
Privacy policies

A privacy policy is a core element of your organisation’s overall approach to protecting privacy and demonstrating transparency. It explains to your organisation’s staff and to the public how your organisation handles personal information. It informs your staff of their obligations, and members of the public what to expect if they choose to transact with your organisation.

What should be in a privacy policy?

IPP 5.1 requires organisations to have a document that sets out “clearly expressed policies on its management of personal information.” However, it does not state what the policy needs to say.

When considering what your privacy policy might say, you should put yourself in the shoes of a member of the public who is considering engaging with your organisation – what would they want to know about how their information will be handled?

For further guidance on what information you should provide in your privacy policy, you should consult our resources on privacy policies and the section of the IPP Guidelines on IPP 5 – Openness.

Drafting a privacy policy

As a privacy officer, it’s likely you will play a key role in drafting or reviewing your organisation’s privacy policy. This requires examining and understanding the way personal information is gathered and flows through your organisation so you can then explain it in the policy – OVIC’s IPP 5 Self-Assessment Tool should assist with this.

Tips for a good privacy policy

It’s one thing to have a privacy policy but quite another to have a good privacy policy. Here are some quick tips to help you achieve this:

  • Use plain language and avoid legal jargon – to achieve a ‘clearly expressed’ policy.
  • Do not just mirror the IPPs – explain how information flows in your organisation.
  • Be specific about your organisation’s functions and how it will handle personal information.
  • Highlight aspects that are likely to be relevant to the reader or which may be surprising or unexpected.

