A year on and there’s room for improvement – is your privacy policy Privacy Act compliant?

It has been just over a year since the amendments to the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APP) were introduced.  One of the amendments has had the effect of requiring all APP entities to have an APP compliant privacy policy.  Having given Australian companies and agencies a year to get on board with the changes, the Office of the Australian Information Commissioner (OAIC) recently carried out an audit of the privacy policies of 20 well known Australian and international organisations and entities.

Shockingly, the OAIC found that 55% of the policies reviewed did not meet one or more of the basic content requirements under APP 1.4 (the Australian Privacy Principle which governs the content and form of APP privacy policies).  These organisations and agencies are not alone – many organisations and agencies are yet to take the necessary steps to update their privacy policies.

What kind of privacy policies were those companies and organisations supposed to have?

APPs 1.3 and 1.4 require companies and organisations to have a clearly expressed and up to date APP privacy policy detailing how they manage personal information.  Those requirements relate to the matters that must be addressed in the policy and to how the policy is presented.  Most importantly, APP 1.4 provides that there are six key points companies and organisations must address in their privacy policy – including (but not limited to) the purposes for the collection and disclosure of personal information, how an individual can request access to and the correction of their personal information, and whether the personal information might be disclosed overseas.

What else did the OAIC find?

The OAIC found that each of the organisations had a privacy policy and that those policies described the kinds of personal information collected by the entity and how that information would be collected.  Where these organisations got caught out was in their compliance with the other core privacy policy requirements.  For example, the OAIC found that:

  • 25% of the privacy policies did not outline how an individual can request access to or the correction of their personal information or adequately describe how the entity protects the personal information it holds;
  • 40% of the privacy policies did not outline how the organisation would deal with a privacy complaint it may receive; and
  • 20% of the privacy policies did not outline whether an organisation was likely to disclose personal information overseas and if so, where.

Lavan Legal comment

Making sure that you have an APP compliant privacy policy does not have to be an onerous exercise – it can be as simple as ensuring that all of those key points are addressed and that your organisation or agency is taking steps to provide access to and to administer that policy appropriately.  If you require advice as to whether your privacy policy is APP compliant, please contact Iain Freeman or Mathea McCubbing.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.