Australian Privacy Principle 1
- Consult. Seek input from all areas of your entity including your public relations department, which may have ideas about innovative formats for better communicating the policy, for example, through video or other mechanisms relevant to the communication channel (paper, telephone, email, online) that you are using
- Focus on what is important to the reader. Do not try to cover everything in minute detail
- Keep it simple. Use simple language and test readability in content and format against external standards such as the Flesch-Kincaid grade level
- Consider having more than one policy. For large or complex entities, consider whether you need to have more than one policy (for different parts of your operation or business, or different functions or activities)
You may have some of this information already, or you may need to investigate. For example, you might need to do an audit and make a list of the personal information held by your entity, or develop policies and procedures if they are missing.
Describe your entity’s functions and activities
You should be able to describe your entity’s main functions and activities and identify those that involve personal information handling. For example:
- providing [specified] services
- conducting publicity campaigns
- handling complaints
- managing employee records
- running a website
- sending out a newsletter
For each activity you should be able to describe:
- the personal information you collect and hold, and how you collect and hold it
- the reasons, or purposes for which you collect, hold, use and disclose that personal information, and
- whether you disclose personal information to overseas entities
Understand your entity’s personal information handling procedures
You should understand your entity’s personal information handling practices, procedures and systems (written or otherwise), for the entity as a whole or for each of its key functions and activities including:
- specific approaches, principles or commitments your entity has decided to adopt for handling particular personal information. For example:
- in relation to X process or collection, the entity will link personal information across business processes in all cases, or never do so, or only do so if the individual would expect it, or only with the individual’s consent, or only if not sensitive information, or only for X purpose
- the entity will never sell information about individuals to anyone else, or will only do so in particular circumstances
- the entity will only disclose information overseas in X circumstances, or will never disclose information overseas
- processes for identifying, assessing and managing privacy and security risk, as well as developing and monitoring controls for those risks
- security protections (for example, encryption, audit and monitoring) you have in place (see APP 11.1), taking into account the guidance in the OAIC’s Guide to Information Security
- approaches to identifying and handling personal information your entity no longer needs:
- in the case of an agency holding Commonwealth records, your practices under the Archives Act1983
- in the case of an organisation, your approach to destruction or de-identification of personal information (ideally identifying from these the specific periods that have been set for archiving, destruction or de-identification of personal information relating to the key functions and activities that individuals will be concerned about) (see APPs 4.3 and 11.2)
- processes for providing access to and correction of personal information (see APPs 12 and 13)
- complaints handling processes (see APP 1.4(d))
- policies relevant to your entity’s personal information handling. For example, your approach to:
- maintaining the quality of personal information that is used and disclosed (see APP 10)
- anonymity or pseudonymity (see APP 2)
- policies for managing contractors when personal information may be disclosed.
Work out content and structure
Arrange information in a way that makes sense
You should arrange the information in a way that makes sense for your entity’s functions, activities and audience. For example, you could separate out personal information flows for particular groups for whom your entity has different information handling practices (for example, staff, consumers/clients/members, service users, business relationships).
Focus on what is likely to be most important to readers
Focus with more specific detail on the areas of personal information handling that individuals are:
- most concerned about, or may find objectionable (Why do you collect date of birth or age or health information? How are you going to protect it? Do you give or sell information about me to someone else without my knowledge or consent?)
- unaware of, won’t reasonably expect, or may not understand easily (Do you collect information about me from public sources, or from third party list brokers? Do you track me when I use your website? If so, what do you use the information for? Can I interact with you anonymously or pseudonymously?).
Be as specific as possible
Be as specific as possible about how your entity handles personal information, as this will provide clarity and trust. Creating clarity will be most important in areas of common concern such as contact details, health information, financial information or other information of a sensitive nature. Unqualified use of vague words such as ‘may’ could lead to concern about uses and disclosures that are not intended.
Summarise where possible
Accurately summarise as much as possible in areas that:
- individuals know about already (for example, where they have provided personal information directly by filling out a form)
- individuals would expect as common business or administrative practice (for example, using an address for billing purposes or to enable a contractor to perform these services on behalf of the entity)
- are common across the entity for all personal information handling.
Provide information in layers
Headings in the summary policy may vary according to the particular functions and activities of your entity, but often include:
- Scope — describes what the policy applies to
- Collection of personal information — provides the key information about what personal information is collected and why. Focus on areas that are most sensitive or that the reader would least expect
- Disclosure (sharing) — describes the key disclosures and the conditions around those disclosures. This is a good place to mention overseas disclosures. Disclosures of personal information are usually the most important to individuals, but unexpected uses could be mentioned too
- Rights and choices — describes any key choices that individuals can make, including the right to request access and correction of personal information held about them
- How to make a complaint — briefly describes how to make a complaint about privacy and what to do if they are not satisfied with the outcome
- Contact details — including (at least) a generic telephone and email address that won’t change with personnel.
- use the active tense (you, we, I) and simple language — avoid legal jargon, acronyms, and in-house terms
- use short sentences and break up text into paragraphs
- use headings to help people find information easily, including information that may particularly apply to their situation or relationship with the entity
- keep in mind how you are going to publish it — if it is going on your entity’s website, make sure it is in a form suited to online publication. For agencies, there are mandatory web accessibility standards
- take into account your main audience in the design and format of the policy — for example, if your audience is likely to view the policy via a mobile app, or, conversely, to request a hard copy (see APP 1.6) you should create a policy that works effectively in that format
- avoid unnecessary length by giving careful consideration to what information is and is not needed in your policy
- only include information that is relevant to the way your entity handles personal information — don’t include non-privacy related terms and conditions
- ensure the policy is readable. You can test this by using external standards such as the Flesch-Kincaid grade level test. You should try to keep the summary to no more than 500 words.
For a more detailed discussion of the requirements of APP 1, as well as information about the OAIC’s interpretation of the APPs and suggestions for good privacy practice, see Chapter 1 (APP 1) of the OAIC’s APP guidelines.
Management of personal information
Does the policy explain how you manage personal information?
Does the policy only include information that is relevant to how you manage personal information?
Easy to understand
Is the policy clearly expressed and understandable?
Easy to find
Is the policy easy to navigate so that people can find information that is relevant to them?
Is the policy tailored to reflect your specific functions, activities and personal information handling practices?
If you have distinct organisational areas that handle personal information differently, do you have a set of policies to cover the different personal information handled or the different practices?
Is the policy directed to the specific audiences who may be reading it?
Has the policy been reviewed recently, to ensure that it reflects your current information handling practices?
The kinds of personal information that you collect and hold.
For example, the policy:
How you collect personal information.
For example, the policy describes:
How you hold personal information.
For example, in relation to storage, the policy explains, if applicable:
For example, in relation to security, the policy explains:
The purposes for which you collect, hold, use and disclose personal information.
For example, the policy:
The policy is not expected to describe normal internal operational or business practices such as billing, financial auditing or planning.
How an individual may access their personal information and seek correction of it.
For example, the policy:
The policy of an agency could refer to processes for access and correction under the Freedom of Information Act 1982.
How an individual may complain if you or a contractor breaches the APPs or a binding registered APP code.
For example, the policy:
Whether you are likely to disclose personal information to overseas recipients (including a related body corporate), and the likely countries that information may be sent.
For example, the policy:
Other matters under APP 1.3
If your functions or activities could have a major impact on an individual’s privacy, but are exempt from some or all of the Privacy Act, the policy could outline:
Whether you retain a record of personal information about all individuals (or categories of persons) with whom you deal. For example, if you do not collect any personal information from some of the individuals you deal with, or only anonymous information, the policy could outline these circumstances.
If you hold information about individuals that is often accessed by people other than the individual themselves, for example, carers, or parents, or a law enforcement agency, the policy could outline:
If your information handling practices change frequently in ways that will importantly affect individuals, the policy could:
If you interact with and collect personal information about a vulnerable segment of the community (such as children), the policy could highlight:
Particularly where it is possible for individuals to interact with you anonymously or pseudonymously, or where individuals may often ask not to be identified, the policy could describe:
Particularly where you hold personal information of a sensitive nature or personal information that is likely to quickly go out of date, the policy could describe:
 ‘APP entity’ is defined in s 6(1) of the Privacy Act 1988 as ‘an agency or organisation’. ‘Organisation’ is defined in s 6C of the Privacy Act.
 Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable.
 See in particular, Australian Privacy Principle guidelines, Chapter 1: APP 1 — Open and transparent management of personal information, OAIC website .
 A quick online test is available at <readability-score.com>.