11 April 2024

Good, better, best: writing a best-practice privacy policy

Tessa Loftus

elevenM’s Tessa Loftus outlines some simple actions organisations should take to ensure their privacy policy does more than tick the box.

APP 1.3: An APP entity must have a clearly expressed and up to date policy…about the management of personal information by the entity.

How many clearly expressed privacy policies have you ever read? Privacy policies are an important requirement under the Privacy Act, but they tend to be long, complex, unwieldy documents that have been written as a tool for managing legal risk, not as a method of communicating with average people, and not as a way of ensuring people are informed of their rights.

Privacy policies are important and there are ways to write yours so that it fulfils your legal obligations AND supports customer engagement.

The background on privacy policies

Privacy policies are one of the first requirements in the Australian Privacy Principles (APPs), and there’s a reason for this. In order to write an accurate privacy policy, you need to have a comprehensive understanding of your organisation’s personal information collection, handling and security. You need to understand the information flows for your organisation, which in turn leads to identifying any gaps. If your organisation has an accurate data-holding inventory or a mature information management process, then you will probably find creating an accurate privacy policy considerably easier than an organisation that doesn’t.

As well as being clearly expressed and up to date, a privacy policy must include specific types of information:

  • what PI is collected
  • how and why the org collects, holds, uses and discloses personal information
  • information about access, correction and complaints (incl. contact info)
  • if personal information is likely to be transferred overseas, and if so, where.

Using your privacy policy as a communications tool

A lot of organisations don’t get any further than this. They have a document that outlines the personal information they collect and what they do with it. But this is a tick-box approach that, in my view, doesn’t even really tick the box.

The APP guidelines, which the Office of the Australian Information Commissioner (OAIC) uses to assess whether an organisation has met its obligations, state that “At a minimum, a clearly expressed policy should be easy to understand (avoiding jargon, legalistic and in-house terms), easy to navigate, and only include information that is relevant to the management of personal information by the entity.” Not only should your privacy policy be written in accessible language, it should also be accessible in the more specific disability-access sense of the word — the APP guidelines clearly state that your privacy policy “should be directed to the different audiences who may consult it”. This is supported in the review of the Privacy Act, with the Government agreeing in principle that “privacy [collection] notices should be clear, up-to-date, concise and understandable, with appropriate accessibility measures in place”.

This is a fairly consistent requirement across jurisdictions with mature privacy legislation. Article 12.1 of the GDPR says that organisations should provide information about personal information handling “to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”

Implicit in these requirements are:

  • that you are genuinely trying to communicate information
  • an understanding of who your audience is and an approach appropriate to that audience
  • that while this document might be legally required, it is not intended to be a tool for managing legal risk
  • an assumption of basic accessibility.

What do people want from a privacy policy?

The good news is that the information people want from a privacy policy is more or less the same as the information required by the APPs. People want to know:

  • what personal information you are collecting and why
  • what you’re doing with it
  • how they can contact you with issues and access requests
  • what happens if you have a data breach.

The question of what you’re doing with it is, according to the 2023 OAIC Australian Community Attitudes to Privacy survey, the most important inclusion in a privacy policy.

The 2023 IAPP Privacy and Consumer Trust report shows that only 29% of consumers globally find it easy to understand how well a company protects their personal information and 30% of respondents think that writing in simpler language would help their understanding of an organisation’s privacy practices.

To write a best practice privacy policy you need:

  • plain English
  • relevant information
  • good usability (structure, findability, relevance, etc.)

Layering is a good way to ensure you’re meeting your communications objectives while still including everything the legal team insists must be in there. This can be as substantial as a summary policy alongside a complete policy, or as simple as providing a summary paragraph at the beginning of your privacy policy.

Please be cautious of…

Organisations have a tendency to front-load privacy policies with a lot of legal information — like definitions, information about the legislation that requires this policy, and corporate information like ABNs. None of that information is required to be included in a privacy policy, so think carefully about whether it needs to be there.

Your privacy policy will be on your website, so the person reading it probably knows which organisation it relates to. They are going to assume that words like ‘you’ and ‘we’ have their usual dictionary definition (and if they don’t, you should address that).

My advice, if you really want to include corporate and legal information, is to put it at the end. That way, if someone wants to double-check a definition, they can, but you’re not forcing it on everyone.

In summary…

Your privacy policy should be clear, easy to read and as short as it can possibly be while covering all the information it needs to contain. And it should be genuinely trying to communicate that information.

Contact us

If you’re interested in learning more about privacy communications, contact us at hello@elevenM.com.au or on 1300 003 922.