The new age of privacy
Businesses that trade in personal information or collect health information may also fall within the scope of the Privacy Act. The 2014 reforms established 13 Australian Privacy Principles (APPs) that form a collective blueprint governing the collection, use, management, and disclosure of individuals’ personal information by Australian organisations, businesses, and government agencies (personal information privacy).
Retailers have a dual commercial and regulatory burden to discharge their personal information privacy obligations to a high standard. This is because retailers often have large, dynamic workforces comprising employees, contractors, and commercial partners.
Retail businesses also typically invest heavily in customer interfaces as a way to market goods or services, create bespoke experiences, or explore new methods of creating and enhancing customer loyalty.
As a result, individuals’ personal information is integral to retail businesses and should be viewed as a valuable commercial asset to be maintained and protected. In doing so, retail businesses will not only demonstrate their governance capability, but also reduce the likelihood of customer complaints and subsequent damage to goodwill.
The reforms prescribe six compulsory matters that businesses must now address in their privacy policies. One indicator of an out-of-date policy is any reference to the National Privacy Principles (NPPs) or Information Privacy Principles (IPPs) – terms used to describe the privacy frameworks that applied to private businesses and government entities respectively.
The NPPs and IPPs have been replaced by the APPs following the 2014 reforms.
The Office of the Australian Information Commissioner has a history of auditing businesses’ privacy policies of its own volition to determine whether the documents comply with the Privacy Act.
Retailers should take advantage of the post-reform transitional period to review and update their business’ privacy documentation (including collection statements that comply with APP 5), as well as privacy-related internal practices, procedures, and systems (see below).
Internal practices, procedures and systems
The reforms impose a distinct obligation on businesses to take steps to implement and maintain internal practices, procedures and systems to ensure compliance with the APPs in practice.
Unsolicited personal information
The handling of personal information directly related to an individual’s current or former employment relationship or an employee record is exempt from the Privacy Act. However, the 2014 reforms extend the scope of the Privacy Act to unsolicited personal information, which includes resumes or CVs provided to the business by job applicants.
A business must assess unsolicited information within a reasonable period after receiving it to determine whether the business is entitled to collect the information (ie, it is reasonably necessary for, or directly related to, its activities).
If the business is not entitled to collect the unsolicited information, the information must be destroyed or de-identified as soon as reasonably practicable.
Businesses routinely retain the details of unsuccessful job applicants for future reference in the event that a suitable position becomes available. The acceptable length of this retention period is not fixed; however, a retention period of six months would be reasonable.
We recommend that businesses issue a collection statement to job applicants, which includes (among other things) an option to request that their personal information is destroyed or de-identified in the event that their application for the particular position is unsuccessful.
Sensitive information is a sub-category of personal information that attracts more stringent obligations under the Privacy Act.
Sensitive information includes details about an individual’s racial or ethnic origin, religious beliefs or affiliations, sexual preference or practices, trade union or professional memberships, criminal record, and health information.
Photographs can be deemed sensitive information if they reveal a physical characteristic or item of clothing indicative of an individual’s health, religion or ethnicity. The photograph must be reasonably necessary for the business to assess a candidate’s suitability for a particular role with reference to appropriate and relevant selection criteria.
Alternatively, a photograph may be necessary for interviewers to identify and remember particular job applicants, in the event that large numbers of applicants are interviewed for the same position.
Sensitive information can also include an opinion or belief about an individual’s personal characteristics (eg height, weight, race, or religion). Take care when recording opinions and impressions during the interview process in a form that may comprise a record that is retained and referred to by the business.
Direct marketing is an area of privacy law that attracts one of the highest risks of giving rise to consumer complaints.
The 2014 reforms introduced a greater emphasis on the requirements applying to direct marketing. Individuals’ personal information is usually collected by retailers when customers sign up to loyalty programs, enter a competition or complete a survey, or when retailers use data derived from cookies about customers’ online accounts or purchase histories.
The starting position is that businesses are prohibited from using personal information for direct marketing purposes, unless an exception applies. The available exceptions depend on whether the personal information proposed to be used is also sensitive information.
The circumstances in which personal information can be used for direct marketing purposes are set out in the table.
Where personal information is collected from a customer directly, consent may also be required, depending on whether the customer would reasonably expect their personal information to be used for direct marketing purposes.
The following factors suggest that the requisite reasonable expectation exists:
- The customer has consented to the use of his or her personal information for direct marketing purposes;
- The customer has a history (including one that arises before 2014) of active engagement with similar marketing material from the same business;
- The business informed the customer that he or she could request not to receive direct marketing communications but the customer did not opt out.
Businesses should avoid using historical data, particularly where the information’s source is unknown, and consider a refresh of distribution lists (with a view to obtaining a customer’s express consent for his or her personal information to be used for direct marketing).
Consent must be current and specific to be effective. For example, businesses should avoid using personal information three years after a customer signs up to a loyalty card program where the customer’s purchase history in the intervening period is negligible or where it has stopped.
Indeed, in this situation there are likely to be other commercial reasons to stop contacting the customer, including a basic cost-benefit analysis.
It is also essential to have a compliant ‘opt out’ message in all direct marketing emails and a mechanism to ensure that people who ‘opt out’ are removed from marketing lists.
This article first appeared in Inside Retail Magazine’s October/November 2014 issue.