Optus

Strong transparency with comprehensive scope statement covering multiple entities and stakeholder groups, clear section navigation, specific contact details including phone and postal address, current dated version, and meaningful introductory commitments. Missing email contact and plain language commitment statement prevent a higher score.

Comprehensive and specific purpose statements with detailed explanations across five clear categories, explicit secondary use disclosures, marketing opt-out provisions, and express consent requirements for sensitive information. Strong compliance with APP 6 requirements with good specificity, though could be enhanced with more explicit purpose limitation commitments.

The policy provides adequate disclosures with a named privacy officer, specific contact methods, complaint handling timeframes (30 days), and commitment to ongoing security reviews. However, it lacks specific review frequency for the policy itself, detailed governance framework, and formal compliance monitoring procedures beyond basic complaint handling.

Comprehensive and specific disclosures covering data types, collection methods, sensitive information handling, and consent mechanisms with granular enumeration. Strong coverage of APPs 3 and 6 requirements, though could be enhanced with more explicit legal basis statements for different collection purposes.

The policy provides comprehensive and specific third-party sharing disclosures with named recipients (Equifax, Illion, OzTAM, Nielsen, Google, Facebook), detailed categories, clear purposes, and contractual protections. While it covers most key areas well, some aspects like overseas disclosure locations and specific contractual terms could be more detailed.

The policy covers multiple security areas including PCI DSS compliance, technical measures (firewalls, encryption), physical security, and access controls, but lacks specificity in critical areas like encryption algorithms, breach notification procedures, and detailed audit practices. While comprehensive in breadth, the disclosures are generally vague and don't provide the technical specifics that would demonstrate robust security implementation.

The claims acknowledge overseas transfers and mention some specific recipients like Singtel Group companies, but lack crucial specificity required by APP 8 - no named countries/regions, no adequacy mechanisms mentioned, and only generic safeguards described. The reference to 'click here to find out where' suggests information exists elsewhere but isn't disclosed in the main policy text.

The policy provides comprehensive and specific disclosures covering all key consumer rights areas with clear mechanisms, specific timeframes (7-day acknowledgment, 30-day response), multiple contact methods, and proper OAIC escalation pathways. Only minor weaknesses are vague correction timeframes and deletion limitations.

The policy provides adequate disclosure of various automated decision-making activities including profiling, marketing automation, and credit assessment, with specific opt-out mechanisms for different types of ADM. However, it lacks transparency about the logic behind automated decisions and doesn't clearly indicate availability of human review processes, which limits the comprehensiveness of the disclosures.

The policy provides basic age thresholds (15 for parental review, 18 for credit assessments) but lacks comprehensive child protection measures such as active parental consent mechanisms, age verification processes, or specific data handling protections for children's information.