Office of the Privacy Commissioner | NZ website privacy notices could do better to inform users
A sample of New Zealand websites surveyed by the Office of the Privacy Commissioner has found similar shortcomings as overseas websites when it comes to informing users about how personal information is collected, stored and used.
New Zealand contributed to an annual survey or sweep carried out by the Global Privacy Enforcement Network (GPEN). The 2017 GPEN Sweep focused on website privacy notices.
The investigation by 24 data protection and privacy regulators from around the world concluded that there was significant room for improvement in terms of specific details contained in privacy communications.
The privacy notices, communications and practices of 455 websites and apps in sectors including retail, finance and banking, travel, social media, gaming/gambling, education and health were assessed to consider whether it was clear what information was collected, for what purpose, and how it would be processed, used and shared.
In its findings, GPEN said website privacy notices were too vague and generally inadequate. The sweep found that organisations needed to be more open, honest and transparent in their online privacy notices about how they handle people’s personal data.
Overall, GPEN concluded that:
- Privacy communications across the various sectors tended to be vague, lacked specific detail and often contained generic clauses
- The majority of organisations failed to inform the user what would happen to their information once it had been provided
- Organisations generally failed to specify with whom data would be shared
- Many organisations failed to refer to the security of the data collected and held - it was often unclear in which country data was stored or whether any safeguards were in place
- Just over half the organisations examined made reference to how users could access the personal data held about them.
New Zealand contributed to the 2017 GPEN Sweep by surveying eight domestic websites. It found that six of the eight websites failed to explain how personal information was stored; four websites failed to adequately explain whether they shared data with third parties; and three of the websites failed to provide users with a clear means for deleting personal information collected by the website.
One clear observation which emerged from the survey of New Zealand website privacy notices was there seemed to be a general trend in retail sector websites of not advising consumers about how their information would be stored. There were also a significant number of observations of residual discretion by the website owners to share information with third parties.
Privacy Commissioner John Edwards says online retailers and other organisations which interact with the public through their websites have no excuse for not having a clear privacy statement explaining what happens with personal information.
The Office of the Privacy Commissioner’s website has an online tool which is free to use. The Priv-o-matic privacy statement generator can create an easy-to-understand privacy statement in minutes. It can be found here.
The 2017 GPEN Sweep international report can be accessed here.
A PDF copy of this media release can be downloaded here.
For more information, contact Charles Mabbett 021 509 735.