It’s all well and good to talk about data-driven strategy and values alignment, but if your senior execs, marketing or IT folks don’t know what data is regulated as ‘personal information’, or when consent is needed under the Privacy Act, your privacy management program may need to start with a C-suite privacy bootcamp.
~
A couple of years ago we conducted a survey of Privacy Officers, and asked them an open-ended question: ‘What do you see as your organisation’s biggest privacy challenge?’
We were expecting to hear about sexy topics like data analytics, de-identification and artificial intelligence, but instead the majority of responses boiled down to one thing: understanding of the law.
This is not just an issue for junior staff; your senior execs need to understand at least the basics of privacy law too. Otherwise costly mistakes can happen, often because managers believe they already know what privacy is, or what the scope of the law is, so they don’t need training about it.
(It’s the same as confidentiality, right? Or… we’ve already covered that in our cyber strategy, right? Or… our marketing team says they de-identify customer details before sharing them with Facebook, so we’re all good, right? Or… we made our customers tick something on the website, so we’ve got their consent, right?)
Notice and consent, and opt-in versus opt-out, are classic examples where confusion leads companies to fall foul of the regulator. As Flight Centre discovered, you can’t use your Privacy Policy as a collection notice, let alone as evidence that you have someone’s consent to a secondary use or disclosure.
Another example is that of companies which don’t realise that their activities will constitute a ‘collection by creation’ of new personal information, when generating new data or drawing inferences from existing data. That kind of data analytics or passive collection still needs to comply with the rules for collecting personal information.
I also often see a particular disconnect between how industry talks about data, and what the law says constitutes ‘personal information’ for the purposes of privacy compliance. Maybe it is a misunderstanding that stems from tech vendors, IT security professionals and journalists using the phrase ‘PII’ as if it were interchangeable with ‘personal information’. (Tip: it’s not. Unlike the notion of ‘personally identifying information’, the legal definition of ‘personal information’ in Australia is much broader than whether or not someone is identifiable from a given piece of data alone. It encompasses not only direct and indirect identifiers, but all the other data relating to that person.)
Or maybe it is deliberate obfuscation by tech vendors or data brokers trying to make out their solutions to be privacy-compliant or ‘risk-free’. But if someone can be singled out from the crowd, and targeted (shown an ad, excluded from an offer, shown a different price or delivered curated content) as a result, then the fact that the data in the middle was de-identified, while it might be a nice data security strategy, does not solve the privacy-based limitations on using that data in the first place.
Further disconnects exist between what is communicated to customers, and the reality of data sharing. Loose language, disingenuous terms or muddled understandings could start to get companies into hot water with both the OAIC and ACCC.
This is happening not only at the bleeding edge of tech deployments like facial recognition, but with data brokers, publishers and others in the AdTech ecosystem who have been managing customer data for years.
For example, contrast what News Corp said recently about their customer data, with what the OAIC says is ‘personal information’.
News Corp Australia had been criticised for describing its practices to consumers as involving only ‘anonymous’ or ‘not personally identifiable’ information, when it collects data about, shares data on and advertises to 16 million Australians, drawn from across different logins, email addresses, brands and platforms including newspapers and magazines, online gambling, TV streaming and real estate listings. In response, a spokesman for News Corp Australia said: “While we can recognise a user as a discreet user, with a particular unique identifier, we do not know who they actually are”.
But the OAIC has, since guidance published in 2017, said that data will be considered ‘personal information’ (and thus in scope for regulation) even without knowing who the person ‘actually’ is: “Generally speaking, an individual is ‘identified’ when, within a group of persons, he or she is ‘distinguished’ from all other members of a group. For the purposes of the Privacy Act, this will be achieved through establishing a link between information and a particular person”.
If companies are using pseudonyms or other identifiers to track, link, profile and target distinguishable individuals, that’s ‘personal information’, and those activities need to comply with the APPs.
Are you confident that your senior execs understand that?
Plus, as UNSW Law professor Dr Katharine Kemp has argued, privacy policies should not use language like ‘anonymised’ or ‘not-PII’ to suggest otherwise to consumers, lest you face claims of misleading and deceptive conduct under consumer law as well. Especially since the ACCC is now taking action against tech companies for misleading conduct in relation to their collection of personal information, with a $60M fine for Google just the first enforcement action to come out of its digital platforms inquiry.
Now those penalties should get the attention of your C-suite!
While you might not be able to convince the time-poor senior execs in your organisation to attend privacy training to delve into the nuances of privacy law, you might just be able to slip a briefing paper in front of their noses, especially in the context of the law reforms likely coming our way.
We have drafted an executive briefing paper to help you out. Designed as a primer on privacy law for busy people, The Privacy Act in a Nutshell describes the law as it is today, with sidebars offering additional explainers of key topics, as well as the more significant law reform proposals currently being considered.
Our new ‘101’ guide explains what your C-suite needs to understand about:
- Who and what is regulated
- Authorising data flows: the rules when collecting, using or disclosing personal information
- When consent is needed, and what it entails
- Privacy and marketing
- The role of transparency, privacy policies, accountability and data quality
- Data security and data breach notification
- Data rights, and
- Penalties and powers.
Take a look at our executive briefing paper, as a way to teach your busy execs what they need to know, to keep your organisation out of hot water and prepare for the road ahead.
~
The Privacy Act in a Nutshell is available as a standalone publication, or as an inclusion in a number of our Compliance Kits. We keep our guidance updated regularly. Past customers get a 75% discount when purchasing an updated version of one of our Compliance Kits, so you can afford to buy now with confidence, and update again later as the reform process plays out.