Content of a Privacy Policy

24.27 The openness requirements applicable to agencies and organisations differ. NPP 5 imposes a general obligation on an organisation to maintain a document setting out ‘clearly expressed policies on its management of personal information’, whereas IPP 5 takes a more prescriptive approach. As noted above, IPP 5 lists the specific matters that must be included in the record summarising how the agency handles personal information. These matters are: the nature of the records of personal information it keeps; the purpose for which each type of record is kept; the classes of individuals about whom records are kept; the period for which each type of record is kept; who is entitled to access the personal information, and upon what conditions; and how persons can access the information.

24.28 In addition to the maintenance of some kind of document setting out their personal information-handling practices, the openness provisions under the IPPs and NPPs impose requirements on agencies and organisations to take reasonable steps to ensure openness. Under IPP 5, agencies are required to take such steps as are reasonable in the circumstances to enable any person to ascertain:

  • whether the agency has possession or control of any records that contain personal information; and,
  • if so, the nature of the information; the main purposes for which it is used; and the steps to be taken to obtain access to the record.

24.29 Under NPP 5, an organisation is required on request by a person, to take reasonable steps to let that person know generally about: what sort of personal information it holds; for what purposes it holds that information; and how it collects, holds, uses and discloses that information.

24.30 Some requirements relating to content are therefore common to the IPPs and NPPs, even though the regulatory mechanisms stipulated for delivering that content differ in specific respects. That is, both sets of privacy principles require disclosure of the sort of personal information that is held, and the purposes for which personal information is held.

Submissions and consultations

24.31 In response to IP 31, some stakeholders supported the imposition of more prescriptive openness requirements on organisations. For example, it was submitted that organisations should make available the ‘details of the information systems used to maintain relevant databases’ because this would allow individuals to assess the security and other qualities of the information-handling system.[27] Another stakeholder stated that the OPC should be given the discretion to ‘require organisations to publish further information about particular personal information handling projects’.[28]

24.32 The OPC submitted that ‘the obligations imposed by NPP 5 require more specificity to remain relevant and effective’, but this should not allow the principle to become too prescriptive. In the OPC’s view, this would run contrary to the regulatory framework of the Act.[29] Some stakeholders also noted that greater guidance could be provided in guidelines, as distinct from primary legislation.[30]

24.33 Other stakeholders opposed taking a prescriptive approach to the openness obligations.[31] They stated that a prescriptive approach would hamper the ability of organisations to tailor privacy policies to customers’ needs and it may lead to lengthy and complex privacy policies.[32]

24.34 In DP 72, the ALRC proposed that agencies and organisations should be required to set out in a Privacy Policy their policies on the management of personal information, including how personal information is collected, held, used and disclosed. The ALRC proposed that this document should also include:

(a) what sort of personal information the agency or organisation holds;

(b) the purposes for which personal information is held;

(c) the avenues of complaint available to individuals in the event that they have a privacy complaint;

(d) the steps individuals may take to gain access to personal information about them held by the agency or organisation;

(e) the types of individuals about whom records are kept;

(f) the period for which each type of record is kept; and

(g) the persons, other than the individual, who can access personal information and the conditions under which they can access it.[33]

General responses

24.35 Some stakeholders supported this proposal.[34] For example, the Office of the Victorian Privacy Commissioner (OVPC) stated that:

There is benefit in a slightly more prescriptive approach towards ‘Openness’, provided that the additional details required by (a) to (g) do not require an agency or organisation to provide an exhaustive list of those matters, but rather a general one …

The additional details proposed in (a) to (g) would provide an organisation with a better guide as to how to meet this aspect of an openness principle and enhance the general public’s understanding about personal information that is held by organisations and the organisations’ resulting obligations.[35]

24.36 The OPC agreed in principle with the proposal, but noted ‘it may be somewhat more prescriptive than required and hence may be contrary to the intention of having high-level principles in the Privacy Act’. It stated that the proposed approach would ‘pose the risk that the prescribed matters might be taken as an exhaustive list of factors for an openness policy’.[36]

24.37 The OPC expressed the view that the matters to be stated in the ‘Openness’ principle for inclusion in a Privacy Policy should be limited to: the sort of personal information held; the purposes for which it is held; and the steps individuals may take to gain access.[37] Another stakeholder expressed a similar view on the essential content of a Privacy Policy, but stated that the avenues of complaint available to an individual should also be included.[38]

24.38 PIAC stated that Privacy Policies also should refer to the fact that an individual can seek to correct his or her personal information.[39]

24.39 Other stakeholders expressed opposition to the ALRC’s proposal,[40] or to specific limbs of the proposal.[41] Reasons for opposing the proposal included that:

  • it is overly prescriptive;[42]
  • a ‘one size fits all’ approach is inappropriate because it fails to recognise: the competitive nature of organisations as opposed to agencies; and that organisations have different business imperatives and customer relationships;[43]
  • some of the information proposed to be included in Privacy Policies is already included in other customer documents—such as Product Disclosure Statements;[44]
  • it would result in lengthy, detailed and complex Privacy Policies, which is likely to discourage individuals from reading them;[45] and
  • it would impose significant compliance costs on organisations.[46]

24.40 One stakeholder opposed the inclusion of all of the matters proposed to be included in a Privacy Policy, other than information about avenues of complaint and the steps individuals can take to seek access to their personal information. It stated that the requirements objected to:

  • ‘serve little or no constructive purpose because most people do not have the time or sufficient interest in these details’;
  • are inappropriate for the private sector; and
  • will be difficult and costly to comply with, particularly on an ongoing basis.[47]

24.41 The Law Council of Australia noted that organisations currently focus on their core customer base in Privacy Policies. It stated that:

If [the proposal] were adopted then it would be very clear that the Privacy Policy needed to address not only customers but also applicants for employment, employees (if the employee record exemption is removed), individuals who work for the organisation’s suppliers and service providers, other business contacts etc. For some of these categories of individual (in particular business contacts and employees of suppliers and service providers) the information held is typically only basic business contact information. The Law Council questions the value of addressing each of paragraphs (a) to (d), (f) and (g) in relation to that type of personal information, particularly if to do so materially adds to the length and complexity of the Privacy Policy.[48]

24.42 Another stakeholder expressed general concern that there not be overlap between the requirements of a Privacy Policy and those relating to notification.[49]

Types of individuals about whom records are kept

24.43 Some stakeholders opposed the mandatory inclusion in a Privacy Policy of a description of the types of individuals about whom records are kept.[50] For example, one stakeholder stated that such a requirement is unnecessary because the types of people about whom information is kept ‘is usually directly connected to the purpose(s) for which personal information is collected, used and disclosed’.[51]

Retention period

24.44 Many stakeholders expressed opposition to the proposed requirement that organisations be required to set out in a Privacy Policy the period of time for which each type of record is kept.[52] They stated that such a requirement is impracticable and costly, particularly in the financial services industry. This was said to be due to the number of different records that financial institutions hold, and the different retention requirements that exist in various statutes. For example, the Australian Bankers’ Association stated that ‘to devise an openness policy specifying the various retention periods would be a sizeable task and questionable on a cost and benefit analysis’.[53] Stakeholders also expressed the view that providing such information to customers would be unhelpful and confusing.[54]

24.45 Australian Unity Ltd opposed the particularisation of various periods of retention, noting that retention periods can depend on a variety of circumstances, such as whether a transaction is complete, or if litigation is pending. It supported, however,

a generalised notification within the [organisation’s] privacy policy stating records are maintained for a period consistent with applicable laws but no longer than a stated maximum period set by the organisation after consideration of the relevant laws directly affecting that industry.[55]

Guidance

24.46 In DP 72, the ALRC proposed that the OPC issue guidance on how agencies and organisations can comply with their obligations under the ‘Openness’ principle to produce and make available a Privacy Policy.[56]

24.47 This proposal was generally supported.[57] PIAC stated that the OPC also should provide guidance on the implementation of Privacy Policies. It stressed the importance of the OPC conducting audits of Privacy Policies to ensure compliance with the ‘Openness’ principle.[58]

ALRC’s view

24.48 The ‘Openness’ principle should be less prescriptive than the one proposed in DP 72. It is necessary to strike an appropriate balance between the detail in the ‘Notification’ and ‘Openness’ principles. An assessment of the content of one principle cannot be made without reference to the other.

24.49 The ‘Notification’ principle is relatively prescriptive. There is a strong argument that the ‘Openness’ principle, therefore, should be less prescriptive. This is consistent with the approach in the NPPs—the notification provisions of the collection principle are prescriptive, whereas the openness principle is expressed in high-level terms. Conversely, in the IPPs, the openness principle is prescriptive, and the notification provisions within the collection principle are comparatively less prescriptive.

Matters to be included

24.50 The essential content of a Privacy Policy should be expressed in high-level terms. That is, the central obligation should be for agencies and organisations to set out in such a document clearly expressed policies on an agency’s or organisation’s handling of personal information, including how it collects, holds, uses and discloses personal information. Any other matters required to be included in Privacy Policies, therefore, should not be interpreted as being exhaustive. The listing of such matters in the ‘Openness’ principle, however, should be limited, consistent with a less prescriptive approach. Such matters should include the sort of personal information the agency or organisation holds, and the purposes for which it is held. Both of these requirements are currently the subject of the IPPs and NPPs, so their inclusion in the ‘Openness’ principle should not add significantly to compliance costs.

24.51 Privacy Policies also should include the steps individuals may take to access and correct personal information. This information complements, but does not duplicate, a particular requirement under the ‘Notification’ principle. That is, that an agency or organisation is to notify or otherwise ensure that an individual whose personal information has been, or is to be, collected is aware of his or her rights under the UPPs to seek access to, and correction of, personal information. One obligation concerns notification of the right; the other, the process by which that right can be exercised. It is appropriate that information about general processes concerning personal information is the subject of the ‘Openness’ principle.

24.52 Similarly, Privacy Policies also should address the avenues of complaint available to individuals in the event that they have a privacy complaint. Significantly, the requirement is merely explanatory of the existing options available to individuals who may have a complaint. It does not require any new avenues of complaint to be made available. Again, this requirement complements, but does not duplicate, the requirement in the ‘Notification’ principle that individuals be made aware of the fact that the avenues of complaint available to them are set out in the agency’s or organisation’s Privacy Policy.

24.53 Ideally, information about avenues of complaint should include an internal dispute resolution contact and whether the agency or organisation is part of an external dispute resolution scheme (such as the Telecommunications Industry Ombudsman or Banking and Financial Services Ombudsman).[59] The need for such details, however, should be addressed in OPC guidance, rather than being incorporated in the ‘Openness’ principle itself.

24.54 It is not necessary to duplicate the requirements imposed on organisations by different legislative and regulatory regimes. As noted in Chapter 23, banks are required under the Corporations Act, the Code of Banking Practice, and the Electronic Funds Transfer Code of Conduct to provide complaint handling and dispute resolution information. It should be sufficient, therefore, for a Privacy Policy to state, where applicable, that the avenues of complaint available to an individual are set out in another generally available document that has been prepared to comply with other legislative or industry requirements.

24.55 For the reasons discussed in Chapter 31, the Privacy Policy of an agency or organisation also should set out whether personal information is likely to be transferred outside Australia and the countries to which such information is likely to be transferred.[60]

Matters not required to be included

24.56 Agencies and organisations may choose, but should not be required, to include the following matters in their Privacy Policies:

  • details of the types of individuals about whom records are kept;
  • details of the persons, other than the individual, who can access personal information, and the conditions upon which they access it; and
  • the period for which each type of record is kept.

24.57 Arguably, the types of individuals about whom records are kept can be surmised from the purposes for which personal information is collected, used and disclosed. Similarly, information about persons, other than the individual, who can access personal information, should be apparent from:

  • a general description of an agency’s or organisation’s disclosure practices in its Privacy Policy, including information about cross-border transfers; and
  • information provided about an agency’s or organisation’s usual disclosures of personal information of the kind collected, pursuant to the obligation in the ‘Notification’ principle.[61]

24.58 It may be costly and burdensome for some organisations, for example, those in the financial sector, to set out in their Privacy Policies, an explanation of the period of time for which they keep each type of record containing personal information. In particular, a statutory obligation in the Privacy Act to set out statutory retention periods contained in other legislation is an unnecessary compliance burden.

Alternative approach

24.59 The ALRC considered an alternative approach to reform of the ‘Openness’ principle. Most of the concerns expressed about the proposed matters to be included in a Privacy Policy related to their application to organisations. The alternative is to:

  • restrict the specific matters that the ‘Openness’ principle should require for inclusion in an organisation’s Privacy Policy to: the sort of information held; the purposes for which it is held; the steps that may be taken to access and correct personal information; and the avenues of complaint; and
  • provide that the ‘Openness’ principle should provide for more matters to be included in an agency’s Privacy Policy. These should be the four matters mentioned above, as well as the matters in respect of which agencies currently have to provide details. That is, the Privacy Policies of agencies also should address: the types of individuals about whom records are kept; the period for which each type of record is kept; and the persons, other than the individual, who can access personal information and the conditions under which they can access it.

24.60 On balance, it would be simpler to have the same ‘Openness’ principle apply to both agencies and organisations to avoid the types of complications that currently arise due to the existence of a dual set of principles.[62] It should be emphasised, however, that the central obligation in the ‘Openness’ principle is for agencies and organisations to set out clearly expressed policies in their Privacy Policies about the management of personal information. Pursuant to such an obligation, agencies may still deem it appropriate to include information in their Privacy Policies about the specific matters that they currently are obliged to address.

Guidance

24.61 The ALRC anticipates that the OPC will develop and publish general guidance to assist agencies and organisations to comply with the ‘Openness’ principle. The ALRC notes the OPC’s support for such an approach. In the absence of a need to nominate any particular area upon which such guidance should focus, it is unnecessary for the ALRC to make a specific recommendation in this regard.

Recommendation 24-1 The model Unified Privacy Principles should contain a principle called ‘Openness’. The principle should set out the requirements on an agency or organisation to operate openly and transparently by setting out clearly expressed policies on its handling of personal information in a Privacy Policy, including how it collects, holds, uses and discloses personal information. This document also should include:

(a) what sort of personal information the agency or organisation holds;

(b) the purposes for which personal information is held;

(c) the steps individuals may take to access and correct personal information about them held by the agency or organisation; and

(d) the avenues of complaint available to individuals in the event that they have a privacy complaint.

[27] W Caelli, Submission PR 99, 15 January 2007.

[28] G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[29] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[30] Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[31] Law Council of Australia, Submission PR 177, 8 February 2007; Investment and Financial Services Association, Submission PR 122, 15 January 2007; DLA Phillips Fox, Submission PR 111, 15 January 2007.

[32] Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007; Law Council of Australia, Submission PR 177, 8 February 2007.

[33] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 21–2.

[34] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[35] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007. Optus also expressed support on the basis that it was made clear that the descriptions to be given could be high-level, rather than detailed: Optus, Submission PR 532, 21 December 2007.

[36] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[37] Ibid. The OPC also stated that, where necessary, it would issue guidance on the content of an agency’s or organisation’s policies on the management of personal information.

[38] Confidential, Submission PR 570, 13 February 2008.

[39] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[40] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007. See also Confidential, Submission PR 570, 13 February 2008; Law Council of Australia, Submission PR 527, 21 December 2007.

[41] Investment and Financial Services Association, Submission PR 538, 21 December 2007; Confidential, Submission PR 536, 21 December 2007; Insurance Council of Australia, Submission PR 485, 18 December 2007. Responses to specific limbs of the proposal are addressed separately below.

[42] Confidential, Submission PR 570, 13 February 2008.

[43] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007.

[44] Suncorp-Metway Ltd, Submission PR 525, 21 December 2007.

[45] Confidential, Submission PR 536, 21 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007.

[46] Confidential, Submission PR 536, 21 December 2007.

[47] Ibid.

[48] Law Council of Australia, Submission PR 527, 21 December 2007.

[49] GE Money Australia, Submission PR 537, 21 December 2007. Concerns about the duplication of requirements in the ‘Openness’ and ‘Notification’ principles also are discussed in Ch 23.

[50] Confidential, Submission PR 570, 13 February 2008; Confidential, Submission PR 536, 21 December 2007.

[51] Confidential, Submission PR 570, 13 February 2008.

[52] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Investment and Financial Services Association, Submission PR 538, 21 December 2007; Confidential, Submission PR 536, 21 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Insurance Council of Australia, Submission PR 485, 18 December 2007.

[53] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[54] For eg, Investment and Financial Services Association, Submission PR 538, 21 December 2007; Insurance Council of Australia, Submission PR 485, 18 December 2007.

[55] Australian Unity Group, Submission PR 381, 6 December 2007.

[56] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 21–3.

[57] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Australian Unity Group, Submission PR 381, 6 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[58] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[59] A similar obligation, in relation to internal dispute resolution, is provided for in the Privacy and Personal Information Protection Act 1998 (NSW) s 33(2)(c).

[60] See Rec 31–8.

[61] See Ch 23; UPP 3(f).

[62] Such complications are discussed in Ch 18.