14 March 2023

Privacy and accessibility — more closely related than you think

Tessa Loftus

elevenM Senior Consultant Tessa Loftus looks at the connection between privacy and accessibility, and the steps being taken to address it in the Privacy Act review.

One of the questions that is commonly asked when an organisation is starting the complex and sometimes expensive process of making their online services accessible, is “but how many people with <<this particular need>> are going to use this service anyway?” This is the wrong question. The right question is “if you became disabled tomorrow, would you still want to be able to access services via the internet?” And the answer is, of course, yes.

Public buildings have had an accessibility requirement since 1993, and government websites have been required to meet the Web Content Accessibility Guidelines 2.0 since 2014 (although compliance is patchy at best). And while the Disability Discrimination Act aims to do what it says on the tin, the ability for people with a disability to access services on the internet is unreliable.

When the APPs came into force in 2014, they introduced the requirement for organisations covered by the Privacy Act to “manage personal information in an open and transparent way” and one of the primary methods for achieving this is to have a “clearly expressed and up to date policy about the management of personal information”.

Speaking as a consumer, a privacy professional, and a plain English specialist, I think I could count on the fingers of one hand the number of ‘clearly expressed’ privacy policies I have encountered.

We know that very few people read privacy policies. This is largely because they are long, boring, complex, and tend to be written as tool for managing legal risk, not as the consumer communication tool that they were intended to be.

Privacy, accessibility and the Privacy Act review

One of the proposals elevenM made to the current review of the Privacy Act is that privacy policies and collection notices should be accessible. That this has now been (at least partially) taken up is a good start. The final report of the review proposes a new requirement for “collection notices to be clear, up-to-date, concise and understandable. Appropriate accessibility measures should also be in place.” It also includes the proposal that “APP entities that provide online services should be required to ensure that any privacy settings are clear and easily accessible for service users.” To have a system based on notice and consent without a requirement for accessibility undermines a significant number of individuals’ ability to access that notice or validly provide that consent. In other words, for it to be “open and transparent”, it must also be accessible.   

Proposed changes to the definition of consent will also improve accessibility. The current definition of consent simply states that “consent can be express or implied”, without further clarification. The proposals in the report propose that the definition be changed to “must be voluntary, informed, current, specific, and unambiguous”. While this is consistent with current OAIC guidance, organisations are not currently required to comply with OAIC guidance, therefore a definition is both a stronger protection and a step in the right direction. There are a range of interesting details in the explanation of these terms, many of which pick up on issues of accessibility. For example, “an individual must have a genuine opportunity to provide or withhold consent” and “an individual must be provided with sufficient information in an understandable form so that [they are] likely to be aware of the implications of providing or withholding…entities should ensure that they use clear and plain language when presenting consents to individuals.”

Now we just need to see organisations following through. The more regulatory systems there are that require accessibility, the more often organisations will have to consider it and the higher the chance of it being gradually integrated into the concept of ‘good design’. And this would be a win for everyone, because accessibility is actually useful for a range of people — from those who really need it in order to use the internet and access services through to those who simply cannot bear to read a 20,000-word privacy policy.

While I can easily understand why so many companies allow their privacy policies, collection notices and consent mechanisms to be written in legalese, the truth of the matter is that writing and formatting them in a way that is accessible and easy to read is an incredibly easy win, for effectively no outlay — it costs no more to make your privacy policy comprehensible than it does to make it incomprehensible, most websites have existing capacity to produce content in an accessible format, and it improves customer service across the board. Most importantly, it takes one small step towards making the internet a more useable place for the 4.4million people in Australia living with a disability.

If you’d like to know more about the importance of communication strategies in privacy, get in touch with us.

Photo credit: Daniel Ali on Unsplash