Privacy Awareness Week blog series: Communicating about privacy
It can sometimes appear that privacy is a concept which is the subject of common organisational parlance, but which is seldom properly understood.
For something as important as the proper collection, handling and use of personal information, it is crucial that when communicating about privacy, what we say to all our audiences is clear and easily understandable.
Communicating with employees
It is all well and good to have privacy principles enshrined in law, but if those who are actually engaged in the collection and handling of personal information do not understand how privacy obligations apply in their day-to-day work, then these principles are little more than abstract niceties.
Organisations should clearly express that privacy is not a cursory compliance hurdle – it is not a matter of a tick-box exercise in an induction program, or a case of copying and pasting a privacy disclaimer into one’s email signature. Rather, privacy is a range of principles that should inform employees’ considerations and actions any time they are dealing with personal information.
In this sense, it is useful for organisations to put an emphasis not just on the fact that privacy obligations must be adhered to, but also on the rationale as to why privacy obligations exist in the first place. Clearly expressing the importance of privacy is likely to make employees better understand their privacy obligations and why they exist. It may be of benefit to encourage employees to consider how they would expect an organisation to handle their personal information when assessing how they should handle someone else’s personal information.
Communicating with the public
It is equally crucial that organisations communicate about their privacy practices with the public in a meaningful and effective manner.
We have written in a previous blog post about the importance of communication when things go wrong in the form of a privacy breach. Indeed, it is often the case that those breaches that prove to be the most troublesome are those where the organisation has failed to engage in proper communication with affected individuals. This perceived lack of transparency can exacerbate the individual’s sense of angst towards the organisation in relation to the breach and can result in the individual losing trust in the organisation.
Yet, good privacy communication should not be reserved for instances where organisations get things wrong. Even where an organisation is acting consistently with the Information Privacy Principles (IPPs), a failure to properly communicate in relation to its privacy practices can potentially alienate individuals or lead to a reduction in trust. Good communication, on the other hand, allows individuals to make informed choices about whether and how they should provide personal information to an organisation.
In the spirit of transparency, organisations should make it clear to members of the public why they collect their personal information and how they manage that information. IPP 5, of course, requires organisations to have a privacy policy but this is of little benefit if the policy is difficult to find or is expressed in terms that leave the reader none the wiser.
Simple strategies can be used to ensure that privacy policies do not fall foul of such deficiencies. A privacy policy can be made more easily accessible where an organisation does not incorporate it within wider policies or group it with other matters. Rather, the policy should be distinct and placed on a prominent section of an organisation’s website.
A privacy policy (and indeed all privacy communications) will be easier to understand where an organisation:
• uses short, clear sentences with an active voice and familiar, plain English words
• avoids legal jargon or technical terminology
• uses bullet points to highlight key content
• avoids large slabs of text
• uses a ‘layered’ approach by providing a clear summary of key points (first layer) and linking to a more detailed explanation where required (second layer).
An easy-to-find and clearly expressed privacy policy is, however, not sufficient to discharge the obligation to communicate clearly with members of the public about privacy. Organisations must also engage in privacy communications in “real time”, that is, at the point(s) where personal information is collected. This is a requirement under IPP 1.3, but it is also common sense.
Members of the public may not have the time or inclination to refer back to a privacy policy at the time they are providing personal information (such as in filling out an online form). At this point, the person should be made conscious of the fact they are making a choice about their personal information, and of how the information will be handled, should they decide to provide it.
In sum, clear and effective communications about privacy form a key component of good general privacy practice. This can raise the confidence of staff in understanding their responsibilities; develop trust amongst the public; and limit the likelihood of privacy breaches and complaints.
On the topic of communication, if you have any questions or queries, please feel free to contact your Privacy Officer or get in touch with the Office of the Victorian Information Commissioner.
This blog post was written by Dermot Dignam, Assurance and Legal Policy Advisor, Office of the Victorian Information Commissioner.