Privacy Law and Policy Reporter

Office of the Federal Privacy Commissioner --- "Australian business attitudes to privacy Pt II: industry sectors and regional comparisons" [2001] PrivLawPRpr 53; (2001) 8(6) Privacy Law and Policy Reporter 118

Australian business attitudes to privacy Pt II: industry sectors and regional comparisons

Office of the Federal Privacy Commissioner

In (2001) 8(3) PLPR 59 we published the Executive Summaries of the community and government surveys of attitudes to privacy commissioned by the Federal Privacy Commissioner. The previous issue of PLPR (8(5)) included the first half of the business community survey, covering the general overall findings of the research. This issue covers the results by industry sector, State, and the location of privacy officers — General Editor.

Industry sectors

Impact of breach of privacy

Respondents in the finance/insurance and education/health industry sectors were most concerned about the impact of a breach of customer privacy on their organisation’s public profile and customer relations. Their high level of concern about the negative publicity impact of a breach of customer privacy may relate to their responses to other questions about the importance of the privacy of customers’ personal information for their organisations. About 90 per cent of respondents in each of these two industry groups stated that the success of their business was highly dependent on their ability to protect and responsibly use their customers’ personal information.

While the majority of respondents in both the finance/insurance and education/health industry groups noted that ethical/moral reasons, confidentiality and company policy were important reasons for maintaining customer privacy, they also noted that the reputation and credibility of their business as well as consumer confidence were important aspects of maintaining customer privacy. Respondents in these two industry groups were also mindful that their line of business required maintenance of customer privacy as they dealt with confidential information. Respondents in the finance/insurance and education/health sectors also focused on the issue of trust, stating that their customers expected that the organisation would maintain customer privacy, and they wanted customers to trust the organisation.

In contrast, respondents in the retail/manufacturing industry sector were less concerned about the damaging impact of publicity concerning a breach of customer privacy on their organisation’s public profile or customer relations. About 40 per cent of respondents in this industry group maintained that the success of their business was relatively independent of their ability to protect and responsibly use their customers’ personal information. It is interesting to note that, unlike the other industry groups, respondents in retail/manufacturing stated that a primary reason for the importance of the privacy of customers’ personal information for their organisation was to ensure that such information was not misused or made available to their competitors.

Most respondents (about 90 per cent) in the other industry groups (publishers/advertisers/direct mail, entertainment/travel, business/personal services) stated that publicity concerning a breach of customer privacy would be damaging to their organisation’s public profile as well as their organisation’s customer relations. There was, however, a mixed response pattern in these groups about the relationship between the success of their business and maintenance of the privacy of customers’ personal information. The majority of respondents (77 per cent to 86 per cent) in these industry sectors said that the success of their business was dependent on their organisation’s ability to protect and responsibly use their customers’ personal information, but a substantial proportion (13 per cent to 23 per cent) said the success of their business was relatively independent of maintaining the privacy of customers’ personal information.

The primary reasons given by respondents in these industry groups (publishers/advertisers/direct mail, entertainment/travel, business/personal services) for the importance of privacy of customers’ personal information related to ethical/moral issues, confidentiality, company policies and the nature of the information managed by the organisation. In effect, respondents in these industry sectors seem to hold to the notion that privacy of customer information was important because their organisations dealt with confidential information and they must abide by organisational policies.

Existence of relevant industry associations

The finance/insurance sector seems to be best served in terms of relevant industry associations. This was the only industry group where the majority of respondents (70 per cent) stated there was an industry association relevant to their organisation that had developed guidelines outlining privacy protocols for the collection, use and protection or storage of customers’ personal information. The majority of respondents in finance/insurance organisations (63 per cent) that had access to industry association guidelines stated that their organisations currently followed the privacy guidelines set out by the industry association.

The industry sectors that seem to be less well served by industry associations are retail/manufacturing and entertainment/travel. The majority of respondents in both these industry groups (60 per cent and 70 per cent) said they were not aware of an industry association relevant to their organisations that had developed appropriate privacy protocols for customers’ personal information. Of those respondents in retail/manufacturing and entertainment/travel organisations that had access to industry association guidelines, about 60 per cent said their organisations currently followed the guidelines set out by the industry association.

The other industry sectors (publishers/advertisers/direct mail, business/personal services and education/health) showed much variation in terms of access to relevant industry associations. About half the respondents in each of these industry sectors stated that there were no industry association privacy guidelines available to their organisations, about 40 per cent in each of the industry groups said they did have relevant industry association guidelines, and about 10 per cent in each group did not know whether such guidelines were available. However, the majority (about 60 per cent) of those who had access to industry association guidelines in these industry sectors noted that their organisations currently followed the privacy guidelines set out by the relevant industry associations.

Transfer of customer information by industry sectors

Type of industry does not seem to affect the extent to which organisations sell, rent out, or transfer customer details to other organisations. The large majority of respondents in each of the industry groups (85 per cent to 96 per cent) stated that their organisations never provided customer information to other organisations.

There was little variation across industry sectors with respect to the degree of concern about the transfer of a customer’s personal information to another business without the customer’s knowledge. Most respondents in each of the industry groups (85 per cent to 95 per cent) stated that such a situation would be of great concern or some concern to their organisations.

The particular industry sector does not seem to affect the extent to which organisations transfer customer details internally for use in relation to different services or products offered by other sections of the company. About half (41 per cent to 54 per cent) the respondents in each of the industry sectors said their organisations never engaged in internal transfer of information. Roughly the same proportion (43 per cent to 55 per cent) of respondents in each of the industry sectors said their organisations occasionally or regularly transferred customer details internally for use in other sections of the company. These findings suggest that there is a high volume of industries that are likely to have compliance concerns.

There were, however, differences across industry groups in obtaining customer information from other organisations by purchasing, renting or swapping lists for marketing. According to respondents, the organisations that were occasionally or regularly obtaining information about customers or potential customers from other organisations tended to be in the publishers/advertisers/direct mail and retail/manufacturing industry sectors. Organisations that seem less likely to obtain customer information occasionally or regularly from other organisations were in the entertainment/travel sector. However, a substantial proportion (about 30 per cent) of respondents in each of the finance/insurance, business/personal services and education/health industry groups noted that their organisations occasionally or regularly obtained customer information from other organisations.

This finding highlights a potential compliance problem. Businesses may believe that purchasing information from another organisation does not require additional compliance procedures on their part. However, there are some industry sectors, such as health, that have particular privacy regulations to consider with respect to use and storage of customer information that are not covered in the privacy policy of the organisation from which they have obtained the information. Such problems are likely to be complex when dealing with business to business exchange of information.

Attitudes toward privacy of customer personal information by industry sector

Responses to statements about the use and protection of customer personal information showed little variation across industry sectors. The majority of respondents in each of the industry sectors (72 per cent to 80 per cent) disagreed with the statement that businesses should be able to use the customer information they collect whenever and for whatever purpose they choose.

Most respondents in each of the industry sectors (93 per cent to 99 per cent) agreed with the statement that there should be laws to protect consumers’ personal information held on business databases. Similarly, most respondents in each of the industry groups (83 per cent to 89 per cent) agreed with the statement that an organisation’s customer database is a valuable commercial asset.

Type of industry does not seem to affect respondents’ beliefs about security of personal information on the internet. The majority of respondents in all industry sectors (67 per cent to 84 per cent) noted that their organisation had already established a website, and a substantial proportion (7 per cent to 15 per cent) said their organisation intended to establish a website. With respect to the question of customer concerns about the security of their personal information on the internet, a similar pattern of responses appeared across industry groups. Between 60 per cent and 68 per cent of respondents in all industry groups stated that there would be more customer concerns about security of personal information on the internet. However, a considerable proportion (14 per cent to 26 per cent) noted that such concerns would be about the same on the internet as they are currently in other media.

Awareness and knowledge of Federal privacy laws across industry sectors

Respondents’ awareness and knowledge of Federal privacy laws does seem to vary according to the industry sector of their organisations. Respondents in the finance/insurance sector, compared to other industry sectors, seem to be most knowledgeable about the Federal privacy laws. Most (93 per cent) respondents in this industry group said they were aware of the existence of Federal privacy laws before the interview, 55 per cent said they were aware of what organisations the Federal privacy laws applied to, and the majority in this group (70 per cent) said they were aware that new Federal privacy laws would come into effect in December of this year. The majority (58 per cent) of respondents in the finance/insurance sector also stated that they had been aware of the Office of the Federal Privacy Commissioner prior to the interview.

In contrast, while the majority (73 per cent to 87 per cent) of respondents in each of the other industry groups said they were aware of the existence of Federal privacy laws, about a quarter (25 per cent to 27 per cent) of those in the retail/manufacturing and entertainment/travel industry sectors were not aware of the existence of the Federal privacy laws. A substantial proportion (13 per cent to 18 per cent) of respondents in the education/health, business/personal services, and publishers/advertisers/direct mail industry groups, were not aware of the existence of the Federal privacy laws before the interview.

The majority (62 per cent to 71 per cent) of respondents in all industry sectors, except finance/insurance, stated that they were not aware of which organisations the Federal privacy laws applied to. Similarly, the majority (59 per cent to 77 per cent) of respondents in all industry sectors, except finance/insurance, said that they were not aware that new Federal privacy laws come into effect in December 2001. Further, the majority (61 per cent to 79 per cent) of respondents in all industry sectors, except finance/insurance, were not aware of the Office of the Federal Privacy Commissioner.

This pattern of responses was repeated for the question regarding the organisation’s level of knowledge about the Federal privacy laws. Most (72 per cent) respondents in the finance/insurance sector said that their organisation had a high level of knowledge or some knowledge concerning the new privacy laws. In contrast, 50 per cent of respondents in the education/health sector and 42 per cent of respondents in publishers/advertisers/direct mail said that their organisations had some knowledge about the privacy laws. About 60 per cent of respondents in each of the industry sectors retail/manufacturing, entertainment/travel, and business/personal services said their organisations had very little or no knowledge about the new privacy laws.

These findings suggest that industry sectors that have a history or culture of following professional ethical guidelines regarding privacy and confidentiality are likely to be more aware of the new privacy laws than those sectors that do not have a shared history. Certainly, more knowledge would mean more awareness of the new privacy laws, but the findings also suggest that some industry sectors will find the notion of implementing new privacy procedures less familiar, and perhaps more onerous, than others that have existing policies.

Impact of privacy laws on business across industry sectors

The greater awareness and knowledge about the new Federal privacy laws shown by respondents in the finance/insurance sector could be related to the perceived impact that the laws will have on business in this sector. The majority (77 per cent) of respondents in the finance/insurance group said that the new Federal privacy laws currently have considerable impact upon the way their business is conducted; only 22 per cent of this group said the new laws would have no impact on the conduct of their business. In contrast, a substantial proportion (37 per cent to 46 per cent) of respondents in all other industry sectors stated that the new laws would not impact at all upon the way their business is currently conducted.

Preparation for new legislation across industry sectors

The finance/insurance sector appears to be most prepared, compared to other industry groups, for the new legislation. Over half (54 per cent) the respondents in the finance/insurance sector said their organisation had started preparing for the new legislation. In contrast, the majority (57 per cent to 75 per cent) of respondents in each of the other industry sectors stated that their organisations had not yet started preparing for the new privacy legislation.

Interestingly, type of industry does not seem to affect perceptions of the information available to prepare for the new legislation. Most (83 per cent to 95 per cent) respondents in all industry sectors, including finance/insurance, who stated that their organisations had not started preparing for the new legislation, also said that they did not have sufficient information on the new privacy laws to begin preparing for the new legislation.

State location of organisations

While all States and Territories were included in the interview sample, more detailed breakdown of responses by location was restricted to those States that had at least 60 respondents (Victoria, NSW, Queensland and WA). The State location of organisations in which respondents worked did not seem to affect respondents’ attitudes toward the importance of the privacy of customers’ personal information (all considered such information to be important). Attitudes toward the impact of a breach of customer privacy on the organisation’s public profile and customer relations also did not vary across State locations (all considered the publicity impact of a breach of customer privacy would be damaging to their organisation).

There were no noticeable differences between respondents in Victoria and NSW in responses to the major questions addressed in the interviews. Respondents in organisations in the larger States, Victoria and NSW (compared to those in Queensland and WA) were more likely to say that their organisations had started preparing for the new Federal privacy legislation.

Respondents in organisations in Victoria, NSW and Queensland (compared to those in WA) were more likely to say that the success of their business was dependent on their ability to protect and responsibly use their customers’ personal information. Respondents in these three States also noted that they had access to an industry association relevant to their organisation that had developed guidelines outlining privacy protocols for the collection, use and protection or storage of customers’ personal information.

Privacy officer present in organisation

Less than 40 per cent of respondents said that their organisations had a privacy officer, that is, a nominated staff member to oversee privacy issues relating to the collection, transfer, and use of customers’ personal information. The results of the research suggest that organisations that were more likely to have privacy officers were: located in Victoria and NSW; larger in size (that is, more than 20 employees); and in the finance/insurance, education/health, and publishers/advertisers/direct mail industry sectors. Organisations that were less likely to have privacy officers were in the entertainment/travel, retail/manufacturing, and business/personal services industry sectors.

The presence or absence of a privacy officer in their organisations did not seem to affect respondents’ attitudes toward the importance of the privacy of customers’ personal information or the impact of a breach of customer privacy on the organisation’s public profile and customer relations.

Respondents in organisations that had a privacy officer (compared to those in organisations that did not have a privacy officer) were more likely to state that the success of their business was dependent on their ability to protect and responsibly use their customers’ personal information. Those respondents who stated that their organisations had a privacy officer were also more likely to have an industry association relevant to their organisation that had developed guidelines outlining privacy protocols for the collection, use and protection or storage of customers’ personal information and currently follow the privacy guidelines set out by the industry association.

Respondents in organisations that had privacy officers tended to be more knowledgeable about the Federal privacy laws. Compared to respondents in organisations without a privacy officer, those in organisations with a privacy officer tended to be aware of the existence of the Federal privacy laws, be aware of what organisations the Federal privacy laws applied to, and know that the new Federal privacy laws come into effect in December 2001. Respondents in organisations with privacy officers also stated that their organisations had a high level of knowledge concerning the new privacy laws and that their organisations had started preparing for the new legislation.

In contrast, respondents in organisations that did not have a privacy officer tended to lack awareness of the existence of the Federal privacy laws, what organisations the laws applied to, and when the laws would come into effect. Respondents in organisations without privacy officers noted that their organisations had very little knowledge concerning the new privacy laws and their organisations had not started preparing for the new legislation.

These findings raise an interesting question of causality: what has led to what? Has lack of organisational knowledge about the new privacy laws led to the absence of a privacy officer in these organisations? Conversely, has the lack of a privacy officer led to lack of organisational knowledge about the new privacy laws? Given the Privacy (Private Sector) Amendment Act 2000 (Cth) came into effect in December 2001, it would seem important for organisations to nominate a person to start the process of attaining appropriate knowledge and instituting procedures towards the organisation’s preparation for the new legislation.

Office of the Federal Privacy Commissioner.


URL: http://www.austlii.edu.au/au/journals/PrivLawPRpr/2001/53.html