Earlier in 2015, the Privacy Commissioner (the figurehead of the Office of the Australian Information Commissioner), not content with a week devoted to privacy awareness, conducted an audit of the Privacy Policies of 21 of the nation’s biggest entities. Our ‘big four’ banks were included, as well as dozens of other businesses like Twitter, LinkedIn and Instagram. This article will look at ways to improve your Privacy Policy.
Australian Privacy Principles
Privacy policies were evaluated against Australian Privacy Principle 1, which requires organisations to have a privacy policy that is clearly expressed and up to date. If you’re interested, the Australian Privacy Principles are contained within schedule 1 of the Privacy Act 1988 (Cth).
Under privacy law in Australia, businesses must include certain information that will allow people to be informed about how their personal information will be handled if they choose to interact with the business. The Commissioner distributed gold stars to a select few for their stellar privacy policies but noted that some organised remained firmly in the sin-bin. Organisations fell down when relevant information took too long to locate, or when they skirted around the issue of how information could be accessed and corrected. Black marks were also given when information on how a privacy complaint could be made or how information was protected was fudged or unclear.
The Commissioner’s findings boil down to ensuring that organisations doing business online have privacy policies that are ‘clearly expressed’. As an objective criterion, being ‘clearly expressed’ is a difficult concept to clearly and objectively define. Our Commissioner does his hardest to try, however, using instruments such as the Flesch-Kincaid Grade Level. Yes, this is a real measure.Using this system provides a result equivalent to the number of years of schooling a reader requires to be able to understand an organisation’s privacy policy.
The result is calculated using the formula below:
Grade Level = 0.39 (total words/total sentences) + 11.8 (total syllables/total words) – 15.59
For an instrument used to measure Plain English, the level of irony of using the formula above probably tops the scale.
Tips from the Commissioner
The Commissioner does have some excellent advice everyone can use to improve their privacy policy:
- “Think about your audience. Don’t treat the privacy policy as a legal document to manage legal risk. It should be a document that creates trust in your entity and speaks to your customers or clients;
- Don’t just repeat the words in the Australian Privacy Principles. Make the privacy policy specific to your business or operation;
- Seek input from all areas of your entity including your public relations department, which may have ideas about innovative formats for better communicating the policy, for example, through video or other mechanisms relevant to the communication channel (paper, telephone, email, online) that you are using;
- Focus on what is important to the reader. Do not try to cover everything in minute detail;
- Keep it simple. Use simple language and test readability in content and format against external standards such as the Flesch-Kincaid grade level;
- Take a layered approach. For example, for online publication provide a condensed (summary version) of key matters in the privacy policy, with a link to the full policy; and
- Consider having more than one policy. For large or complex entities, consider whether you need to have more than one policy (for different parts of your operation or business, or different functions or activities).”
Conclusion
In summary, make sure you tailor your privacy policy to your audience, make it as clear as possible to understand and include information on how data is obtained, stored, used and how a complaint can be made. Perhaps hold back from dotting your policy with emojis and the odd ‘YOLO’. Get in touch with LegalVision on 1300 544 755 if you have questions.