In the interest of public disclosure, agency websites should inform users that third parties may be provided access to information they submit to the website, including via email. The absence of this clear messaging on government websites leaves agencies vulnerable to complaint or protest from affected parties.
The Government Web Usability Standard requires that government website privacy statements indicate the uses to which collected personal information may be put by the collecting organisation and the circumstances in which it may be disclosed. This includes any scenario where a third party vendor might be provided access to users’ personal information, such as for the purposes of administering, evaluating, securing, and improving the site and services it offers.
For instance, as part of good practice security and threat management, government agencies from time to time need to allow third party security vendors to access information that has been collected and submitted by individuals to agency websites, such as when conducting vulnerability and penetration testing.
Other examples of users’ personal information being disclosed to third parties include:
- the use of cloud-based web analytics
- web design firms reviewing user interaction to improve site usability
- third party tools to filter out comment spam
It is recommended that agencies consult with their communications, privacy, and legal advisors before amending their website privacy statements.