Short form privacy notices

Background

24.75 A short form privacy notice is a summary of an agency’s or organisation’s practices for the management of personal information. By creating a short form privacy notice, an agency or organisation will not necessarily fulfil its obligations under the openness principle. Such a notice can be useful, however, in assisting individuals to understand quickly, in broad terms, how a particular agency or organisation handles personal information.

24.76 The obligation in NPP 5.1 for an organisation to maintain a document setting out its policies on the management of personal information has been described as ‘somewhat vague about what it requires organisations to do’.[74] There is a question whether the requirement should make clear that short form privacy notices are included.

24.77 The OPC’s review of the private sector provisions of the Privacy Act recommended that the Australian Government consider amending NPP 5.1 to provide for short form privacy notices. It said that this also could clarify the obligations on organisations to provide notice and clarify the links between NPP 1.3 (notification under the collection principle) and NPP 5.1 (openness).[75] The OPC said that short form notices ‘would improve the quality of an organisation’s communication with its customers’ and, further:

A long privacy notice may not fulfil its purpose of informing a consumer because the consumer may be overwhelmed and confused … The Office’s Community Attitudes Survey reports international research that shows that people do not necessarily read privacy notices, partly because they are too long and complex.[76]

24.78 The OPC stated that it would encourage the development of short form privacy notices. It would play a more active role in assisting businesses develop their notices by ‘developing template notices for different sectors, in consultation with them, and by issuing examples of both satisfactory and unsatisfactory notices’.[77]

Submissions and consultations

24.79 In response to IP 31, many stakeholders supported the privacy principles making provision for short form privacy notices.[78] Some stakeholders noted that they already provide short form privacy notices.[79]

24.80 The OPC stated that:

Short form privacy notices are an important aspect of assisting the individual to be meaningfully informed.

Providing greater detail at the point of collection may, in fact, be counterproductive as research shows that many people do not read or do not understand lengthy privacy notices or policies.[80]

24.81 Some stakeholders stated that providing short form privacy notices does not obviate the need also to provide more detailed information, and that ‘layered’ privacy notices—involving a series of privacy notices that provide differing levels of detail—can be helpful.[81] The OPC submitted that ‘more detailed information regarding the personal information management policies of an organisation or agency’ should be made available in a separate document to individuals on request.[82]

24.82 On the other hand, while noting that short form privacy notices may be beneficial in certain circumstances, some stakeholders submitted that they should not be mandatory.[83]

24.83 In DP 72, the ALRC proposed that the OPC should continue to encourage and assist agencies and organisations to make available short form privacy notices summarising their personal information handling practices. Short form privacy notices should be seen as supplementing the more detailed information that is required to be made available to individuals under the Privacy Act.[84]

24.84 A number of stakeholders supported this proposal.[85] Privacy advocates, however, expressed concerns about the adoption of short form privacy notices. They stated that:

Many consumer representative organisations, while acknowledging an ‘information overload’ problem, view trends towards layered and short form privacy notices with suspicion, as they can too easily omit information which should be relevant to an individual’s decision whether to proceed with a transaction.

We believe that it is necessary to mandate a minimum level of information to be provided at or before the time of collection and a minimum standard of transparency and ease of navigation between specific collection notices and privacy policies. This is best achieved either in Regulations or a binding Code.[86]

24.85 GE Money Australia stated that it is not clear how short form privacy notices work to inform individuals effectively. It said:

Organisations will be required to have privacy policies, to provide specific notification to individuals and to take certain consents from individuals. Short form privacy notices could be misleading if they do not contain all the information relevant to the organisation’s proposed handling of personal information in relation to a particular product or service.[87]

ALRC’s view

24.86 The OPC should continue to encourage and guide the adoption of short form privacy notices by agencies and organisations. Short form privacy notices serve the useful purpose of communicating, in abridged form, the personal information-handling practices of agencies and organisations. As such, they are more likely to be read and understood by individuals.

24.87 The development of short form privacy notices, however, does not obviate the obligations of agencies and organisations to develop more detailed and comprehensive Privacy Policies. Similarly, agencies and organisations will still be subject to obligations under the ‘Notification’ principle to ensure that individuals are notified, or otherwise made aware, of specific matters relating to the collection of their personal information.[88] It is possible, however, that the inclusion of a specific matter in a short form notice may be sufficient for the purpose of ensuring an individual is aware of that matter for the purposes of the ‘Notification’ principle.

24.88 There is considerable merit in agencies and organisations creating ‘layered’ privacy notices. This involves making at least two versions of a privacy notice available to individuals—a comprehensive and detailed explanation of the entity’s privacy practices, and an abridged version. Both can be made available easily and cheaply in an electronic form, such as via an agency’s or organisation’s website.

24.89 The creation of short form privacy notices, however, should not be mandated by the privacy principles. First, such an approach is inconsistent with the intention of having high-level principles in the Privacy Act.[89] Secondly, it may not be appropriate, practical and necessary for an agency or organisation to develop short form notices in addition to complying with its obligations under the ‘Openness’ and ‘Notification’ principles. For example, it may be overly burdensome, and render little by way of additional privacy protection, to require a small business that holds a minimal amount of personal information to produce short form notices.

Recommendation 24–3 The Office of the Privacy Commissioner should continue to encourage and assist agencies and organisations to make available short form privacy notices summarising their personal information-handling practices. Short form privacy notices should be seen as supplementing the more detailed information that is required to be made available to individuals under the Privacy Act.

[74] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 91.

[75] Ibid, rec 19.

[76] Ibid, 91–92.

[77] Ibid, rec 20. In August 2006, the OPC launched its layered privacy policy notice. See Office of the Privacy Commissioner, ‘Release of Privacy Impact Assessment Guide and Layered Privacy Policy’ (Press Release, 29 August 2006) and Office of the Privacy Commissioner, Privacy Policy (2006).

[78] See, eg, Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Law Council of Australia, Submission PR 177, 8 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007; Microsoft Australia, Submission PR 113, 15 January 2007.

[79] AAMI, Submission PR 147, 29 January 2007; DLA Phillips Fox, Submission PR 111, 15 January 2007.

[80] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007. See also Investment and Financial Services Association, Submission PR 122, 15 January 2007; Microsoft Australia, Submission PR 113, 15 January 2007.

[81] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007; Microsoft Australia, Submission PR 113, 15 January 2007.

[82] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[83] See, eg, Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007.

[84] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 21–5.

[85] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Australian Unity Group, Submission PR 381, 6 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007. Optus noted that it provides short form privacy policies and had ‘no objection’ to the proposal: Optus, Submission PR 532, 21 December 2007.

[86] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007. See also Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[87] GE Money Australia, Submission PR 537, 21 December 2007.

[88] See Ch 23.

[89] See Rec 18–1.