Privacy Law and Policy Reporter
Office of the Federal Privacy Commissioner
The Privacy Commissioner published findings from three major research projects in July 2001. In this issue, we reprint the Commissioner’s Executive Summaries for the community and government surveys. The Executive Summary for the business survey will be carried in the next issue.
In order to gain further understanding of community attitudes towards the protection of personal information and awareness levels of current privacy laws, the Office of the Federal Privacy Commissioner commissioned Roy Morgan Research to conduct a national Computer Assisted Telephone Interviewing (CATI) survey among a representative sample of the Australian population. Interviews were conducted in May 2001 among 1524 of the Australian adult population (people aged 18 years and over).
Attitudes reflected a desire among the community to gain control over how their personal information was used, with more than nine in 10 people wanting businesses to seek permission before using their personal information for marketing. When asked if permission should still be sought if it inconvenienced consumers with extra forms and so on, support remained strong with percentages in the high 80s. Similarly high proportions of people (around nine in 10) thought it was important that organisations advise customers who may have access to their personal information and how that information might be used.
Those who tended to emerge as more proactive in relation to the protection of the personal information were those aged 40 to 49 years, those on a higher household income and people who were aware of, and knowledgeable about, the privacy laws. Awareness of the privacy laws and knowledge about their privacy rights generally correlated with higher incidences of assertive privacy related behaviour. (We could assume, therefore, that as awareness and knowledge grows as a result of communication campaigns, the proportion of consumers practicing assertive privacy related behaviour is likely to increase.) Younger people were less likely to demonstrate assertive privacy related behaviour, as were those with lower levels of education and those in rural areas.
The types of personal information people felt reluctant about divulging reflected findings from earlier research with financial details, income, health information and home contact details all commonly mentioned (in descending order) as types of information people would prefer to keep private. People aged 50+ years were more likely to be sensitive about providing financial details compared to younger people (18 to 24 years), while those on higher incomes felt more protective of this type of information than those on lower incomes.
People were reluctant to provide this type of information as they felt that often it was ‘none of their business’ (that is, none of the business of the requesting organisation). Other reasons given for not wanting to hand over particular types of personal information included the belief that the information could be misused and/or used in a way that would result in personal financial loss, or passed on without their knowledge. Fear of discrimination was also mentioned in relation to the provision of health information.
Business practices such as transferring personal information without the individual’s knowledge, and using personal information beyond the purpose for which it was originally collected, were practices that caused concern among the vast majority of the community, with large proportions registering the strongest level of concern. These findings were supported by further results which showed that more than 90 per cent of the adult population regarded each of the above practices as an invasion of privacy.
Internet retailers were perceived as the least trustworthy organisations regarding the protection and use of personal information, scoring 1.98 on a scale of 5, with real estate agencies and market research companies rating slightly above them. Health service providers were, by far, perceived to be the most trustworthy type of organisation (scoring 4.16 out of 5), followed by financial organisations, government agencies, charities and retailers. Generally younger people showed higher levels of trust towards more organisations than other age groups, which perhaps indicates a possible correlation between inexperience and high levels of trust.
While the majority of the population appeared to be fairly compliant when asked to provide their personal information to organisations, a relatively sizeable proportion (two in five) had nevertheless refused to deal with businesses they felt did not adequately protect their privacy. This has implications for privacy lax businesses as approximately half of those from the highest income bracket (household income of $60,000+) had decided not to deal with a business on the grounds of privacy concerns.
The importance of good privacy practices to businesses that deal with personal information was further reinforced with the finding that ‘respect for, and protection of, my personal information’ was, overall, the aspect of service that mattered most to the largest proportion of consumers, with more than one third rating this service aspect above quality of product, efficiency, price and convenience. Quality of product, however, rated a close second and was rated above ‘respect for privacy’ by men and people on higher household incomes.
The relatively low importance of price compared to the protection of personal information was further demonstrated with less than one third of people prepared to provide personal information to a business in return for discounts. Younger people were the exception, however, with the majority of 18 to 24 year olds (59 per cent) prepared to trade personal information for cheaper prices. This is consistent with results that show young people also had higher than average percentages who saw price and efficiency as more important than respect for privacy.
While less than a third of the population would provide their personal information for discounts, over 40 per cent were willing to trade their personal details in return for more efficient and personalised service, with more than half of many subgroups, including younger people and those with higher household incomes, prepared to do so. People less likely to trade their personal information in return for particular benefits were those from the 50+ age group, those with a household income of under $30,000, and those with lower levels of education. Hence, this and other findings support aspects of earlier privacy research which suggests that people from lower socio-economic groups register more concern about protecting their privacy.
As indicated earlier, this higher level of concern, however, does not necessarily translate in to proactive behaviour, which is more common among high income earners and those who are aware of their privacy rights. Findings suggest, therefore, that those on higher household incomes and people with an understanding of the issues are making judgements about what’s important and what’s not, and acting on these, while those with lower levels of knowledge and understanding of the issues are possibly less sure of how to actively protect their privacy (and possibly feel more concern because of this), and less able to discern which practices are more harmful or harmless than others. Hence, results reveal higher levels of concern across a broader range of issues.
Just over two in five people (43 per cent) knew that Federal privacy laws existed and 13 per cent knew which types of organisations the laws applied to. Awareness of the privacy laws was lowest in the 18 to 24 year age group (25 per cent), and highest among those aged 40 to 49 years, with almost half knowing about the laws. Awareness was slightly higher among people in capital cities (46 per cent) and lower in rural locations (35 per cent).
When asked directly how knowledgeable they felt about their privacy rights more than half of the population (52 per cent) said they knew very little or nothing at all. A series of statements designed to test people’s understanding of the laws confirmed the relatively low level of knowledge with two thirds of the population scoring 50 per cent or less out of a possible score of 100. Only 4 per cent of the population scored 100 out of 100. Men appeared to know more about the application of the privacy laws than women, as did high income earners and people with a degree, while, overall, younger people appeared to be less knowledgeable.
While more than one quarter of the population (26 per cent) knew of the Privacy Commissioner, only 5 per cent mentioned the Commissioner when asked who they’d report a privacy breach to. The Ombudsman was most commonly mentioned when asked who they’d report a privacy breach to, followed by the organisation involved, Consumer Affairs, a lawyer, an MP and the police — all of whom received more mentions than the Privacy Commissioner.
The majority of people (75 per cent) agreed with the practice of data matching across government agencies as a fraud reduction measure, and also agreed to the monitoring of people’s use of health service facilities through the allocation of a unique number (81 per cent); however, support for police access to a personal information database (on the premise that access would mean that more crimes would be solved) was significantly lower with just over half agreeing with the idea (55 per cent). While these results may indicate lower levels of trust in the police, they may also be explained by findings in the qualitative research which suggests that most people are unaware of the deeper privacy issues surrounding the allocation of unique numbers and data matching. However, as demonstrated in the focus groups, the more they learned about the issues (through a knowledgeable group member), the more they began to heavily qualify their acceptance of the ‘one number’ concept, or to reject it altogether. Hence findings regarding the ‘unique number’ concept (and possibly data matching), may well reflect low awareness among the general population in relation to the more complex privacy issues surrounding such concepts.
The desire for people to control the use of their personal information was again made clear in the survey with the majority of people (66 per cent) believing that inclusion in a national health information database should be voluntary rather than mandatory. Women, younger people and those with a degree were more likely to support voluntary inclusion if such a database existed.
Similarly, over half of the population (61 per cent) thought that an individual’s permission should be gained before their unidentified health information was used for research purposes. (This finding was surprising given that the qualitative work suggested that people generally didn’t mind unidentified health information being used for research purposes.) People with higher levels of education and on higher incomes, however, were less likely to believe that permission to use unidentified information should be sought. Nevertheless, the desire to protect their medical information was quite strong, with over 40 per cent of people believing that medical staff should not discuss a patient’s details with other medical staff without first seeking the patient’s permission, even though disclosure was intended to result in better treatment for the patient. This figure was highest among those with a degree (47 per cent).
Questions regarding the use of public lists for marketing purposes showed that while a clear majority (70 per cent) were against the use of the electoral roll for such purposes, people were split on whether or not it was acceptable to use the White Pages telephone directory for marketing. Again, findings confirm that women and people from lower income groups are more likely to want to protect their personal information, with fewer people from these subgroups supporting the use of either public list.
When dealing over the internet the majority of people (57 per cent) had more concerns about the security of their personal information, hence approximately one third of internet users had attempted to protect their privacy by setting their web browser to reject cookies. Another third, however, were not aware of cookies or what they did. When asked about attitudes towards tracking users over the internet without their knowledge, over 90 per cent of people thought this was an invasion of privacy.
The Office of the Federal Privacy Commissioner (OFPC) commissioned Roy Morgan Research to research the privacy knowledge, attitudes and practices of Commonwealth government agencies. Outcomes of this research will feed into communications, compliance and policy frameworks for the OFPC.
Roy Morgan undertook a process of qualitative and quantitative research, focusing on Privacy Contact Officers (PCOs), officers with responsibility for facilitating compliance with privacy obligations within their agency, and also operational managers, working in areas that involved the handling of personal information.
Currently, it would appear that awareness of privacy responsibilities among Commonwealth agency officers is high. Further, the research demonstrates that these officers confer a high importance on these responsibilities. Privacy is considered to be an important area in terms of its significance to clients, staff and agency stakeholders. Overall, 74 per cent of respondents thought that privacy was very important to their agency.
More than half of the respondents (57 per cent) ranked protection of personal information first or second in order of importance relative to the other business factors listed. Overall, 63 per cent of respondents thought their agency had implemented privacy practices at some level. In addition, 74 per cent indicated that their agencies had privacy guidelines and protocols in place. The areas most commonly thought to be covered by these included: personnel record management (66 per cent); database management (59 per cent); client service functions (56 per cent); and internet based information policies (53 per cent).
However, despite the high level of perceived importance and recognition that some level of implementation of privacy practices had occurred, only a little less than a third (32 per cent) rated their agency’s ‘current level of understanding/ implementation of the privacy principles’ as high.
In terms of their personal knowledge of privacy matters the majority of respondents claimed to have some level of knowledge. Just under half the PCO respondents (48 per cent) and just over half of other officers surveyed (non-PCOs 55 per cent) felt that their privacy knowledge was actually high.
Most also reported having received some form of specific training or information on privacy laws and obligations. PCOs were more likely than other officers to have received such training (86 per cent compared to 75 per cent for non-PCOs). The majority who had received training in privacy had attended a short course and or received written material such as via the agency’s induction or other training manuals.
Despite the high level of general knowledge of privacy issues there were some apparent gaps in the understanding about the types of information included in the term ‘personal information’. Nearly all in the survey thought that the term included a person’s name coupled with home address, phone number and or facts such as income details, age, marital status and so on. However, far fewer people thought ‘opinions about people’ and ‘a person’s business title, business address or phone number’ were also personal information.
PCOs reported awareness of a wide range of information flows and transfers within and between departments. Nearly four out of 10 PCOs reported that agencies were involved in data matching processes.
However, non-PCOs were much less aware of these activities taking place as part of the day to day operations and procedures in government agencies (21 per cent of non-PCOs answered ‘don’t know’ compared to 5 per cent for PCOs).
Awareness among PCOs of imminent change to the Privacy Act 1988 (Cth) was high but non-PCOs were much less aware (86 per cent PCOs compared to 51 per cent non-PCOs). In addition, there appears to be uncertainty about what precise impact these changes might have on Federal agencies.
Among those who were aware of the forthcoming changes, 17 per cent of non-PCOs and 6 per cent of PCOs did not expect any impact on Federal government agencies. The 81 per cent of respondents that were aware of the changes expected effects on ‘government outsourcing contracts and relationships’. Around one third of this group thought that ‘international obligations’ and ‘archiving and access to client records’ might be impacted by the legislative changes.
The OFPC website was the most commonly listed (29 per cent) main source of privacy related information for government officers. PCOs also used internal agency legal staff and OFPC staff as key sources of advice.
Nearly one in four non-PCOs gave the agency PCO as their main source of advice on privacy matters. While the incidence of PCOs as the main source of advice is encouraging, it is probably lower than might have been expected given that the non-PCOs in this survey have key roles in the management of personal information in agencies. Raising the profile of PCOs and the advice they can provide may need to be a focus for OFPC communications, and also a strategy for individual agencies.
In addition, utilisation of other forms of advice and information such as the Attorney General’s Department, private law firms, published materials and other PCOs are all currently quite low.
Online service delivery was the area that created the greatest sense of unease about the capacity of agencies to implement and maintain good privacy practice. Among PCOs, online service delivery was seen as by far the area of greatest challenge (48 per cent) and ‘keeping pace with change in technology such as e-commerce’ was perceived as the main barrier to privacy best practice (29 per cent).
PCOs were more likely to recognise barriers to good privacy than non-PCOs (only 14 per cent of PCOs saw no barrier compared to 23 per cent of non-PCOs). The top areas seen as main barriers by non-PCOs included ‘limited human resources’ (15 per cent), cost of staff education’ (13 per cent), and ‘complexity of government. outsourcing’ (13 per cent). While non-PCOs were less likely to see technological change as a main barrier, this did top the list of other barriers nominated by this group (43 per cent).
Generally government officers showed a high level of trust in their agencies’ handling of employment records and staff personal information. More than two thirds of those surveyed considered the agency where they worked to be highly trustworthy.
However, concern expressed about outsourcing of HR functions may mean that this issue could be significant to many staff in terms of confidence that their personal records are well protected. Nearly one in five said they would be greatly concerned about possible HR outsourcing.
In its ongoing work with Commonwealth agencies, the OFPC may need to consider both promoting existing OFPC services to a higher degree, and also explore the development of new information services. Respondents did not exhibit a high level of knowledge about the services offered by the OFPC, and voiced some needs not currently being met by the current collection of information.
Online information and hotline services were universally supported. However, the types of information required from these services for PCOs and non-PCOs are likely to differ. PCOs are looking for more specific and detailed information that will assist them in delivering advice to managers in the agency on particular privacy concerns. The information required would include case studies, best practice examples and recent court decisions in the area. They also support more effective use of the PCO network in particular mentoring or training of new PCOs by more experienced PCOs (52 per cent).
Non-PCOs felt that training packages (57 per cent), privacy risk assessment service (47 per cent), more online information (45 per cent) and an online hotline service (38 per cent) were the top four ways the OFPC could better assist agencies. Support for privacy risk assessments (an idea that was raised in the earlier qualitative research) is the result of non-PCOs feeling uncertain that processes are in place across all policy and program areas in an agency to identify practices that potentially risk breaching privacy obligations. Greater awareness of PCOs and their role and greater dialogue within agencies on these issues would also help address these concerns.
The survey results confirm that there is a high degree of concern and awareness amongst government officers in relation to privacy responsibilities and obligations. Federal agency personnel are therefore likely to be receptive to OFPC communications that address their knowledge gaps and promote useful information and alternative sources of privacy assistance across the public sector including online services, PCOs and AGs.
Office of the Federal Privacy Commissioner.