Background
Methodology
Overview of Results
2001 Audit results in detail
Guideline 1 Openness
Guideline 2 Collection of personal information
Guideline 3 Security
Guideline 4 Publication of personal information
Conclusion
Appendix 1 Complete Results
Appendix 2 Survey Form
The Internet has become an important means for the delivery of government services and information. Good website privacy practice is important in ensuring that Commonwealth government agencies handling personal information do not interfere with the privacy of individuals.
To assist agencies in adopting best privacy practice and in complying with the Privacy Act, the Privacy Commissioner issued Guidelines for Federal and ACT Government World Wide Websites in May 1999 (see www.privacy.gov.au/issues/p7_2.html). In April 2000 the Government included the guidelines in its Government Online strategy and required agencies to comply by 1 June 2000.
Most non-commercial Commonwealth agencies are required by the Privacy Act 1988 to comply with 11 Information Privacy Principles (IPPs). The guidelines provide specific guidance for Commonwealth agencies in the application of the IPPs to Commonwealth websites. They cover four areas of personal information handling: openness, collection, security, and publication.
In 1999 the Office of the Federal Privacy Commissioner (OFPC) conducted a pilot audit of Commonwealth websites to assess compliance with the guidelines. In 2000, the OFPC conducted a more formal audit of compliance. The results of the second audit were presented to agencies in November 2000. In May 2001 the OFPC initiated a follow up audit of Commonwealth government websites to assess progress with compliance.
The data sample for the audit was taken from the Federal Government web site www.fed.gov.au. At the time the audit commenced, the site contained links to 538 websites indexing over one million pages.
Of those sites, 250 (46.5 %) were audited. The sample included 125 sites that had been included in the 2000 audit together with another 125 sites not previously audited.
The audit was conducted from the point of view of the user and sought to determine whether each site was providing the user with sufficient information about the way it handles personal information. No information was used that would not be available to any user of the sites.
The cookie prompt from the Microsoft web browser (the warning the browser raises when a site attempts to set a cookie) was used to determine whether a site was using cookies. This method only reveals cookies a site attempts to set on the pages actually visited during the audit; a site that sets cookies elsewhere would be recorded as not using them.
It is important to note that websites are in a constant state of change, so that the results of this audit represent the state of affairs at a particular time. The data capture phase of the latest audit was undertaken over a six week period and was finalised on 10 July 2001.
Figure 1 sets out the results from the three audits (1999, 2000 and 2001) for the proportion of sites displaying privacy statements.
Compliance levels were very low in 1999, with less than one fifth (18 %) of websites complying with Guideline 1, which requires every Commonwealth government website to display a privacy statement. While there has been significant improvement since then, in 2001 almost one third (31.2 %) still did not comply with this fundamental requirement.
A full copy of the results and the survey form used for the collection of data for the current audit are located at the end of this report.
Although a number of questions were used to assess compliance by Commonwealth agencies against the four guidelines, four key questions may be used to illustrate how Commonwealth agencies are handling personal information through their websites:
Figure 2 shows the 2001 audit results for websites that were audited in 2001 only and websites that were audited in both 2000 and 2001. Websites audited in 2000 and 2001 had a considerably higher rate of compliance with the basic requirement to display a privacy statement (80 %), than websites that were audited for the first time in 2001 (57.6 %).
While the proportion of Commonwealth websites that display privacy statements has increased from 18 % in 1999 to 68.8 % in 2001, it is a matter for concern that nearly a third of Commonwealth websites still do not display any privacy statement.
Less than one quarter (21.6 %) of all websites that collect personal information had an adequate Information Privacy Principle 2 (IPP2) statement or a direct link to a privacy statement.
Less than half (42 %) of all websites audited warn users of the risks of transmitting data across the Internet. All websites that collect personal information should provide a warning of the risks associated with using the Internet or provide secure facilities.
Only 2.8 % of sites audited (7 sites, out of the 9 that offered online purchasing) provided secure, encrypted facilities for the transmission of personal information.
Three quarters (75.2 %) of all websites audited display personal information about agency staff. This includes information relating to names, photographs, work addresses, work and mobile phone numbers, facsimile numbers and biographical details.
Wherever websites collect personal information from the individuals concerned, agencies are required to comply with the requirements of IPP 2. The IPP 2 statement must advise the individual of the purpose of collection, the legal authority or requirement for collection and any usual disclosures of the information.
A number of agencies whose websites were recorded in 2000 as not containing a privacy statement had complied with this requirement by 2001. This is illustrated by comparing the 2000 data in Figure 3, where approximately half (57 %) of the websites had privacy statements, with the data for sites audited in both 2000 and 2001, which now have a compliance level of 80 %.
Almost one quarter (20.4 %) of larger agencies and more than one third (37.6 %) of smaller agencies still need to include a privacy statement in their websites.
The information included in the privacy statements reviewed indicated that most compliance levels ranged between 60 % and 70 %. Information regarding cookies and their use was low, with only 41.6 % of websites advising individuals that they use them and only 28.4 % explaining what cookies are and how they are used on the particular website.
This guideline requires that agencies that solicit or collect personal information via their websites must comply with IPPs 1-3. In particular, agency websites should provide a statement for each collection of personal information that complies with IPP 2. Where an online form is used to collect personal information the statement should be on the same page as the form or prominently linked to it.
Websites that collect personal information via transmission over the Internet account for 47.6 % of sites audited. However, less than half of those websites (45.4 %) complied with Guideline 2 by supplying an IPP 2 statement on the page or a prominent link to an IPP 2 statement forming part of the agency's privacy statement.
If personal information is collected via an agency website this should be done by sufficiently secure means. Individuals should be provided with alternative means of providing personal information to the agency other than via the website. The privacy statement should address security issues where appropriate.
There are risks involved with the transmission of personal information across the Internet. The audit examined sites to determine whether they were displaying an appropriate warning and, where a site allows for electronic purchasing, whether secure means of transmission were provided.
As seen in Figure 6, 47.6 % of websites collect personal information that is transmitted over the Internet. However, less than half of the sites that collect personal information in this way warn users of the risks of transmitting data over the Internet. A very small number of all sites (3.6 %, or 9 sites) provide online purchasing, and 2.8 % (7 sites) provide secure facilities for doing so.
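The user-side checks described in the methodology and under Guidelines 2 and 3 (does the site set cookies, does a page that collects personal information link to a privacy statement, does it warn of the risks of Internet transmission, and does the form submit over a secure connection) can be automated. The script below is an added example written for this edit, not part of the OFPC audit or of any survey tooling. It runs offline against a constructed page and constructed response headers, reads Set-Cookie headers in place of the browser cookie prompt, and treats any form field whose name contains name, email, address, phone or postcode as personal information; that field list and the keyword test for a risk warning are heuristics, labelled as such in the code.

```python
"""Added example: automated checks corresponding to the audit questions on
cookies (Q5), a linked privacy statement (Q1/Q2), collection of personal
information through online forms (Q11/Q19), a transmission-risk warning (Q20)
and secure transmission (Q23). All input is constructed inline; nothing is
fetched from the network."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments treated as personal information (Q19a-c). Heuristic:
# a real audit would also read the visible label beside each field.
PERSONAL_FIELD_HINTS = ("name", "email", "e-mail", "address", "phone", "postcode")


class _PageScanner(HTMLParser):
    """Collect forms, their input names, anchor links and visible text."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []        # [{"action": absolute URL, "fields": [names]}]
        self.links = []        # [(absolute href, anchor text, lower-cased)]
        self.text = []         # every visible text fragment on the page
        self._in_form = False
        self._href = None      # href of the anchor currently open, if any
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._in_form = True
            self.forms.append({"action": urljoin(self.base_url, a.get("action", "")),
                               "fields": []})
        elif tag in ("input", "textarea", "select") and self._in_form and a.get("name"):
            self.forms[-1]["fields"].append(a["name"].lower())
        elif tag == "a" and "href" in a:
            self._href = urljoin(self.base_url, a["href"])
            self._anchor_text = []

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False
        elif tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._anchor_text).strip().lower()))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)


def audit_page(url, response_headers, html):
    """Return the audit findings for one page.

    response_headers is a list of (name, value) pairs so that repeated
    Set-Cookie headers are all seen, as the browser cookie prompt would see them.
    """
    scanner = _PageScanner(url)
    scanner.feed(html)
    text = " ".join(scanner.text).lower()

    cookie_names = [v.split("=", 1)[0].strip()
                    for k, v in response_headers if k.lower() == "set-cookie"]
    privacy_links = [href for href, label in scanner.links
                     if "privacy" in label or "privacy" in href.lower()]
    forms = []
    for form in scanner.forms:
        personal = sorted({f for f in form["fields"]
                           if any(h in f for h in PERSONAL_FIELD_HINTS)})
        forms.append({
            "action": form["action"],
            "personal_fields": personal,
            "collects_personal_info": bool(personal),
            # Q23: the submission itself is protected only if the action URL is https
            "secure_transmission": urlsplit(form["action"]).scheme == "https",
        })
    return {
        "sets_cookies": bool(cookie_names),
        "cookie_names": cookie_names,
        "privacy_statement_linked": bool(privacy_links),
        "privacy_links": privacy_links,
        # Q20, keyword heuristic: the page text mentions both the Internet and risk
        "warns_of_transmission_risk": "internet" in text and "risk" in text,
        "forms": forms,
        "collects_personal_info": any(f["collects_personal_info"] for f in forms),
    }


def compliance_gaps(report):
    """Map the findings to the guideline each one falls short of."""
    gaps = []
    if not report["privacy_statement_linked"]:
        gaps.append("Guideline 1: no privacy statement linked from this page")
    for form in report["forms"]:
        if form["collects_personal_info"] and not form["secure_transmission"]:
            gaps.append("Guideline 3: form %s collects %s over plain http"
                        % (form["action"], ", ".join(form["personal_fields"])))
    if report["collects_personal_info"] and not report["warns_of_transmission_risk"]:
        gaps.append("Guideline 3: personal information collected without a warning "
                    "about the risks of transmitting it across the Internet")
    return gaps


# Constructed sample page and response headers (not a real agency site).
SAMPLE_URL = "http://www.example.gov.au/feedback.html"
SAMPLE_HEADERS = [("Content-Type", "text/html"),
                  ("Set-Cookie", "session=abc123; path=/")]
SAMPLE_HTML = """<html><body>
<a href="/privacy.html">Privacy statement</a>
<p>Information sent over the Internet may be at risk of interception.</p>
<form action="/cgi-bin/feedback" method="post">
  <input name="fullname"> <input name="email"> <textarea name="comments"></textarea>
  <input type="submit" value="Send">
</form>
</body></html>"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML)
    for key in ("sets_cookies", "cookie_names", "privacy_statement_linked",
                "warns_of_transmission_risk", "collects_personal_info"):
        print("%-28s %s" % (key, report[key]))
    for gap in compliance_gaps(report):
        print("GAP:", gap)
```

On the constructed page the script finds the cookie, the privacy link and the risk warning, but reports one gap: the feedback form collects a name and e-mail address and posts them to a plain http URL. Note that the check looks only at the form's action URL; a form served over http that posts to https is still exposed to tampering of the page itself, so a full assessment would also require the page that carries the form to be served securely.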
The guidelines also require that individuals must consent to having their personal information published on a website, or that one of the other exceptions to IPP 11.1 in section 14 of the Privacy Act applies to the publication. While agency heads and senior staff may expect to have information published about them because of their high profile positions, this would not necessarily be the case for other staff.
Given that the audit looked at the sites from a user's viewpoint, it was possible only to record whether personal information is published online. In order to confirm that personal information has been collected in accordance with the Information Privacy Principles, staff from the OFPC would need to conduct on-site audits. Conducting audits of Commonwealth agencies is a function of the Commissioner under s.27 of the Privacy Act and it is likely that future audits of Commonwealth agencies will include a review of the collection, use, storage and disclosure of personal information through websites.
Approximately three quarters of all websites audited published some personal information. This information generally related to agency heads (58.8 %) and Board members (61.6 %). Approximately one third of sites (33.6 %) offered Contact Officer details.
Compliance with the guidelines is increasing but overall it is still at a disappointingly low level. Of the 250 sites audited, 31.2 % had no privacy statement at all.
Websites that were not audited in July 2000 have lower compliance rates in relation to privacy statements (57.6 %) than do sites audited in both 2000 and 2001 (80 %). Almost one quarter (20.4 %) of larger agencies and more than one third (37.6 %) of smaller agencies still need to include a privacy statement in their websites.
As part of the Government Online strategy, agencies were required to comply with the guidelines by June 2000.
Following the 2000 audit, the OFPC has gone to considerable lengths to facilitate Commonwealth agency compliance with the website guidelines. These include:
As shown in Figure 2, websites that were audited in both 2000 and 2001 are performing significantly better in relation to the inclusion of a privacy statement but still not as well as they should. It is also a matter of concern that in the areas of collection and security, levels of compliance with the guidelines remain inadequate.
Overall, it is clear that a number of agencies need to devote more systematic attention to ensuring that their websites comply with the guidelines.
| Question | Totals | Percentage (of 250 sites) |
|---|---|---|
| Site previously surveyed? | 125 | 50 |
| Survey completed? | 250 | 100 |
| 1. Does the site have a privacy statement? | 172 | 68.8 |
| 2. Is the statement easy to find? | 156 | 62.4 |
| 2a. Is the statement on the home page? | 153 | 61.2 |
| 2b. Links to privacy statement on most pages? | 119 | 47.6 |
| 3. Advise users of clickstream data? | 167 | 66.8 |
| 4. Identify what clickstream data collected? | 162 | 64.8 |
| 5. Cookies used? | 104 | 41.6 |
| 6. Statement explain use of cookies? | 71 | 28.4 |
| 7. Statement indicate that cookies not used? | 48 | 19.2 |
| 8. Statement identify type of personal information collected? | 159 | 63.6 |
| 9. Statement identify how personal information used? | 161 | 64.4 |
| 10. Statement identify disclosures of personal information? | 27 | 10.8 |
| 11a. Does the site collect personal information? | 174 | 69.6 |
| 11b. Site collect personal information via transmission over the Internet? | 119 | 47.6 |
| 12. How many separate pages collect personal information? | 193 | 77.2 |
| 13. Does every page collecting personal info have adequate IPP 2 statement? | 54 | 21.6 |
| 14a. If inadequate IPP 2 statement, does page state purpose for collection? | 92 | 36.8 |
| 14b. If inadequate IPP 2 statement, does page state how info will be used? | 78 | 31.2 |
| 14c. If inadequate IPP 2 statement, does page identify any disclosures? | 5 | 2 |
| 15. What are the URLs of all pages with inadequate IPP 2 statements? | 0 | 0 |
| 16. Does this site have printable forms? | 112 | 44.8 |
| 17. Does each form have an adequate IPP 2 statement or a prominent link to such a statement? | 37 | 14.8 |
| 18a. If inadequate IPP 2 statement, does form state purpose for collection? | 101 | 40.4 |
| 18b. If inadequate IPP 2 statement, does form state how info will be used? | 88 | 35.2 |
| 18c. If inadequate IPP 2 statement, does form identify any disclosures? | 10 | 4 |
| 19a. Do any of the forms or pages collect e-mail address? | 139 | 55.6 |
| 19b. Do any of the forms or pages collect name details? | 161 | 64.4 |
| 19c. Do any of the forms or pages collect address (eg postal/home)? | 137 | 54.8 |
| 19d. Do any of the forms or pages collect other information (please state)? | 0 | 0 |
| 20. Does site warn users of the risk of transmitting data across the Internet? | 105 | 42 |
| 21. Does site provide alternative means of providing personal or purchasing info? | 225 | 90 |
| 22. Does site provide online purchasing? | 9 | 3.6 |
| 23. Are there secure facilities for transmission of purchasing data? | 7 | 2.8 |
| 24. Does site contain personal details of agency individuals? | 188 | 75.2 |
| 25a(i). Name of Head of Agency? | 147 | 58.8 |
| 25a(ii). Address of Head of Agency? | 29 | 11.6 |
| 25a(iii). Phone number of Head of Agency? | 47 | 18.8 |
| 25a(iv). Position title of Head of Agency? | 136 | 54.4 |
| 25a(v). Biographical details of Head of Agency? | 65 | 26 |
| 25a(vi). Other details of Head of Agency? | 0 | 0 |
| 25b(i). Name of Board members or other senior staff? | 154 | 61.6 |
| 25b(ii). Address of Board members or other senior staff? | 26 | 10.4 |
| 25b(iii). Phone number of Board members or other senior staff? | 49 | 19.6 |
| 25b(iv). Position title of Board members or other senior staff? | 127 | 50.8 |
| 25b(v). Biographical details of Board members or other senior staff? | 58 | 23.2 |
| 25b(vi). Other details of Board members or other senior staff? | 0 | 0 |
| 25c(i). Name of Contact Officers? | 84 | 33.6 |
| 25c(ii). Address of Contact Officers? | 38 | 15.2 |
| 25c(iii). Phone number of Contact Officers? | 85 | 34 |
| 25c(iv). Position title of Contact Officers? | 56 | 22.4 |
| 25c(v). Biographical details of Contact Officers? | 1 | 0.4 |
| 25c(vi). Other details of Contact Officers? | 3 | 1.2 |
Website Survey: Follow-up Survey 2001
Agency:
Portfolio Department:
URL:
Date site examined:
Guideline 1:
1) Does the web site have a privacy statement? Y N
2) Is the statement prominent eg easy to find? Y N NA
3) Does the statement advise users whether it collects clickstream data? Y N NA
4) Does the privacy statement identify what clickstream data is collected? Y N NA
5) Does the site use cookies? Y N
6) If Y, does the statement explain the use of cookies? Y N NA
7) If N, does the privacy statement state this? Y N NA
8) Does the privacy statement state how personal information is collected, for example, using forms? Y N NA
9) Does the privacy statement clearly state to which uses the collection of personal information will be put? Y N NA
10) Does the privacy statement set out any disclosures resulting from the collection of personal information? Y N NA
Guideline 2:
11) Does the site collect personal information? Y N
12) Through how many separate pages is personal information collected?
........ pages
[NB see how this question works in practice and delete if impractical.]
13) Does every page that collects personal information have an adequate IPP 2 statement to address this collection (not forms)? Y N NA
14) If N, does the page:
(a) state the purpose for collection? Y N NA
(b) state how the information will be used? Y N NA
(c) identify any disclosures? Y N NA
15) If N, please insert the URL of any page that collects personal information and which does not have an adequate IPP 2 statement .[NB see how this works in practice and delete if impractical.]
16) Does this site have printable forms? Y N
17) If Y, does each form contain an adequate IPP 2 statement or at least a prominent link to such a statement? Y N NA
18) If N, does the form:
(a) state the purpose for collection? Y N NA
(b) state how the information will be used? Y N NA
(c) identify any disclosures? Y N NA
19) Do any of these forms or pages collect:
(a) e-mail address? Y N
(b) name details? Y N
(c) address (eg postal/home)? Y N
(d) other information (please state)? Y N
Guideline 3
20) Does the site (either in the privacy statement or elsewhere) warn users of the risk of transmitting data across the Internet? Y N
21) Does the site provide users with an alternative means of providing personal or purchasing information? Y N
22) Does the site provide online purchasing? Y N
23) If Y, does the site provide secure facilities for the transmission of purchasing data (eg credit card details)? Y N NA
Guideline 4
24) Does the site contain personal details of individuals? Y N
25) If Y, is this:
(a) Head of Agency
name Y N NA
address Y N NA
phone number Y N NA
position title Y N NA
biographical details Y N NA
other details Y N NA
(b) Board members or other senior staff
name Y N NA
address Y N NA
phone number Y N NA
position title Y N NA
biographical details Y N NA
other details Y N NA
(c) Contact Officers
name Y N NA
address Y N NA
phone number Y N NA
position title Y N NA
biographical details Y N NA
other details Y N NA
(d) Other Staff
name Y N NA
address Y N NA
phone number Y N NA
position title Y N NA
biographical details Y N NA
other details Y N NA
(e) Other people please give details.
name Y N NA
address Y N NA
phone number Y N NA
position title Y N NA
biographical details Y N NA
other details Y N NA