Hanging out with Nudists: Data, Tech and the Privacy Act
In Australia, 12 March 2014 marked the commencement of a more robust privacy regime for businesses and organisations as changes to the Privacy Act 1988 commenced. From this date 10 National Privacy Principles and 11 Information Privacy Principles were harmonised into 13 Australian Privacy Principles.
Heralded as “the most significant privacy reform in 25 years”, the practical impact of these changes varied significantly across the financial services industry. For many advisers and Licensees the introduction of the APPs and the new regime was as significant as Y2K was for Cuba; simple businesses with sound policies, a common sense approach and respect for their clients probably needed to do little more than basic word processing (“find-replace”) and process refinement to meet the new requirements. (Hopefully, they also recognised the new and broader definition of “personal advice”.)
In reality, big data, mobility, social media, security concerns and industry convergence have practically eroded the privacy of consumer data and the idea that individuals could own and control their personal information. With tagging, status updates and stream-of-consciousness tweeting, consumers have embraced the technologies and behaviours that discredit the classical Liberal idea of personal privacy. It was these factors that led Scott McNealy, the then-CEO of Sun Microsystems, to declare (in 1999!)
McNealy wasn’t celebrating technological advances but was instead railing against the erosion of personal freedoms; well in advance of the birth of wired communities and ubiquitous social media platforms, McNealy warned consumers of the negative consequences of full, willing and active disclosure of personal information. Legislation now seeks to protect consumers and reverse this loss of privacy; but when you’re inadvertently hanging out in a nudist colony, it’s difficult (and maybe too late) to maintain privacy, personal dignity or even a sense of mystery. Thankfully, the new privacy regime allows consumers to take back control: to metaphorically slip on a robe, pixelate portraits and have group photos untagged. Better yet, the new Act establishes a regulator who can ensure that consumers can choose what they reveal, when and to whom, and limit who can benefit from their revelations.
Good advisers (and good advice practices) have always protected the personal information of their clients. Even before the introduction of a statutory best interests test, most saw themselves as trustees of their clients’ information and custodians of their confidential data. But with increased vertical integration, the emergence of “big data” and the increasing commercialisation of digitised personal information, many consumers found they were more exposed (and more widely known) than they would have expected. The Privacy Act 1988 tried to address these challenges and implemented controls that many advisers applied effectively; but technology and commerce outpaced these protections. The new regime built on that foundation and extended consumer protections. Importantly, these common sense reforms were not too challenging for small businesses to implement.
Clearly, if you weren’t a simple business with sound policies and procedures for information management then there was more to be done than simple editing. Nor should one trivialise the scope of the work required by large, complex, international and vertically integrated financial services companies; but the sophistication of your change management and implementation plan ultimately depends on the “nature, scale and complexity” of your business and the breadth and scope of the personal and sensitive information you collect and retain.
Thankfully, implementation was made simpler by the consultative and facilitative approach taken by the Office of the Australian Information Commissioner (OAIC).
Even though almost every financial services business had to make changes to comply with the new requirements, the OAIC – the regulatory body for FOI and privacy matters – provided detailed guidelines on the new requirements, their application and the OAIC’s approach. These documents are available at http://www.oaic.gov.au/ and the Comparison Guide is particularly useful.
In the lead up to 12 March we worked closely with a number of clients to analyse these requirements, audit their processes, amend their documents and train their staff. If you still require assistance please contact us directly, but to act consistently with the new Australian Privacy Principles use the following tips as a general guide:
- AUDIT. Make sure you understand what constitutes (or can constitute) personal information. Think about what personal information you and your business collect, use and hold. Consider how you collect personal information, when you collect it and what you do with it – this audit of processes, touch points and access is critical. It’s also critical that you appreciate who else outside your business might be able to access or use the information you collect and hold.
- EXPLAIN WHY. Before you collect information (or reconfirm information you already hold), explain to your client the type of information you’ll need to provide the services they want and how, and from whom, you’re likely to collect the information. Explain how you will use the personal information they provide to you.
- OBTAIN THEIR CONSENT. Explain why you are required to collect personal information and ensure that your client understands that they aren’t compelled to provide the information (but, if they don’t, that may limit or affect the services you can provide).
- RECOGNISE THEIR RIGHTS. The law allows clients to engage with you anonymously or by using a pseudonym unless it is impractical for them to do so (this is often impractical for most advice relationships but is still their right).
- STAY ON POINT. Only collect the information you need to provide the services they’ve requested.
- DELETE. Subject to the law, delete or de-identify personal information you didn’t ask for or don’t need.
- ADDRESS ACCESS AND CONTROL. Explain how you will store their information, where it will be stored and who will have access to it. If it will be stored overseas, or an overseas party will have access to it, tell them in what country their information will be stored and which parties will be able to access it. Also tell them how they can access the information you have collected about them.
- MARKETING AND OPTING OUT. If you are, or a related entity is, likely to use their personal information for the purposes of direct marketing then tell your client about this possibility and their right to opt out.
- CORRECTIONS. Tell them how they can access and correct the personal information you hold about them.
- ARTICULATE YOUR COMMITMENT. Reassure them that, as a professional adviser, you respect their privacy and comply with the Australian Privacy Principles.
In many respects, the Australian Privacy Principles simply articulate “common sense” ideas that are based on respect for people and an appreciation of their right to ‘control’ their personal information. The devil is in the detail but complying with these new requirements should not be an impossible task for any business. In any event, given the significant enforcement and investigative powers granted to the OAIC you should not underestimate the importance of meeting these expectations.
(c) Sean Graham 2014.