Question mark  What


Decide what to include by working out:

  • what personal information you hold;
  • what you do with it and what you are planning to do with it;
  • what you actually need;
  • whether you are collecting the information you need;
  • whether you are creating new personal information; and
  • whether there are multiple data controllers.

If you are relying on consent, you should:

  • display it clearly and prominently;
  • ask individuals to positively opt-in;
  • give them sufficient information to make a choice;
  • explain the different ways you will use their information, if you have more than one purpose;
  • provide a clear and simple way for them to indicate they agree to different types of processing; and
  • include a separate unticked opt-in box for direct marketing.

Also consider including:

  • the links between different types of data you collect and the purposes that you use each type of data for;
  • the consequences of not providing information;
  • what you are doing to ensure the security of personal information;
  • information about people’s right of access to their data; and
  • what you will not do with their data.

Question mark  Where


Give privacy information:

  • orally;
  • in writing;
  • through signage; and
  • electronically.

Consider a layered approach:

  • just-in-time notices;
  • video;
  • icons and symbols; and
  • privacy dashboards.

Question mark  When


Actively give privacy information if:

  • you are collecting sensitive information;
  • the intended use of the information is likely to be unexpected or objectionable;
  • providing personal information, or failing to do so, will have a significant effect on the individual; or
  • the information will be shared with another organisation in a way that individuals would not expect.

Question mark  How


Write and present it effectively:

  • use clear, straightforward language;
  • adopt a style that your audience will understand;
  • don’t assume that everybody has the same level of understanding as you;
  • avoid confusing terminology or legalistic language;
  • draw on research about features of effective privacy notices;
  • align to your house style;
  • align with your organisation’s values and principles;
  • be truthful. Don’t offer people choices that are counter-intuitive or misleading;
  • follow any specific sectoral rules;
  • ensure all your notices are consistent and can be updated rapidly; and
  • provide separate notices for different audiences.

Reviewer's clipboard  Test and review


Before roll out:

  • test your draft privacy notice with users;
  • amend it if necessary.

After roll out:

  • keep your privacy notice under review;
  • take account of any complaints about information handling;
  • update it as necessary to reflect any changes in your collection and use of personal data.