Privacy Law and Policy Reporter
The following is an extract from a speech by the Commonwealth Privacy Commissioner to the Life Insurance and Superannuation Association (LISA) — Second Annual Summit, 23 May 1997, ‘Developments in Privacy Related Reforms — How will these impact on the Life Insurance and Superannuation Industry?’.
Sub-headings have been added and amended (Editor).
I want to discuss, more specifically, some of the issues which are of particular concern to the life insurance and superannuation industry.
On the basis of inquiries handled by my office, we have found that there is a level of uncertainty about how information is handled by the industry. That is, people express surprise that certain information has been passed on in a particular way, and their concern is often that they did not know this type of information exchange would or could occur. If personal information is handled sensitively customer trust would increase and uncertainty about how their information is handled could be avoided. As the consumer surveys revealed, there is a lot of work which needs to be done, by both government agencies and businesses, in terms of allowing individuals to have more understanding and control over the way their information is handled.
An example of the sort of inquiry I am talking about is this. A women telephoned the hotline to complain that her husband’s superannuation fund had passed on her personal details to her husband’s ex-wife as a result of the ex-wife lodging a claim for part of the husband’s superannuation amount. I am not sure whether or not this sort of practice is necessary under superannuation law, but the main point I wish to make is that the woman (the current wife) was totally unaware that this sort of exchange could or would occur. Understandably, the situation caused a great deal of distress which could have been greatly lessened had the fund been, at the very least, open about the way it handled its information. If an exchange of information such as that described above is in fact lawful, then there may be a need to look closely at the reasons why this is considered necessary and to review the industry’s practices in this area.
As many individuals may only deal directly with the life insurance and superannuation industry at certain times in their life, they may not go to the efforts they usually would (as say when taking out a personal loan) to find out how their information will be handled. Concerns then arise later when it may be too late for them to avoid what they consider to be a breach of privacy.
Customers may have differing expectations about what their information will be used for, but, in general (and as reinforced by consumer surveys), individuals would not expect information to be used for any other purposes other than what they were providing it for unless they were explicitly told about it — and most customers would expect to be given some choice as to whether or not the information could be used for other purposes. These expectations are reflected in international privacy protection standards and in the Federal Privacy Act.
I appreciate that the life insurance and superannuation industry deals with large quantities of personal information, some of which is of a very sensitive nature (such as medical records), and that as a result the industry would already have many procedures in place which protect misuse of individuals’ information. In fact, many of the issues raised in discussions about privacy are really about fair and accountable business practices which, often, are already implemented by many organisations.
In addition to information handling practices in regards to specific individual claims, there are also broader concerns relating to the use of information for purposes other than the original reason it was collected.
In the life insurance and superannuation industry (as in many other industry sectors) customer information is viewed as an extremely valuable resource for marketing various products and services. And I am aware that one of the frequent concerns raised about privacy regulation is whether or not it will curtail business activities in this area.
One of the main concerns in LISA’s submission to the Attorney-General’s Discussion Paper on Privacy Protection in the Private Sector issued in November last year, was that complying with the Information Privacy Principles as they appear in the Privacy Act would significantly restrict the kind of information collected, the uses to which it is put and those to whom it may be disclosed. I have to disagree with this point of view. I think that the main themes underpinning the Information Privacy Principles (IPPs) as they appear in the current Privacy Act, openness, inclusion and control, are probably directly applicable to the efforts that businesses and putting into improving customer relations and building customer loyalty.
While I do not think that it would be appropriate to apply the IPPs, as they currently appear in the Privacy Act, holus bolus to the private sector (and I think that most people, including my predecessor Kevin O’Connor, would agree with me on this), any principles developed for the private sector must still uphold the same standards which are reflected in these principles — standards which are equivalent to the level of international best practice.
LISA’s submission recommended that the exchange of information within a corporate group should not be restricted. There have been similar views put forward by others in the financial services sector, but it is important to realise that this position may not necessarily reflect the interests or expectations of the broader community. There are real tensions between the need to balance the competing interests of consumers and the industry when deciding on the extent to which personal information should be used for marketing purposes.
For example, an individual receiving marketing material from a company they have never dealt with, where the company is related to another they have dealt with, may not be immediately aware of the connection between the two entities. So, from the individual’s perspective it may appear that there has been an illegitimate disclosure of their personal information by an organisation with whom they have entrusted this information, rather than a legitimate use of information within a corporate group.
People can be very fickle about this. While some people welcome being informed of new products, others become very concerned and frustrated when they receive information from an organisation they have never heard of. Many businesses argue that using information for marketing purposes allows them to operate competitively, but it is important to recognise that this may not always be ‘in step’ with their customers’ expectations of privacy. Remember, again, that the issue for most Australians is not that they need to provide their personal details to a company in the first place, but that they don’t want these details used for other purposes or given to other people without their knowledge — and preferably their consent.
There is, however, scope for discussion about the extent to which information could be disclosed within corporate groups, but, as I highlighted earlier, there are certain points which are pretty fundamental from my point of view and must be considered.
Moira Scollay, Commonwealth Privacy Commissioner.