Online privacy policies: Australian Privacy Principle 1 – Summary of assessment

Date: 1 May 2015

Introduction

The Office of the Australian Information Commissioner (OAIC) conducted a privacy assessment of the online privacy policies of 20 Australian Privacy Principle (APP) entities. Each entity’s privacy policy was assessed against specific criteria drawn from APP 1, which deals with the open and transparent management of personal information. Under APP 1, entities must have a privacy policy that is clearly expressed and up-to-date.

This assessment was conducted under s 33C of the Privacy Act 1988 (Cth), which provides the Information Commissioner with the power to assess whether personal information held by an APP entity is being maintained and handled in accordance with the APPs.

Selection of assessment entities

The entities included in the assessment were drawn from a variety of sectors including finance, government and social media. The entities were selected for inclusion in this assessment if they met one or more of the following criteria:

  1. the entity was identified for follow up action during the OAIC’s Global Privacy Enforcement Network (GPEN) internet privacy sweep in 2013. The GPEN sweep looked at the top 50 most visited websites by Australians in 2013
  2. the OAIC received a large volume of complaints about the entity in 2013–14, or
  3. the entity had one of the most visited websites in Australia.

Objective and scope of the assessment

The object of APP 1 is ‘to ensure that APP entities manage personal information in an open and transparent way’ (APP 1.1). This enhances the accountability of APP entities for their personal information handling practices and can build community trust and confidence in those practices.

The assessment examined each entity’s privacy policy against specific criteria drawn from APP 1 relating to ‘accessibility’, ‘readability’, ‘contactability’ and ‘content’. Specifically, the assessment considered whether each entity’s online privacy policy:

  • was clearly expressed and up-to-date about the management of personal information (APP 1.3)
  • covered the content requirements set out in APP 1.4, and
  • was available in an appropriate form (APP 1.5).

The assessment examined the content and display of the online privacy policies but did not consider each entity’s actual or observed information handling practices.

Key findings

The individual entity results ranged from those with excellent privacy policies to those that needed improvement. In some cases, the OAIC made no recommendations because the entity covered all content requirements and the policy was easy to read and access. On the other hand, some entities had not included a range of content required under APP 1 and had not carefully considered their policy against their obligations.

All 20 entities had privacy policies that were easy to find on their websites and all the entities had taken some steps to address the requirements of APP 1.

All the privacy policies that were assessed adequately described the kinds of personal information the organisation collects and how it is collected.

The OAIC found that 55% (11) of the entities had privacy policies that did not adequately address one or more of the content requirements in APP 1.4. Specifically:

  • 25% (5) of privacy policies did not outline how an individual can request access to, or correction of, their personal information
  • 40% (8) of privacy policies did not outline how the organisation would deal with a privacy complaint it may receive
  • 25% (5) of privacy policies did not adequately describe how the organisation protects the personal information that it holds
  • 20% (4) of privacy policies did not outline whether the organisation was likely to disclose personal information overseas and the countries in which such recipients are likely to be located.

Some other key trends included:

  • 85% (17) had privacy policies provided in a WCAG 2.0 accessible format
  • All 20 entities’ policies had appropriate contact information
  • The median length of the policies assessed was 3,413 words

List of assessment entities

  1. Australia and New Zealand Banking Group Limited (www.anz.com)
  2. Commonwealth Bank of Australia (www.commbank.com.au)
  3. Department of Human Services (www.humanservices.gov.au)
  4. Gumtree (www.gumtree.com.au)
  5. Instagram (https://instagram.com)
  6. LinkedIn (www.linkedin.com)
  7. Microsoft Corporation (www.microsoft.com)
  8. National Australia Bank Ltd (www.nab.com.au)
  9. News Corp Australia (www.news.com.au)
  10. Ninemsn Pty Ltd (www.ninemsn.com.au)
  11. Origin Energy Limited (www.originenergy.com.au)
  12. Outbrain Inc (www.outbrain.com)
  13. OzBargain (www.ozbargain.com.au)
  14. St George Bank Limited (www.stgeorge.com.au)
  15. The Guardian (www.theguardian.com/au)
  16. Fairfax (www.smh.com.au)
  17. Twitter Inc (https://twitter.com)
  18. Veda Advantage Information Services and Solutions Ltd (www.veda.com.au)
  19. Westpac Banking Corporation (www.westpac.com.au)
  20. Yahoo!7 Pty Ltd (https://au.yahoo.com)
