in an alternative accessible form—he or she should not be charged a fee for this information. This reflects the underlying principle that an individual should not be unreasonably disadvantaged for seeking to assert or enjoy his or her privacy rights. This no disadvantage principle is discussed in Chapter 32.

Recommendation 24–2 An agency or organisation should take reasonable steps to make its Privacy Policy, as referred to in the ‘Openness’ principle, available without charge to an individual electronically; and, on request, in hard copy or in an alternative form accessible to individuals with special needs.

[63] W Caelli, Submission PR 99, 15 January 2007.

[64] AAMI, Submission PR 147, 29 January 2007. See also Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007; AXA, Submission PR 119, 15 January 2007.

[65] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007.

[66] Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007. See also National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007.

[67] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007.

[68] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 21–4.

[69] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Confidential, Submission PR 519, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Australian Unity Group, Submission PR 381, 6 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007. One stakeholder stated that such an obligation, however, should not apply to ‘vexatious or frivolous’ requests: Optus, Submission PR 532, 21 December 2007.

[70] Medicare Australia, Submission PR 534, 21 December 2007.

[71] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[72] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[73] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.