Privacy Principle 6: Openness Principle
Organizations should make available a description of their personal
information handling policies and a high-level description of the procedures
and practices to individuals who ask. They should also provide the name of the person,
or the position, responsible for ensuring privacy practices are followed within the organization.
Organizations should clearly communicate the existence of the collection of personal
information, the types of personal information collected,
and the intended purpose for using the personal information.
Question: Do you make available details on the type of personal information you handle,
how it is used and disclosed, and how to access it?
Discussion:
Many organizations are not prepared to answer questions about their privacy practices, either because the practices have not been properly defined, or because specific details and procedures have not been disclosed to the customer support personnel who should be able to handle these requests.
Some organizations make the mistake of thinking it is good enough to just stick a privacy policy on one of their website pages. To be effective, and to demonstrate due diligence, organizations need to provide information about privacy policies and practices in a number of ways, and on a regular basis. Privacy notices should be included wherever there is interaction with customers, including printed forms and voice communications.
Suggested Policy:
Company X must make its privacy policies and practices available to consumers in multiple ways, such as on websites, on printed forms and communications, via email, within recorded messages, and so on.
Part of the principle of openness is to use clear language that customers can understand. Too often organizations write privacy policies and practices in a manner that uses specifically legal terms and contains multiple, confusing clauses and conditions. Organizations should communicate privacy practices and policies in simple, easy-to-understand language.
Note: Assessment and discussion from the Privacy Management Toolkit, Version 1. The
Privacy Impact Assessment within the Toolkit contains a complete assessment.