Privacy Law and Policy Reporter
Office of the Federal Privacy Commissioner
In (2001) 8(3) PLPR 59 we published the executive summaries of the community and government surveys of attitudes to privacy commissioned by the Federal Privacy Commissioner. This issue includes the first half of the business community survey, covering the general overall findings of the research. The next issue will cover the results by industry sector, State, and the location of privacy officers — General Editor.
In order to gain further understanding of attitudes in the business community towards privacy issues and awareness of the new privacy legislation, the Office of the Federal Privacy Commissioner commissioned Roy Morgan Research to conduct a national computer assisted telephone interviewing (CATI) survey among a representative sample of private sector organisations in Australia. Interviews were conducted in June 2001, with appropriate persons (mainly senior and middle management level) in 560 organisations covering six major industry sectors. (Note that the organisations included in the survey were those handling information relevant to privacy issues.) This section of the report summarises the general overall findings of the research, followed by a breakdown of the results by type of industry, State, and the location of privacy officers. This section also incorporates information obtained from interviews of business leaders as part of the qualitative stage of the project, and relevant findings from the quantitative study of community attitudes towards privacy.
Overall, respondents reported highly positive attitudes toward the privacy of customers’ personal information. The overwhelming majority (95 per cent) of respondents said that they considered the privacy of customers’ personal information to be a very important or important issue for their organisations. The main reasons (representing 51 per cent of responses) given for the importance of the privacy of customer information were: ethical/moral reasons; compliance with company policy; and maintaining confidentiality of customer information in line with the requirements of the organisation’s line of business. Other less common reasons (representing 22 per cent of responses) included maintaining the reputation or credibility of the business; consumer confidence; and enhancing customers’ expectations of the trustworthiness of the organisation.
The majority (80 per cent) of respondents stated that their business was dependent to a considerable extent upon their ability to protect and responsibly use their customers’ personal information. Respondents were cognisant of the negative impact of publicity regarding breaches of customer privacy. Most respondents (more than 90 per cent) stated that publicity concerning a breach of customer privacy would be damaging to their organisation’s public profile and customer relations.
When participants were asked what was most likely to make customers trust their organisation with their personal information, the most common responses (representing 70 per cent of responses) were centred on the organisation’s good track record in keeping information confidential; the organisation’s reputation, good name, and length of time in business; and information provided to customers about the organisation’s commitment to privacy and specific privacy procedures in place. Less common reasons (representing 13 per cent of responses) were knowledge about the organisation’s policies regarding selling or giving away private details, and customer relations practices in building close professional relationships with clients.
It is interesting to note, however, that respondents tended to use widely encompassing definitions of the term ‘personal information’. When asked to define the term, the most common responses (representing 60 per cent of responses) were: address (private/business); phone number (private/business); name; and income details. Other less common responses (representing 22 per cent of responses) were: age; financial, taxation, credit card information and account details; marriage status; and medical information. It is noteworthy that health casenotes, customer service information and personal opinions were not mentioned by respondents as constituting ‘personal information’. Thus, while respondents held quite positive attitudes toward protection of customer personal information, it is not clear that they interpreted the term ‘personal information’ in the same way as the privacy legislation.
These responses from representatives of business sectors to the question of what constitutes personal information are similar to those expressed by respondents in the community survey. The types of personal information people in the community felt reluctant about divulging included financial details, income, health information and home contact details.
These findings are also in keeping with comments obtained from interviews with business leaders in the qualitative study:
They [people] want to feel that they’ve got control over what’s happening with their information. That’s something we need to think of as an organisation ... ensuring that we meet that expectation test of what our customers expect because it’s in our interests not to get that wrong. Because if we consistently get it wrong, we are going to upset a lot of customers. There’s no business commercial value in that.
If we have a privacy breach, it will be through accident rather than intent. It will be through unconscious act rather than for someone failing to perceive the impact of what they’re doing with the information.
There is a bit of paranoia around here [about media publicity] because a lot of the reporting of privacy to date has focused very much on the abuse.
If history is anything to go on, when there is a privacy breach and it is a high profile one, there would be heaps of media interest, lots of political interest, and that will then be a big beat-up in the press, which will then play on consumers’ minds. So you end up with consumers who become increasingly frightened about these privacy issues, even though generally there may well be very little to be frightened about. That will then in turn affect their take-up of, for example, e-commerce products and also the amount of information they are willing to divulge.
The publicity given to non-compliance will affect people’s concerns about privacy, which is kind of negative, but at the same time they need to be aware, and then that will affect business. So it will definitely affect us all.
I think there have been some fairly high profile issues about privacy in Australia [recently] where databases have gone missing, credit card details have gone missing, all of that kind of stuff, and every time it happens, there is lots of publicity, and rightly so. I mean if you lose a database or a credit base, that is incredible. Again, it will be just another peak, a high point in the privacy issue and the first breaches start. Then eventually, hopefully, it will kind of die off to [people becoming] more comfortable with the way information is being used.
In general, respondents tended to hold responsible views about the use and protection of customer personal information. The majority (76 per cent) disagreed with the statement: ‘Businesses should be able to use the customer information they collect whenever, and for whatever purpose they choose.’ Most (95 per cent) respondents agreed with the statement: ‘It is reasonable that there should be laws to protect consumers’ personal information held on business databases.’ Further, most (86 per cent) respondents agreed with the statement: ‘An organisation’s customer database is a valuable commercial asset.’
It would appear, then, that most respondents realised the value of customer personal information and recognised that protecting such information was in the interests of the organisation and its relationship with customers.
The majority (64 per cent) of respondents stated that their organisations never obtained information about customers or potential customers from other organisations; only 14 per cent of respondents said that they regularly obtained such information from other organisations. Most (90 per cent) respondents said that their organisations never sold, rented out, or transferred customer details to other organisations; only 4 per cent said they regularly engaged in transferring such information to other organisations. This is an interesting finding. Given the large amount of marketing materials people receive, it may be that only a small proportion of businesses are engaging in these activities and these businesses would be responsible for a fairly high proportion of such information transactions.
About half the sample (48 per cent) said that their organisations never transferred customer details internally for use in relation to different services or products offered by other sections of the company. However, a substantial proportion (a little over 20 per cent) of respondents said their organisations did regularly transfer such information internally. Clearly, these organisations need to have adequate knowledge about the new privacy regulations and apply them accordingly to the internal transfer of information.
Overall, respondents expressed considerable concern about the transfer of customer personal information without the customer’s knowledge. Most (90 per cent) respondents said that such actions would be of great concern or some concern to their organisations. The majority (64 per cent) of respondents also noted that when dealing with the internet, customers would have more concerns about the security of their personal details than usual. About 80 per cent of respondents noted that their organisations had already established a website, and another 10 per cent intended to establish a website. About 55 per cent of these respondents said that their organisations would need to consider special measures such as security protocols, security of data, online privacy policies and password protection in order to protect client privacy online.
Business attitudes towards the protection of privacy seem to be compatible with community attitudes. In the community survey, attitudes reflected a strong desire for people to gain control over how their personal information was used, and wanting businesses to seek permission before using their personal information for marketing purposes. Organisational practices that concerned community members — such as transferring personal information without the owner’s knowledge, and using personal information beyond the purpose for which it was originally collected — were practices that also concerned representatives of the business community.
An interesting area of contrast, however, was in response to the question of factors that customers consider important in choosing whether or not to deal with a company. In the community survey, respondents rated ‘respect for, and protection of, my personal information’ as the most important factor, and over one-third of community respondents rated this service aspect above quality of product, efficiency, price and convenience. In contrast, business respondents rated ‘quality of product or service’ as the most important factor. Further, quality of product, efficiency of service, price, and convenience were rated as more important than ‘protection or security of personal information’. Thus, it would appear that businesses are not fully aware of the high importance that the community places on privacy issues with respect to choice in dealing with a particular organisation.
While the majority (82 per cent) of respondents were aware of the existence of Federal privacy laws before the interview, there appear to be some gaps in specific knowledge about the legislation. Less than 40 per cent of respondents were aware of what organisations the Federal privacy laws applied to. Less than 40 per cent of respondents were aware that new Federal privacy laws come into effect in December 2001.
About half (52 per cent) the sample noted that their organisations had very little knowledge or no knowledge at all concerning the new privacy laws. The majority (74 per cent) of respondents stated that their organisations had not started preparing for the new legislation. Further, most (91 per cent) respondents believed that they did not have sufficient information on the new privacy laws to begin preparing for the new legislation.
However, about 40 per cent of respondents noted that there was an industry association relevant to their organisation that had developed guidelines outlining privacy protocols for the collection, use and protection or storage of customers’ personal information. Of those who had access to relevant industry association guidelines, the majority (60 per cent) of respondents said that their organisations currently followed the privacy guidelines set out by the industry association and 35 per cent said they followed their own guidelines.
Thus, it would seem that industry associations are an avenue through which organisations can obtain relevant information and guidelines for implementation of appropriate privacy procedures. These findings also confirm the appropriateness of the strategy of the Office of the Federal Privacy Commissioner to work actively through industry associations with respect to providing information about the new privacy regulations. The Office is clearly moving in the right direction in this business communication strategy.
About 60 per cent of respondents who were aware of the new privacy laws stated that they would have considerable impact upon the way their business is conducted. The majority (73 per cent) of respondents viewed the changes to the Federal privacy legislation as a positive event; only 12 per cent said that the changes were somewhat negative. (Note these questions were directed at those respondents who stated that their organisations had a high level or some knowledge concerning the new Federal privacy laws.)
The main reasons for saying the changes to the Federal privacy legislation are a positive event (representing 77 per cent of positive responses) were that it would be beneficial to the business and improve customer relations; give consumers more confidence about what information is kept about them in the organisation, and the way such information is kept; lessen the misuse of private information and prevent unauthorised intrusion; and make businesses more honest and ethical. The main reasons for saying the changes to Federal privacy legislation are a negative event (representing 76 per cent of negative responses) were that it would be expensive to implement; would be too restrictive for businesses; and would require considerable resources to implement.
When respondents were asked about how the new laws will impact upon their business, a considerable proportion of respondents (17 per cent) said that the new laws would have moderate impact or not much impact, and 6 per cent said that they already partly complied with the new laws. A number of responses to this question (12 per cent) showed positive impact of the new Federal privacy laws, with respondents noting that the new laws make businesses more aware of privacy regulations and their responsibility regarding privacy, as well as improving business practice.
The most common responses (55 per cent) showing negative impact of the new laws included: increased work, paperwork and red tape; cost of implementation; requirements for staff training; increased monitoring and control; the need to make new declarations and inform customers about the new laws; and limitations on the amount or type of data that could be collected. Thus, the negative impact of the new laws seems to focus on practical implementation issues, including compliance costs.
When asked about barriers or potential barriers to organisational compliance with the new legislation, the most common responses (23 per cent) were: lack of information; cost of staff education and training; cost of updating technology systems; and the time taken to implement the new laws, update systems, and report to Government.
Comments from interviews conducted with business leaders for the qualitative study complement these findings, showing a mixed reaction to the impact of the new laws on business:
From what we’ve read so far, we should be all right. Obviously the more we read about it [the legislation], the more we need to think about it, but I think overall we shouldn’t be too bad.
I think a lot of it’s in your head in lots of ways. The move to applying similar principles to the private sector doesn’t cause minimum level of disquiet. Some of the other [companies] are going, ‘This is awful.’ In reality, once you set the processes in place, it actually works quite smoothly.
I think business people are going to look at this as yet another government intervention in their jobs. I absolutely see that.
[Similar organisations] are concerned about the costs in terms of once you move into a model where you have got some sort of information privacy principles you are bound to do things in a certain way to comply. There are compliance costs, and the idea of compliance is that quite often you do those things because they make good business sense in any event. You don’t just do them.
I believe in essence the amended Act represents good business sense. The Act is not onerous, the requirements are minimal and by following the National Privacy Principles, we will minimise irritation to the general public, better target our prospects and donors, resulting in more efficient marketing campaigns and better financial results.
When respondents were asked about who they would contact in order to obtain further information on the new privacy laws, the most common responses (74 per cent) were (in descending order): industry association; Privacy Commissioner; solicitor/lawyer; and government department (State or Federal). Those who did not mention the Office of the Federal Privacy Commissioner as a source of information about the new privacy legislation were asked whether they were aware of the Office before the interview. The majority (64 per cent) of these respondents said they had not been aware of the Office of the Federal Privacy Commissioner.
These findings suggest that while the level of knowledge among the business community about the Office is considerably higher than among consumers (as expressed in the quantitative Community Survey), there remain a substantial proportion of organisations that need to direct their attention to the resources available to help implement privacy procedures according to the new legislation.
The last question put to respondents who said their organisations had some knowledge of the new privacy legislation concerned the ways that the Office of the Federal Privacy Commissioner could assist their organisations to prepare for the amended privacy laws that come into effect in December 2001. The majority (72 per cent) of respondents answered this question with the response ‘more information’. Less common responses (representing 18 per cent of responses) were: training for staff; support to industry associations; simplification of information; and workshops or seminars. Clearly, what respondents want is more information. However, the type of information required has not been specified.
Some comments obtained from business leaders in the qualitative study suggest that privacy issues regarding business-to-business exchange of information are likely to need clarification.
It’s the companies like us that haven’t been caught up in this in the past [that need clear guidelines about the new privacy laws]. We have probably been on the periphery, but we didn’t know it. For example, we would process information [provided by another company] and our own security steps would be in place. We are not going to sell that information to anybody; we are not going to pass it on to anybody. We have done as instructed by the owners and it’s their responsibility to make sure they are doing everything right [by the privacy laws]. If we did something under their instructions that was wrong, I guess somebody could come to us and say, ‘You breached the Privacy Act’ and we would say, ‘Hold on, I was just following instructions from the owner of the data who should know.’
The biggest fight that industry has got is perhaps not so much with their customer business interface, but it’s their business to business relationships, and who actually owns the data. The privacy legislation is actually going to drive a lot of decisions to be made by who owns the data. Whoever owns it is therefore responsible for making it compliant, and it’s a joint ownership, then it’s got to be made clear to the customer at the time that it’s a joint ownership.
I think that the people that really have got the most concerns are the people who have already been tied up in the Act anyway: the credit providers, the banks, the finance, the credit and the health area. They have been there, they are already there. It would seem to me that they are pretty well involved.
In order to clarify such issues, it would appear that the Office of the Federal Privacy Commissioner will benefit from continuation of the business communication strategy of working through relevant industry associations, which are viewed by respondents as supportive and understanding of concerns specific to the type of industry.