Computerworld

Beware of websites with no privacy statement: NetSafe

Warning comes in the wake of a check of nearly 400 New Zealand websites and apps by the Privacy Commissioner

Online safety advocate NetSafe says users should be wary of websites that lack a privacy statement.

The warning comes in the wake of a check of nearly 400 New Zealand websites and apps by the Privacy Commissioner that found a third had no privacy statement.

“It shows how many businesses are establishing a web presence without ensuring they have all the aspects in place. We see similar concerns about the quality of website security,” says NetSafe executive director Martin Cocker.

Although there is no legal requirement for a website to have a privacy statement, organisations must adhere to the principles of the Privacy Act. Principle 3, among other things, requires agencies that collect personal information “to tell the person concerned what they are doing, the purpose for which the information is being collected and how the information will be used”.

Cocker says a website that makes no reference to privacy leaves users in the dark about whether the site has no policy or whether the owner has merely omitted to outline it. The proportion of surveyed sites that are silent on the subject is cause for concern, he says.

“It’s part of the rush to get online, unfortunately, before ensuring everything has been done 100 per cent correctly.”

It is particularly bad practice for sites that collect user data, but less of an issue for those that impart information without recording anything about the user, Cocker says.

The Privacy Commission check was carried out in May as part of a Global Privacy Enforcement Network sweep, the first such exercise by 19 privacy enforcement agencies around the world. Nearly a quarter of the 2186 websites and smartphone apps in the sweep displayed no privacy policy. More than 90 per cent of surveyed apps triggered privacy concerns.

That figure is alarming given apps’ potential for collecting user data, Cocker says.

“There are two aspects of concern. First, a large number of apps are not up front about the data they’re collecting and how they’re using it, and second, consumers are not aware of how much information apps can collect and how it can be used.”

Cocker says apps routinely record a user’s location, details of the device he or she is using and information about other services or sites used.

“All of those things can create a significant profile about a person.”

With so many sites and apps failing the privacy test — concerns were found with more than half of the New Zealand sample — Cocker believes the Privacy Commissioner’s role needs beefing-up. “That’s necessary in the digital age with the speed at which businesses can make mistakes. We need to be able to react at the equivalent speed.”

Commissioner Marie Shroff says the survey shows there is a lot of room for improvement in simple things such as providing privacy officer contact details, instead of an apparent focus on legally protecting site owners.

“The websites that collect information from people need to be less defensive and become more pro-active in shifting the emphasis on informing consumers about their information, why it is necessary to collect it and how it will be protected.”

Sites in the sweep ranged from schools to listed companies and government agencies. The commission plans to tackle the issue by initially getting schools, clubs and associations, legal practices and retailers to lift their game.