Virtually all New Zealand businesses will have some form of privacy policy in place. These policies are used to explain to customers how the business collects, handles, and shares their personal information. The content of these policies tends to vary greatly from business to business.
In addition, section 22 of the Privacy Act 2020 (the Act) contains 13 Information Privacy Principles that govern how businesses and organisations should collect, handle and use personal information.
In this article, we examine some common issues we encounter with privacy policies, as they relate to the Act, and explore the interplay of privacy policies with a selection of the Information Privacy Principles.
Defining “personal information”
The Act defines personal information broadly as "information about an identifiable individual"[1]. The wording is identical to that used in the previous Privacy Act 1993. Over the years, the Privacy Commissioner has built up a body of examples of information that falls within the definition.
However, at AJ Park, we frequently see agencies choosing to define "personal information" differently, either in a broader or a narrower form.
Sometimes, the chosen definition is drafted to capture all data held by a business, even if such data is purely "corporate" rather than "personal". This broad definition is inconsistent with the wording used in the Act and will increase the chance of the business breaching its own policy.
More commonly, we see agencies basing their policies on a bespoke or overly-narrow definition of "personal information", for example "information relating to a specific customer of the business". Again, this wording is inconsistent with the wording of the Act. It may also risk misleading customers about the scope of their privacy rights.
Drafters of policies should carefully consider whether the language of the policy is consistent with the language of the Act and the Information Privacy Principles.
Raising the standards
The word "reasonable" features in 9 of the 13 Information Privacy Principles. For example, Information Privacy Principle 5 requires agencies that hold personal information "ensure that the information is protected, by such security safeguards as are reasonable in the circumstances to take" against loss, unauthorised access, use, modification, or disclosure, and other misuse.
The standard here is "reasonable in the circumstances". Despite this, many privacy policies purport to commit the relevant agency to either unachievable or ambiguous security standards.
Wording such as "we commit to best industry security practice" is absolutely well-intentioned, but will require careful drafting so as to address the ambiguity inherent in "best practice".
The same goes for any purported commitment to using "all best endeavours" to meet certain security standards; a phrase which, unsurprisingly, has a litigious history and can result in a party having to work against its own financial interests.[2]
In this situation, it would be better to simply reflect the wording used in Information Privacy Principle 5. Agencies could also refer to information security standards they are certified under, such as ISO/IEC 27001.
Notifying the customer
Information Privacy Principle 3 obliges agencies to take "any steps that are, in the circumstances, reasonable" to ensure the individual concerned is aware of the specified matters. These matters include notifying the customer of the purpose of collection, and the intended recipients of the information.
In our experience, most businesses will do a good job of describing the purpose for collecting personal information, and the intended recipients of it. The problem tends to be that the policy itself is not brought to the customer’s attention. Privacy policies are frequently buried deep in organisational websites, or included as a small inconspicuous hyperlink far away from the where the customer would normally browse.
When it comes to notifying customers of a privacy policy, what is reasonable in the circumstances is highly fact-specific, but might include a mechanism that requires the customer to actually read, and actively acknowledge, the privacy policy before the customer begins inputting personal information in the website’s user fields.
Clarity of language
As the Privacy Commissioner has noted, a legalese-dense 35-page privacy policy is unlikely to discharge an agency’s obligations under Information Privacy Principle 3, even if the policy is brought to the customer’s attention.[3]
The best privacy policies are clear, concise, and follow a logical structure. Every paragraph should have a definitive purpose. The wording should maintain consistency with the Information Privacy Principles and any relevant industry-specific rules.
On that note, there is a growing number of secondary "Codes of Practice" relating to privacy, including the Health Information Privacy Code 2020, the Credit Reporting Privacy Code 2020, and the Telecommunications Information Privacy Code 2020. In this respect, the buck does not stop with the Act.
Conclusion
It is increasingly important for businesses to ensure their customers understand how their personal information is collected, used, and disclosed.
AJ Park offers a range of services for helping you manage personal information relevant to your business, and to ensure your systems align with the Privacy Act and its principles. For help in this area, reach out to one of our specialists.
[1] Privacy Act 2020, section 7(1).
[2] Jet2.Com Ltd v Blackpool Airport Ltd [2012] EWCA Civ 417.
[3] https://privacy.org.nz/blog/click-to-consent-not-good-enough-anymore/.