Council activities are diverse and extensive, ranging from providing public health services, to traffic, parking, and animal management. Councils collect a vast amount of personal information about individuals, from information about ratepayers and pet owners, to details of complaints made to the council. Local councils are required to comply with Part 3 of the Privacy and Data Protection Act 2014 (PDP Act) which provides for the responsible handling of personal information by Victorian public sector organisations.

Where a local council collects, holds, uses or discloses personal information, it must comply with the 10 Information Privacy Principles (IPPs) listed in Schedule 1 of the PDP Act. The IPPs set out the minimum standard for how the Victorian public sector should handle personal information, from the time it is first collected until it is disposed of when no longer required

This report outlines findings from an examination of the 79 Victorian council privacy policies against IPP 5, which requires an organisation to have a public facing privacy policy. IPP 5 states that ‘an organisation must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it.’

This examination measures each council’s privacy policy against the binding standards imposed by IPP 5, and the best practice standard suggested by discrete guidance from this Office. ⁵

This report does not aim to name or criticise councils, but rather to highlight good practices as well as areas for improvement. The tips and recommendations made in this report represent what OVIC considers to be good practice and a minimum standard for privacy policies.

A key emphasis of the report is the importance of effective communication in the protection of privacy, compliance with the PDP Act, and the maintenance of public trust in government.

Compliance with the PDP Act and the IPPs often turns on the quality and effectiveness of an organisation’s ability to communicate its privacy obligations. In many cases — such as providing a collection notice or establishing informed consent — compliance with the IPPs depends on whether information has been effectively conveyed to allow understanding by an individual engaging with the organisation.

Transparency around information handling practices is also essential to both the protection of privacy as a human right, and the maintenance of public trust. Transparency empowers individuals to understand what their rights are and what organisations are doing with their personal information. It empowers individuals to engage effectively with organisations when they have concerns about their privacy and gives them confidence that they will be heard. Transparency allows an organisation to demonstrate that they take privacy seriously, and that they can be trusted to responsibly manage the personal information that they hold.

The examination assessed the quality of each council’s privacy policy created under IPP 5. While IPP 5 states that an organisation must have a policy on its management of personal information and make it available to anyone who asks for it, it does not explicitly state what information the policy should include.

For this reason, each policy was assessed against discrete guidance issued by this Office on the minimum content required, and best practice drafting principles. Specifically, each policy was assessed as to whether it, at a minimum, included:

• The identity of the council, including a description of the council’s main function.
• A description of the type of information the council collects to fulfil its functions.
• How the council uses and shares the personal information it collects, including the types of third parties the information may be shared with.
• Whether collection of personal information is compulsory or optional.
• How the organisation securely stores and manages access to the personal information, and how long it may be stored for.
• The date and version of the policy.
• How an individual can contact the council, request access to the information or make a privacy complaint.

In addition to these minimum requirements, we examined how the policy can be found online and how accessible it is; for example, whether it is downloadable and available in other languages.

In order to conduct the examination, we required each council’s privacy policy.

In December 2018, we searched every council’s website and downloaded the available privacy policy.

In February 2019, we wrote to each council notifying them of the examination, and requesting that it confirm the policy online is the current version.⁷ For those councils that did not appear to have a privacy policy available online, they were asked to provide a copy to our office for assessment.

The examination was conducted as a desktop review.

A set of qualitative and quantitative questions were developed to measure the content of each privacy policy.

At the conclusion of the examination we wrote to each council and provided feedback on their policy and, where necessary, included suggestions for policy improvement.

78 out of the 79 councils confirmed that they have a privacy policy. One council does not currently have a privacy policy, but it confirmed that it will adopt one by July 2019.

Our initial search in December 2018 found that 10 councils did not have a privacy policy online. In response to our correspondence in February 2019 requesting provision of their policy:

• Eight provided a copy of their policy; four of the eight arranged for the policy to be published online, and one also provided a draft revised policy.
• One confirmed it did not have a policy, but would implement one by July 2019.
• One clarified that its privacy policy is online, however was contained in a larger document encompassing other council policies.

Of the remaining 69 councils who have policies online:

• 46 policies are current, with one being provided as a draft revised policy in the process of being approved.
• 14 policies are planned for review, or are currently being reviewed.
• Seven provided updated policies and arranged for the updated versions to be uploaded to their website.

A detailed discussion of our examination is set out in the next part of this report, and includes findings, recommendations and tips for better practice. The scope of the examination was structured around four themes; policy findability and accessibility, policy control, policy content and privacy complaints.

For a comparison of how councils fared with one another in the four themes, please refer to Appendix 1. The statistics are aimed to provide a comparative snapshot of councils according to whether they are metropolitan or regional.

The findings are structured around four themes; policy findability and accessibility, policy control, policy content and privacy complaints.

For a full list of the question asked and the total findings, please refer to the table in Appendix 2.

There is no specific requirement under the PDP Act for an organisation to publish a privacy policy – only to make one available to anyone who asks for it. However, OVIC’s guidance suggests that organisations may find it practical to publish their privacy policy online so that it can easily be found by those who would like to see a copy of it.

Publishing a relevant, accurate and accessible privacy policy online reflects an organisation’s commitment to openness and transparency.

We asked three questions about finding a privacy policy online:

• Is there a dedicated privacy section on the website? That is, whether there is a privacy webpage dedicated to providing information to users about the privacy policy. This is separate to a website privacy statement. A website privacy statement generally covers how information is automatically collected from an internet user because of a visit to a website, but does not detail the organisation’s obligations to privacy more widely.
• Can the policy be found by typing ‘privacy’ or ‘privacy policy’ in the search bar?
• Can the policy be found by clicking on the privacy statement of the home page? That is, whether there is a link to, or information on, the organisation’s privacy policy on the website’s privacy statement.

If all three questions answered yes then the policy was easy to find. If one or two out of three questions answered yes then it was average to find and if you could not find it using these three ways then it was difficult to find.

We found that 47 out of 78 councils were easy to find, 17 were average to find and 14 were difficult to find.

There are many authorities and standards when it comes to website usability and digital standards. Councils and other Government organisations should take into consideration the digital standards set by the Victorian Government⁹ and the recommendations made by the Web Content Accessibility Guidelines (WCAG)¹⁰ The WCAG recommendations and guidelines aim to make web content accessible to a wide range of people with disabilities, and will often make web content more usable to users in general.

The example above illustrates that not only is it important to have an easy to find policy, but that it is beneficial to have a dedicated privacy policy page allowing privacy concepts and obligations to be explained simply and directly.

While just over half of the policies were ‘easy’ to find, mostly by using the website’s search bar tool, policies were often located on a page that contains all council policies, procedures and other corporate governance documents. Most of the time, policies are located under headings such as ‘Governance’ or ‘Corporate’ that, to the general public, have little meaning and may lead to confusion and an inability to identify the relevant privacy document.

The Victorian Government Digital Standards (VGDS) state that to comply with the Disability Discrimination Act, and the VGDS, a Victorian government agency’s digital presence must comply with the WCAG ‘AA’ conformance requirements. The VGDS note that, to comply with WCAG, it is best to avoid using PDFs, or Microsoft Word, PowerPoint or Excel documents online. The VGDS recommend HTML.

We found that 59 out of 78 council policies were downloadable as PDFs, and only 10 were available in other forms, mostly Microsoft Word documents. 12 councils had their privacy policy accessible as a webpage (HTML format).

Two council policies are available in other languages.¹³

A small hand full (5 out of 78) of the policies that are accessible as a webpage have an audio option, which reads the policy for the user.

9 out of 78 councils that have a dedicated privacy webpage also had an audio capacity for the webpage. This means that, while the downloadable policy cannot be read out to the user, the information on the webpage can be. This provides the site user with another option to access privacy information.

The case example above illustrates good practices in relation to policy accessibility. There are three options available for users that may require assistance in reading and understanding the council’s privacy policy.

Our discrete guidance for drafting a privacy policy suggests that, at a minimum, a policy should contain a version number and date.

We found that only a small number of council policies included a version number (29 out of 78).

70 out of 78 policies had a date of either approval or publication, and 60 out of 78 had a review date.

OVIC’s guidance for drafting a privacy policy also suggests that it is reviewed at least every two years. We found that 19 out of 78 policies are overdue for a review, with the three oldest policies not being updated since 2002 and 2008. However, we have been informed by two of the councils that their policy is currently being reviewed.

We also found that 13 out of 78 policies were unclear regarding a review date, mainly because the policy is presented as a webpage rather than a downloadable policy document. An updated webpage or attachment does not represent an updated policy.

Statements such as ‘will be reviewed periodically’ or ‘will be reviewed time to time’, are not clear statements of when, or if, the policy will be reviewed and updated.

The focus on this part of the examination was in two parts; how comprehensive the content of the policy is, and assessing how well the policy is written.

IPP 5 does not state the type of information a policy should include. Each policy was assessed against guidance issued by this Office on the minimum content required and best practice drafting principles.

We also examined whether each council’s policy adequately referenced the 10 IPPs, as the IPPs set out the minimum standards for the handling of personal information for all Victorian public sector agencies specified in the PDP Act.

Our discrete guidance suggests that a privacy policy should include a description of the organisation’s main functions.

While we found that overall each council policy referenced the 10 IPPs, only 2 out of 78 ¹⁵policies included a description of the council’s main functions. They both include an ‘About Council’ section in their policy and briefly describe their role and functions under the Local Government Act 1989.

Including a clear and concise statement of the organisations main functions, and linking it to the IPPs, demonstrates that the organisation has considered the different ways the organisations collects information (as it will differ between organisations) and how that information flows through the organisation.

Good examples defined what personal information is, and used specific examples to explain:

• What types of personal information it generally collects, and for what purpose (IPP 1); and
• How it uses and discloses the personal information (IPP 2).

While a majority of councils covered and explained the 10 IPPs, we found that some councils failed to mention two important IPPs being:

• IPP 7, which relates to the use of unique identifiers and under what circumstances they are used by organisations, and
• IPP 9, which relates to transborder data flow and how privacy is protected if transferred outside of Victoria.

We found that IPP 7 was explained with generic wording which mirrored the wording in the legislation. For example, broad statements such as ‘Council will not assign, adopt, use, disclose or require unique identifiers except if required by law’ does not explain what a unique identifier is, and in what circumstances they would be used. An explanation of what a unique identifier is for council purposes would be helpful for individuals.

Similarly, statements attempting to address IPP 9, such as ‘Council may transfer personal information outside of Victoria only if that data transfer conforms with the reasons and conditions set out in the Act’ often did not adequately explain the reason why personal data was being transferred outside of Victoria, or how the council would protect personal information once it was transferred.

The second example above demonstrates the council’s awareness of how personal information is stored on its information technology services. IPP 9 does not only apply to personal information that is physically transferred outside of Victoria, but also applies to electronic information that may be stored on servers based outside of Victoria. We found that a small handful of councils specifically mentioned that they use a cloud type storage system to store personal information, meaning that IPP 9 applies to protect that information.

We also found that IPP 6 could be explained more effectively. IPP 6 deals with how individuals can access and correct their information held by organisations.

12 policies had a statement addressing the possibility of access to, and correction of, personal information. However, all 12 policies failed to detail how an individual could undertake this process rendering the statement ineffective.

We found that 7 councils use the above statement (or similar) when explaining how an individual can access or correct information. While the statement provides an explanation of an individual’s rights to access and correct their information, it would be preferable if agencies took the default position that everyone has the right to access and correct their information through the processes outlined in the Freedom of Information Act 1982, which is the approach taken by majority of the councils.

In contrast, a handful of councils encourage individuals wishing to access their information and correct it to contact the council department first or to speak with the Privacy Officer in an attempt to resolve the concern informally, rather than going through the more formal and lengthy FOI process. In some instances, however, it may be more appropriate for an individual to make a formal request to council under the freedom of information process. In these instances, the council can support their customer by providing guidance around initiating an FOI request.

An organisation’s commitment to open and transparent privacy practices is reflected in the way it clearly and simply communicates guidance to the public. The above example illustrates the benefits of including contact details to directly support and guide an individual seeking information around access and correction of their personal information.

We also found that 9 policies reference outdated legislation, meaning that the content of their privacy policy was incorrect. Furthermore, some policies were overdue for review showing the importance of review. Some policies appear to be updated to refer to the current and correct IPPs but unfortunately, still refer to old legislation, which could be due to an oversight.

In Victoria, OVIC shares the oversight of information privacy with the Health Complaints Commissioner, who is responsible for the oversight of how health related information is handled. While some councils have a separate Health Privacy Policy that explain and reference the Health Privacy Principles (HPPs), some councils cover both the IPPs and HPPs in the same document. We found that the reference to the HPPs was inconsistent across the councils, with most of them referencing the Health Records Act 2001 but not discussing the HPPs in any detail.

In 2006, the Australian Bureau of Statistics conducted a survey to identify and measure a broad range of social and economic characteristics of people across Australia, including literacy levels.¹⁷ Five different literacy capabilities were tested including the ability to read, understand and use information from various kinds of narrative texts such as information from newspapers, brochures and information sheets. Almost half of Australians between the ages of 15 to 74 scored in levels 1 and 2 (level 1 being the lowest measured level of literacy, and level 3 being considered the minimum requirement to understand narrative text). 37% of survey respondents scored in level 3.

With this in mind, it is important for documents, such as a policy, to be written using simple, plain English. While it is difficult to measure, we found that overwhelmingly, most policies were written using complex, legal terminology, and often mirrored the legislation.

A privacy policy need not specifically reference all 10 IPPs in detail to be considered effective. For example, a privacy policy may be structured in terms of the organisation’s functions, touching on each of their obligations under the IPPs incidentally. Further, the organisations may have express legal authority to collect and use personal information, which may make an exploration of IPP 2 unnecessary. However, the organisation will need to be transparent about such legal authorisations to collect, use and disclose personal information in their privacy policy.

OVIC’s guidance suggests ways to ensure effective communication, including:

• Using plain language – for example, short, clear sentences and familiar, plain English words;
• Avoiding legal jargon or technical terminology;
• Providing sufficient information – having a concise privacy policy can be effective, however it also needs to contain enough detail to allow individuals to understand how their personal information will be handled; and
• Be user-friendly – avoid large slabs of text and consider organising the privacy policy into sections with clear headings.

Organisations might consider presenting their discussion of IPPs in a different way including, for example, by theme. Alternatively, organisations might provide a narrative of how personal information is collected by the organisation and how it travels through the organisation from collection to destruction.

When drafting or reviewing a policy, it is important to consider just what is trying to be achieved (the intent of the policy), and how the policy aims to achieve this outcome. It is also important to think about the audience and what information they would expect to see in the policy.

For councils that have dedicated privacy webpages, we found that the information is able to be, and has been, presented in a simple and easy to understand way.

In an overwhelming majority of reviewed privacy policies, we found little or no explanation or guidance regarding the ability make a privacy complaint.

While 64 out of 78 policies did mention the ability to raise a complaint, many councils failed to provide adequate details or guidance regarding the complaint process. Only a very few policies provided sufficient information covering the complaint process, from how to make a complaint, to how it would be investigated, and how long it would take for the process to conclude.

Organisations should make it as simple as possible for individuals to make a privacy complaint. The PDP Act does not provide any legislative requirements for complaints to be made in a certain way. We found that 5 councils require complaints to be made in writing alongside the provisions of proof of identification. We do not recommend this as a standard practice.

Making it simple for an aggrieved individual to make a privacy complaint reflects an organisation’s openness and transparency.

We also found that policies lacked information about OVIC as the independent regulator of privacy for state government agencies, or for the Health Complaints Commissioner (for health information related complaints). When considering privacy complaints, many councils failed to accurately describe OVIC’s function and role in conciliating privacy complaints between aggrieved parties. Only one council accurately described OVICs functions.

When OVIC’s contact details were provided, they were generally incorrect and outdated, with OVIC often being referred to as its predecessor agency, the Commissioner of Privacy and Data Protection, which is inaccurate.

It was often difficult to find information about making a complaint – both within the relevant privacy policy, or on the council’s webpage. General feedback mechanisms were also missing or difficult to find.

Other Victorian government oversight bodies have reviewed the complaint handling processes of local government ¹⁹ and provided useful guidance and tips on complaint handling in general. During this examination, the Victorian Ombudsman announced an enquiry into how councils handle complaints.²⁰ The outcome of this enquiry will be beneficial in assisting councils to provide better privacy complaint processes.

Overall, the internal and external complaints processes are inadequately and ineffectively explained, or are not explained at all. Some councils have separate complaints handling policies that address how to make a complaint about privacy, but the policies are not linked or cross-referenced.