Privacy Law and Policy Reporter
This article contains the full text of a survey published by Australian law firm Freehill Hollingdale & Page in February 2000, but without the diagrams or the foreword used in the original. Some headings have been edited.
Approximately 400 companies were surveyed, with a response rate of just under 17 per cent. The 68 survey respondents came from a cross-section of industry sectors, with 48 per cent of respondents from the telecommunications/information technology and banking and finance sectors. Australian empirical data on privacy issues is infrequent, and the responses of 68 companies are a valuable source of information. The generalised conclusions in the Report should be read in light of the response rate and the research methodology. The Report also contains suggestions by Freehills concerning good privacy practices — General Editor.
In the 12 months to August 1999 it has been estimated that 41 per cent of the Australian adult population accessed the internet. However, the Australian Bureau of Statistics’ research shows that the development of internet based e-commerce has not been keeping pace with the growth in internet usage. In the 12 months to May 1999 it is estimated that a little under 5 per cent of Australian adults used the internet for online shopping. The relatively slow development of consumer e-commerce is partly due to the reticence of consumers to supply information about themselves over the internet.
Internet users are concerned about their privacy. In particular, internet users are:
Bringing about a change in current perceptions of the internet as an insecure and a potentially privacy invasive medium is a challenge facing any organisation wishing to develop or expand its presence on the internet.
The survey has been undertaken to assess how Australian based companies are addressing internet users’ privacy concerns. The Freehills survey extends the existing data on internet privacy issues by addressing additional issues such as attitudes to privacy regulation and compliance. It also provides valuable insights into how personal information is used and disclosed by Australian based businesses, the extent to which emails are monitored, how consumer complaints are dealt with, and attitudes to website privacy notices and privacy seal programs. We believe that the findings of this survey will assist companies, consumer groups and policy makers in developing strategies and policies for the protection of internet privacy.
For internet users the results of our survey contain a mix of good and not so good news. Key findings that are encouraging include:
Other findings which are indicative of the need for a greater commitment to and better communication of privacy protection policies include:
The implications of the Freehills Internet Privacy Survey results for Australian companies seeking to grow their businesses through use of the internet are clear. Greater effort is required in the communication to and reassurance of internet users that fair information handling procedures will be followed when personally identifiable information is collected over the internet. Internet users need to feel confident that their privacy will be protected before they can be expected to take full advantage of the convenience of e-commerce.
Enhancing the level of confidence in internet usage will involve:
With the rapid expansion in internet usage in Australia, internet privacy has emerged as a key issue for consumers, businesses and legislators. While there has been a significant amount of overseas research undertaken on consumer concerns about internet privacy, there has been little research undertaken to ascertain how Australian based organisations are addressing the issue of internet privacy.
The Freehills Internet Privacy Survey has been undertaken by Freehill Hollingdale & Page to fill that gap. We believe that the results of this survey will assist Australian based organisations, consumer groups and policy makers in the development of strategies, policies and standards for the protection of internet privacy.
The Freehills Internet Privacy Survey extends the existing data on internet privacy issues by addressing additional issues such as attitudes to privacy regulation and compliance. It also provides valuable insights into how personal information is used and disclosed by Australian based businesses, the extent to which emails are monitored, how consumer complaints are dealt with, and attitudes to website privacy notices and privacy seal programs.
Some of Australia’s leading companies completed this survey. Survey respondents were from a cross-section of industry sectors with 48 per cent of respondents being from the telecommunications/ information technology and banking and financing sectors. This is a reflection of the heavy reliance placed by these two sectors on the handling of information by electronic means.
We would like to thank all of the companies that took part in the survey as well as the Internet Industry Association for its support. We would also like to thank the staff of the Federal Privacy Commissioner’s Office and the Tele-communications Industry Ombudsman for their invaluable comments on the content of the survey questionnaire.
Australians are taking to the internet in ever increasing numbers. As at August 1999 it has been estimated that 1.6 million Australian households have internet access and that in the preceding 12 months 5.6 million adult Australians (41 per cent of the adult population) had accessed the internet. The proportion of young Australians using the internet is even greater, it being estimated that in the 12 months to August 1999, just over 74 per cent (1.3 million) of 18 to 24 year olds had accessed the internet.
Of the households with internet access, it is estimated that 40 per cent are accessing the internet on a daily basis. Australians use the internet for social, educational and work related purposes and increasingly, for the purchase or ordering of goods and services. It is estimated that nearly 5 per cent of Australian adults used the internet in the 12 months to August 1999 for online shopping.
As the cost of the technology required to access the internet continues to fall we can expect to see a continuing trend of Australians utilising email, home banking and shopping from home. While the growth in internet usage by Australians has been rapid, it is only in recent times that business and governments have begun to grapple with the social, economic and regulatory implications of the internet.
As a sales channel and a medium for building one-to-one relationships with existing and potential customers, the internet offers a unique but, in Australia at least, largely untapped potential. There has been a noticeable trend for Australian businesses to concentrate on the cost reduction potential of the internet for business-to-business e-commerce. Comp-aratively few Australian companies have taken up the challenge of using the internet to better service their existing customers, win new customers and grow their business. This approach can be expected to change as organisations gain expertise in utilising the internet both as a sales channel and as a vehicle for building customer relationships.
From a consumer’s perspective there are obvious advantages in using the internet for the purchase of goods and services. Information about different products and services can be speedily accessed and readily compared at any time. Service providers, such as some of the leading banks, are already providing online facilities for consumers, including the submission of loan applications.
The benefits for consumers in terms of time savings and convenience are obvious, and yet there is some reluctance from consumers to use the internet for home shopping. This can be partly explained by the relative ‘newness’ of this phenomenon, as consumers are still learning how to use the internet for activities such as transferring money between bank accounts and bill payment.
There is also a widely held belief among consumers that the internet is an unregulated and insecure medium. This gives rise to a number of concerns — the chief of these being the protection of personal privacy and the security of personal data provided over the internet.
The privacy concerns of internet users are quite complex. These concerns arise in part from a natural wariness of new communications technology and the level of privacy and information security that this technology might provide. Privacy concerns are also fuelled by doubts about the commitment of organisations engaging in e-commerce to fair information handling practices. Individuals are unsure as to how the information that they may provide will be used or disclosed by the recipient organisation.
Contrary to some earlier industry expectations, greater usage of and familiarity with the internet has not alleviated users’ concerns. Several well publicised privacy breaches by internet based organisations have only served to reinforce internet users’ scepticism.
The privacy concerns for internet users involve:
The strength of internet privacy concerns should not be underestimated. Privacy concerns will continue to impede the development of householder e-commerce until companies make concerted efforts to instil confidence in the way that personal information provided over the internet will be handled. Confidence in internet privacy and security must be enhanced before the full potential of e-commerce can be realised. Only when individuals feel confident that information they might provide will be handled in a way that is consistent with sound privacy protection practices will they be willing to take full advantage of e-commerce opportunities.
Slightly more than a third (34 per cent) of the respondents are using the internet only to provide information about their respective companies and their products or services. A little more than a quarter of respondents (27 per cent) are currently using their websites for e-commerce purposes. These results indicate that major Australian companies have yet to fully embrace the internet’s potential as a sales channel.
The Federal Privacy Commissioner has published a National Privacy Code for the private sector — however, at present, observance of this code is voluntary. The Federal Government has foreshadowed the introduction of ‘light touch’ privacy legislation for the private sector with emphasis on the observance of industry codes.
Forty two per cent of respondents support a legislative approach to privacy regulation, while 39 per cent favour a self- regulated approach and 19 per cent of respondents have no formal view on this issue. Given these results, the government approach of industry based privacy codes with a legislatively based default code would seem to be appropriate.
A significant proportion of respondents (80 per cent) have adopted one or more codes of privacy protection standards. These standards are either legislative (16.5 per cent), industry based codes (47 per cent), other voluntary codes (10 per cent) or overseas based privacy legislation and codes (6.5 per cent).
This high level of adoption of privacy standards is encouraging and reflects the strong commitment to privacy protection by a number of key industry bodies.
A significant proportion of respondents (58 per cent) monitor their compliance with privacy standards and a further 28 per cent recognise the need to do so. This commitment to monitoring observance of privacy standards is encouraging but would likely carry greater weight with internet users if the monitoring were to be carried out by an external and independent group. On the basis of our results only 6 per cent of organisations currently commit themselves to external privacy audits.
A high proportion of respondents (92 per cent) collect personal information through their websites. Personal information is defined as any information that can be linked to an individual and for the purposes of this survey includes names, email addresses, home addresses, telephone and fax numbers, and credit card numbers.
The high proportion of respondents collecting personal information through their websites is surprising given the comparatively low level of e-commerce activity. A possible explanation is that the internet is being used by marketing departments and customer service areas but not to the same extent as a sales channel. This explanation is consistent with other results of this survey.
A significant proportion of respondents (53 per cent) use personal information collected through their websites for marketing related functions, including contacting visitors, building visitor profiles and monitoring the effectiveness of marketing campaigns.
Use of personal information to improve the quality of service offered to customers is a legitimate function of a commercial organisation. However, usage of personal information should be clearly and unambiguously explained to customers and potential customers if good privacy practices are to be observed.
Only 3 per cent of respondents indicated that they disclose personal information collected through their websites to external organisations. Most respondents (97 per cent) either do not disclose this information or disclose information in a de-personalised form only.
This approach to the disclosure of personal information is encouraging and shows a recognition and acceptance of good privacy standards for the disclosure of personal information. For most internet users the disclosure of their personal information to other organisations is the area of greatest concern.
Only 33 per cent of respondents have a policy of providing site visitors with access to information about themselves if requested. The majority of respondents (67 per cent) either have no policy on this issue or do not offer individuals access to information about themselves as a matter of policy.
Good privacy practice requires that individuals be given access to information that they have provided about themselves as well as being given the opportunity to seek amendment to that information if it is inaccurate or out of date. The comparatively low rate of adoption of this standard of good privacy practice is somewhat disappointing.
Email content is periodically monitored by 76 per cent of respondents, mostly for systems maintenance and trouble shooting purposes or where email abuse is suspected. Only 5 per cent of respondents monitor emails on a routine basis. Nineteen per cent of respondents do not monitor emails and 5 per cent have no policy on this issue.
Of the respondents who monitor emails, 35 per cent notify their customers or staff members while 65 per cent of respondents undertake email monitoring without notification.
Good privacy practice would require the notification of any email monitoring. As the monitoring of any communication will always be a sensitive privacy issue, there is an urgent need for companies who are not currently notifying customers or employees of their monitoring practice to review their policies in this area.
It is good privacy practice for companies operating websites to incorporate a readily accessible and clearly explained notice of the privacy protection practised by the website operator. Currently only 12 per cent of respondents include a privacy notice on their websites and a further 18 per cent of respondents are giving consideration to the inclusion of a notice on their websites.
Given the comparatively high level of observance of privacy protection standards, it is disappointing that this commitment to privacy protection is not being communicated to website visitors.
An example of a privacy option is to give visitors a choice about whether they want to be contacted for marketing purposes. Currently only 18 per cent of respondents offer visitors to their websites options to protect their personal privacy while a further 18 per cent of respondents are giving consideration to providing such options.
Offering website visitors options to protect their privacy is a highly effective means of educating site visitors and consumers in general about sound privacy protection measures to adopt when using the internet.
The importance of data encryption to protect privacy is well recognised by survey respondents. Seventy seven per cent of respondents offered electronic payment facilities with secure (encrypted) transmission of data. A further 18 per cent of respondents are considering offering secure transmission of data.
A total of 44 per cent of respondents participate in some form of industry based scheme for complaint handling, including complaints about privacy breaches. Participation in the Telecommunications Industry Ombudsman (TIO) scheme accounts for 26 per cent of respondents. The majority of respondents (56 per cent) deal with complaints, including complaints about privacy breaches, through internal complaint handling procedures.
The proper handling of complaints and the rectification of any systemic breakdowns in privacy protection is clearly an issue of importance to website operators as well as internet users. Complaint handling procedures will be one of the matters addressed by the foreshadowed national privacy legislation.
Privacy seals are certifications offered by independent industry recognised privacy programs. Participants in privacy seal programs agree to periodic assessments and monitoring of their websites for compliance with privacy policies.
In other countries, principally the US, privacy seals have been widely adopted and are seen as a valuable means of reinforcing the confidence of internet users in the privacy practices of participating websites. Such programs have not been widely adopted in Australia to date:
Industry and consumer groups could give consideration to developing a website privacy seal program, in consultation with appropriate regulatory bodies.
The implications of the Freehills Internet Privacy Survey results for Australian companies seeking to grow their businesses through use of the internet are clear. Increased usage of and familiarity with the internet has not allayed users’ concerns about privacy. Greater effort is required in the communication to and reassurance of internet users that fair information handling procedures will be followed when collecting personally identifiable information over the internet. Internet users need to feel confident that their privacy will be protected before they can be expected to take full advantage of the convenience of e-commerce.
Enhancing the level of confidence in internet usage will involve:
Copies of the Report may be obtained from Freehill Hollingdale & Page, contact Emma Rousch (02) 9225 5105; for further information on the survey, contact Gayle Hill, Special Counsel, on (03) 9288 1599 or 0419 370 513.