Privacy Awareness Week blog series: Communicating about privacy
It can sometimes appear that privacy is a concept which is the subject of common organisational parlance, but which is seldom properly understood.
For something as important as the proper collection, handling and use of personal information, it is crucial that when communicating about privacy, what we say to all our audiences is clear and easily understandable.
Communicating with employees
It is all well and good to have privacy principles enshrined in law, but if those who are actually engaged in the collection and handling of personal information do not understand how privacy obligations apply in their day-to-day work, then these principles are little more than abstract niceties.
Organisations should clearly express that privacy is not a cursory compliance hurdle – it is not a matter of a tick box exercise in an induction program, or a case of copying and pasting a privacy disclaimer in one’s email signature. Rather, privacy is a range of principles that should inform employees’ considerations and actions any time they are dealing with personal information.
In this sense, it is useful for organisations to put an emphasis not just on the fact that privacy obligations must be adhered to, but also on the rationale as to why privacy obligations exist in the first place. Clearly expressing the importance of privacy is likely to make employees better understand their privacy obligations and why they exist. It may be of benefit to encourage employees to consider how they would expect an organisation to handle their personal information when assessing how they should handle someone else’s personal information.
Communicating with the public
It is equally crucial that organisations communicate about their privacy practices with the public in a meaningful and effective manner.
We have written in a previous blog post about the importance of communication when things go wrong in the form of a privacy breach. Indeed, it is often the case that those breaches that prove to be the most troublesome are those where the organisation has failed to engage in proper communication with affected individuals. This perceived lack of transparency can exacerbate the individual’s sense of angst towards the organisation in relation to the breach and can result in the individual losing trust in the organisation.
Yet, good privacy communication should not be reserved for instances where organisations get things wrong. Even where an organisation is acting consistently with the Information Privacy Principles (IPPs), a failure to properly communicate in relation to its privacy practices can potentially alienate individuals or lead to a reduction in trust. Good communication, on the other hand, allows individuals to make informed choices about whether and how they should provide personal information to an organisation.
• uses short, clear sentences with an active voice and familiar, plain English words
• avoids legal jargon or technical terminology
• uses bullet points to highlight key content
• avoids large slabs of text; and
• uses a ‘layered’ approach by providing a clear summary of key points (first layer) and linking to a more detailed explanation where required (second layer).
In sum, clear and effective communications about privacy form a key component of good general privacy practice. This can raise the confidence of staff in understanding their responsibilities; develop trust amongst the public; and limit the likelihood of privacy breaches and complaints.
On the topic of communication, if you have any questions or queries, please feel free to contact your Privacy Officer or get in touch with the Office of the Victorian Information Commissioner.
This blog post was written by Dermot Dignam, Assurance and Legal Policy Advisor, Office of the Victorian Information Commissioner.