Examination of Local Government Privacy Policies

    Foreword

    Privacy policies form the starting point for an organisation’s engagement with the public about privacy. Organisations are required by Information Privacy Principle (IPP) 5 to develop a privacy policy. But as well as being essential for compliance with the IPPs, privacy policies can set the tone for future interactions and signal the organisation’s attitude towards the information privacy rights of the individuals that they serve.

    This report outlines the findings of an examination conducted by the Office of the Victorian Information Commissioner (OVIC), in which we reviewed the privacy policies of all 79 local government authorities. The examination measured the privacy policies against the requirements of the Privacy and Data Protection Act 2014 (PDP Act) and relevant guidance.

    While we found that, generally, privacy policies were made available as required by the PDP Act, there are areas for improvement. How a policy is written and presented, and whether it includes information about making a privacy complaint, are important aspects of a privacy policy and feed into the notion of openness and transparency.

    It is encouraging to find that, since a similar examination in 2016, local councils have made their privacy policies more available with 89 percent of privacy policies being available online, compared to 82 percent in 2016. It is also encouraging to find that 97 percent of privacy policies now include information on how an individual can access and correct their personal information – compared to 7 percent in 2016.

    Effective communication is important for the protection of privacy as a human right, and to maintain the public’s trust in government. Openness and transparency by organisations empowers individuals to understand what their rights are, and what organisations are doing with their personal information. An accessible and effective privacy policy demonstrates that the organisation takes privacy seriously, and that it can be trusted to manage the personal information it holds about an individual, responsibly.

    We found through this examination that larger regional and metropolitan councils did better than the smaller rural shires when it came to the quality of their privacy policy. This should come as no surprise, as metropolitan councils will often have greater resources available for privacy compliance compared to rural councils. We also find through our dealings with local councils, not just in the privacy area but also in public access, that most Privacy Officers also carry other titles and responsibilities under freedom of information, information security and document management, making their role as Privacy Officer somewhat challenging.

    While this examination report provides some specific recommendations to local councils, the tips and recommendations are useful and relevant for all Victorian public sector organisations covered by Part 3 of the PDP Act. In addition, this examination report has referred to OVIC’s discrete guidance, which is still valid and relevant, and has been incorporated into the findings and tools created.[1]

    The themes and findings highlighted in this examination report are not specific to councils, nor are they a reflection on ‘mistakes’ made by councils; rather, we predict that they are indicative of common issues amongst privacy policies across the Victorian public sector.

    As a result of this examination report, we have developed a self-assessment tool[2] which is designed to assist all government agencies subject to the PDP Act develop and revise their privacy policy.

     

    Rachel Dixon

    Privacy and Data Protection Deputy Commissioner


     

    Summary of best practices and minimum requirements

     

    Findability and accessibility

    Provide users with multiple ways to find the policy.

    Use descriptive titles for each webpage, allowing users to quickly identify whether the information contained in the webpage is what they are looking for.

    Use clear and simple language to appropriately name the policy.

    Consider creating a dedicated privacy webpage explaining the need to know information about privacy and how to contact the council about a privacy concern.

     

    Policy control

    Include a version number, the date on which the policy was approved, and a clear statement of when the policy is due for review.

     

    Policy content

    Reference the correct privacy legislation.

    Include a description of the organisation’s main functions.

    Include an explanation of how the organisation adheres to the IPPs. This may include using specific examples about the organisation’s functions and how it will use the personal information it holds. Organisations should consider how they present this information in a concise and clear way.

    Every policy should be written using plain language, and avoid legal jargon. Privacy policies should not mirror the wording of the legislation.

     

    Privacy complaints

    Every policy should include a clear explanation and process for making a privacy complaint.

    Every policy should include accurate details of OVIC and any other external complaint agencies that are able to review the decisions of your organisation.

    Introduction

    Background

    1. Council activities are diverse and extensive, ranging from providing public health services, to traffic, parking, and animal management. Councils collect a vast amount of personal information about individuals, from information about ratepayers and pet owners, to details of complaints made to the council. Local councils are required to comply with Part 3 of the Privacy and Data Protection Act 2014 (PDP Act) which provides for the responsible handling of personal information by Victorian public sector organisations.

    2. Where a local council collects, holds, uses or discloses personal information, it must comply with the 10 Information Privacy Principles (IPPs) listed in Schedule 1 of the PDP Act. The IPPs set out the minimum standard for how the Victorian public sector should handle personal information, from the time it is first collected until it is disposed of when no longer required.

    3. This report outlines findings from an examination of the 79 Victorian council privacy policies against IPP 5, which requires an organisation to have a public facing privacy policy. IPP 5 states that ‘an organisation must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it.’

    4. This examination measures each council’s privacy policy against the binding standards imposed by IPP 5, and the best practice standard suggested by discrete guidance from this Office.[3]

    5. This report does not aim to name or criticise councils, but rather to highlight good practices as well as areas for improvement. The tips and recommendations made in this report represent what OVIC considers to be good practice and a minimum standard for privacy policies.

    Why are privacy policies so important?

    6. A key emphasis of the report is the importance of effective communication in the protection of privacy, compliance with the PDP Act, and the maintenance of public trust in government.

    7. Compliance with the PDP Act and the IPPs often turns on the quality and effectiveness of an organisation’s ability to communicate its privacy obligations. In many cases, such as providing a collection notice or establishing informed consent, compliance with the IPPs depends on whether information has been effectively conveyed to allow understanding by an individual engaging with the organisation.

    8. Transparency around information handling practices is also essential to both the protection of privacy as a human right, and the maintenance of public trust. Transparency empowers individuals to understand what their rights are and what organisations are doing with their personal information. It empowers individuals to engage effectively with organisations when they have concerns about their privacy and gives them confidence that they will be heard. Transparency allows an organisation to demonstrate that they take privacy seriously, and that they can be trusted to responsibly manage the personal information that they hold.

    What we examined

    9. The examination assessed the quality of each council’s privacy policy created under IPP 5. While IPP 5 states that an organisation must have a policy on its management of personal information and make it available to anyone who asks for it, it does not explicitly state what information the policy should include.

    10. For this reason, each policy was assessed against discrete guidance issued by this Office on the minimum content required, and best practice drafting principles. Specifically, each policy was assessed as to whether it, at a minimum, included:

    • The identity of the council, including a description of the council’s main function.
    • A description of the type of information the council collects to fulfil its functions.
    • How the council uses and shares the personal information it collects, including the types of third parties the information may be shared with.
    • Whether collection of personal information is compulsory or optional.
    • How the organisation securely stores and manages access to the personal information, and how long it may be stored for.
    • The date and version of the policy.
    • How an individual can contact the council, request access to the information or make a privacy complaint.

    11. In addition to these minimum requirements, we examined how the policy can be found online and how accessible it is; for example, whether it is downloadable and available in other languages.

    What we needed

    12. In order to conduct the examination, we required each council’s privacy policy.

    13. In December 2018, we searched every council’s website and downloaded the available privacy policy.

    14. In February 2019, we wrote to each council notifying them of the examination and requesting that it confirm that the policy online is the current version.[4] Those councils that did not appear to have a privacy policy available online were asked to provide a copy to our office for assessment.

    How we conducted the examination

    15. The examination was conducted as a desktop review.

    16. A set of qualitative and quantitative questions was developed to measure the content of each privacy policy.

    17. At the conclusion of the examination we wrote to each council and provided feedback on their policy and, where necessary, included suggestions for policy improvement.

    Summary Statistics

    18. 78 out of the 79 councils confirmed that they have a privacy policy. One council does not currently have a privacy policy, but it confirmed that it will adopt one by July 2019.

    19. Our initial search in December 2018 found that 10 councils did not have a privacy policy online. In response to our correspondence in February 2019 requesting provision of their policy:

    • Eight provided a copy of their policy; four of the eight arranged for the policy to be published online, and one also provided a draft revised policy.
    • One confirmed it did not have a policy, but would implement one by July 2019.
    • One clarified that its privacy policy is online, however was contained in a larger document encompassing other council policies.

    20. Of the remaining 69 councils who have policies online:

    • 46 policies are current, with one being provided as a draft revised policy in the process of being approved.
    • 14 policies are planned for review, or are currently being reviewed.
    • Seven provided updated policies and arranged for the updated versions to be uploaded to their website.

    21. A detailed discussion of our examination is set out in the next part of this report, and includes findings, recommendations and tips for better practice. The scope of the examination was structured around four themes: policy findability and accessibility, policy control, policy content and privacy complaints.

    22. For a comparison of how councils fared with one another in the four themes, please refer to Appendix 1. The statistics aim to provide a comparative snapshot of councils according to whether they are metropolitan or regional.

    What We Found – In Detail

    23. The findings are structured around four themes: policy findability and accessibility, policy control, policy content and privacy complaints.

    24. For a full list of the questions asked and the total findings, please refer to the table in Appendix 2.

     

    Policy findability and accessibility

    Findability

    25. There is no specific requirement under the PDP Act for an organisation to publish a privacy policy – only to make one available to anyone who asks for it. However, OVIC’s guidance suggests that organisations may find it practical to publish their privacy policy online so that it can easily be found by those who would like to see a copy of it.

    26. Publishing a relevant, accurate and accessible privacy policy online reflects an organisation’s commitment to openness and transparency.

    27. We asked three questions about finding a privacy policy online:

    • Is there a dedicated privacy section on the website? That is, whether there is a privacy webpage dedicated to providing information to users about the privacy policy. This is separate to a website privacy statement. A website privacy statement generally covers how information is automatically collected from an internet user because of a visit to a website, but does not detail the organisation’s obligations to privacy more widely.
    • Can the policy be found by typing ‘privacy’ or ‘privacy policy’ in the search bar?
    • Can the policy be found by clicking on the privacy statement of the home page? That is, whether there is a link to, or information on, the organisation’s privacy policy on the website’s privacy statement.

    28. If all three questions were answered yes, the policy was easy to find. If one or two of the three were answered yes, it was average to find, and if the policy could not be found using any of these three ways, it was difficult to find.

    29. We found that 47 out of 78 council policies were easy to find, 17 were average to find and 14 were difficult to find.

    30. There are many authorities and standards when it comes to website usability and digital standards. Councils and other government organisations should take into consideration the digital standards set by the Victorian Government[5] and the recommendations made by the Web Content Accessibility Guidelines (WCAG).[6] The WCAG recommendations and guidelines aim to make web content accessible to a wide range of people with disabilities, and will often make web content more usable for users in general.

    Case example 1: Example of a policy that was ‘easy’ to find

    Melbourne City Council

    The privacy statement page provides a direct link to the council’s privacy policy webpage.

    The council’s privacy policy webpage provides the user with the ‘need to know’ information from its policy such as answering what is personal information, what the council’s obligations are regarding privacy, and how to access and correct personal information. The website also provides a contact name and details to allow privacy concerns to be easily raised.

    The information is easy to read and understand, and links are provided to the council’s privacy policy and health records policy, should the user want more information.

    31. The example above illustrates that not only is it important to have an easy to find policy, but that it is beneficial to have a dedicated privacy policy page allowing privacy concepts and obligations to be explained simply and directly.

    32. While just over half of the policies were ‘easy’ to find, mostly by using the website’s search bar tool, policies were often located on a page that contains all council policies, procedures and other corporate governance documents. Most of the time, policies are located under headings such as ‘Governance’ or ‘Corporate’ that, to the general public, have little meaning and may lead to confusion and an inability to identify the relevant privacy document.

    Case example 2: Example of a policy that was ‘difficult’ to find

    This example is from a large shire.

    The council has one document in which all its policies and procedures are contained. There is no description or indication to the user that this is where they would be able to find the privacy policy. Furthermore, finding this one document is difficult as the user is required to navigate through various and multiple menus and options.

    Accessibility

    33. The Victorian Government Digital Standards (VGDS) state that to comply with the Disability Discrimination Act, and the VGDS, a Victorian government agency’s digital presence must comply with the WCAG ‘AA’ conformance requirements. The VGDS note that, to comply with WCAG, it is best to avoid using PDFs, or Microsoft Word, PowerPoint or Excel documents online. The VGDS recommend HTML.

    34. We found that 59 out of 78 council policies were downloadable as PDFs, and only 10 were available in other forms, mostly Microsoft Word documents. Twelve councils had their privacy policy accessible as a webpage (HTML format).

    35. Two council policies are available in other languages.[7]

    36. A small handful (5 out of 78) of the policies that are accessible as a webpage have an audio option, which reads the policy for the user.

    37. Nine out of 78 councils that have a dedicated privacy webpage also had audio capability for the webpage. This means that, while the downloadable policy cannot be read out to the user, the information on the webpage can be. This provides the site user with another option to access privacy information.

    Case example 3: Good example of an accessible policy

    Greater Geelong City Council

    The council’s privacy policy is available as a webpage and downloadable in Microsoft Word format.

    The policy webpage, which is the privacy policy, can be translated into various languages, and has an audio option allowing the policy to be read out to the site user.

    38. The case example above illustrates good practices in relation to policy accessibility. There are three options available for users that may require assistance in reading and understanding the council’s privacy policy.

    Tips to improve

    Some effective ways to make a privacy policy more findable and accessible on a webpage may include:

    • Providing site users with multiple ways to find the policy.
    • Using descriptive titles for each webpage, allowing users to quickly identify whether the information contained in the webpage is what they are looking for.
    • Using clear and simple language to appropriately name the policy.
    • Creating a dedicated privacy webpage explaining the ‘need to know’ information about privacy and how to contact the council about a privacy concern.

    Some effective ways to make a privacy policy more accessible may include:

    • Making the policy available in HTML format or equivalent, in addition to other utilised formats.

    Policy control

    39. Our discrete guidance for drafting a privacy policy suggests that, at a minimum, a policy should contain a version number and date.

    40. We found that only a small number of council policies included a version number (29 out of 78).

    41. 70 out of 78 policies had a date of either approval or publication, and 60 out of 78 had a review date.

    42. OVIC’s guidance for drafting a privacy policy also suggests that it is reviewed at least every two years. We found that 19 out of 78 policies are overdue for a review, with the three oldest policies not being updated since 2002 and 2008. However, we have been informed by two of the councils that their policy is currently being reviewed.

    43. We also found that 13 out of 78 policies were unclear regarding a review date, mainly because the policy is presented as a webpage rather than a downloadable policy document. An updated webpage or attachment does not represent an updated policy.

    44. Statements such as ‘will be reviewed periodically’ or ‘will be reviewed time to time’ are not clear statements of when, or if, the policy will be reviewed and updated.

    Tips to improve

    As best practice, the policy should include:

    • a version number;
    • the date on which the policy was approved; and
    • a clear statement of when the policy is due for review.

    Recommendation

    It is recommended that every council:

    • reviews its current policy, unless it has done so within the last year; and
    • schedules a review of its privacy policy at least every two years.

    Policy content

    45. The focus of this part of the examination was twofold: how comprehensive the content of the policy is, and how well the policy is written.

    Content – how comprehensive is the content of the policy?

    46. IPP 5 does not state the type of information a policy should include. Each policy was assessed against guidance issued by this Office on the minimum content required and best practice drafting principles.

    47. We also examined whether each council’s policy adequately referenced the 10 IPPs, as the IPPs set out the minimum standards for the handling of personal information for all Victorian public sector agencies specified in the PDP Act.

    48. Our discrete guidance suggests that a privacy policy should include a description of the organisation’s main functions.

    49. While we found that overall each council policy referenced the 10 IPPs, only 2 out of 78[8] policies included a description of the council’s main functions. They both include an ‘About Council’ section in their policy and briefly describe their role and functions under the Local Government Act 1989.

    50. Including a clear and concise statement of the organisation’s main functions, and linking it to the IPPs, demonstrates that the organisation has considered the different ways it collects information (as these will differ between organisations) and how that information flows through the organisation.

    51. Good examples defined what personal information is, and used specific examples to explain:

    • What types of personal information it generally collects, and for what purpose (IPP 1); and
    • How it uses and discloses the personal information (IPP 2).

    Case example 4: Good example of IPP1 and IPP2 – Explanation with examples

    Boroondara City Council

    The council’s privacy policy provides practical and useful examples to explain what types of personal information it collects. Below is an example taken from the council’s policy:

    IPP 1 – Collection

    Council will only collect personal information supplied by you when it is necessary to do so. This information typically includes but is not limited to the following:

    • name
    • address (postal and email)
    • telephone number (work, home and mobile)
    • date of birth
    • occupation
    • Medicare number
    • credit card and bank account numbers
    • motor vehicle registration number.

     The information you provide may be used for purposes including but not limited to the following … to contact you where it is necessary to resolve issues relating to the Boroondara City Council services or functions which you have brought to our attention. For instance, contacting you in response to your report of a fallen tree branch.

     

     Casey City Council

    The council’s privacy policy provides practical and useful examples to explain how it uses and discloses personal information. Below is an example taken from the council’s policy:

     IPP 2 – Use and disclosure

    The information may be disclosed:

    • To Council’s contracted service providers who manage the services provided by Council. Some examples include: garbage collection, management of leisure centres, environmental health inspections and infrastructure maintenance. Council will also require these service providers to maintain the confidentiality of the information and comply with the Information Privacy Principles in all respects.

    52. While a majority of councils covered and explained the 10 IPPs, we found that some councils failed to mention two important IPPs:

    • IPP 7, which relates to the use of unique identifiers and under what circumstances they are used by organisations, and
    • IPP 9, which relates to transborder data flow and how privacy is protected if information is transferred outside of Victoria.

    53. We found that IPP 7 was explained with generic wording which mirrored the wording in the legislation. For example, broad statements such as ‘Council will not assign, adopt, use, disclose or require unique identifiers except if required by law’ do not explain what a unique identifier is, or in what circumstances one would be used. An explanation of what a unique identifier is for council purposes would be helpful for individuals.

    54. Similarly, statements attempting to address IPP 9, such as ‘Council may transfer personal information outside of Victoria only if that data transfer conforms with the reasons and conditions set out in the Act’ often did not adequately explain the reason why personal data was being transferred outside of Victoria, or how the council would protect personal information once it was transferred.

    Case example 5: Good example of IPP 7 and IPP 9 – Explanation with examples

    Maribyrnong City Council

    The council’s privacy policy provides succinct and clear explanations of both IPP 7 and IPP 9, which are provided below:

    IPP 7 – Unique identifiers

    A unique identifier is a number or code that is assigned to someone’s record to assist with identification (similar to a drivers licence number). Council will only assign a unique identifier to a person if the assignment is reasonably necessary to carry out its functions efficiently. 

    IPP 9 – Transborder data flows

    … does not prohibit the transfer of personal information outside of Victoria but it does place restrictions on when it can occur. This is because the PDPA is a Victorian law and therefore the IPP’s will not apply to organisations in a different state, territory or country.

    Council will only transfer personal or health information outside of Victoria in accordance with the provisions outlined in the PDPA and Health Records Act.

    While Council uses cloud computing services based outside Victoria, it has taken all reasonable steps to ensure that the information which it transfers will not be held, used or disclosed by the host of the information inconsistently with the Victorian IPPs. It also ensures the hosts/recipients are subject to laws and/or binding contractual arrangements that provide similar protections to that afforded under the PDPA.

     

     Latrobe City Council

    The council specifically states that it:

    may use cloud computing services based outside Victoria, in which case Council must ensure [compliance] with the Victorian IPPs and HPPs in engaging with those

    55. The second example above demonstrates the council’s awareness of how personal information is stored on its information technology services. IPP 9 does not only apply to personal information that is physically transferred outside of Victoria, but also applies to electronic information that may be stored on servers based outside of Victoria. We found that a small handful of councils specifically mentioned that they use a cloud type storage system to store personal information, meaning that IPP 9 applies to protect that information.

    56. We also found that IPP 6 could be explained more effectively. IPP 6 deals with how individuals can access and correct their information held by organisations.

    57. Twelve policies had a statement addressing the possibility of access to, and correction of, personal information. However, all 12 policies failed to detail how an individual could undertake this process, rendering the statement ineffective.

    Case example 6: Example of ineffective IPP 6 statement – Access and Correction

    This example is from a metropolitan council.

     Individuals have a right to request access to any personal or health information held about them by Council. If an individual believes that their information is inaccurate, incomplete or out of date, they may request Council to correct it.

    Council can deny access to personal and health information in accordance with the exemptions detailed in the Privacy and Data Protection Act 2014 and Health Records Acts 2001.

    58. We found that 7 councils use the above statement (or similar) when explaining how an individual can access or correct information. While the statement provides an explanation of an individual’s rights to access and correct their information, it would be preferable if agencies took the default position that everyone has the right to access and correct their information through the processes outlined in the Freedom of Information Act 1982, which is the approach taken by the majority of the councils.

    59. In contrast, a handful of councils encourage individuals wishing to access their information and correct it to contact the council department first or to speak with the Privacy Officer in an attempt to resolve the concern informally, rather than going through the more formal and lengthy FOI process. In some instances, however, it may be more appropriate for an individual to make a formal request to council under the freedom of information process. In these instances, the council can support their customer by providing guidance around initiating an FOI request.

    Case example 7: A good example of IPP 6 explanation – Access and Correction

    Warrnambool City Council

    The council’s privacy policy provides succinct and clear explanations of how to contact the council to request access and correction of personal information:

    Should an individual wish to access their personal information, the individual can contact the most relevant Council department directly or Council’s FOI/Privacy Officer [details provided] …

    Access will be provided except in the circumstances outlined in the Act, for example, where the information relates to legal proceedings or where the Freedom of Information Act 1982 applies. If an individual believes that their personal information is inaccurate, incomplete or out of date, the individual may request Council to correct the information. The request will be dealt with in accordance with the Act.

    60. An organisation’s commitment to open and transparent privacy practices is reflected in the way it clearly and simply communicates guidance to the public. The above example illustrates the benefits of including contact details to directly support and guide an individual seeking information around access and correction of their personal information.

    61. We also found that 9 policies reference outdated legislation, meaning that the content of their privacy policy was incorrect. Furthermore, some policies were overdue for review, showing the importance of regular review. Some policies appear to have been updated to refer to the current and correct IPPs but, unfortunately, still refer to old legislation, which could be due to an oversight.

    62

    In Victoria, OVIC shares the oversight of information privacy with the Health Complaints Commissioner, who is responsible for overseeing how health-related information is handled. While some councils have a separate Health Privacy Policy that explains and references the Health Privacy Principles (HPPs), other councils cover both the IPPs and HPPs in the same document. We found that references to the HPPs were inconsistent across the councils, with most of them referencing the Health Records Act 2001 but not discussing the HPPs in any detail.

    Content – how well is the policy written?
    63

    In 2006, the Australian Bureau of Statistics conducted a survey to identify and measure a broad range of social and economic characteristics of people across Australia, including literacy levels.9 Five different literacy capabilities were tested, including the ability to read, understand and use information from various kinds of narrative texts such as newspapers, brochures and information sheets. Almost half of Australians aged 15 to 74 scored in levels 1 and 2 (level 1 being the lowest measured level of literacy, and level 3 being considered the minimum requirement to understand narrative text). 37% of survey respondents scored in level 3.

    64

    With this in mind, it is important for documents, such as a policy, to be written using simple, plain English. While it is difficult to measure, we found that overwhelmingly, most policies were written using complex, legal terminology, and often mirrored the legislation.

    65

    A privacy policy need not specifically reference all 10 IPPs in detail to be considered effective. For example, a privacy policy may be structured in terms of the organisation’s functions, touching on each of its obligations under the IPPs incidentally. Further, an organisation may have express legal authority to collect and use personal information, which may make an exploration of IPP 2 unnecessary. However, the organisation will need to be transparent in its privacy policy about such legal authorisations to collect, use and disclose personal information.

    66

    OVIC’s guidance suggests ways to ensure effective communication, including:

    • Using plain language – for example, short, clear sentences and familiar, plain English words;
    • Avoiding legal jargon or technical terminology;
    • Providing sufficient information – a concise privacy policy can be effective, however it also needs to contain enough detail to allow individuals to understand how their personal information will be handled; and
    • Being user-friendly – avoiding large slabs of text and considering organising the privacy policy into sections with clear headings.
    67

    Organisations might consider presenting their discussion of IPPs in a different way including, for example, by theme. Alternatively, organisations might provide a narrative of how personal information is collected by the organisation and how it travels through the organisation from collection to destruction.

    Case example 8: Good example of how IPPs are discussed

    Brimbank City Council

    The council uses headings, in the form of questions, to explain the IPPs without presenting them in any particular order, or mirroring the legislation.

    What type of information does the council collect?
    What does the council do with information?
    What disclosures might be made?
    How does the council ensure that information is accurate, up to date, and secure?
    How can a person access or correct information held by council?

     

    Loddon Shire Council

    The council uses sub-headings, in the form of questions, to explain ‘what is use’ and ‘what is disclosure’ when explaining IPP 2, and uses simple language and examples to detail the answers:

    What is use? This includes:

    • searching records for any reason
    • using personal and/or health information in a record to make a decision
    • inserting personal and/or health information into a database

    What is disclosure? This includes:

    • providing personal and/or health information to a third party (such as a contractor)
    • providing a record containing personal and/or health information to a member of the public
    68

    When drafting or reviewing a policy, it is important to consider what the policy is trying to achieve (the intent of the policy), and how the policy aims to achieve this outcome. It is also important to think about the audience and what information they would expect to see in the policy.

    69

    For councils that have dedicated privacy webpages, we found that the information is able to be, and has been, presented in a simple and easy to understand way.

    Tips to improve

    As best practice, every policy should include:

    • A reference to the correct privacy legislation.
    • A description of the organisation’s main functions.
    • An explanation on how the organisation adheres to the IPPs. This may include using specific examples about the organisation’s functions and how it will use the personal information it holds. Organisations should consider how they present this information in a concise and clear way.

    As best practice, every policy should be written using plain language, and avoid legal jargon. Privacy policies should not mirror the wording of the legislation.

    Recommendation

    It is recommended that every council:

    • Review its explanation of its process for accessing and correcting personal information.
    • When undertaking its next review of its policy, consider plain English drafting principles.

    Privacy complaints
    70

    In an overwhelming majority of reviewed privacy policies, we found little or no explanation or guidance regarding the ability to make a privacy complaint.

    71

    While 64 out of 78 policies did mention the ability to raise a complaint, many councils failed to provide adequate details or guidance regarding the complaint process. Only a very few policies provided sufficient information covering the complaint process, from how to make a complaint, to how it would be investigated, and how long it would take for the process to conclude.

    72

    Organisations should make it as simple as possible for individuals to make a privacy complaint. The PDP Act does not impose any legislative requirement for complaints to be made in a particular way. We found that 5 councils require complaints to be made in writing and accompanied by proof of identity. We do not recommend this as standard practice.

    73

    Making it simple for an aggrieved individual to make a privacy complaint reflects an organisation’s openness and transparency.

    74

    We also found that policies lacked information about OVIC as the independent regulator of privacy for state government agencies, or about the Health Complaints Commissioner (for complaints relating to health information). When discussing privacy complaints, many councils failed to accurately describe OVIC’s function and role in conciliating privacy complaints between aggrieved parties. Only one council accurately described OVIC’s functions.

    75

    When OVIC’s contact details were provided, they were generally incorrect and outdated, with OVIC often being referred to as its predecessor agency, the Commissioner of Privacy and Data Protection, which is inaccurate.

    76

    It was often difficult to find information about making a complaint, both within the relevant privacy policy and on the council’s webpage. General feedback mechanisms were also missing or difficult to find.

    77

    Other Victorian government oversight bodies have reviewed the complaint handling processes of local government10 and provided useful guidance and tips on complaint handling in general. During this examination, the Victorian Ombudsman announced an enquiry into how councils handle complaints.11 The outcome of this enquiry will be beneficial in assisting councils to provide better privacy complaint processes.

    78

    Overall, the internal and external complaints processes are inadequately and ineffectively explained, or are not explained at all. Some councils have separate complaints handling policies that address how to make a complaint about privacy, but the policies are not linked or cross-referenced.

    Tips to improve

    As best practice, every policy should include a clear explanation and process for making a privacy complaint.

    As best practice, every policy should include accurate details of OVIC and any other external complaint agencies that are able to review the decisions of your organisation.


    Appendix 1 - Council Comparison

    Chart 1 – Breakdown of councils by classification

    Chart 1 illustrates a simple breakdown of councils by classification. The classification categories are taken from www.localgovernment.vic.gov.au.

    Note that the small shire classification differs in our results (we have a total of 18) due to one council not having a privacy policy. This council falls into the small shire category.

     

    Table 1 – Comparison on policy findability according to classification

    Classification   Easy   Average   Difficult
    Metro            17     4         1
    Interface        7      2         0
    Regional         6      3         1
    Large Shire      9      4         6
    Small Shire      8      4         6
    TOTAL            47     17        14

     

    Table 1 compares the findings from the question “Describe how easy it is to find the policy on the website: Easy, Average, Difficult.”

     

    Chart 2 – Illustration of comparison on policy findability

     

    Table 2 – Comparison on policy control according to classification

    Classification   Is there a version number?   Is there a date?   Is there a review date?
    Metro            8                            21                 19
    Interface        4                            6                  6
    Regional         5                            8                  5
    Large Shire      7                            17                 14
    Small Shire      5                            18                 16
    TOTAL            29                           70                 60

     

    Table 2 compares the findings between council classification and various questions about policy control. The finding is that of a “yes” answer.

     

    Chart 3 – Illustration of comparison on policy governance

     

    Table 3 – Comparison on overdue policies according to classification

    Classification   Yes   No   Unclear
    Metro            8     10   4
    Interface        1     6    2
    Regional         1     5    4
    Large Shire      6     9    4
    Small Shire      5     12   1
    Total            21    42   15

     

    Table 3 compares the findings from the question “Is the policy overdue for a review?”

    Note that 8 out of the 19 policies that are overdue for a review were being reviewed at the time of this examination.

     

    Chart 4 – Illustration of comparison on overdue policies according to classification

     

    Table 4 – Comparison on IPPs according to classification

    Classification   IPP1   IPP2   IPP3   IPP4   IPP6   IPP7   IPP8   IPP9   IPP10
    Metro            20     21     22     19     22     15     21     15     21
    Interface        8      8      8      8      8      6      8      4      8
    Regional         10     10     10     10     10     8      10     8      10
    Large Shire      19     18     18     18     18     15     17     14     17
    Small Shire      17     18     18     17     18     12     16     13     17
    TOTAL            74     75     76     72     76     56     72     54     73

     

    Table 4 compares the findings between council classification and whether their policies include mention and explanation of the 10 IPPs.

     

    Chart 5 – Illustration of comparison on IPPs according to classification

     

    Table 5 – Comparison of complaint handling according to classification

    Classification   Explains how to make a complaint to the council?   Includes information about OVIC?   Includes information about the Health Complaints Commissioner?
    Metro            18                                                 15                                 4
    Interface        8                                                  5                                  6
    Regional         7                                                  3                                  2
    Large shire      16                                                 11                                 4
    Small shire      15                                                 12                                 7
    TOTAL            64                                                 46                                 23

     

    Table 5 compares the findings between council classification and whether their policies include information about making and responding to privacy complaints. The finding is that of a “yes” answer.

    Note that some councils have separate Health Information Policies, or do not reference the Health Privacy Principles in their privacy policy, which could be a factor in why references to the Health Complaints Commissioner are low.

     

    Chart 6 – Illustration of comparison on complaint handling according to classification


    Appendix 2 – Table of statistical findings

    1. Policy location and accessibility
    Question Answer “Yes” Percentage
    Is there a policy? (IPP5 – Openness) 78 99%
    Is there a dedicated ‘privacy’ section on the website? 46 59%
    Can the policy be found by typing ‘privacy’ or ‘privacy policy’ in the search bar? 62 79%
    Can the policy be found by clicking on the ‘privacy’ section of the home page? 43 55%
    Describe how easy it is to find the policy on the website: Easy, Average, Difficult.
    Is there more than one version of the privacy policy on the website? 2 3%
    If so, describe what is online.
    Is there a separate website privacy policy or privacy statement? 49 63%
    Is there a combined website privacy statement and privacy policy? 14 18%
    Are there other policies that affect privacy? For example, a CCTV policy or Health Records Policy? 37 47%
    If so, what are they?
    Are there supporting documents that accompany or complement the policy? 21 27%
    If so, what are they?
    Is the policy available as a webpage? 12 15%
    Is the policy available as a downloadable PDF? 59 76%
    Is the policy available as a downloadable Word document? 10 13%
    Is the policy available as a downloadable HTML document? 0 0%
    Is the policy available in other languages? 1 1%
    If so, what languages?
    Is there an audio version of the policy? 5 6%
    Are there other accessibility options? 9 12%
    If so, what are they?
    Can the policy be shared? For example, shared to an email or social media? 20 26%
    2. Policy control
    Question Answer “Yes” Percentage
    Does the policy identify the council? 77 98%
    Does the policy identify a position or business unit that is responsible for approving and updating the policy? 72 92%
    If so, who?
    Does the policy have information about who approved the policy? 57 73%
    If so, who?
    Does the policy state what version it is? 29 37%
    Does the policy have a date? 70 90%
    Does the policy have a review date? 60 77%
    What is the review date?
    Is the policy overdue for a review? 19 24%
    Additional comments

     

    3. Policy content
    Question Answer “Yes” Percentage
    Does the policy refer to current legislation? 68 87%
    How many pages is the policy?
    Is the policy broken up into sections with clearly marked headings? 78 99%
    Is the policy layered? 8 10%
    Does the policy state the council’s main functions? 2 3%
    Does the policy state the types of third parties the information may be shared with? 72 92%
    Does the policy state whether collection of personal information is compulsory or optional? 71 91%
    Does the policy state the types of personal information it generally collects? (IPP 1 – Collection) 74 95%
    Does the policy state how the council uses and discloses the personal information? (IPP 2 – Use and disclosure) 75 96%
    Does the policy state how the council ensures the personal information it collects is accurate, complete and up to date? (IPP 3 – Data quality) 76 97%
    Does the policy state how the council stores and manages personal information, including how long personal information may be stored for? (IPP 4 – Data security) 72 92%
    Does the policy contain information about how an individual can request to access and/or alter their personal information? (IPP 6 – Access and correction) 76 97%
    If so, what is it?
    Does the policy state whether the council assigns unique identifiers to individuals, and if so, under what circumstances? (IPP 7 – Unique identifiers) 56 72%
    Does the policy state that a person may remain anonymous when dealing with the council? (IPP 8 – Anonymity) 72 92%
    Does the policy state how privacy is protected if information is transferred or stored outside of Victoria? (IPP 9 – Transborder data flows) 54 69%
    Does the policy state whether the council collects sensitive information? (IPP 10 – Sensitive information) 73 93%
    Does the policy explain how to make a privacy complaint to the council? 64 82%
    Does the policy correctly direct complaints to OVIC only after the complaint is first made to the council? 46 59%
    Is there a separate policy for general complaint handling? 12 15%
    Does the policy include information about the Health Records Act 2001? 47 60%
    Does the policy address the Health Privacy Principles? 40 51%
    Does the policy correctly direct complaints about health information to the Health Complaints Commissioner? 22 28%
    Is there a separate policy that addresses health privacy? 10 13%
    In general terms, comment on the quality of the policy content. For example, has the information been simplified and examples used to explain the IPPs, or is it a cut and paste of the legislation?
    4. Reference to external agencies
    Question Answer “Yes” Percentage
    Does the policy include a description of OVIC’s functions? 2/78 3%
    Is it accurate? 1/2 50%
    Does the policy include a link to OVIC’s website? 13/78 16%
    Is it accurate? 4/13 31%
    Does the policy include OVIC’s contact phone number? 19/78 24%
    Is it accurate? 2/19 11%
    Does the policy include OVIC’s email? 20/78 26%
    Is it accurate? 2/20 10%
    Does the policy include OVIC’s postal address? 14/78 18%
    Is it accurate? 6/14 43%
    Does the policy include a description of the Health Complaints Commissioner’s functions? 2/78 3%
    Is it accurate? 1/2 50%
    Does the policy include a link to Health Complaints Commissioner’s website? 7/78 9%
    Is it accurate? 4/7 57%
    Does the policy include Health Complaints Commissioner’s contact phone number? 13/78 16%
    Is it accurate? 10/13 77%
    Does the policy include Health Complaints Commissioner’s enquiries email? 6/78 8%
    Is it accurate? 1/6 17%
    Does the policy include Health Complaints Commissioner’s postal address? 6/78 8%
    Is it accurate? 4/6 67%
    5. Contact information
    Question Answer “Yes” Percentage
    Does the policy contain information about who to contact at the council regarding privacy concerns? 68/78 87%
    What is the name and/or title of the contact point?
    Is there a phone line to call? 46/78 59%
    If so, what is it?
    Is the phone line the same as the council switchboard/general enquiries? 28/46 61%
    Is there an email address? 30/78 38%
    If so, what is it?
    Is the email address the same as for general enquiries? 19/30 63%
    Is there a postal address? 36/78 46%
    If so, what is it?
    Is the postal address the same as for general enquiries? 33/36 92%
    Additional comments – is there contact information in any other form, online, fax, online complaint form or is there contact information on another page?
    1. OVIC, Drafting a Privacy Policy: Guidance for the Victorian Public Sector. https://ovic.vic.gov.au/wp-content/uploads/2018/07/Drafting-a-privacy-policy.pdf
    2. OVIC, IPP 5 Self Assessment Tool. https://ovic.vic.gov.au/wp-content/uploads/2019/06/20190530-IPP-5-Self-Assessment-Tool-re-draft.docx
    3. OVIC, Drafting a Privacy Policy: Guidance for the Victorian Public Sector. https://ovic.vic.gov.au/wp-content/uploads/2018/07/Drafting-a-privacy-policy.pdf
    4. By ‘current’ we mean the most recent or updated policy. See the ‘Summary statistics’ section for more information on how councils responded.
    5. https://www.vic.gov.au/digital-standards. The framework is Victoria’s central reference for digital best practice standards and, where applicable, mandatory standards.
    6. WCAG 2.0. https://www.w3.org/TR/WCAG20/
    7. Moreland City Council and Greater Geelong City Council.
    8. Banyule City Council and Melbourne City Council.
    9. The Adult Literacy and Life Skills Survey. http://www.ausstats.abs.gov.au/ausstats/subscriber.nsf/0/B22A471C221C7BADCA2573CA00207F10/$File/42280_2006%20(reissue).pdf
    10. Victorian Ombudsman report into Council and Complaints – A good practice guide, Feb 2015. https://www.ombudsman.vic.gov.au/Publications/Parliamentary-Reports/Councils-and-complaints-%E2%80%93-A-report-on-current-prac
    11. https://www.ombudsman.vic.gov.au/News/Media-Releases/Enquiry-into-how-local-councils-handle-complaints