Summary of the OAIC’s assessment of privacy policies of 20 DVS business users in the finance sector
Assessment undertaken: July 2018
Draft report issued: January 2019
Final report issued: August 2019
Part 1: Introduction
1.1 The Office of the Australian Information Commissioner (OAIC) has a range of functions and powers that protect the privacy of individuals by ensuring the proper handling of personal information. These functions and powers are conferred by the Privacy Act 1988 (Privacy Act) and by other legislation containing privacy protection provisions.
1.2 The OAIC conducted a privacy assessment survey of the privacy policies of 20 Document Verification Service (DVS) business users in the finance sector in July 2018. This report describes the assessment and provides a summary of the key findings.
1.3 The DVS is a national online system that allows agencies or organisations to collect personal information from an identity document presented by an individual, with their consent, and compare it against the original record of the document held by the Government agency that issued the document. The DVS is managed by the Department of Home Affairs (Home Affairs).
1.4 Identity documents that can be verified by the DVS include, but are not limited to, passports and visas, birth certificates, driver licences, and Medicare cards. DVS verification transactions are conducted in real time to inform decisions that rely upon the confirmation of an individual’s identity, such as an application for credit.
1.5 The DVS is available to certain organisations operating under legislated client identification requirements. In this report, the term ‘business user’ refers to these organisations.
Objective and scope
1.8 This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether personal information held by an entity is being maintained and handled in accordance with the APPs.
- were clearly expressed and up-to-date about the management of personal information (APP 1.3)
- the kinds of personal information that the business user collects and holds
- how the business user collects and holds personal information
- the purposes for which the business user collects, holds, uses and discloses personal information
- how an individual may access personal information about themselves that is held by the business user and seek the correction of that information
- how an individual may complain about a breach of the APPs or a registered APP code (if any) that binds the business user, and how the business user will deal with complaints
- whether the business user is likely to disclose personal information to overseas recipients
- if the business user is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy (APP 1.4)
- were reasonably available free of charge and in an appropriate form, such as on the business users’ websites (APP 1.5).
1.10 The OAIC selected business users to be involved in the assessment in consultation with Home Affairs. Home Affairs provided the OAIC with monthly DVS transaction data for August 2017, December 2017 and May 2018. The OAIC shortlisted business users for inclusion in the assessment based on the following criteria:
- the business user was from the finance sector. The finance sector is a high-volume user of the DVS and was the most commonly complained-about sector in privacy complaints to the OAIC in 2016–17
- the business user conducted 200 or more DVS verification transactions across each of the three months. This was to ensure that the assessment targeted frequent users of the DVS.
1.11 Of the shortlisted business users, the OAIC randomly selected 20 for inclusion in the assessment.
- Contactability: can individuals locate contact details to ask privacy questions or make a privacy complaint?
- Availability and accessibility: was the policy easily accessible, freely available and in an appropriate form?
1.14 The findings in this report are based on the business users’ advice on these matters and the content of the business users’ privacy policies at the time the assessment was conducted.
1.15 The OAIC examined the content and layout of the privacy policies. The OAIC did not inspect business users’ actual information handling practices as part of this assessment. The OAIC provided individualised feedback to the business users on their privacy policies and made recommendations to address any identified privacy risks.
1.16 The analysis in this report sets out general findings across the 20 business users that were involved in the assessment, which remain anonymous.
Part 2: Summary of findings
Areas of good privacy practice
2.1 Most of the business users’ privacy policies were up to date. Fourteen of the privacy policies had been reviewed or updated in the six months prior to the assessment.
2.2 In this assessment, we noted that some business users had updated their privacy policies to take account of the European Union General Data Protection Regulation (GDPR), which had commenced a short time prior to the assessment.
2.3 All business users had some form of contact information available for individuals to contact the business user for requests to access and correct personal information, or to make a privacy complaint.
2.4 The specific content requirements under APP 1.4 were addressed in the majority of privacy policies. These are listed below:
| APP | Content requirement | Policies addressing it |
| --- | --- | --- |
| 1.4(a) | the kinds of personal information that the business user collects and holds | 18/20 |
| 1.4(b) | how the business user collects and holds personal information | 19/20 |
| 1.4(c) | the purposes for which the business user collects and holds personal information | 19/20 |
| 1.4(c) | the purposes for which the business user uses and discloses personal information | 19/20 |
| 1.4(d) | how an individual may access and correct personal information about them that is held by the business user | 19/20 |
| 1.4(e) | how an individual may complain about a breach of the APPs, or a registered APP code if one applies | 17/20 |
| 1.4(e) | how the business user will deal with such a complaint (discussed further, below) | 14/20 |
| 1.4(f) | whether the business user is likely to disclose personal information to overseas recipients | 18/20 |
| 1.4(g) | if the business user is likely to disclose personal information to overseas recipients — the countries in which such recipients are likely to be located (discussed further, below) | 12/20 |
Availability and accessibility
Areas for improvement
2.9 The most common recommendation in this assessment related to business users improving the readability of their privacy policies.
‘Clearly expressed’ – language
2.11 The OAIC’s assessments of the readability of the privacy policies were combined with outputs from the Flesch-Kincaid Reading Ease test. This test takes a number of factors into account to calculate the readability of a text, such as the total number of words, average sentence length, and the percentage of complex words.
2.12 One output from the Flesch-Kincaid Reading Ease test that the OAIC considered was the ‘reading age’ of each policy. The reading age refers to a calculation of how old an individual needs to be in order to understand a document.
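As an added illustration, not part of the OAIC report, the following Python computes the two standard Flesch-Kincaid scores (Reading Ease, and the grade-level score from which a reading age is derived) over two constructed privacy-policy extracts: a short plain-English one and a single long sentence of the kind common in finance-sector policies. The syllable counter is a simple vowel-group heuristic and the grade-to-age offset of five years is an assumption, so the outputs are indicative rather than exact, which is how the report treats them.

```python
import re
from typing import Dict

# Heuristic syllable counter: count vowel groups, drop one for a trailing
# silent "e" (but not for "-le" or "-ee" endings), never return less than one.
_VOWEL_GROUPS = re.compile(r"[aeiouy]+")


def count_syllables(word: str) -> int:
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    groups = len(_VOWEL_GROUPS.findall(w))
    if w.endswith("e") and not w.endswith(("le", "ee")) and groups > 1:
        groups -= 1
    return max(1, groups)


def readability(text: str) -> Dict[str, float]:
    """Return word/sentence/syllable counts plus Flesch-Kincaid scores.

    reading_ease : 206.835 - 1.015*(words/sentences) - 84.6*(syllables/words)
    grade_level  : 0.39*(words/sentences) + 11.8*(syllables/words) - 15.59
    reading_age  : grade_level + 5 (assumption: US school grade plus five years)
    """
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    syllables = sum(count_syllables(w) for w in words)
    if not sentences or not words:
        # Empty input: report zeros instead of dividing by zero.
        return {"words": 0, "sentences": 0, "syllables": 0,
                "reading_ease": 0.0, "grade_level": 0.0, "reading_age": 0.0}
    words_per_sentence = len(words) / len(sentences)
    syllables_per_word = syllables / len(words)
    ease = 206.835 - 1.015 * words_per_sentence - 84.6 * syllables_per_word
    grade = 0.39 * words_per_sentence + 11.8 * syllables_per_word - 15.59
    return {
        "words": len(words),
        "sentences": len(sentences),
        "syllables": syllables,
        "reading_ease": ease,
        "grade_level": grade,
        "reading_age": grade + 5,
    }


# Constructed sample text (not quoted from any assessed policy).
PLAIN_POLICY = (
    "We collect your name and date of birth. "
    "We use it to verify your identity."
)

# Constructed sample text in the dense register the report recommends against.
COMPLEX_POLICY = (
    "Personal information collected in connection with the provision of "
    "financial services, including identification documents verified through "
    "the Document Verification Service, may be disclosed to related entities, "
    "service providers and regulatory authorities where permitted by "
    "applicable legislation."
)

if __name__ == "__main__":
    for label, text in (("plain", PLAIN_POLICY), ("complex", COMPLEX_POLICY)):
        r = readability(text)
        print(f"{label:8s} words={r['words']:3d} sentences={r['sentences']} "
              f"ease={r['reading_ease']:6.1f} grade={r['grade_level']:5.1f} "
              f"reading_age~{r['reading_age']:.0f}")
```

Running the module prints one line per sample; the plain extract lands at roughly an upper-primary reading age while the single long sentence scores well beyond the highest school grade, which matches the report's observation that dense financial wording, not policy length alone, drives the reading age up.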
2.13 The reading age results for the 20 privacy policies were as follows:
| Flesch-Kincaid reading age | Number of policies with that reading age |
| --- | --- |
2.15 The OAIC had regard to the nature of the business users’ operations. The financial services that the business users offer are, in some cases, only available to individuals 18 years or older. Describing these services in privacy policies involves using some complex financial terms and phrases, which would increase the reading age in measurements like the Flesch-Kincaid Reading Ease test.
2.16 Nevertheless, the OAIC considered that the readability of most privacy policies could be improved with a review that focuses on increasing the use of ‘plain English’ throughout, as well as considering adjustments to formatting and presentation.
‘Clearly expressed’ – length and presentation
2.18 There did not appear to be a clear correlation between the length of a policy and its Flesch-Kincaid reading age. That is, the longer policies did not necessarily have higher reading ages, and the shorter policies did not necessarily have lower reading ages. Aside from the two outliers, the OAIC did not make specific recommendations regarding policy length in this assessment.
2.20 None of the 20 privacy policies used a layered approach.
A layered approach is particularly effective in the online environment. It would also be an effective way for organisations that use complex personal information handling practices to be more transparent with individuals about those practices.
2.22 While most of the privacy policies were up to date, in a number of cases (9/20) this information was not available in the policy. The OAIC relied on advice from the business user about when the policy was last updated.
2.24 While all business users had some form of contact information available for individuals with privacy concerns or queries, in a number of cases, the contact details listed were in the form of a generic email address or switchboard line. It would be better privacy practice for the contact information to direct an individual to a dedicated privacy contact.
2.25 While the majority of business users provided information in their privacy policies about how to make a complaint, a smaller number (14/20) specified how they would deal with one.
Information about dealing with complaints could include details like the business users’ complaint handling process, and the length of time an individual could expect it to take.
2.28 Of the 18 business users that provided information about whether they were likely to disclose personal information to overseas recipients, two business users specified that they were not likely to do so.
2.29 Of the remaining 16 business users that indicated they were likely to disclose personal information to overseas recipients, six business users did not specify the location of the disclosures in their privacy policies.
Availability and accessibility
Refer to Complaints, Privacy section of Part 2 Performance, Annual Report 2016–17 for more information.
‘Plain English’ refers to language that is clear, concise, and avoids using technical jargon.
Allowing empty spaces between words and lines in the layout of a document helps to offset the impact of large amounts of text, and helps the reader to flow through the text.