Privacy statements: disclosing personal information

In the interest of public disclosure, agency websites should inform users that third parties may be provided access to information they submit to the website, including via email. The absence of this clear messaging on government websites leaves agencies vulnerable to complaint or protest from affected parties.

The Government Web Usability Standard requires that government website privacy statements indicate the uses to which collected personal information may be put by the collecting organisation and the circumstances in which it may be disclosed. This includes any scenario where a third party vendor might be provided access to users’ personal information, such as for the purposes of administering, evaluating, securing, and improving the site and services it offers.

For instance, as part of good practice security and threat management, government agencies from time to time need to allow third party security vendors to access information that has been collected and submitted by individuals to agency websites, such as when conducting vulnerability and penetration testing.

Other examples of users’ personal information being disclosed to third parties include:

  • the use of cloud-based web analytics
  • web design firms reviewing user interaction to improve site usability
  • third party tools to filter out comment spam

Agencies are encouraged to review their website privacy statements against the requirements of the Web Usability Standard, and update them accordingly. In particular, they should ensure that any possible disclosures of personal information with third parties are properly addressed. For a conformant example, see the Web Toolkit’s privacy policy, which clearly notes that personal information might be viewable by, shared with or held by “third parties providing services related to the administration, improvement, and/or securing of the Site and the information it contains”.

It is recommended that agencies consult with their communications, privacy, and legal advisors before amending their website privacy statements.

Comments are closed.

Navigate Posts