7 steps to writing a good privacy policy

13 Dec 2016

  • Privacy and Compliance

If your business is one of the thousands in Australia to which the Australian Privacy Principles apply (those with an annual turnover of $3m+), then there is no doubt that having a good privacy policy in place, no matter where and how you run your business, is one of the most important things you need to get right from the start.

A Privacy Policy is a legal document that describes how your company manages personal information and helps it do so in an open and transparent manner.

According to the Australian Privacy Principles (APP), the building blocks for developing an approved privacy policy are the “practices, procedure and systems” that an APP entity must implement to ensure it complies with the APPs.

Here’s a step-by-step guide to developing an APP-approved privacy policy:

1. Information gathering

Start with an overview of the personal information held by your business and of its personal information handling practices, procedures and systems. This will help you to describe the business's functions and activities and to understand your entity's personal information handling procedures. While not all of this information needs to be included in your privacy policy, it will help you identify what matters to your readers, what you need to cover in detail and what can be accurately summarised.

2. Work out content and structure

While your privacy policy needs to cover all the topics outlined in the Appendix ‘A’ checklist, it does not need to follow a particular order. Arrange the information in a way that makes sense and reflects what is likely to matter most to those reading it. To provide clarity and build trust, be as specific as possible, except in areas that individuals already know about, that they expect as common business or administrative practice, or that are common across the entity for all personal information handling.

3. Provide information in layers

Consider taking a layered approach, such as providing a summary version that focuses on what the reader would like to know, then adding a link to the full privacy policy. This is especially effective when the policy is read online. A summary policy varies according to the functions and activities of your business, but often includes: Scope, Collection of personal information, Disclosure (sharing), Rights and choices, How to make a complaint, and Contact details.

4. Draft your privacy policy

A draft version will ensure that all your points are clearly and correctly put across to the reader. To ensure the policy is accessible, easy to navigate and easy to read:
• Use the active voice and simple language, avoiding legal jargon, acronyms and in-house terms
• Use short sentences and break up text into paragraphs
• Use headings to help people find information easily
• Keep in mind how you are going to publish it
• Take into account your main audience in the design and format of the policy
• Avoid unnecessary length by giving careful consideration to what information is and is not needed
• Only include information that is relevant to the way your entity handles personal information
• Ensure the policy is readable

5. Test your privacy policy

We’re almost there. Be sure to test your privacy policy on the target audience, including likely readers. If resources are limited, have a family member or friend read it to give you some idea of how easy it is to digest. Regardless of the people you’re targeting, the standard test of a privacy policy is that it needs to be easily read and understood by a 14-year-old.

6. Make your privacy policy easily available

Your privacy policy should be available free of charge and in an appropriate form. So if your entity operates a website, the policy should be published there. You’re also required to take reasonable steps to make your privacy policy available in the particular form a person asks for.

7. Regularly review and update your privacy policy

Don’t leave your privacy policy to collect dust. It needs to be regularly reviewed and updated to ensure that it reflects your most current personal information handling practices.

There are many good examples of ways to communicate your privacy policy to your clients and consumers. Here are two: Virgin Mobile and LinkedIn.

Virgin Mobile’s Australian Privacy Policy is comprehensive yet easy to follow, with plenty of detail. By comparison, LinkedIn produced a clear, simple video to address users’ basic concerns. However, it should be noted that a video does not replace a published privacy policy.

Downloadable checklists are available should you remain unsure whether your privacy policy complies with the APP standards.

As a member of ADMA, your company has access to our Regulatory team for advice and an array of compliance tools and resources online at adma.com.au.
