Digital privacy is top of mind for many Australians. With weekly data breach scandals, individuals are becoming more aware and concerned about who has their data, and more importantly, who controls how that information is gathered, used and shared. Events like the Cambridge Analytica scandal and the passing of the European General Data Protection Regulation (GDPR) have placed a very bright spotlight on data ethics around the world, including Australia. As a business that is either collecting customer data or planning to do so for the sake of business intelligence (BI), you need to know about the ethical considerations around data collection, and what data laws are in place here in Australia.
With that in mind, we’ll have a look at:
- Data legislation in Australia.
- Ethical customer data.
- Unethical customer data.
Data legislation in Australia
Australia's digital landscape is governed by the Privacy Act 1988, which regulates how entities use personal data. Personal data, by the act's definition, is "information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable." Examples of personal information, as given by the act, include people's names, addresses, signatures, phone numbers and so forth. This is different to sensitive information, which includes sexual preference, political opinion, religious affiliation and similar.
All businesses with an annual turnover of $3 million or more are covered by the Privacy Act, which also covers healthcare providers, government agencies and some small businesses.
So not all SMBs are covered by the act? Correct. Companies with a turnover of less than $3 million are only covered by the act in certain circumstances, for example if they are a healthcare provider or are trading people's information. If you sell your business and your customer database transfers to another company, this counts as trading people's information (but if you sell it and the business remains the same, it doesn't). To learn more, read the SMB page on the Office of the Australian Information Commissioner's (OAIC) website.
Businesses operating in Australia must also be aware of the Notifiable Data Breaches (NDB) scheme, which sits under the Privacy Act. The scheme applies to all businesses with obligations under the Act, and requires them to notify affected individuals if their personal information is involved in a data breach that is likely to cause serious harm. The notice must also recommend steps the people involved can take in response to the breach, and the company must notify the OAIC. In the first six weeks of the country's NDB scheme, more than 63 data breaches were reported to the Office of the Australian Information Commissioner. To the public this might seem like a high number for such a short period, but we should be prepared to see it continue to grow.
Note that if your business sells goods and services overseas and captures personal data, then you also need to be aware of, and compliant with, the European General Data Protection Regulation (GDPR), which came into effect in May this year. The GDPR focuses on ensuring that users understand and consent to the data collected about them, with an emphasis on consent, control and clear explanations of how user data is used, and on accountability for everyone who handles it.
How to comply with the Privacy Act
The Privacy Act exists to prevent the misuse of reasonably identifiable information. So for instance, if your company only collects cookies that can't be linked to personal information, the act isn't applicable to you. But if you collect data that could be used to identify a person, you must follow the Australian Privacy Principles (APPs), as outlined in the Act. There are 13 principles, and they describe how businesses must be honest and fair about their data collection, keep the information secure, and allow users control over their information. You can learn about these by reading schedule 1 of the Privacy Act. Of course, if there is a breach in your system, you must notify the relevant individuals as outlined in the NDB scheme.
Ethical use of customer data
One of the tenets of the APPs is that businesses should only collect personal information if it is necessary for, or reasonably expected as part of, their functions or activities. But that's a very broad test, and it can include data collection some consider unethical, even if it's legal. So what should Australian businesses know about data ethics?
1. Personal information
Importantly, any personal information you collect should be necessary to your service. Remember that although you may perceive extra data as a 'nice to have', customers may not agree.
2. Non-identifiable information
Cookies can be a great source of non-identifiable information that is still useful for your business - personalising someone's visit to your website, for instance. It is legal to collect this information, but for ethical reasons you should still be honest about it. This could be in the form of a notice on your website that informs new users of your data collection activities.
3. Anonymity and pseudonymity
These two terms are important to the APPs, and can be found under APP 2. Anonymity is a way of summarising 'non-identifiable information'. Customers who visit your website should be able to do so without your company being able to identify them, if they so choose. As for pseudonymity, this is where a customer chooses to interact with your business using a pseudonym - for instance, an email or username that doesn't contain their real name. In some instances personal information will be linked to a pseudonym, such as credit card information or personal details that are available only to website administrators. Personal information should only be linked to a pseudonym if it is necessary or the user has consented.
Unethical use of customer data
For the sake of discussion here, we will be focusing on 'data that is technically legal, but considered bad form'. Data is a double-edged sword, you see. While the right data can provide evidence that helps you improve your business and makes people happier, it's also something many are very sensitive about - especially in the wake of data breaches and major scandals from the past decade. So what forms of data are legal, but frowned upon by customers?
1. Forms of incessant direct marketing
Collecting data for the sake of direct marketing is not in and of itself unethical, but be careful with how you use this information. According to HubSpot data, 69% of customers unsubscribe from email lists due to "too many emails". You also can't legally use email addresses for marketing purposes under the Privacy Act unless the individual would reasonably expect you to and they have an option to opt out.
2. Asking for too much data at once
When you have greater detail about your customers, you can generally offer an even better service. This helps promote loyalty, not to mention a good experience. But asking for too much data at once is considered a faux pas in the data world. It can be overwhelming, and it seems suspicious. Instead, most customers will react better if you start small, build trust, then ask for more information over time.
That's just a quick snapshot of the ethics of data gathering and Australia's privacy legislation. If you're looking to make better use of your business data to inform business decisions, then reach out; we'd love to hear from you.