Privacy policies and collection notices

A privacy policy is a general statement about how personal information is managed by an organisation.

In addition to meeting the requirements of Information Privacy Principle (IPP) 5, having a privacy policy provides a number of benefits to an organisation including:

  • promoting greater public confidence in the organisation’s handling of personal information;
  • helping employees understand how they may handle the personal information they collect;
  • preventing the unnecessary collection or unlawful use or disclosure of information.

A privacy policy should demonstrate an organisation’s commitment to privacy by explaining how the organisation adheres to its privacy obligations.

A privacy policy should cover matters such as:

  • the organisation’s main functions and the types of personal information it collects to fulfil those functions;
  • how the organisation uses and shares the personal information it collects, including which third parties the information may be shared with;
  • any legislation that authorises or permits the organisation to collect and handle the personal information;
  • how the information is stored and kept secure;
  • how individuals can contact the organisation’s Privacy Officer and make a privacy complaint.

Organisations should remember that there is a difference between a privacy policy and a collection notice. Privacy policies relate to an organisation’s information management practices in a broad sense. A collection notice, on the other hand, outlines an organisation’s information handling practices for a specific purpose or activity, such as handling a complaint or sending out newsletters.

For further information on privacy policies and collection notices, please refer to the Drafting a privacy policy and Collection notices information sheets.

Before creating a privacy policy, it is a good idea to look at the different ways that an organisation collects personal information, and how that information flows through the organisation. This will help to inform the privacy policy. A privacy policy should cover all the different ways that personal information may be collected – for example, via telephone, online, or paper-based collection.

A privacy policy will be most effective where it:

  • is concise and targeted to the general public;
  • uses short, clear sentences and familiar, plain English words;
  • avoids legal jargon or technical terminology; and
  • avoids large slabs of text.

IPP 5 does not require organisations to publish a privacy policy, only to make it available to anyone who asks for it. However, most organisations will find it practical and cost effective to publish it on their website.

An organisation should periodically review its privacy policy, especially where it has been given new functions, undergone a restructure or changed its information handling practices, or where new laws have come into effect that affect the organisation’s information handling obligations.

Information Privacy Principle (IPP) 1.3 requires organisations to provide a collection notice to individuals. A collection notice is a way for organisations to tell individuals why their information is being collected and what it will be used for.

Collection notices should be provided at or before the time (or as soon as practicable after) personal information is collected from individuals. Examples of when a collection notice is necessary include a local council collecting personal information on a planning application form, or an employer collecting personal information as part of a recruitment process.

Giving notice promotes transparency about organisations’ collection and handling of personal information, and ensures individuals are aware of their rights and obligations in relation to providing their information to government organisations.

When collecting personal information, organisations must ensure that an individual is made aware of:

  1. The identity of the organisation and how to contact it;
  2. The fact that the individual is able to gain access to the information;
  3. The purpose for which the information is collected;
  4. To whom (or the types of individuals or organisations to which) the organisation usually discloses information of that kind;
  5. Any law that requires the particular information to be collected; and
  6. The main consequences (if any) for the individual if all or part of the information is not provided.

There is no one correct way to provide a notice of collection. Some practical examples of how to give notice to individuals may include:

  • a written notice on a form the individual is completing;
  • notice included in an automated recorded telephone message; or
  • notice included in brochures, posters and counter signage.

There is an important distinction between a privacy policy and a collection notice, and organisations will generally need to produce both.

Privacy policies speak to an organisation’s information management practices in a broad sense, whereas collection notices outline how organisations will handle personal information collected for a specific purpose.
