Guidelines for Federal and ACT Government Websites

March 2003

The purpose of these Guidelines is to assist Federal and ACT government agencies to adopt best privacy practice and comply with the Privacy Act 1988 (Cth) (Privacy Act) in respect to their websites. If personal information may be transmitted, published, solicited and collected via the Internet, agencies need to consider the relevant privacy implications when considering their web strategies. It is the responsibility of agencies to ensure that their website implementation complies with the Privacy Act and addresses the privacy concerns of net users.

It is not possible in this document to provide advice that will cover all possible agency website implementations. If you need further advice please contact the Office of the Australian Information Commissioner (OAIC) at enquiries@oaic.gov.au.

 Background

Several online surveys have indicated that privacy is a major issue for net users. The concerns raised include a lack of transparency regarding the use and disclosure of personal information by websites, the tracking of an individual's activities at websites and concerns about the security of personal information in the Internet environment. It is widely considered that individuals need to trust that their privacy will be protected before they make significant use of the Internet for services such as Electronic Commerce and Electronic Service Delivery.

 Summary of the Guidelines

Openness

Guideline 1. Agency Websites should incorporate a prominently displayed Privacy Statement which states what information is collected, for what purpose and how this information is used, if it is disclosed and to whom and addresses any other relevant privacy issues.

Collection of Personal Information via Websites

Guideline 2. Agencies that solicit or collect personal information via their websites must comply with Information Privacy Principles (IPPs) 1-3. Agency website privacy statements should include a statement regarding this collection which complies with IPP 2. Where an online form is used to collect personal information the statement should be on the same page as the form or prominently linked to it.

Security

Guideline 3. If personal information is collected via an agency website this should be done by sufficiently secure means. Individuals should be provided with alternative means of providing personal information to the agency, other than via the website. The Privacy statement should address security issues where appropriate.

Publication

Guideline 4. Where agencies are considering the publication of personal information regarding individuals on the web they should be sure that this complies with IPPs 1-3 and 10 and 11.

 Explanation of the Guidelines

Openness

Privacy Statement or Policy

In response to these concerns many websites now include a Privacy Statement or Policy which states what information is collected about individuals when they visit the website, how it is used and if it is disclosed. This is now considered to be best practice.

Clickstream Data and Cookies

The Privacy Act defines personal information as "...information. about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion." Some information collected by website hosts about individuals visiting the site will not in itself identify the individual. This is sometimes called "clickstream data" and consists of information collected automatically and logged due to the nature of the communications protocols. Our Privacy Policy sets out the click stream data collected.

Even though clickstream data may not in itself identify individuals, and so may not be personal information as defined in the Privacy Act, it is recommended, in the interests of transparency that website Privacy Statements and Policies state what clickstream data is collected.

Cookies can also be used to track individuals' activities on websites. Like clickstream data, cookies may not conform to the Privacy Act definition of personal information, however many net users consider cookies to be intrusive. If a website uses cookies it is recommended that the Privacy Statement or Policy state that they are used and for what purpose.

Guideline 1. Agency websites should incorporate a prominently displayed Privacy Statement which states what information is collected, for what purpose and how this information is used, if it is disclosed and to whom and addresses any other relevant privacy issues.

Collection of Personal Information via Websites

Some agencies may collect e-mail addresses when individuals e-mail the agency via the website. Agencies may also use electronic forms to solicit personal information related to the agency's functions. This will become more widespread as agencies employ the Internet for Electronic Service Delivery. Where agencies solicit and collect personal information via their websites, they must comply with the collection Information Privacy Principles (IPPs 1-3)of the Privacy Act.

IPP 1.1 requires the collector to only collect personal information for a lawful purpose, directly related to the function or activity of the collector and that the collection be necessary for or directly related to that purpose. IPP 1.2 requires that personal information not be collected by unlawful or unfair means. IPP 3 makes similar requirements for when personal information is solicited by the collector. To comply with the collection principles agencies should not collect or solicit personal information via their websites which would be unlawful, unnecessary or unrelated to their functions and collection should not be unfair or unreasonably intrusive.

IPP 2 requires that agencies provide notice to individuals where any personal information is solicited from the individual concerned. The notice should cover all those matters addressed by IPP 2, namely the purpose for which the information is being collected (including if the information is to be published), the legal authority for the collection if it is authorised or required by or under law and any usual disclosures made by the agency.

An example of part of a Privacy Statement for a site that collects e-mail addresses is below.

We will only record your e-mail address if you send us a message. It will only be used for the purpose for which you have provided it and will not be added to a mailing list. We will not use your e-mail address for any other purpose, and will not disclose it, without your consent.

Guideline 2. Agencies that solicit or collect personal information via their websites must comply with IPPs 1-3. Agency website privacy statements should include a statement regarding this collection which complies with IPP 2. Where an online form is used to collect personal information the statement should be on the same page as the form or prominently linked to it.

Security

IPP 4 (a) requires record-keepers to ensure that records containing personal information are protected by such security safeguards as are reasonable in the circumstances to protect against loss, unauthorised access, use, modification, disclosure and other misuse. Agencies must ensure that their internal networks and databases which contain personal information are sufficiently protected from unauthorised access via their website and any Internet connection. Firewall technology is often used to protect internal networks from the web. The Defence Signals Directorate issues guidelines and provides advice for Federal Government agencies on security.

When agencies solicit or collect information from individuals using electronic forms or e-mail they should make it clear to the individual the risks associated with using the Internet as the transmission medium and notify the individual of any other options there are available for providing the information. For example, the individual may prefer to use the telephone or provide a response on paper.

If any security measures, such as encryption, are provided information regarding these should be provided to the individual. For example, the agency may include a hyperlink to a brief statement about Internet security and, if they use encryption, to a statement about the product used and the level of protection it provides.

Guideline 3. If personal information is collected via an agency website this should be done by sufficiently secure means. Individuals should be provided with alternative means of providing personal information to the agency, other than via the website. The Privacy statement should address security issues where appropriate.

Publication

Generally Available Publications (GAP)

The definition of a record in section 6 of the Privacy Act excludes a Generally Available Publication (GAP). A GAP is defined in the Privacy Act as a "... publication that is or will be generally available to members of the public." Most websites are accessible to anyone with web access. If a website is accessible to the public then it fits the Privacy Act definition of a GAP. Some websites may be protected cryptographically and accessible only to users with a key or password (these are sometimes called extranets or virtual private networks) and other websites may exist within an agency or organisation and only be accessible to staff (sometimes called intranets). Sites such as these which are not generally available to the public are not GAPs.

While not prevented by the Privacy Act, the web publication of GAPs (not originally published on the web) can raise privacy concerns. Agencies should carefully consider the appropriateness of:

  • placing GAPs which contain personal information on the web, as this information may be exposed to a much wider audience than originally intended and
  • publishing on the web, personal information which was collected for inclusion in a less widely available publication.

Agencies should also be aware that the Privacy Act applies to any disclosures or publications of personal information they hold in their records regardless of whether the same information is included elsewhere in a GAP. Therefore agencies should not disclose or publish their records of personal information on the web simply because the same information is made publicly available in another form. Another option may be to de-identify or remove personal information from the document before publishing it on the web.

Publication of Personal Information on a Website

Agencies may publish personal information if it is collected for this purpose and if the collection complies with the Privacy Act. If the personal information was not collected for inclusion in a publication, it may only be published if allowed by one of the exceptions to IPPs 10 and 11 (which, respectively limit the use and disclosure of personal information). IPP 10.1(a) allows the use of personal information for another purpose if the individual concerned has consented to the new use. IPP 11.1(b) allows disclosure of personal information where the individual concerned has consented to the disclosure. It is important, where consent for publication is sought, that it is informed consent.

The individual should be given to understand that if their personal information is published on the web then it will be accessible to millions of users from all over the world, that their information can be searched for using an identifier such as the individual's name and that their information can be copied, and used by any web user. Most importantly, the individual should be made aware that once their personal information has been published on the web, the agency has no control over its subsequent use and disclosure.

While there are other exceptions in IPPs 10 and 11 which may allow the publication of personal information on the web these circumstances seem unlikely. Agencies should seek advice from the OAIC if these circumstances arise.

The staff of Federal Government agencies are entitled to the same protection, afforded by the Privacy Act, as agency clients. However, IPP 10.1(e) allows the publication of personal information if this is directly related to the purpose for which the information was obtained. The web publication of information about certain staff such as the agency head, senior officers and contact or media officers may be directly related to the purpose for which the information was obtained and therefore permitted by IPP 10.1(e). IPP 11 would permit disclosure of such details where the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that their personal information would be disclosed widely (see IPP 11.1(a)). Staff in senior positions, or positions of public contact, would normally expect their contact details to be publicly available in some form. These staff members should be advised if their personal information is to published on the web.

Other staff, however, may not expect their personal information to be published on the web or in another form. There have been instances where agencies have published entire staff telephone lists on their websites.

It is easy to download or print an entire staff list that is made available on the web. The publication and easy accessibility of this information may place staff at risk of receiving unsolicited e-mail (spam) and unwelcome attention from a range of people and organisations.

Publishing a staff list on the web, may place staff in a position where they are subject to scrutiny by people with whom they would not normally choose to share their personal information. The publication of information such as staff classifications may make the information even more interesting to third parties as the salary range associated with these classifications is publicly available information.

There may also be dangers to particular staff in publishing their personal information on the web. Individuals may be placed at risk of harassment particularly if their work involves contact with members of the public. For personal safety reasons individuals may not wish that their work contact details be published.

There may also be instances where personal information is incidentally or accidentally published on the web. Personal information may be included in documents which are published on the web. It is recommended that documents be carefully checked before being published on the web and any unnecessary personal information removed.

Guideline 4. Where agencies are considering the publication of personal information regarding individuals on the web they should be sure that this complies with IPPs 1-3 and 10 and 11.

 Web Publishing Guide

The former Office of the Privacy Commissioner (now OAIC) provided input on privacy matters to AusInfo during the drafting of their Guidelines for Commonwealth Information Published in Electronic Formats. This document has been superseded and the information incorporated into the Web Publishing Guide. The Web Publishing Guide is a valuable source of best practice for web publishing by the Australian Government. It is available from the Australian Government Information Management Office website at http://webpublishing.agimo.gov.au.

Share this page

Protecting information rights — advancing information policy