Allan Yeoman and Keri Johansson, Buddle Findlay

The Privacy Commissioner, John Edwards, has told businesses that it’s “time to raise your game” and improve the transparency of their privacy practices. In a recent online blog post, the Commissioner sends a clear message that he expects businesses to do more to make sure customers are aware of how their information is being collected and used, especially when the Privacy Bill 2018 becomes law.

Currently, it’s common to tell customers how you handle personal information in a privacy policy. That policy is probably linked at the bottom of your website, and before customers buy your products, you might ask them to tick a box saying they agree to it. In practice, probably very few people actually read the privacy policy before ticking “I agree”, and if they did choose to read it, they’d probably need around 15 to 18 minutes to spare, and at least a university reading level.

A privacy policy serves two key legal purposes:

1. It tells people what personal information you are collecting, why, and what you will do with it. This is because the Privacy Act says that agencies need to take “reasonable” steps to ensure people are aware of these things.

2. In some situations, if you need broader rights to use or disclose personal information than would normally be legally allowed, a privacy policy can serve as “authorisation” of those broader rights. This is because the Privacy Act says that when you collect personal information from someone for one purpose, you can only use it for that purpose. There is an exception to this rule where you believe on “reasonable” grounds that the person authorises you to use or disclose their information for something else.

In both situations, you need to do what is “reasonable” in the circumstances. You need to take “reasonable” steps to ensure the person is aware of your privacy practices, and you need reasonable grounds to believe someone has authorised you to use or disclose their personal information for something other than the original purpose of collection.

The Commissioner’s post says that simply putting this information in a privacy policy (without evidence that customers read and understand the policy) is not necessarily reasonable. This is most likely to come up where the privacy policy is complex, or says something unexpected or unfair.

For example, let’s say you provide an online service with a monthly subscription. Customers subscribe via your website with their contact and payment information. Even without reading your privacy policy, customers will expect you to use their personal information to provide them with the service, but they probably don’t expect you to sell their information to a United States data broker. Similarly, if you’re a global household brand, they might expect you to share their details with other entities in your group, but they probably don’t expect you to be sharing it with other people.

The Commissioner’s post suggests that in these unexpected situations, businesses cannot rely on the fact that the practice is explained somewhere in a privacy policy, especially if it’s buried in complex terms and legalese. He will be looking for evidence that it’s actually reasonable to believe that customers understand what is in the policy, and that authorisation from individuals is genuine and informed.

Although the Commissioner’s blog post presents this as a change, we don’t think that it is really a shift in the law, or how it is interpreted. The obligations to be reasonable are already in the current Privacy Act, and it’s already difficult to enforce unexpected or onerous clauses in standard terms under New Zealand law, especially for consumer products and services.

However, we do think this means that the Commissioner will be paying closer attention to these issues, and intends to use his expanded powers under the Privacy Bill to improve transparency around privacy practices. For example, under the Bill, the Commissioner will be able to issue compliance notices, to require agencies to make changes where their privacy practices are not up to scratch.

We think now is a good time for all organisations to review their privacy policies and consider:

1. Are they clear and easy to understand?

2. Are they presented in a way that encourages people to read them?

3. Is there anything unexpected in there that should be brought to people’s attention more prominently (e.g. via a separate tick box)?

4. Can we increase customer control over their personal information in some other way (e.g. by letting them change their own privacy settings, or using other features of “privacy by design”)?

Answering these questions will go a long way towards meeting the “reasonable” criteria, and help businesses get ready for when the Bill becomes law in early 2020.

Allan Yeoman is a partner and Keri Johansson is a senior associate at Buddle Findlay.