What is bundled consent?

On 23 August 2013, the Office of the Australian Information Commissioner (OAIC) released the first tranche of the draft Australian Privacy Principles Guidelines (Guidelines) for public consultation.  The first tranche of the draft Guidelines deal with Australian Privacy Principles (APPs) 1 to 5 and are intended to:

• assist private and public sector entities in understanding and complying with their obligations under the APPs;

• explain how the Information Commissioner will interpret and apply the APPs when exercising its powers under the Privacy Act 1988 (Cth) (Privacy Act), as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth); and

• enable the public to develop a better understanding of how their personal information is managed and utilised by entities.

“Bundled Consents” – trouble down the track?

In Chapter A of the Guidelines, the OAIC have provided simple definitions of some of the key terms that will be used in the Privacy Act, including the term “consent”.  The term “consent” is explained in the Guidelines¹ as consisting of the following elements:

• it must be provided voluntarily;

• the individual must be adequately informed of what they are consenting to;

• it must be current and specific; and

• the individual must have the capacity to understand and communicate their consent.

The Guidelines go on to deal with the potential problems caused by “bundled consent”.

What is bundled consent?

Bundled consent refers an entity using a single document or single request process to ask an individual to consent to a wide range of collections, uses and disclosures of their personal information, without giving them the opportunity to choose which of those collections, uses and disclosures they are willing to consent to.²

The Guidelines suggest that the use by entities of a “bundled consent” mechanism has “the potential to undermine the voluntary nature of consent”.³  This could be an issue in particular for electronic, retail or marketing entities that use singular, simplistic forms when asking consumers for their personal details and permission to use those details.

What can entities do to avoid this problem?

1. Create separate and straightforward forms for different collections, uses or disclosures of personal information.

In order for an entity to avoid the potential problems associated with “bundled consent”, it will be necessary for it to:

• have different forms or documents in place to ask individuals to consent to particular kinds of collections, uses or disclosure of personal information;

• ensure that the forms or documents that it has in place allow individuals to selectively determine how they are willing for their information to be used and for how long;

• ensure that the forms or documents are easily understandable, in order to enable individuals to understand what it is they are agreeing to.

2. Introduce internal programs and policies for the management of personal information.

The Guidelines make it clear that the obligations of entities under the APPs extend to developing programs and policies for the maintenance of personal information and importantly, that all of these programs and policies need to be maintained on an ongoing basis as their obligations are constant.⁴  The Guidelines stress the need for entities to:

• identify what kind of entity they are and accordingly, when they can collect different kinds of personal information;⁵

• have a program in place to enable them to differentiate between personal information and sensitive information and to manage that information (whether it can be retained or needs to be destroyed);⁶ and

• have a program in place to enable them to notify individuals:⁷

  • that they have their personal information;

  • about the facts and circumstances of the collection of the information;

  • about whether the collection is authorised by law and about why the information was collected; and

  • of the possible consequences for that individual if personal information is not collected.

3. Create a new or amend their existing Privacy Policy.

The Guidelines stress the need for entities to have a clearly expressed and up to date APPs Privacy Policy (Policy) outlining how they manage personal information.⁸  The Guidelines suggest that entities ensure:

• their Policy is available on their website – being easy to access and download;⁹

• their Policy explains how it manages the personal information it collects;¹⁰

• their Policy is easily understandable;¹¹

• that if appropriate, the reader is aware that they can deal anonymously or by a pseudonym with the entity;¹²

• they use a “layered” approach when explaining their Policy (giving readers the option to read a shorter and simpler version of the full Policy, with links to the more detailed information in the full Policy);¹³

• their Policy is directed to the different audiences who may use it – such as the elderly, those who do not have internet access, the disabled, etc;¹⁴ and

• their Policy should be arranged clearly – making use of headings or a separate discussion of issues where appropriate.

Where to from here?

Although the Guidelines will not have legislative force, they will be used actively by the OAIC in determining how to exercise their powers.  Accordingly, it is advisable that entities review and, if necessary, modify their current Privacy Policies and Privacy management systems and policies.

Lavan Legal comment

You need to review your privacy management programs and systems and your privacy policy to identify where it may be necessary for you to make changes before the new privacy laws come into force on 12 March 2014.  Don’t leave it too late.