Publication date: 18 October 2019

Assessment undertaken: July 2018
Draft report issued: January 2019
Final report issued: August 2019

Part 1: Introduction

1.1 The Office of the Australian Information Commissioner (OAIC) has a range of functions and powers that protect the privacy of individuals by ensuring the proper handling of personal information. These functions and powers are conferred by the Privacy Act 1988 and by other legislation containing privacy protection provisions.

1.2 The OAIC conducted a privacy assessment survey of the privacy policies of 20 Document Verification Service (DVS) business users in the finance sector in July 2018. This report describes the assessment and provides a summary of the key findings.

Background

1.3 The DVS is a national online system that allows agencies or organisations to collect personal information from an identity document presented by an individual, with their consent, and compare it against the original record of the document held by the Government agency that issued the document.[1] The DVS is managed by the Department of Home Affairs (Home Affairs).

1.4 Identity documents that can be verified by the DVS include, but are not limited to, passports and visas, birth certificates, driver licences, and Medicare cards. DVS verification transactions are conducted in real time to inform decisions that rely upon the confirmation of an individual’s identity, such as an application for credit.

1.5 The DVS is available to certain organisations operating under legislated client identification requirements. In this report, the term ‘business user’ refers to these organisations.

1.6 All DVS business users must meet the eligibility criteria contained in the DVS Access Policy and Guidelines, and abide by the DVS Terms and Conditions of Use. One of these conditions is to have a privacy policy under the Privacy Act.

1.7 A privacy policy is a key tool for entities to meet the central object of Australian Privacy Principle (APP) 1, which is to ensure that entities manage personal information in an open and transparent manner.

Objective and scope

1.8 This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether personal information held by an entity is being maintained and handled in accordance with the APPs.

1.9 The objective of this assessment was to examine whether the selected 20 business users had a privacy policy that met the requirements of APP 1 (open and transparent management of personal information). Specifically, the assessment considered whether the business users’ privacy policies:

  • were clearly expressed and up-to-date about the management of personal information (APP 1.3)
  • explained:
    • the kinds of personal information that the business user collects and holds
    • how the business user collects and holds personal information
    • the purposes for which the business user collects, holds, uses and discloses personal information
    • how an individual may access personal information about themselves that is held by the business user and seek the correction of that information
    • how an individual may complain about a breach of the APPs or a registered APP code (if any) that binds the business user, and how the business user will deal with complaints
    • whether the business user is likely to disclose personal information to overseas recipients
    • if the business user is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy (APP 1.4)
  • were reasonably available free of charge and in an appropriate form, such as on the business users’ websites (APP 1.5).

Methodology

1.10 The OAIC selected business users to be involved in the assessment in consultation with Home Affairs. Home Affairs provided the OAIC with monthly DVS transaction data for August 2017, December 2017 and May 2018. The OAIC shortlisted business users for inclusion in the assessment based on the following criteria:

  • the business user was from the finance sector. The finance sector is a high volume user of the DVS and was the most commonly complained about sector in privacy complaints to the OAIC in 2016-17[2]
  • the business user conducted 200 or more DVS verification transactions across each of the three months. This was to ensure that the assessment targeted frequent users of the DVS.

1.11 Of the shortlisted business users, the OAIC randomly selected 20 for inclusion in the assessment.

1.12 The assessment involved a desktop review of the selected business users’ privacy policies in July 2018. The OAIC analysed each privacy policy against criteria in four key areas:

  • Readability: was the privacy policy easy to understand, easy to navigate and up to date?
  • Contactability: can individuals locate contact details to ask privacy questions or make a privacy complaint?
  • Content: does the privacy policy contain the specific content required under APP 1.4?
  • Availability and accessibility: was the policy easily accessible, freely available and in an appropriate form?

1.13 The OAIC also requested that the 20 business users advise on whether and how their privacy policy is displayed at their premises, how often their privacy policy is reviewed, whether their privacy policy is available in languages other than English, and whether individuals are charged a fee to access their privacy policy.

1.14 The findings in this report are based on the business users’ advice on these matters and the content of the business users’ privacy policies at the time the assessment was conducted.

1.15 The OAIC examined the content and layout of the privacy policies. The OAIC did not inspect business users’ actual information handling practices as part of this assessment. The OAIC provided individualised feedback to the business users on their privacy policies and made recommendations to address any identified privacy risks.

1.16 The analysis in this report sets out general findings across the 20 business users that were involved in the assessment, which remain anonymous.

Part 2: Summary of findings

Areas of good privacy practice

Readability

2.1 Most of the business users’ privacy policies were up to date. Fourteen of the privacy policies had been reviewed or updated in the six months prior to the assessment.

An APP entity should regularly review and update its APP Privacy Policy to ensure that it reflects the entity’s information handling practices. This review could, at a minimum, be undertaken as part of an entity’s annual planning processes.

2.2 In this assessment, we noted that some business users had updated their privacy policies to take account of the European Union General Data Protection Regulation (GDPR), which had commenced a short time prior to the assessment.

Contactability

2.3 All business users had some form of contact information available for individuals to contact the business user for requests to access and correct personal information, or to make a privacy complaint.

Content

2.4 The specific content requirements under APP 1.4 were addressed in the majority of privacy policies. These are listed below:

APP | The privacy policy contains information about… | Compliant policies
1.4(a) | the kinds of personal information that the business user collects and holds | 18/20
1.4(b) | how the business user collects and holds personal information | 19/20
1.4(c) | the purposes for which the business user collects and holds personal information | 19/20
1.4(c) | the purposes for which the business user uses and discloses personal information | 19/20
1.4(d) | how an individual may access and correct personal information about them that is held by the business user | 19/20
1.4(e) | how an individual may complain about a breach of the APPs, or a registered APP code if one applies | 17/20
1.4(e) | how the business user will deal with such a complaint (discussed further, below) | 14/20
1.4(f) | whether the business user is likely to disclose personal information to overseas recipients | 18/20
1.4(g) | if the business user is likely to disclose personal information to overseas recipients — the countries in which such recipients are likely to be located (discussed further, below) | 12/20

Availability and accessibility

2.5 All business users had their privacy policy available online, with most business users (18/20) having the privacy policy easily accessible. The privacy policy typically appeared as a direct link at the bottom of the home page.

2.6 Nearly all business users said that their privacy policy was available free of charge.

2.7 The majority of business users (15/20) had their privacy policy in HTML format (the policy appeared as a web page). The remaining business users (5/20) required individuals to download a separate PDF document in order to access the policy.

2.8 Where this occurred, the OAIC recommended that the business user improve the accessibility of their privacy policy, particularly for individuals using mobile devices, by providing it in HTML format.

Areas for improvement

Readability

2.9 The most common recommendation in this assessment related to business users improving the readability of their privacy policies.

‘Clearly expressed’ – language

2.10 The OAIC considered the language used in each policy, the length of each privacy policy, and the way in which each policy was formatted, to form a view about how clearly expressed the policies were for the purposes of APP 1.3.

A clearly expressed privacy policy should be easy to understand (avoiding jargon, legalistic and in-house terms), easy to navigate, and only include information that is relevant to how an entity manages personal information.

2.11 The OAIC’s assessments of the readability of the privacy policies were combined with outputs from the Flesch-Kincaid Reading Ease test.[3] This test takes a number of factors into account to calculate the readability of a text, such as the total number of words, average sentence length, and the percentage of complex words.

2.12 One output from the Flesch-Kincaid Reading Ease test that the OAIC considered was the ‘reading age’ of each policy. The reading age refers to a calculation of how old an individual needs to be in order to understand a document.

2.13 The reading age results for the 20 privacy policies were as follows:

Flesch-Kincaid reading age | Number of policies with that reading age
16–17 | 2
17–18 | 4
18–19 | 4
19–20 | 5
21–22 | 4
23–24 | 1

2.14 In this assessment, the OAIC recommended that business users review their privacy policy to improve readability if a policy had a reading age of 18 or higher.

2.15 The OAIC had regard to the nature of the business users’ operations. The financial services that the business users offer are, in some cases, only available to individuals 18 years or older. Describing these services in privacy policies involves using some complex financial terms and phrases, which would increase the reading age in measurements like the Flesch-Kincaid Reading Ease test.

2.16 Nevertheless, the OAIC considered that the readability of most privacy policies could be improved with a review that focuses on increasing the use of ‘plain English’[4] throughout, as well as considering adjustments to formatting and presentation.

‘Clearly expressed’ – length and presentation

2.17 The longest privacy policy was 7,570 words long and the shortest was 258 words long. These two policies were outliers amongst all of the policies. Of the remainder, the average length of the privacy policies was 2,515 words.

2.18 There did not appear to be a clear correlation between the length of a policy and its Flesch-Kincaid reading age. That is, the longer policies did not necessarily have higher reading ages, and the shorter policies did not necessarily have lower reading ages. Aside from the two outliers, the OAIC did not make specific recommendations regarding policy length in this assessment.

2.19 The privacy policies were generally displayed as a document on a standalone webpage. The policies that were easier to read made effective use of headings and ‘white space’[5]. One privacy policy demonstrated a good practice of using a drop-down menu that allowed a reader to go directly to a particular subject.

2.20 None of the 20 privacy policies used a layered approach.

A layered approach provides a summary version of the full privacy policy in the first instance, with a user-centric focus on information that a reader would like to know. The summary version will contain a link to the full privacy policy for further information.

A layered approach is particularly effective in the online environment. It would also be an effective way for organisations that use complex personal information handling practices to be more transparent with individuals about those practices.

2.21 Where the OAIC made a recommendation about readability, the OAIC also recommended that business users consider taking a layered approach to their privacy policy.

‘Up-to-date’ policies

2.22 While most of the privacy policies were up to date, in a number of cases (9/20) this information was not available in the policy. The OAIC relied on advice from the business user about when the policy was last updated.

2.23 In these cases, the OAIC recommended that the business user include the date of last review in the privacy policy so that a reader can easily determine whether the policy is up-to-date.

Contactability

2.24 While all business users had some form of contact information available for individuals with privacy concerns or queries, in a number of cases, the contact details listed were in the form of a generic email address or switchboard line. It would be better privacy practice for the contact information to direct an individual to a dedicated privacy contact.

Content

2.25 While the majority of business users provided information in their privacy policies about how to make a complaint, a smaller number (14/20) specified how they would deal with one.

Information about dealing with complaints could include details like the business users’ complaint handling process, and the length of time an individual could expect it to take.

2.26 In some instances, a privacy policy also provided the OAIC’s contact details for complaint-handling purposes. This is good privacy practice. Some business users that operated in multiple jurisdictions referred to overseas regulators, but did not also reference the OAIC.

2.27 While it was good practice that most business users (18/20) provided information about whether they were likely to disclose personal information to overseas recipients, a smaller number also met the requirement to specify the location of those overseas recipients in their privacy policy.

2.28 Of the 18 business users that provided information about whether they were likely to disclose personal information to overseas recipients, two business users specified that they were not likely to do so.

2.29 Of the remaining 16 business users that indicated they were likely to disclose personal information to overseas recipients, six business users did not specify the location of the disclosures in their privacy policies.

A privacy policy must set out whether personal information is likely to be disclosed to overseas recipients, and if overseas disclosure is likely, the countries in which such recipients are likely to be. This includes a likely disclosure to a related body corporate located overseas, and the country in which that body is located. This ensures that the management of personal information is open and transparent to individuals, which increases confidence and trust.

Availability and accessibility

2.30 Two business users advised that they display their privacy policy at their premises. Many of the business users operate on an online only basis, without physical premises, and many noted that a privacy policy could be produced on request.

2.31 The majority of business users (18/20) did not have their privacy policy available in a language other than English. The other two business users advised that they had translated their privacy policy to another language to address the needs of a group of their clients. Some business users advised that they would be willing to make a translation of the privacy policy available upon request.

APP 1 does not require that a privacy policy must be available in languages other than English, but it does require the policy to be accessible to its audience. With this in mind, organisations should consider their client base to determine whether translations of their privacy policy would be appropriate to meet the needs of clients from non-English speaking backgrounds.

[1] See https://www.dvs.gov.au/

[2] Refer to Complaints, Privacy section of Part 2 Performance, Annual Report 2016–17 for more information.

[3] The test can be found at http://read-able.com/

[4] ‘Plain English’ refers to language that is clear, concise, and avoids using technical jargon.

[5] Allowing empty spaces between words and lines in the layout of a document helps to offset the impact of large amounts of text, and helps the reader to flow through the text.