Notifying users of privacy matters

Before or at the time personal information is collected from users, entities must notify users of the matters set out in APP 5. These matters include the types of information that will be collected, how information will be collected, who information will be disclosed to, and whether information will be sent overseas.

Consider how you will present this information to users on a small screen, and draw their attention to the most important sections. In the OAIC's publication 'Mobile privacy: a better practice guide for mobile app developers', the OAIC's suggestions include:

  • use short form notices – these are notices that are no longer than a single screen and explain what data will be collected from users, and whether information will be shared with other parties. They should also link to the entity's full privacy policy (discussed further below);
  • provide consent notices – if consent is required for a specific collection or disclosure of personal information, a targeted notice should be provided to users which allows them to consent to the collection or disclosure;
  • provide a 'privacy dashboard' – offer users a privacy dashboard that is easy and straightforward to use, so that they can adjust their privacy settings themselves;
  • get creative – try to avoid large slabs of text by using other techniques such as graphics, colour and sound to draw users' attention to important privacy matters.

Recording acknowledgement and consent

Consider how you will maintain appropriate evidence that notice of the APP 5 matters was given to users at the appropriate time and that users consented (where necessary) to specific collections and disclosures. Tick-boxes built into the app can record the user's acknowledgement that they have read the privacy notifications outlined above, and/or consent to certain collections and disclosures.

The OAIC expects you to generally highlight privacy practices and obtain acknowledgement and consent during the download or purchase process and also upon first use. You can also use tick-boxes to provide users with the opportunity to 'opt out' of receiving direct marketing material, as required by APP 7.

You may need to make additional privacy disclosures and obtain additional consents after the app is downloaded, depending on the app's functions. For example, if the app accesses a user's calendar information, the first time that this function is activated the user should be notified that their calendar data is going to be collected and be able to opt out of this feature.

Privacy Policy

Under APP 1, entities must also have a clearly expressed and up-to-date Privacy Policy that sets out how they handle personal information. The Privacy Policy should be easily located through the app.

At a minimum, a Privacy Policy must contain the following information:

  • the kind of personal information that the entity collects and holds;
  • how the entity collects and holds personal information;
  • the purposes for which the entity collects, holds, uses and discloses personal information;
  • how an individual may access their personal information and seek the correction of such information;
  • how an individual may complain about a breach of the APPs, or a registered APP code (such as the Credit Reporting Code), and how the entity will deal with such a complaint;
  • whether the entity is likely to disclose personal information to overseas recipients, and if so, the countries in which such recipients are likely to be located (if practicable).

If you have a single Privacy Policy for the entire business, ensure that it includes the handling of personal information that is collected via the mobile app.

If changes are made to a Privacy Policy, users should be informed of the changes in advance and told exactly what aspects of the Privacy Policy are changing. Depending on the nature of the changes, you may need to obtain the user's consent (for example, via a tick-box).