PRIVACY ACT SEMINAR

Australian Privacy Principles - Updates presented by WiTH Collective & Marque Lawyers


welcome

DATA HAS ALWAYS BEEN CENTRAL TO OUR APPROACH TO MODERN MARKETING

Privacy act & data

DATA IS THE NEW FRONTIER IN MARKETING

THE WORLD HAS BECOME AWASH WITH DATA

THE CMO IS NOW MORE FOCUSED ON MARKETING AUTOMATION & OPTIMISATION

IN 2014, CMOs:

46% PLAN TO INCREASE BRAND AWARENESS
30% INCREASED FOCUS ON LOCATION BASED MARKETING
61% PLAN TO INCREASE INVESTMENT IN DATA & ANALYTICS
60% PLAN TO INCREASE INVESTMENT IN MARKETING AUTOMATION
57% PLAN TO INCREASE SOCIAL MEDIA SPEND

*ExactTarget Cloud Marketing Survey 2014

[Slide graphic: sources of 1st, 2nd and 3rd party data: campaign data, transactional data, media data, social data, personal data, CRM, Google Analytics, data exchanges, social media data, Nest, Instagram, Twitter, WhatsApp, DMPs/personalisation. Billions spent on new data.]

ALL FOCUSED ON:

CUSTOMER INTELLIGENCE

MARKETING

PROFIT

NOTHING IS ANONYMOUS. EVERYTHING IS IDENTIFIABLE.

BEHAVIOURS/ACTIONS CAN BE PREDICTED

FAIR PURPOSE / FAIR USE

CONSUMER PROTECTION


issues we will cover

AUSTRALIAN PRIVACY PRINCIPLES

REASONABLE EFFORTS TO ENSURE COMPLIANCE

IT SECURITY

THE POWERS OF THE COMMISSIONER

SOME CASE STUDIES

what is personal information?

PERSONAL INFORMATION IS INFORMATION OR AN OPINION ABOUT AN IDENTIFIED INDIVIDUAL, OR AN INDIVIDUAL WHO IS REASONABLY IDENTIFIABLE, WHETHER THE INFORMATION OR OPINION IS TRUE OR NOT, AND WHETHER THE INFORMATION IS RECORDED IN A MATERIAL FORM OR NOT.

The Australian privacy principles

THIRTEEN PRINCIPLES WHICH SET OUT HOW ORGANISATIONS MUST DEAL WITH PERSONAL INFORMATION

APPLY TO COMMONWEALTH GOVERNMENT AGENCIES AND BUSINESSES WITH TURNOVER OF MORE THAN $3M

APP 1: OPEN AND TRANSPARENT MANAGEMENT OF PERSONAL INFORMATION

Personal information must be managed in an open and transparent way.

You must take reasonable steps to ensure you comply with the APPs, and you must have a clearly expressed and up to date Privacy Policy (usually posted on your website).

APP 2: ANONYMITY AND PSEUDONYMITY

You must provide individuals with the option of not identifying themselves, or of using a pseudonym when dealing with you.

This obligation doesn’t apply where it is impracticable to do so.

APP 3: COLLECTION OF PERSONAL INFORMATION

You can only collect personal information where it is reasonably necessary for your functions or activities.

Higher standards apply to the collection of ‘sensitive information’ (e.g. race, religion, health information, sexual preference), in which case the individual must consent to the collection of this information.

APP 4: DEALING WITH UNSOLICITED PERSONAL INFORMATION

This APP sets out how you must deal with unsolicited information you receive. Broadly, you will have to determine whether you would have been able to collect the information in accordance with APP 3. If not, you must destroy or de-identify the information.

Unsolicited information is that which you receive when you have taken no active steps to collect it. For example: random job applications, flyers, purchased mailing lists.

APP 5: NOTIFICATION OF THE COLLECTION OF PERSONAL INFORMATION

APP 5 sets out when and in what circumstances you must notify an individual of certain matters including your identity and contact details.

You should notify the ‘APP 5’ matters at or prior to the point of collection.

‘APP 5’ matters include:

Your identity and contact details
The purposes for which you collect the information
To whom you may disclose the information (including overseas)
Details of your privacy policy

Generally a clear and prominent link to the privacy policy at the point of collection is OK.

APP 6: USE OR DISCLOSURE OF PERSONAL INFORMATION

You can only use information for the purposes for which you collected it, unless the person has consented or should reasonably expect that you would use it for other related purposes.

APP 7: DIRECT MARKETING

APP 7 imposes a general prohibition on use or disclosure of personal information for direct marketing, unless certain criteria are met:

the person has consented or would reasonably expect you to; and
you provide a simple opt out mechanism.

Note this does not include electronic commercial messages (email, text message), which are covered by the Spam Act 2003.

APP 8: CROSS-BORDER DISCLOSURE OF PERSONAL INFORMATION

You cannot disclose personal information to overseas recipients unless you take reasonable steps to ensure that the overseas recipient will comply with the APPs.

That obligation does not apply where:

You believe that the overseas recipient is subject to a privacy regime substantially similar to Australia’s; or
The individual provided express consent to the disclosure and agreed that the APPs wouldn’t apply.

What is ‘disclosure’? Cloud computing etc. is generally not disclosure.

APP 9: ADOPTION, USE OR DISCLOSURE OF GOVERNMENT RELATED IDENTIFIERS

You cannot use an individual’s government related identifier (e.g. passport number) as your own identifier for that individual.

Example: An accounting firm can’t use tax file numbers as the basis for its identification system.

You can only use or disclose a government related identifier if you reasonably need to use the identifier to verify the identity of an individual.

APP 10: QUALITY OF PERSONAL INFORMATION

You must take reasonable steps to ensure that the personal information you collect, use and disclose is accurate, up-to-date and complete.

‘Reasonable steps’ depend on the size of your organisation, the types of information, and the consequences of having wrong information.

The Commissioner recommends reviewing personal information regularly, and providing individuals with a simple means of updating details.

APP 11: SECURITY OF PERSONAL INFORMATION

You must take reasonable steps to protect personal information you hold from:

Misuse;
Interference and loss; and
Unauthorised access, modification or disclosure.

You must destroy personal information which you don’t need.

APP 12: ACCESS TO PERSONAL INFORMATION

Generally, you must give individuals access to personal information you hold about them.

There are a number of exceptions, including where access would threaten life or safety, it relates to legal proceedings, or the request is frivolous.

You must respond to a request within a reasonable time.

You must verify the identity of an individual before handing over information.

APP 13: CORRECTION OF PERSONAL INFORMATION

If you know (or the individual tells you) personal information is incorrect, then you must correct it within a reasonable time.

If you have disclosed information, you must also advise those entities of the corrections.

REASONABLE EFFORTS to ensure information security

WHAT DOES YOUR BUSINESS NEED TO DO TO PROTECT PERSONAL INFORMATION?

SOME THINGS TO CONSIDER:

Access (eg. strong passwords)

Backing up

Communications security (eg. docs left on printers, emails, discussions outside the office)

Data breaches (have a response plan and know what to do)

Physical security (physical access to the workplace/desks)

Personnel security and training (including contractors and service providers)

Workplace policies

The powers of the commissioner

The Commissioner could always investigate breaches, but in the absence of a complaint had no powers but bad publicity.

Now the Commissioner has the full range of remedies even in the event of ‘own motion’ investigations.

investigations

The Commissioner may determine:

To dismiss a complaint;

That a person must take certain steps to redress loss or ensure the breach doesn’t occur again;

That a person is entitled to a specific amount of compensation.

No further action to be taken.

If a person does not comply with a determination, the Commissioner may apply to the Federal Court for an order to enforce.

determinations

The Commissioner has the power to accept undertakings from an entity that it will do certain things to ensure compliance.

If the entity doesn’t comply, the Commissioner may apply to the Court for enforcement.

Enforceable undertakings


This is new!

If serious or repeated interferences with privacy, the Commissioner may seek a civil penalty order from the Court.

Currently, the maximum penalty for a corporation is $1.7 million, and an individual $340,000.

penalties

Real world stuff ups and their consequences

CASE STUDIES

A mail out to 60,300 customers inadvertently had the wrong customer addresses.

Telstra’s security measures included:

The contract with the mailing house included privacy and confidentiality obligations;
They always conducted privacy impact assessments on each new job;
Each mail-out went through a series of approvals; and
Quality control procedures for staff handling of all campaigns.

In the circumstances Telstra got off – the Commissioner said it was due to human error, and Telstra’s systems were adequate.

Telstra

McDonald’s ran a campaign in which it encouraged customers to send their friends a link on its Happy Meal website, which included promotional games.

Result

The Australian Communications and Media Authority (ACMA) thought this was a breach of the Spam Act as the recipients did not consent to receiving commercial electronic messages from McDonald’s, and they didn’t have an unsubscribe facility.

McDonald’s serves spam

AAPT customer data held by contractor Melbourne IT was hacked and published online.

The Commissioner found AAPT had breached the Act for failing to adequately protect customer data from unauthorised access.

The Commissioner said:

It was not clear contractually who was responsible for addressing and identifying data security issues;

Old versions of applications and software were used; and

Data which was no longer needed was not destroyed.

Under the current Act he couldn’t impose a penalty, but under the changes to the Act he can.

AAPT

Grays sent an email to its customers introducing its new website ‘GraysEscape’.

They had decided that it was not commercial, and therefore sent it to customers who had previously unsubscribed, and it also did not have an unsubscribe facility.

ACMA found that it was commercial, and hit them with a $165,000 fine.

It was made worse by the fact that Grays made a conscious determination that the email was not promotional (ie it was not the result of an error).

Grays don’t escape

Crisis management

CUSTOMER INFORMATION (INCLUDING BANK ACCOUNT DETAILS) OF ABOUT 600 PEOPLE IS INADVERTENTLY EMAILED TO A HOUSEWIFE IN MILWAUKEE.

WHAT DO YOU DO?

What should you do?

FIRST STEP – LOOK AT YOUR OWN PROCEDURES.

HAVE YOUR SYSTEMS FAILED?

NO OBLIGATION TO NOTIFY THE CUSTOMERS OR THE COMMISSIONER.

LOOK AT IMPACT OF THE DISCLOSURE, THREAT TO THE CUSTOMER?

BE REASONABLE

QUESTIONS?

THANK YOU