IPP 5 requires organisations to have a privacy policy. Privacy policies should be clear and accessible. The primary purpose of the policy is to tell the public how the organisation handles personal information. A clear and accurate privacy policy supports a positive, trusting relationship between the organisation and members of the public. The drafting and ongoing review of privacy policies is part of an organisation’s privacy governance.

Organisations must also tell people, if they ask, about the information the organisation holds and how it is handled. This requires an organisation to establish procedures to respond to queries about its personal information handling practices, for example, by appointing a privacy officer and publishing their contact details.

IPP 5.1 states:

An organisation must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it.

Victorian public sector organisations and contractors bound by the PDP Act must have a privacy policy. An organisation should periodically review its privacy policy, especially where it has been given new functions or has undergone a restructure. OVIC recommends organisations schedule a regular review of a privacy policy at least once a year. The periodic review of a privacy policy should ideally be subject to executive sign-off, to ensure executive members of staff have oversight of the organisation’s privacy practices.¹

It is good practice (and consistent with obligations under the Public Records Act 1973 (Vic) (Public Records Act) to keep full and accurate records) to include a date and version reference on a privacy policy. This helps establish which policy was in effect at any given time and may be relevant to assessing whether an organisation took reasonable steps at the time of an alleged breach or complaint, or what a person might have reasonably expected from the organisation at that time.

Preparing to write a privacy policy involves examining the way personal information is gathered and flows through an organisation. An effective privacy policy is appropriately tailored to what the organisation does with personal information, what it needs to do and what it properly can do. An effective privacy policy also ensures the organisation actually complies with its privacy policy. A privacy policy should not be a reproduction of the IPPs.

In drafting a privacy policy, there is no one-size-fits-all approach. It is insufficient for an organisation to copy another organisation’s policy. Organisations may consult the work of others and take the best from good privacy policies, but they should first and foremost consider how their own privacy policies will operate.

Large organisations should consider whether they should have more than one privacy policy to cover, for example, the activities of individual business units which have distinct functions. It may be appropriate for an organisation to have different policies to cover different types of information or information handling practices. A separate website policy, email monitoring policy or a social media policy are examples. An organisation may wish to consolidate their obligations under the PDP Act and Health Records Act 2001 (Vic), in relation to personal and health information respectively, into a single document or set of documents. ³

There is no specific requirement under IPP 5.1 to publish the privacy policy – only to make it available on request to anyone who asks. Nonetheless, an organisation may find it convenient and cost effective to publish its policy on its website. Publishing privacy policies for members of the public to easily access also increases transparency of government.

As a matter of good practice, OVIC suggests all agencies make their privacy policies publicly available online. Other options include:

• sending a privacy policy with written correspondence to individuals when they first transact with, or become a client of, an organisation;
• referring to the privacy policy with annual notices such as re-registration forms; and,
• having a copy of a privacy policy available at an organisation’s enquiries desk or counter.

Organisations should ensure privacy policies use clear and accessible language. As a matter of best practice, a privacy policy should include at least:

• the identity of the organisation and how to contact it;
• the organisation’s main functions and the types of personal information the organisation generally collects and holds to fulfil those functions;
• how personal information is used by the organisation, and to whom it is routinely disclosed;
• whether collection of personal information is compulsory or optional (including a reference to any legislation which authorises the collection, use or disclosure of the information, such as the Local Government Act 1989);
• how personal information is secured and access to it managed;
• how privacy is protected if the information is transferred or stored outside Victoria;
• the organisation’s privacy officer or unit and information about how to make a complaint or seek further information;
• whether the organisation uses CSPs, and which organisation is responsible for compliance (receiving complaints and answering questions in relation to different services); and,
• the date and version reference of the policy.

Organisations should ensure privacy policies are drafted to suit different audiences. For example, where an organisation often deals with the personal information of children, age-appropriate language should be used to ensure children can understand the privacy policy. Individuals reading a privacy policy should be able to easily understand how their personal information may be handled, to allow them to exercise their information rights.

There is no single way to draft a privacy policy. Organisations should consider the best way to draft and publish their privacy policy according to the types of personal information they most commonly handle and for which purposes.

When an organisation is drafting or reviewing their privacy policy, it is important to ensure the audience and purpose is carefully considered. Policies drafted primarily with an organisation’s compliance with the PDP Act in mind, and which are approached with a ‘set and forget’ mentality, often result in little meaningful information being provided to individuals. This prevents individuals from making informed choices when interacting with the organisation.

OVIC’s IPP 5 Self Assessment Tool may help organisations draft and review their privacy policy or privacy policies by prompting organisations to consider the different aspects of a good policy, including findability, version control, and important content to include.⁵

It may be appropriate for an organisation to take a layered approach to its privacy policies. For example, a brief outline of the organisation’s privacy policy may be provided on a form, sign or poster, referring to the full privacy policy contained on the organisation’s website or in a brochure. This alerts individuals to the existence of a privacy policy and allows them to seek out further information if they wish.

Privacy policies should be readily available to staff within an organisation so a prompt response can be given to a request from a member of the public that the privacy policy be made available.

IPP 5.1 requires an organisation make its privacy policy available ‘to anyone who asks for it’.

Although IPP 5.1 does not specify a timeframe, if an organisation takes an unduly long time to provide its privacy policy in response to a request, it will not have provided the policy ‘on request’, which may amount to a breach of IPP 5.

The requirement to provide a copy of a privacy policy to an individual ‘on request’ necessarily implies the response to the request must be completed in a reasonable period. Due to advances in telecommunications technologies and changing community expectations, this period may be shorter than it was when hard copy policies were sent by post. In most cases, requests should be able to be responded to very quickly by email or by reference to an online copy of a policy.

As a matter of best practice, organisations should ensure their privacy policies are either publicly available (for example, on their website) or can be provided promptly in response to a request.

IPP 5.2 states:

On request by a person, an organisation must take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

IPP 5.2 requires organisations to take reasonable steps, when asked, to let people know what kind of personal information the organisation collects and how it uses it. Unlike IPP 5.1, IPP 5.2 does not expressly require an organisation to document the sorts of personal information it collects and handles.

IPP 5.2 does not require an organisation to inform individuals about what information is specifically held about them. Requests for access to personal information are governed by IPP 6 and the Freedom of Information Act 1982 (Vic) (FOI Act).

For IPP 5.1, it is sufficient to give information about the sort of information that is held, its purposes, and how it is collected, held, used and disclosed. IPP 5.2 should be seen as a requirement for a further, more detailed level of information beyond the minimum required in an IPP 5.1 privacy policy.

An organisation may find it more efficient to meet the requirements of IPP 5.1 and anticipate common queries under IPP 5.2 in the same document. An organisation’s published Information Asset Register ⁹(IAR) may meet some or all of the requirements of IPP 5.2. It may also be useful for an organisation to refer to their IAR when drafting or reviewing their privacy policy, to gain a complete picture of the types of information they hold.

However, if an organisation receives a request for information that is not answered by its published information, the organisation is required to take reasonable steps to respond. For example, an organisation’s privacy policy may not explicitly discuss its practice of taking and using photographs, monitoring email, or recording telephone conversations. If an individual subsequently asks for information about these practices, the organisation should be able to provide a tailored response.

In practice, staff will need to help people understand how the generic descriptions in an organisation’s privacy policy apply to the individual’s own personal information. The privacy policy and any other information sought by an individual may be that individual’s starting point in deciding whether to make an access request under the FOI Act or IPP 6 (Access and Correction).

A privacy policy is a statement about how an organisation manages the personal information it collects. It is a general, non-exhaustive statement about how personal information flows through an organisation. This is different to a collection notice, required by IPP 1.3. A collection notice addresses a specific collection practice of an organisation (such as collecting personal information on a council planning application form, or for a job application).

A privacy policy can help people decide whether to make an application for access to information held by an organisation under IPP 6 (Access and Correction) or the FOI Act. People must know what type of information is generally held by an organisation so they can specifically ask for access to that information.

There are similarities in the obligations under IPP 5 (Openness) and Part II of the FOI Act. Part II of the FOI Act requires agencies to publish various statements, including a statement of the categories of documents in the possession of an agency,¹¹ which are appropriate for assisting the public to effectively exercise their rights under the FOI Act.¹² These requirements may also assist agencies meet their obligations under the Public Records Act, to keep full and accurate records.¹³

A privacy policy must explain an organisation’s information handling practices. It will usually discuss the IPPs but should not simply reproduce them. It should be concise, targeted to the general public, written in plain English and easy to read. Privacy policies should also be tailored to reflect the operations and functions of the specific Victorian government organisation, be that a department, agency or service provider.

A privacy policy should generally include at least:

• the identity of the organisation and how to contact it;
• the organisation’s main functions and the sorts of personal information the organisation generally collects and holds to fulfil those functions;
• how personal information is used by the organisation, and to whom it is routinely disclosed;
• whether collection of personal information is compulsory or optional (referring to any legislation which authorises the collection, use or disclosure of the information, such as the Local Government Act 1989);
• how personal information is secured and access to it managed;
• how privacy is protected if the information is transferred or stored outside Victoria;
• the organisation’s privacy officer or unit and information about how to make a complaint or seek further information;
• if the organisation uses CSPs, which organisation is responsible for compliance (receiving complaints and answering questions in relation to different services); and,
• the date and version reference of the policy.

Privacy policies explain an organisation’s information management practices in a broad sense. They explain how the organisation manages personal information.

Collection notices outline the information handling practices of organisations for a specific purpose and are a requirement of IPP 1.3. See also the discussion: The difference between privacy policies and collection notices.

Consent forms specify a particular reason for the collection, use or disclosure of a personal information, for the purpose of seeking an individual’s agreement to a particular information handling practice.

An organisation should review its privacy policy when it has been given new functions, has undergone a restructure, has significantly changed its practices, or if there has been an amendment to any relevant legislation. If an organisation begins to collect more information or uses or discloses the information in new ways, for example, where the introduction of a new technology has changed how an organisation handles personal information, this should be immediately reflected in the organisation’s privacy policy.¹⁷

As a matter of best practice, OVIC suggests organisations schedule a review of their privacy policies at least once every 12 months.

If an organisation offers a range of services, it can consider having several privacy policies. While a privacy policy is not as specific as a collection notice, attempting to draft a one-size-fits-all policy can reduce its clarity. A balance needs to be struck between being making the policy accessible and easy to understand, but not misrepresenting the organisation’s activities to the individual service user.

Some organisations collect and handle health information in addition to other personal information. The Health Records Act 2001 (Vic) contains Health Privacy Principles that are similar to the IPPs in the PDP Act. Organisations may prefer to develop one privacy policy that addresses the principles under both Acts.

For more information about health information and privacy, contact the Health Complaints Commissioner.

An organisation’s privacy officer should be involved in the drafting of a privacy policy. The role of a privacy officer involves ensuring the organisation upholds their obligations under the IPPs. The privacy officer will therefore be well placed to coordinate the development of the privacy policy.

If an organisation decides to outsource this task, they should ensure there is adequate consultation with relevant staff within the organisation, including the privacy officer. Otherwise, there is a risk that the privacy policy will be drafted by someone who does not have a deep understanding of the organisation’s information handling practices. An organisation’s privacy policy must adequately represent how the organisation will actually manage an individual’s personal information (see Case Study 5A, above).

It is also important to involve communications professionals in the drafting process, to help ensure the language and content of the privacy policy is clear and easy to understand. An organisation’s ICT or information security professionals may also be able to assist in outlining the types of protections the organisation has in place to secure personal information.

Privacy policies should be user friendly and drafted with members of the public as the intended audience in mind.

To meet their IPP 5 obligations, organisations should make their privacy policy readily available for anyone on request. In general, organisations should publish the latest version of their privacy policy or policies on their website.

As a matter of best practice, individuals should not have to contact the organisation to request a copy of their privacy policy, it should be readily available.

Any communications drafted for children should be age-appropriate, using clear, easy to understand language. Individuals reading a privacy policy should be able to easily ascertain how their personal information may be handled, in order to allow them to exercise their information rights.