Privacy Sweep - How Did We Scrub Up?
The OAIC (Office of the Australian Information Commissioner) is moving onto the front foot in relation to privacy. The Commissioner has indicated he will not be lenient, and the results of a survey indicate there is room for improvement.

As you will already be aware, the new Privacy amendments come into force in March. The amendments "raise the standard" in relation to managing personal information. Recruitment and other companies which deal with and store personal information should be reviewing their procedures.

Early last year, the OAIC conducted a 'Privacy Sweep' of around 50 common websites visited by Australians. This was in conjunction with a global check of over 2000 websites and apps observed for 'Privacy Practice Transparency', that is, how effectively these websites increased public or business awareness of privacy rights and responsibilities, and complied with both current and upcoming privacy legislation. Although this Sweep was not an official investigation, it nonetheless aimed at identifying websites that might warrant further assessment after the privacy reforms come into force in March.

Although participants only spent a few minutes per website, the results of this Sweep were still quite concerning: in Australia, a staggering 83% of privacy policies on websites were found to have at least one issue with readability, relevance, length, 'contacts for further information' or ability to be found.
Readability and Length
Nearly 50% of websites had readability issues: either the language employed was too complex, or the policy was inexcusably long. The Information Commissioner explained that a policy must be capable of being presented in formats which assist people who use technologies like screen readers (often used by people who are visually impaired or illiterate, or who primarily speak a language other than English at home). In essence, people needed to be able to "understand what they are signing up to".
On a global and national scale, roughly one-third of policies had relevance-related issues. Too many policies used generalised, 'boilerplate' language that was unclear about whether the site complied with relevant legislation, and they often offered no information about the collection, use and disclosure of personal information. Alarmingly, mobile apps fared far worse: a shocking 92% of apps raised privacy practice concerns, with up to 54% having no privacy policies at all! Those that did frequently provided simple links to the privacy policies for their website, instead of addressing just how the apps themselves would be using and collecting information.
Location and Contact-ability