
The Australian Government Information Management Office Archive

The content on this page and other AGIMO archive pages is provided to assist research and may contain references to activities or policies that have no current application. See the full archive disclaimer.

Guide to Minimum Website Standards - Privacy


This guidance has been superseded by the Australian Government Web Publishing Guide and should be used for reference purposes only.

April 2003 edition.  Contact details updated July 2004.

Chapter headings:
What is the standard, and which agency issued the standard? - Implementation Requirements - Background - Key things you should know - Further Assistance - FAQ

Privacy

What is the standard, and which agency issued the standard?

The privacy standards are the Guidelines for Federal and ACT Government World Wide Websites, which were issued by the Privacy Commissioner, and mandated by the Government as part of the Government Online strategy. The Guidelines are available at http://www.privacy.gov.au/internet/web/index.html.

Agencies should also ensure that their activities comply with the Privacy Act (1988).  

Implementation Requirements

All agencies were required to have implemented these guidelines by 1 June 2000.

Background

The Privacy Act binds Commonwealth agencies in the handling of personal information. Agencies must abide by the Information Privacy Principles (IPPs) in section 14 of the Act. The IPPs set out general rules for collecting, storing, using and disclosing personal information. They also contain rules for individual access to and correction of personal information, although in practice these matters are handled via the FOI Act. For the text of the IPPs see www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/index.html#s14

The Guidelines for Federal and ACT Government World Wide Websites supplement the IPPs specifically for the handling of personal information through websites.

Key things you should know

The Guidelines for Federal and ACT Government World Wide Websites contain four guidelines with which an agency's website(s) must comply. Compliance with these four guidelines will also mean that the online activities comply with the Privacy Act. The guidelines are:

Guideline One - Openness

Agency websites should incorporate a prominently displayed privacy statement. This should state:

- What information is collected;
- For what purpose;
- How this information is used;
- If it is disclosed and to whom; and
- Address any other relevant privacy issues.

Guideline Two - Collection of Personal Information via the website

Agencies that solicit or collect personal information through their websites must comply with IPPs 1-3. Agency website privacy statements should include a statement regarding this collection which complies with IPP 2. Where an online form is used to collect personal information, an IPP 2 statement should be on the same page as the form or prominently linked to it.

Guideline Three - Security

If agencies collect personal information via an agency website, this should be done by sufficiently secure means. Individuals should be provided with alternative means of providing personal information to the agency, other than via the website. The agency's privacy statement should address security issues where appropriate.

Guideline Four - Publishing Personal Information on a website

Where agencies are considering the publication of personal information regarding individuals on the web, they should be sure that this complies with IPPs 1-3, 10 and 11.

Privacy Checklist

A checklist to help ensure that your agency complies with the privacy guidelines is provided at Attachment C.

Further Assistance

Websites - www.privacy.gov.au

Contact Person - Brant Pridmore, Director of Compliance, Office of the Federal Privacy Commissioner

Telephone - (02) 9284 9600

Fax - (02) 9284 9666

E-mail - brantpridmore@privacy.gov.au 

Address - Level 8 Piccadilly Tower, 133 Castlereagh Street, Sydney NSW 2000; GPO Box 5218, Sydney NSW 1024.

FAQ

Q. The Guidelines consider that staff details are personal information. Does this mean that these details can't be published on the Agency's website?

A. The web site privacy guidelines do not prevent the publication of staff details on agency websites. However, Guideline 4 and the Privacy Act both require agencies only to publish personal information in circumstances permitted by the Information Privacy Principles in s.14 of the Act. Technically speaking, publication should meet the requirements of IPP 10 and IPP 11. The best way is to get the individual's consent; that will satisfy both IPP 10 and IPP 11.

For some staff it is not strictly necessary to get consent. IPP 10 lets an agency use personal information for a purpose directly related to the purpose for which the agency first collected the information. IPP 11 lets an agency disclose personal information if the individual is reasonably likely to be aware that the information will be disclosed. Media liaison officers, contact officers for particular programs and senior executives are reasonably likely to be aware that the agency would publish their details on its web site. In addition, the nature of those people's positions requires their contact details to be published, so the purpose of publication would be directly related to the original purpose of collection and IPP 10 would be satisfied.

Even for such staff, though, it is good practice to let them know if it is proposed to publish their details and give them a chance to raise any concerns.

Agencies should take care about publishing other personal information, including lists of all staff. Many staff may not expect their names and contact details to be published on the internet and some may have legitimate security concerns about that happening.

Q. My Agency's web site only collects a site user's e-mail address and then only if a user sends an e-mail to us. Why is an e-mail address considered personal information?

A. The Privacy Act defines personal information as 'information ... about an individual whose identity is apparent, or can reasonably be ascertained, from the information ...'. Strictly speaking, some email addresses will be personal information and some will not. Mushroom23@hotmail.com would not be personal information but David.Stephanopoulos@affa.gov.au almost certainly would be. The safest course is to treat all email addresses as though they are personal information.

Q. We collect personal information via a form that users can download, print, fill in and mail to us. Do we have to have an IPP 2 notice on the form itself? Could we put the IPP 2 notice on the page from which the form is downloaded?

A. Guideline 2 reminds agencies of the need to have an 'IPP 2 statement' when collecting personal information. IPP 2 says that an agency must 'take such steps (if any) as are, in the circumstances, reasonable to ensure that ... the individual concerned is generally aware of' a number of matters. Usually it would be a reasonable step to have the IPP 2 information on the form itself. If space is limited, put what you can on the form and refer the individual to an easily accessible source of more detailed information, eg in a pamphlet or on the website.

Q. We collect different types of personal information through a number of different pages. But Guideline 2 says that the website privacy statement should include an IPP 2 statement for personal information collected through the site. How can our privacy statement cover all the different collections?

A. If a site collects personal information through a number of different pages, the site privacy statement could include an IPP 2 statement for each collection with a clearly marked link from each relevant page to the corresponding part of the site statement. But that would make the site privacy statement very complicated. It is probably simpler to link a separate IPP 2 statement to each page through which personal information is collected.

Q. We are aiming to deliver as high a proportion of our services as possible through our site. But Guideline 3 says we have to provide individuals with other ways of providing personal information. Doesn't this defeat the purpose?

A. All Guideline 3 requires is that the site privacy statement should warn people about the risks of transmitting information over the Internet. There is no need to exaggerate the risks. For instance, for all but very sensitive information it would be reasonable to say: 'While the risk of anyone intercepting and misusing information transmitted by email is usually very low, you should be aware that an individual with the right skills may be able to do this. If you prefer, you can contact us at: ...'.

Q. Guideline 3 says that the privacy statement should address security issues 'where appropriate'. What's appropriate?

A. If the site uses encryption technology in collecting personal information, the privacy statement should identify the product being used and describe the level of protection it provides. If no encryption is in use, the statement should mention the risks associated with sending unencrypted email (see previous question).
