Developing a Privacy Policy:
a guide for organisations
Introduction
Organisations covered by the privacy laws are required to have a privacy
policy and to make that policy available to the public. Whether or not they
are subject to the privacy laws, it would be prudent for all organisations
to have an agreed public policy on privacy setting out how members
of the organisation should handle the legal and ethical issues relating
to personal information. Having a policy means that, should an issue of
privacy arise, managers, office bearers and employees have a consistent
set of guidelines to refer to and a clear course of action to follow.
From the consumer's point of view, knowing there is a policy on the handling
of personal information is reassuring and is likely to generate greater
public confidence in dealing with the organisation.

What is policy?
Policy is part of the core values of an organisation. Policy assists
an organisation to adopt and set standards, and to guide decisions. A
privacy policy represents a statement of an organisation’s established
position on the collection, storage, use and disclosure of personal information.
This position is usually backed up by procedures to make sure that the
policy is followed through in day-to-day practice. Policies reflect the
legal obligations of an organisation as well as ethical considerations.
Policies can deal with the big picture – for example, internet usage
– or relatively minor matters, such as the secure transfer of files around
the workplace. They can be formal – printed in manuals or brochures –
or informally developed. Informal, unwritten policies can, however, give
rise to inconsistencies, especially when staff leave and are replaced
over time. Best-practice organisations have a written privacy
policy and make it freely available to anyone with an interest or a responsibility
in relation to it. Many organisations send a copy of their privacy policy
to their customers rather than waiting to be asked for it.
Privacy policies usually have two elements:
strategic, stating broad principles about privacy to which the organisation
is committed; and
procedural, giving the details about how the principles are implemented
and how personal information is managed in practical terms.
The strategic element must be consistent with privacy principles and
standards set out in the legislation. The procedural element can be generated
in the workplace by workers and supervisors, and where practicable, with
input from consumers or users of the organisation’s services.
Policy is authoritative
While policy may be developed in different ways (including ideas first
raised by rank-and-file employees), it is ultimately ratified from the
top of an organisation and applied downwards and outwards. Policy therefore
enables management to direct what may and may not be done about personal
information by anyone acting on behalf of the organisation. Members of
the public should, therefore, have confidence that an organisation’s privacy
policy has the authority of the organisation’s senior management.
Other benefits of policy
In operational matters, a privacy policy gives managers and others a
position from which to determine how good the organisation’s services
are and how well it cares for its clients. The policy allows the setting
of standards about how the organisation functions in regard to handling
personal information.
The development and implementation of a privacy policy should also be
linked with the organisation’s staff training program, whether this be
part of an induction activity for new employees or part of an on-going
scheme aimed at having all staff familiar with and competent in carrying
through the organisation’s policies.
Getting ready to develop a privacy policy
Before an organisation can develop and implement a privacy policy, it
would be prudent to make sure the environment is well prepared and the
legislative framework is well understood. This preparation will entail
some or all of the following measures. (This section draws on the booklet
"How to Prepare for the Victorian Information Privacy Act", issued by the
Office of the Victorian Privacy Commissioner in May 2002.)
Appoint a Privacy Officer: someone who is, or can make themselves,
familiar with the legal obligations and who understands the Privacy Principles
and the context in which the organisation operates. The Privacy Officer
will provide leadership within the organisation on compliance with
obligations and set up the machinery for developing policy and dealing
with complaints. Depending on the size of the organisation and its
complexity, the position may not necessarily be a full-time one.
Establish a privacy committee representative of the
main parts of the organisation to support the Privacy Officer and
to advise on policy and practical issues requiring attention.
Set up an interim complaints handling process, but make
it clear that this process will be refined as part of the policy development
process (see below).
Conduct an analysis of the current situation in regard to
how the organisation collects and handles personal information:
examine the collection of personal information, its use and disclosure,
its quality and security, access and correction, openness, the use
of unique identifiers, anonymity, and the flow of information across borders.
Use the material gained from the analysis above to identify
any areas that may present problems in complying with the privacy
laws and move into the policy development phase.
The process for developing policy
The process of policy-making is like making other decisions in the organisation:
the issues to be dealt with have to be identified and resolved, and at
the right level. Defining the extent of the problem and proposing solutions
will involve many people and take time, while the decision to ratify
the final policy will ultimately have to be made at the higher levels
of the organisation.

Policy-making steps
Experience in organisations suggests that a number of common steps occur
in the process.
Step 1: Make someone responsible for developing the policy
Once the need for a policy is identified (eg when a problem arises in
the organisation or there is a change in the environment, such as new laws),
it is important that someone (or a group of appropriate people) be given
the responsibility for developing the policy. Communication and consultation
are important elements in making sure a policy is effective: having someone
to facilitate this is vital.
Step 2: Check who is affected by the policy
Identify the "stakeholders" and their interests. Workers, managers,
clients and others affected by your organisation are a vital part of determining
the extent of the problem and the content of the policy. Some or all of
these parties should be included in consultations about the development
and review of the policy.
Step 3: Define the issues and work on content
The issues to be addressed, or problems to be solved by the policy, must
be clearly identified. The first thing to look at is how far the policy
should go – its scope and content. Some questions to consider include:
What do the employees and the organisation think needs to be done? Do
the clients have any input? What about broader industry standards? Are
there expert guidelines (eg from the Privacy Commissioner or Health Services
Commissioner)? What can the organisation do in the short-term? And in
the longer-term? What resources are available? What competencies exist?
What solutions to the policy issues do these suggest?
Step 4: Seek input
Build a platform for decision-making. Typically, there will be consultation,
feedback, amendment, some form of trialling and further feedback. In a
smaller organisation, you may seek input in a much less structured fashion,
but there should be some effort to publicise the draft policy and to encourage
comments. Place the draft where all can read it, and give contact details
for those who want to comment or raise questions. Allow a reasonable time
for this process but do not be too casual about closing off this stage.
Step 5: Seek ratification
Once the policy is fully developed it must be submitted for ratification
at the most appropriate level in the organisation. Major policies like
privacy always need to be ratified at board or senior organisational level.
Step 6: Implement, then revise and evaluate
At the time of submitting the policy for ratification, you should also
have devised a timetable for implementation, including details of the
resources needed. The timetable can be simple or considerably more complex.
In addition to a timetable for implementation, the policy should provide
for its own review and evaluation. The mechanisms for review and evaluation
are usually included in the policy document itself, but can also be set
at the point of ratification or dealt with separately. There may be no
need for complex procedures – evaluation can consist of a simple questionnaire
– but some form of review and evaluation is usually necessary to ensure
that a policy continues to be effective.
An effective policy is …
Simple and clear
A clear, well-expressed policy is integral to both communication
and accessibility. Write your policy in language and a format that
can be understood by all who are affected by it. Good communication
is part of the key to good policy.
Relevant and comprehensive
Understand the issues and problems that have created the need for
the policy. Make sure you undertake adequate research and consultation.
As well as any legislative obligations, you need to canvass industry
standards, best practice, and particular practices relevant to your
organisation. You should also try to anticipate changes that might
be in the wind and any likely future needs.
Clear about the lines of responsibility
Telling people what to do is easy, but you also have to let them
know who to contact when they have questions and make it clear who
they have to report to under the policy.
Communicated and accessible
Policies direct workers in the performance of their professional
and legal duties. They have an impact on their legal responsibilities.
Explain the policy to all staff. Make your notices clear and concise;
keep your manuals user-friendly. Use a variety of modes of communication,
such as posters, notices in meeting rooms or reception areas, and
the organisation's website.
Updated
Include a clause stating when and how it can be updated. Follow through
with regular reviews.
Complaints handling process
Make sure the privacy policy has clear information about how the organisation
deals with complaints, from clients or the general public and from members
of the organisation itself. Prompt, fair and effective handling of complaints
can save the organisation considerable time and resources in the long
run. Very few concerns should be allowed to remain unresolved long enough
to see them turn into formal proceedings.
The policy document should make clear what the procedure is, what timeline
will be observed, who in the organisation is responsible for handling
complaints and what remedies might be available where a breach of privacy
is shown to have occurred. As a preventive measure, a process for sharing
experiences of complaints within the organisation and monitoring the outcomes
of the complaints procedure should be built into the structure of the
complaints machinery.
Links to:
Websites of three Commissions and their guidelines.
Privacy Victoria: www.privacy.vic.gov.au
Victorian Health Services Commissioner: www.health.vic.gov.au/hsc/
Federal Privacy Commissioner: www.privacy.gov.au
Examples of policy
Maroondah Council www.maroondah.vic.gov.au
St Vincent’s Hospital www.svhm.org.au/
Sparke Helmore’s website privacy policy www.sparke.com.au/privacystatement.htm
Acknowledgements
Material used in the development of this Policy Guide includes extracts
from the Law for Human Services – Taking Care CD-ROM 2003, written by Margaret
White and Susan Bunting, Social and Equity Consulting Group, and How to
Prepare for the Victorian Information Privacy Act, Office of the Victorian
Privacy Commissioner, May 2002. Compiled and edited by Frank Golding.
© Victoria Law Foundation