Summary of the OAIC’s assessment of privacy policies of 10 ACT public sector agencies

30 June 2020

Part 1: Introduction

Background

1.1 The Information Privacy Act 2014 (ACT) regulates how personal information is handled by ACT public sector agencies (ACT agencies). This Act includes a set of Territory Privacy Principles (TPPs), which cover the collection, use, storage and disclosure of personal information, and an individual’s access to and correction of that information.

1.2 The Australian and ACT Governments have a Memorandum of Understanding (MoU) for the provision of privacy services by the Office of the Australian Information Commissioner (OAIC) to ACT agencies. Under the terms of this MoU, the Australian Information Commissioner exercises some of the functions of the ACT Information Privacy Commissioner. These responsibilities include conducting assessments of the ACT agencies’ compliance with the TPPs.

1.3 A privacy policy is a key tool for ACT agencies to meet the requirements under TPP 1, which is to ensure that agencies manage personal information in an open and transparent manner.

1.4 The OAIC conducted a privacy assessment survey of the TPP 1 privacy policies of 10 ACT agencies in May 2019. This report describes the assessment and provides a summary of the key findings.

1.5 The findings of this assessment will assist with identifying inconsistent approaches to privacy management across the ACT Government, which is increasing its use of digital services.

Objective and scope

1.6 The objective of this assessment was to examine whether 10 ACT agencies had privacy policies that met the requirements of TPP 1 (open and transparent management of personal information). Specifically, the assessment considered whether the ACT agencies’ privacy policies:

  • were clearly expressed and up-to-date about the management of personal information (TPP 1.3)
  • explained:
    • the kinds of personal information that the agency collects and holds
    • how the agency collects and holds personal information
    • the purposes for which the agency collects, holds, uses and discloses personal information
    • how an individual may access personal information about themselves that is held by the agency and seek the correction of that information
    • how an individual may complain about a breach of the TPPs or a registered TPP code (if any) that binds the agency, and how the agency will deal with complaints
    • whether the agency is likely to disclose personal information to overseas recipients
    • if the agency is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy (TPP 1.4)
  • were reasonably available free of charge and in an appropriate form, such as on the agency’s website (TPP 1.5).

Methodology

1.7 The OAIC selected ACT agencies to be involved in the assessment in consultation with the ACT Justice and Community Safety (JACS) Directorate. The OAIC shortlisted ACT agencies for inclusion in the assessment based on the following criteria:

  • the agency is listed on the ACT Government’s Directory website, which is a central repository for all entities within the ACT Government
  • the agency’s core business functions involve the collection and handling of personal information.

1.8 Based on the selection criteria, the following 10 ACT agencies were found to be most suitable for inclusion in the assessment:

  • Access Canberra
  • ACT Corrective Services
  • ACT Revenue Office
  • Canberra Health Services
  • Community Services Directorate
  • Elections ACT
  • Legal Aid ACT
  • Public Trustee and Guardian
  • Transport Canberra
  • Victim Support ACT.

1.9 The assessment involved a desktop review of the selected ACT agencies’ full-length TPP 1 privacy policies, with reference to any condensed versions where appropriate. The OAIC analysed each privacy policy against criteria in four key areas:

  • Readability: was the privacy policy easy to understand, easy to navigate and up-to-date?
  • Contactability: can individuals locate contact details to ask privacy questions or make a privacy complaint?
  • Content: does the privacy policy contain the specific content required under TPP 1.4?
  • Availability and accessibility: was the policy easily accessible, freely available and in an appropriate form?

1.10 The OAIC also requested that the 10 ACT agencies advise on whether and how their privacy policy is displayed at their premises, how often their privacy policy is reviewed, whether their privacy policy is available in languages other than English, and whether individuals are charged a fee to access their privacy policy.

1.11 The findings in this report are based on the ACT agencies’ advice on these matters and the content of the ACT agencies’ privacy policies at the time the assessment was conducted.

1.12 All 10 ACT agencies responded to the OAIC’s assessment.

1.13 The OAIC examined the content and layout of the privacy policies. The OAIC did not assess the ACT agencies’ actual information handling practices as part of this assessment. The OAIC provided individualised feedback to the ACT agencies on their privacy policies and made recommendations to address any identified privacy risks. All 10 agencies accepted their respective recommendations in the individualised reports.

1.14 The OAIC referred the ACT agencies to the APP Guidelines where appropriate in this assessment. The TPPs are similar to the Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act 1988 (Commonwealth Act) that apply to organisations, and Australian Government (and Norfolk Island Government) agencies. The TPPs contain minor textual differences to the APPs which do not affect the intended meaning of the principles. For example, the phrase ‘the entity must take such steps (if any) as are reasonable in the circumstances’ is used in the APPs while a similar phrase, ‘the agency must take reasonable steps’, is used in the TPPs.

1.15 The analysis in this report sets out general findings across the 10 ACT agencies that were involved in the assessment.

Part 2: Summary of findings

Areas of good privacy practice

Readability

2.1 Most of the ACT agencies’ privacy policies (7/10) were up-to-date and indicated when they were last reviewed. Six of the privacy policies had been reviewed or updated in the six months prior to the assessment and one privacy policy was reviewed 15 months prior to the assessment.

An entity should regularly review and update its privacy policy to ensure that it reflects the entity’s information handling practices. This review could, at a minimum, be undertaken as part of an entity’s annual planning processes.

2.2 All ACT agencies’ privacy policies mentioned their personal information management practices are in accordance with the Information Privacy Act 2014 (ACT), indicating an awareness of their obligations under the TPPs.

2.3 In this assessment, we noted that half of the assessed ACT agencies had taken a layered approach for their privacy policies by providing a condensed version of the policy and a link to the full-length policy, which was aimed at assisting with a reader’s understanding of the information.

A layered approach provides a summary version of the full privacy policy in the first instance, with a user-centric focus on information that a reader would like to know. The summary version will contain a link to the full privacy policy for further information.

2.4 A summary of good readability practices is listed below at Table 1:

Table 1
ACT agenciesUp-to-dateDate of review published onlineAware of TPP obligationsLayered approach
Access Canberra Unclear[1] Yes Yes Yes
ACT Corrective Services Yes Yes Yes Yes
ACT Revenue Office   Yes Yes Yes
Canberra Health Services Yes Yes Yes  
Community Services Directorate Yes   Yes  
Elections ACT Yes Yes Yes Yes
Legal Aid ACT Yes   Yes  
Public Trustee and Guardian Unclear[2]   Yes Yes
Transport Canberra Yes Yes Yes  
Victim Support ACT Yes Yes Yes  

Contactability

2.5 All ACT agencies had some form of contact information available for individuals to contact the agency for requests to access and correct personal information, or to make a privacy complaint.

Content

2.6 The specific content requirements under TPP 1.4 were addressed in the majority of privacy policies. These are listed below at Table 2:

Table 2
TPPThe privacy policy contains information about…Compliant policies
1.4(a) the kinds of personal information that the agency collects and holds 10/10
1.4(b) how the agency collects and holds personal information (discussed further, below) 10/10
1.4(c) the purposes for which the agency collects and holds personal information 10/10
1.4(c) the purposes for which the agency uses and discloses personal information 10/10
1.4(d) how an individual may access and correct personal information about them that is held by the agency 10/10
1.4(e) how an individual may complain about a breach of the TPPs, or a registered TPP code if one applies 10/10
1.4(e) how the agency will deal with such a complaint 10/10
1.4(f) whether the agency is likely to disclose personal information to overseas recipients 9/10
1.4(g) if the agency is likely to disclose personal information to overseas recipients — the countries in which such recipients are likely to be located (discussed further, below) 2/10

2.7 All ACT agencies referenced the OAIC in some capacity for complaint-handling purposes, which is a good privacy practice.

Information about dealing with complaints could include details such as the entity’s complaint handling process and the length of time an individual could expect it to take.

Availability and accessibility

2.8 All ACT agencies had their privacy policy available online and easily accessible. The privacy policy typically appeared as a direct link at the bottom of the home page.

2.9 All ACT agencies advised that their privacy policy was available free of charge.

2.10 Half of the ACT agencies advised that they display their privacy policy at their premises, such as at entry points to buildings, shopfronts and/or offices. Access Canberra demonstrated the good practice of displaying its condensed privacy policy at its premises with access to the full-length privacy policy through tablets. This is a good accessibility measure as it allows access by individuals who regularly interact with the agency but may not have internet access.

2.11 Four ACT agencies had their full-length privacy policies in HTML format (i.e. the policy appeared as a webpage), which is a good accessibility measure. Community Services Directorate and Victim Support ACT further enhanced accessibility by installing listening functions in the HTML format of their privacy policies to allow access by individuals with special needs (such as vision impairment).

2.12 A summary of availability and accessibility practices are listed below at Table 3:

Table 3
ACT agenciesPolicies online and easily accessibleFree of chargeDisplayed on premisesFull-length policy in HTML format
Access Canberra Yes Yes Yes  
ACT Corrective Services Yes Yes Yes  
ACT Revenue Office Yes Yes   Yes
Canberra Health Services Yes Yes    
Community Services Directorate Yes Yes   Yes
Elections ACT Yes Yes    
Legal Aid ACT Yes Yes Yes Yes
Public Trustee and Guardian Yes Yes Yes  
Transport Canberra Yes Yes    
Victim Support ACT Yes Yes Yes Yes

Areas for improvement

Readability

2.13 The most common recommendation in this assessment related to the ACT agencies improving the readability of their privacy policies.

‘Clearly expressed’ – language

2.14 The OAIC considered the language used in each privacy policy, the length of each policy, and the way in which each policy was formatted, to form a view about how clearly expressed the policies were for the purposes of TPP 1.3. Some ACT agencies repeated the legal obligations under the 13 TPPs in their privacy policy, which impacted their readability.

2.15 The majority of privacy policies (6/10) contain a disclaimer section, which states that ‘it is your responsibility to verify all information provided by this web site and/or web sites linked to or from this site’ or that ‘the internet is an insecure medium’. Privacy policies should explain how the agency manages the personal information that it handles and should not contain irrelevant details such as disclaimers. The OAIC made suggestions whenever ACT agencies included disclaimers in its privacy policies.

A clearly expressed privacy policy should be easy to understand (avoiding jargon, legalistic and in-house terms), easy to navigate, and only include information that is relevant to how an entity manages personal information.

2.16 The OAIC’s assessments of the readability of the privacy policies were combined with outputs from the Flesch-Kincaid Reading Ease test.[3] This test takes a number of factors into account to calculate the readability of a text, such as the total number of words, average sentence length, and the percentage of complex words.

2.17 One output from the Flesch-Kincaid Reading Ease test that the OAIC considered was the ‘reading age’ of each policy. The reading age refers to a calculation of how old an individual needs to be in order to understand a document.

2.18 The reading age results for the 10 privacy policies were as follows:

Flesch-Kincaid reading ageNumber of policies with that reading age
18-19 1
19-20 2
20-21 2
21-22 1
23-24 1
Unclear (discussed below) 3

2.19 The OAIC had regard to audiences likely to access the ACT agencies’ privacy policies. Given the nature of the ACT Government’s operations, it is most likely that the general audience of these privacy policies are over 18 years of age.

2.20 All 10 of the ACT agencies’ privacy policies were above the reading age of 18, three of which were ‘unclear’ as the Flesch-Kincaid test did not produce any results. This suggests that the privacy policy may be too complicated for an average reader.

2.21 The OAIC recommended that all 10 ACT agencies review their privacy policies to improve readability as they all had (or if unclear, were assumed to have) a reading age of 18 or higher.

‘Clearly expressed’ – length and presentation

2.22 Victim Support ACT had the longest full-length privacy policy with over 9,000 words, which was the clear outlier amongst all the policies. The length of most of the privacy policies ranged between 2,400 to 3,800 words.

2.23 There did not appear to be a clear correlation between the length of a policy and its Flesch-Kincaid reading age. That is, the longer policies did not necessarily have higher reading ages, and the shorter policies did not necessarily have lower reading ages. For example, Victim Support ACT had the lowest reading age in this assessment even though the policy was the longest. However, the OAIC considers the policy length of over 12 pages (approximately 4,000 words) as a privacy risk as it impacts on the readability.

2.24 While five ACT agencies took a layered approach for their privacy policies, four of the five policies were inconsistent in content between the full-length and condensed versions. ACT Revenue Office was the only agency whose content was consistent between the layers.

2.25 The OAIC found inconsistencies in Access Canberra and ACT Corrective Services’ privacy policies when describing their approach to the handling of sensitive information. The condensed version of both policies state that sensitive personal information will not be collected or disclosed without the individual’s consent, but neither acknowledge that this is subject to a range of exceptions. However, both full-length privacy policies do acknowledge the exceptions.

2.26 Where the OAIC made a recommendation about readability, the OAIC also suggested that the agencies review their privacy policies to increase the use of ‘plain English’[4] throughout, as well as considering adjustments to formatting and presentation.

‘Up-to-date’ policies

2.27 The OAIC relied on advice from the ACT agencies about when their policies were last updated. This information was not available in the online policies of three agencies.

2.28 In these cases, the OAIC recommended that the ACT agency include the date of last review in the privacy policy so that a reader can easily determine whether the policy is up to date.

Contactability

2.29 While all ACT agencies had some form of contact information available for individuals with privacy concerns or queries, in a number of cases, the contact details listed were in the form of a generic email address, which does not relate to privacy matters or complaints. It would be better privacy practice for the contact information to direct an individual to a dedicated privacy contact.

2.30 A few ACT agencies did not provide adequate contact information for individuals to submit a privacy question or complaint. For example, both Legal Aid ACT and Canberra Health Services did not provide a postal address should an individual wish to complain by mail. ACT Revenue Office requires all complaints and feedback to be made in writing, but no email address was provided. Instead, individuals are required to use the online contact form, which lists a number of topics but none that relate to privacy-specific complaints or enquiries.

At a minimum, the privacy policy should state:

the position title, telephone number, postal address and email address of a contact person for complaints about a breach of the TPPs or a binding registered TPP code. An entity could establish a privacy-specific or complaint handling email address that will not change with staff movements (for example, privacy@agency.act.gov.au).

Content

Collection and storage of personal information

2.31 It was good practice that all ACT agencies provided information on how the agency collects and holds personal information. However, four ACT agencies (Access Canberra, ACT Revenue Office, Legal Aid ACT and Transport Canberra) provided limited information on how personal information is held. While no recommendation was made, the OAIC made suggestions to consult the OAIC’s APP Guidelines on reasonable steps agencies could take to describe how they store and secure personal information.

The privacy policy must describe an entity’s usual approach to holding personal information. This should include how the entity stores and secures personal information. For example, the policy may explain that personal information is stored by a third party data storage provider, or is combined or linked to other information held about an individual. The description of security measures should not provide details that jeopardise the effectiveness of those measures.

Overseas disclosures

2.32 While most ACT agencies (9/10) provided information about whether they were likely to disclose personal information to overseas recipients, only Victim Support ACT and ACT Corrective Services also met the requirement to specify in their privacy policy the countries where those overseas recipients are likely to be located. Both agencies listed circumstances where information could be disclosed overseas including the use of Google Analytics for information analysis by contracted third party providers based in the United States of America. ACT Revenue Office did not include any information on the likelihood of overseas disclosures nor which countries the recipients are likely to be located, which is required under TPP 1.4(f) and (g).

2.33 Of the nine ACT agencies that provided information about whether they were likely to disclose personal information to overseas recipients, only Elections ACT specified that it was not likely to disclose overseas. In that case, the OAIC suggested that Elections ACT review the likelihood of overseas disclosures as an ongoing concern and clarify its position in the privacy policy if circumstances change.

2.34 In its online full-length privacy policy, Public Trustee and Guardian noted its view that it would be too exhaustive to list all the overseas recipients to which it is likely to disclose personal information. In that case, instead of a recommendation, the OAIC suggested that the agency consider some of the practical options suggested in the OAIC’s APP Guidelines. These options may include listing overseas countries in an appendix to the privacy policy rather than in the body of the policy or including a link in the privacy policy to a regularly updated list of those countries, accessible from the agency’s website.

2.35 Of the remaining seven ACT agencies that indicated they were likely to disclose personal information to overseas recipients, five ACT agencies did not specify which countries in their privacy policies, which is required under TPP 1.4(g).

A privacy policy must set out whether personal information is likely to be disclosed to overseas recipients, and if overseas disclosure is likely, specify the countries in which such recipients are likely to be if practicable to do so in the policy. This includes a likely disclosure to a related body corporate located overseas, and the country in which that body is located. This ensures that the management of personal information is open and transparent to individuals, which increases confidence and trust.

Reference to the ‘OAIC’

2.36 While all ACT agencies mentioned the OAIC in the ‘how to make complaints’ section of their privacy policies, half of the agencies incorrectly referred to the OAIC as ‘Australian Privacy Commission’, ‘Australian Privacy Commissioner’ or ‘Information Privacy Commission’. In those cases, the OAIC suggested the agencies update the references to ‘Office of the Australian Information Commissioner’ as the independent body for privacy complaints.

Availability and accessibility

2.37 The majority of ACT agencies (6/10) required individuals to download a separate PDF document in order to access the full-length privacy policy.

2.38 Where this occurred, the OAIC recommended that those agencies improve the accessibility of their privacy policy by providing it in HTML format.

2.39 None of the ACT agencies had their privacy policy available in a language other than English. Four ACT agencies (Access Canberra, ACT Corrective Services, Legal Aid ACT and Public Trustee and Guardian) advised that they had translating and interpreting services available as well as access to the National Relay Service[5] upon request. These are good accessibility measures.

2.40 ACT Revenue Office and Canberra Health Services advised that additional accessibility services are available, however, this is not mentioned in their privacy policy, so readers may not be aware of these services. In those cases, the OAIC suggested that agencies insert a short sentence in the privacy policy explaining that additional accessibility services are available and provide a link to that webpage.

TPP 1 does not require that a privacy policy must be available in languages other than English, but it does require the policy to be accessible to the audience it is intended for. With this in mind, entities should consider whether translations of its privacy policy would be appropriate to meet the needs of individuals from non-English speaking backgrounds.

Footnotes

[1] There was a discrepancy between the date in the published full-length version of the privacy policy and the agency’s advised date.

[2] No date was published online, and the agency did not advise the OAIC of the last date of review or update.

[3] The test can be found at http://read-able.com/. ‘Test by direct input’ was used for all targets in this assessment as this method focuses on the main content of the page and removes any skew in the results due to navigational elements on a webpage.

[4] ‘Plain English’ refers to language that is clear, concise, and avoids using technical jargon.

[5] The National Relay Service is a Government initiative that allows people who are deaf, hard of hearing and/or have a speech impairment to make and receive phone calls.

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au