Peter A Clarke

Today the Office of the Australian Information Commissioner released the report on a survey conducted on the community attitudes to Privacy.  The survey itself can be found here.  The  pdf version of the report can be found here.

The Section 4, containing the detailed findings, provides:

4.0 Detailed findings

This study of community attitudes to privacy covered a number of key areas, namely:

• awareness of Federal privacy laws
• general attitudes towards privacy and personal information
• privacy problems and complaints
• trust
• personal responsibility
• medical and health information
• privacy in the workplace
• ID scanning
• internet and smart phones
• ID theft and fraud
• credit reporting.

The survey findings are organised under these key headings. The questionnaire, which is appended, does not follow this same structure exactly as it was more important to ensure that questions flowed logically for the respondent than for the analyst.

Definition of ‘personal information’

In Australia, privacy law relates to the protection of an individual’s personal information. Therefore, a number of survey questions refer to ‘personal information’. As this was a lengthy survey, the decision was taken to provide respondents a definition of what is meant by personal information based on the definition in the Privacy Act.

In Australia, privacy law relates to the protection of an individual’s ‘personal information’. This is any information about you that identifies you or could reasonably be used to identify you. For example, this includes things like:

• your name or address
• financial details
• photos
• your opinions and beliefs
• membership of groups and affiliations
• racial or ethnic origin
• health information (including genetic information)
• sexual preferences
• criminal record.

In previous studies, while the line of questioning aimed to keep respondents focussed on the area of interest, some of the answers showed that they were straying into the area of personal space in their answers.

Giving survey participants a working definition early in the survey does not seem to have had a major impact on answers to questions that have been asked before. It has, naturally, affected the range of answers given to open-ended questions, particularly those at the beginning of the survey where participants were asked to define perceived privacy risks and areas of perceived infringement of their privacy.

Factors that may have influenced responses

Not surprisingly privacy has rarely been out of the news since the study was last conducted in 2007. The media continues to report on exciting new technologies that raise privacy questions, as well as significant invasions of privacy and data breaches.

Not long before the study commenced the media started to report on US intelligence surveillance programs that involved the participation of technology companies that offer a range of popular online services. Public debate on these revelations grew significantly during the life of the survey and may have had some effect on how people chose to respond to some of the survey questions, in particular questions on general attitudes to privacy, trust and the internet.

 Awareness of Federal privacy laws

The Privacy Act is an Australian law that regulates the handling of personal information about individuals. This includes the collection, use, storage and disclosure of personal information.

The Privacy Act is of pivotal importance to this study.[4] One of the key reasons for undertaking this study now is to gain a baseline measure of understanding prior to introduction of amendments to the Privacy Act in March 2014. Nonetheless, the name of the legislation will remain the same.

Chart 1 shows that the vast majority (82%) of Australians claimed to be aware of Federal privacy laws prior to this interview. The proportion of respondents who reported they were not aware was one in six (17%) and a very small proportion (1%) of respondents indicated they were unsure.

This compares favourably to the result when last measured when two thirds of Australians claimed awareness of the laws (69%). It continues a gradual increase in awareness from its low point when first measured in 2001 at just over four in ten (43%) to a majority awareness in 2004 of six in ten (60%).

The pattern of awareness has not changed substantially. In 2013, awareness peaks in the 35-64 age range at just under nine in ten (86%). This is similar to 2007 where awareness was also relatively high amongst this age group (74%), compared to younger and older Australians.

Australians maintain a similar level of awareness of Federal privacy laws regardless of gender. In 2013, just over eight in ten males (84%) and females (81%) were aware of Federal privacy laws versus seven in ten of each in 2007 (70% and 68% respectively).

The level of awareness increases in accordance with educational attainment, and is significantly greater amongst those who have completed year 12 than those who have not. In 2013, seven in ten (72%) respondents who completed up to year 10 were aware of Federal privacy laws, compared to around eight in ten of those who have completed year 12 (81%), a Diploma/TAFE (82%) or a Bachelor’s degree (85%) and is at nine in ten (91%) amongst those with a Postgraduate degree.

Chart 1. Awareness of Federal privacy law by age

Q6 Were you aware of the Federal privacy laws before this interview?

 General attitudes towards privacy and personal information

Biggest privacy risk

Survey participants were asked at the outset of the survey interview to name the biggest privacy risks that they think face the community. Nearly half of the population (48%) suggested that using online services and social media sites pose the greatest risk. As can be seen in Table 5, this is by far the biggest risk perceived by six in ten respondents aged 18-24 years (60%). Australians working in white collar jobs are the most concerned about this risk.

ID fraud and theft (23%), and the related problems of fraudulent use of financial information (11%), and easy access to personal details (9%) was considered to be the second biggest issue. People aged between 25 and 45 were the most concerned about this. This may be because people in this age group are also the most likely to have been the victim of this activity, or to know someone who has been (see ‘ID theft and fraud’, below)’. Residents of Queensland (28%) and Western Australia (29%) continued to be more concerned about this issue than other Australians. As was the case in the 2007 study, residents of Western Australia reported higher levels of ID fraud and theft. People aged 55-64, while still concerned about ID fraud and theft, reported the highest levels of concern about fraudulent use of financial details rather than other personal details. Again this seems to relate to personal experience. There was general unease about the lack of security of personal information, which peaked at one in eight people aged 25-34 (13%).

As noted above, during the interviewing period there was global public debate around US surveillance programs such as PRISM which may have led to data security and breaches being considered the third greatest risk, mentioned by one in six (16%) Australians.

Other issues were identified as the biggest privacy risk by less than one in twenty Australians overall, although there were some differences by respondent type. For example, different age groups gave greater importance to some of these risks:

• amongst 25-34 year olds smartphone apps were considered a problem (7%)
• the gathering of profiling information for marketing or commercial purposes was mentioned by more than one in twenty people aged 35-54 (7%)
• people aged over 50 felt more threatened by unsolicited phone calls (5%) than younger Australians
• over one in ten younger adults (11% of 18-24 year olds) could not think of any privacy risks.

Some other points of interest are:

• Only people working in lower white or blue collar occupations felt that information relating to ethnicity or race poses a privacy risk, with the greatest concern being amongst people in lower blue collar occupations (3%).
• Men were significantly more likely than women to worry about information being captured and handled by the government (5% compared with 2%).
• Residents of South Australia, Western Australia and the Northern Territory were the most concerned about organisations collecting profiling information for commercial gain (9%).

Table 5. Biggest privacy risks facing people today by age

Q1. What do you think are the biggest privacy risks that face people today?	Age
	18-24	25-34	35-54	55-64	65+	Total
	(n=104) %	(n=119) %	(n=308) %	(n=274) %	(n=195) %	(n=1,000) %
Online services/ social media sites	60	49	50	46	38	48
ID theft/ fraud	18	28	26	23	17	23
Data security/ data breaches	13	13	19	16	18	16
Credit reporting	–	–	2	2	3	2
Smart phones/ apps	2	7	3	2	3	4
Unsolicited phone calls	–	2	3	5	5	3
Surveillance	4	5	3	2	2	3
ID scanning	–	–	1	2	1	1
Sending information overseas	–	1	1	1	2	1
Workplace privacy	1	–	1	–	–	1
Personal details too easily available/accessible/not secure	9	13	6	12	10	9
Information relating to ethnicity/ race	1	1	1	–	1	1
Unauthorized monitoring of information/data mining	3	1	1	2	2	1
Financial details/ information/ fraud	8	9	10	18	13	11
Commercial interests/ marketing about buying habits/ profile	1	3	6	3	2	4
Government information sharing/ information collection	2	3	3	5	5	3
Information relating to religious beliefs	–	–	–	1	1	<1
Criminal history too easy to access	–	–	–	–	1	<1
How frequently we have to give out personal information	–	–	<1	–	1	<1
Other	–	2	2	3	3	2
Don’t know	11	7	5	5	9	7

Base: All respondents

Note: Bold denotes a significant increase

Table 5 shows these results in more detail by age group, as this was the biggest differentiating factor in views.

Generally, Australians held very consistent opinions. However, some significant differences in results are summarised below.

• ID fraud and theft was of greatest concern to people aged between 25 and 54 years of age.
• Inappropriate access to financial details was of most concern to people aged between 55 and 64.
• Lack of security of personal details was of greatest concern to people aged 25-34 and 55-64.
• Potential risks posed by smartphone apps caused more than one in twenty people (7%) aged 25-34 to mention this as a privacy risk spontaneously – twice the level of any other age group.
• Unsolicited phone calls were of greatest concern with people aged over 55.
• Credit reporting was mentioned increasingly by people aged over 35.
• ID scanning was more of a concern for 55-64 year olds.
• People aged under 24 were the most likely to not hold any fears with one in ten (11%) being unable to identify any risks.

Activities considered a misuse of information

Australians were read a number of scenarios similar to some that had been put to them in a previous study in 2007. They were asked whether or not they considered each scenario to describe misuse of personal information. The majority agreed that all scenarios represented a misuse of information.

Chart 2. A misuse of information

Q12 Which of the following instances would you regard to be a misuse of your personal information?

There is almost universal agreement that the following are a misuse of personal information.

• Revealing personal information to other customers (97%);
• Using personal information for a purpose other than the one it was provided (97%); and
• The collection of personal information by an organisation that a person has not dealt with before (96%).

More than nine in ten (93%) people believe that an organisation asking for information that is not relevant to the transaction and monitoring activities on the internet without the individual’s knowledge are misuses too. Almost eight in ten (79%) believe sending customer data to an overseas processing centre is also a misuse.

Similar scenarios were asked in 2007 and these results are similar with the 2013 results. Over seven in ten respondents reported it is a misuse of their personal information for each scenario.

In 2007, the scenarios were asked for private business and government departments separately. The results were as follows:

• A (business / government department) monitors your activities on the Internet, recording information on the sites you visit without your knowledge (96% / 86% respectively)
• A (business / government department) asks you for personal information that doesn’t seem to be relevant to the purpose of the transaction (94% / 87% respectively)
• You supply your information to a (business / government department) for a specific purpose and the business/agency uses it for another purpose (94% / 86% respectively)
• A (business / government department) you haven’t dealt with gets hold of your personal information (93% / 73% respectively).

Australians have been asked how they feel when an organisation they have not dealt with sends them unsolicited marketing information. It appears that Australians are feeling increasingly annoyed by this practice, with the proportion of people who say it annoys them reaching almost half of the population (45%) from a quarter when it was first measured in 2001 (25%).

The other options, namely it is annoying but harmless (11%) declined by half compared with the last survey in 2007. Only one in twenty Australians now say that unsolicited marketing information either doesn’t bother them (3%) or that they enjoy reading it (2%). Together these categories accounted for three in ten Australians when measured in 2001 and 2004.

Chart 3. Feelings in relation to being sent unsolicited marketing information by an unknown organisation

Q33 Which of the following statements best describes how you generally feel when organisations that you have never dealt with before send you unsolicited marketing information?

The level of concern with how their personal information was obtained seems to have decreased since 2007, however, it is worth noting that when last asked, this question allowed multiple responses. Therefore the decline from a situation where just over five in ten (53%) respondents were concerned in 2007, to just under four in ten in 2013 (39%) may relate to the fact that respondents had to choose one of the options presented to them, not many.

Concern about sending personal information overseas

When asked to express their level of concern over Australian organisations sending customers’ personal data overseas, six in ten (62%) expressed strong concern (in 2007, 63%) with a further three in ten (28%) saying they were somewhat concerned about this practice (in 2007, 27%).

While the results are similar in comparison to 2007, there were some notable differences amongst respondents, particularly:

• Older people were more concerned than younger people. While eight in ten (83%) people aged 18-24 were concerned, the proportion who were very concerned (29%) was considerably lower than amongst people aged over 65. Nearly all (96%) people over 65 were concerned, with eight in ten (83%) of them being very concerned.
• High income households were less concerned than lower income households. Nine in ten (94%) people in low income households were concerned with the majority (71%) being very concerned. Amongst people living in households with incomes above $100,000 eight in ten (83%) people were concerned with just under a half (48%) being very concerned.
• Women were more concerned than men. In particular, two thirds of women (67%) were very concerned out of a total of nine in ten (92%) being concerned, compared with only three in ten (29%) men being very concerned out of a total of nine in ten (88%) being concerned.

Chart 4. Concern about personal information being sent overseas

Q13 How concerned are you about Australian businesses sending their customers’ personal information overseas to be processed?

 Privacy problems and complaints

Respondents were asked whether they had experienced a problem with how their personal information had been handled in the last 12 months. This question has not been asked before and demonstrates that a considerable proportion of the community had experienced problems.

A third (33%) of Australians said that they had a problem with the way their personal information was handled in the last year. The proportion rises steeply amongst working Australians (38% of those working versus 26% of those not working). It increases steeply as household income rises to the point where nearly four in ten Australians (39%) living in households earning over $100,000 have had a recent problem.

Chart 5. Organisations people would report misuse of personal information to

Q17 If you wanted to report misuse of your personal information to someone, who would you be MOST likely to contact?

In previous studies, people had been asked to comment on the organisations they believe are appropriate to report such a misuse to. Chart 5 shows 2013 responses compared to 2007:

• More people are now aware that they should contact the organisation that misused the information. Three in ten (30%) suggest this is the best course of action (versus 13% in 2007).
• Fewer people suggested that reporting such information to the Police would be appropriate, with the proportion dropping to one in six (17%) from three in ten (30%).
• A similar proportion (9%) thought that they would go to the appropriate Ombudsman as when last measured (8%).
• The proportion who mentioned the Privacy Commissioner (4%) declined from 2007 (10%).
• There was an increase in the proportion of people who did not know who to report problems to – now over a quarter (27%) of the population gave this response -up from one in five (20%). These respondents were also less likely to be aware of privacy laws (34%) in comparison to those who were aware (25%).

 Trust

This section examines the extent to which people’s level of trust in certain organisations has a bearing on the amount and nature of information they are willing to provide. Topics examined are:

• the types of information that people are reluctant to provide
• the levels of trust that people place in different types of organisations’ information handling capabilities
• expectations of transparency in information handling practices in both the public and private sectors (including when it comes to data breach)
• attitudes towards providing personal information in exchange for benefits.

Types of personal information people are reluctant to provide

People continue to be the most concerned about providing financial details (58%) and the proportion of people who display this level of concern has been constant since it was first measured in 2001 (59%). While the provision of this information is a concern for all, reluctance to provide these details increases with age, with under a half of people aged 18-24 mentioning it (44%) compared with six in ten amongst people aged 65 or over (60%).

After financial details, there have been some changes – some of which can be explained by the provision of the definition of ‘personal information’ at the beginning of the questionnaire. In particular, mentioning ‘photographs’ and ‘sexual preferences’ in the introduction has clearly raised awareness of the sensitivity of these types of personal information and they have been mentioned spontaneously for the first time (7% and 3% respectively).

The changing technological environment has undoubtedly underpinned other trends. For example, ‘home address’, is becoming a more protected piece of information with a quarter of people saying they are reluctant to give this (24%) in comparison to almost one in five people (19%) in 2007. This result is strongly related to age, with almost twice as many people aged under 35 (32%) being reluctant to provide this information compared to people aged 55-64 (15%) or 65 and over (17%). Victorians are also the least reluctant to give this information (29%).

Other interesting trends are:

• An increased reluctance to provide date of birth details, particularly amongst people who are working, in general, and those who are earning high incomes in particular.
• Reluctance to give a phone number has declined since 2007. Queenslanders are the least concerned with giving out their phone numbers (7%). Women are significantly more reluctant (17%) than men (12%) to give this information.
• An increasing proportion of Australians feeling reluctant to discuss the composition of their households (from 1% in 2001 to 6% in 2013), although there has also been a drop in the proportion of people reluctant to divulge their marital status (from 7% in 2007 to 3% in 2013). Taken together these items have remained consistent, so this may reflect changes in living arrangements in general.
• There has been a continuous decline in concerns over providing genetic information. The proportion of people who are reluctant to provide generic information since it was first measured in 2001 has decreased from over one in ten people (13%) to less than one in ten people (1%) in 2013.

Table 6. Information Australians are reluctant to provide to businesses and Government

Q2. In general, what types of information are you reluctant to provide?	2001	2004	2007	2013
	(n=1,524)%	(n=1,507)%	(n=1,503)%	(n=1,000)%
Financial details	59	58	43	58
(Home) Address	14	20	19	24
Date of birth	7	8	10	16
(Home) Phone number	17	22	25	15
Name	6	7	4	10
Email address	11	19	14	7
Medical information	25	21	6	7
Photo ID/ information/ passport / driver’s licence number/ cards and access numbers	–	–	–	7
Household composition and relationships	1	2	4	6
Religion/ Personal Beliefs/ Affiliations	2	3	2	4
Marital status	9	9	7	3
Sexual preferences	–	–	–	3
Genetic information	13	11	5	1
Other	–	–	4	4
None	16	11	10	9

Base: All respondents

Note: Bold denotes a significant move up between 2004 to 2007; Italics denotes a significant shift down between 2004 to 2007

Note: Answers add up to more than 100 as multiple responses were given

When asked which one of these pieces of information they were most reluctant to provide, financial information was by far the most often mentioned (49%) and all other items shown in Table 7 were mentioned by fewer than one in ten people, namely address (home and email), date of birth, phone number, medical or genetic information and the composition of the household.

The reasons for this reluctance are shown in Table 8. Some interesting trends emerge here. Firstly, the proportion of Australians who simply stated that they were reluctant to give information because ‘it’s none of their business’ has halved over the last 12 years from a half of the population in 2001 (51%) to a quarter (25%) now. At the same time security concerns (19%) and the potential for personal financial loss (15%) have risen significantly (from 2% and 7% respectively in 2001).

Table 7. Piece of information Australians are most reluctant to provide

Q3. Which one of these [answers given for Q2] do you feel MOST RELUCTANT to provide?	2001	2004	2007	2013
	(n=1,524)

%(n=1,507)

%(n=1,503)

%(n=1,000)

%Financial details / Income51515349(Home) Address4777Date of birth1136(Home) Phone number3594Email address2552Medical information7522Household composition and relationships<1<122Genetic information32<1<1

Base: All respondents

Note: Bold denotes a significant move up between 2004 to 2007; Italics denotes a significant shift down between 2004 to 2007

Table 8. Reasons for reluctance to give key piece of information

Q4. What is your MAIN reason for not wanting to provide [answer from Q3]?	2001	2004	2007	2013
	(n=1,524)

%(n=1,507)

%(n=1,503)

%(n=859)

%It’s none of their business/ privacy51443625For safety/ security/ protection from crime261219May lead to financial loss/ people might access bank account7

As one would expect the release of the report has an accompanying media release (found here).  It provides:

 Results from the Office of the Australian Information Commissioner’s (OAIC) 2013 Community Attitudes to Privacy survey were released today. The survey results show that Australians are becoming more concerned about privacy risks. People expect the organisations they deal with to take effective steps to safeguard their personal information.

The survey reports that 48% of Australians believe that online services, including social media, now pose the greatest privacy risk. Only 9% of survey respondents considered social media websites to be trustworthy in protecting privacy.

Australian Information Commissioner, Professor John McMillan, said the survey results confirm the growing community concern about privacy risks arising from the explosion in use of social media since this survey was last run in 2007.

‘In the last 5 years we have seen a significant change in how people communicate and interact online. People’s attitude to the importance of personal privacy protection is changing at the same time,’ said Professor McMillan.

Survey participants were asked whether certain industries were trustworthy. The three most trustworthy industries were health service providers, trusted by 90% of participants; financial institutions, trusted by 74% (up from 58% in 2007); and Government, trusted by 69%.

The survey indicates that the public expects data security protection to be similar in both the public and private sectors. A high majority of survey participants expect to be informed if their information is lost (96% for both government and the private sector). The majority of people (around 95%) also feel they should be made aware how of their information is handled on a day-to-day basis.

Privacy Commissioner, Timothy Pilgrim said it was clear that the Australian public continues to insist that their personal information is handled with the highest possible standards.

‘There is a business imperative for organisations to be transparent about their personal information handling practices and to ensure that privacy is built in to systems and processes right from the beginning,’ Mr Pilgrim said.

The Community Attitudes to Privacy survey has been conducted periodically since 2001. A significant longitudinal finding is that an increased number of people make a choice not to deal with a public or private sector organisation because of a concern over how their personal information has been or may be used.

‘Just over 60% of Australians have decided to not deal with an organisation because of privacy concerns, which is an increase from just over 40% in 2007,’ said Mr Pilgrim.

The Privacy Commissioner said that if organisations take one thing away from the survey results, it should be that in the current environment of constant technological change, they cannot afford to relax when it comes to proper data security and information handling practices.

‘These results send a very clear message that people remain concerned about how their information will be handled. With a significant number of people saying that they have decided not to deal with an organisation due to privacy concerns, I suggest that business needs to listen to this and consider improving their practices,’ Mr Pilgrim said.

The survey showed that Australians are increasingly concerned about the international sharing of personal information; 79% of people feel that cross-border disclosure is a misuse of personal information, and 90% have concerns about the practice.

‘This is an interesting finding given the increasing frequency with which data is being sent off-shore. New privacy laws commencing next March will increase protection around the handling of Australian information that is transferred off-shore, and it will be interesting to see how attitudes change as a result of this,’ Mr Pilgrim said.

The research data will be de-identified and made publically available in line with the OAIC’s role in ensuring that government information is open and accessible.

‘There is certainly a wealth of information contained in this research and there is great value in opening this data up to others to see the different ways it can be utilised,’ said Australian Information Commissioner, Professor John McMillan.

And where there is a report and media release a media story or three can’t be far behind.  As with the Age piece Australians more concerned about privacy than ever before which provides:

Australians are more concerned about their privacy than ever before, quickly abandoning companies they believe abuse their information, a new report shows.

An overwhelming 97 per cent of respondents believe their personal information is misused when it is collected for one reason and used for another, according to findings published by the Office of the Australian Information Commissioner on Wednesday.

The Community Attitudes to Privacy study, which has tracked Australians’ attitude on privacy since 1990, found nearly half of the respondents agreed social media and online services posed the biggest risk to privacy.

But one of the biggest changes has been how consumers deal with companies they believe are misusing their data, the report showed. More than 60 per cent of respondents said they had stopped engaging with companies over privacy concerns. This was up by 40 per cent since 2007.

Privacy Commissioner Timothy Pilgrim said the report showed people were more mindful of their data and how it was being used.

“People in the broader community are aware of their personal information,” said. “What we’re seeing is people’s awareness growing and starting taking action against companies that they are not comfortable with,” he said.

Data being sent offshore was also a growing concern for all respondents. Eight in ten people aged over 65 were very concerned about their information being sent overseas. This compared with younger respondents, aged 18 to 24, who said they were concerned.

Fewer than one in ten thinks social media websites are trustworthy when it comes to protecting users’ privacy.

The survey did not ask if people were concerned about governments snooping on their private communications in light of the Edward Snowden revelations that the US National Security Agency had citizens under surveillance. Mr Pilgrim told ABC radio the survey was already under way at the time of the revelations.

The other big risks worrying people were ID fraud and theft, data security, and the risks to financial data in general.

A majority of people believed most or all websites and smartphone apps collected user information and were uncomfortable with that practice.

But half of respondents admitted not reading online privacy policies while under a third of people habitually falsify their name or details to protect themselves.

Professor Barbara McDonald, lead Commissioner of the Australian Law Reform Commission’s inquiry into Serious Invasions of Privacy in the Digital Era, said it was increasingly difficult for consumers to escape privacy concerns when shopping and banking online or engaging in social media.

“Consent should make it clear, transparent, well drafted, not too long and should be short,” she told the audience at the launch.

Yet despite increasing consumer concern over privacy, there were delays of up to 19 weeks for privacy complaints to be allocated to case officers at Pilgrim’s office.

In the past two months complaints have doubled, Mr Pilgrim said.

“That has had a significant impact on our ability to complete the complaints we have on board,” Mr Pilgrim said.

In addition, he said there were “some challenges” around resources within his office.

“There has been a series of reductions around all sectors [in federal government] and we wear our fair share of those as well,” he said. “We have reducing resources and increasing complaint numbers.”

But Mr Pilgrim said the increased powers his office receives next March are likely to allay critics’ concerns that the Privacy Commissioner is a toothless tiger.

The amendments will give his office increased powers to fine those who negligently breach peoples’ privacy up to $340,000 for individuals and $1.7 million for corporations.

“They will increase how I can resolve investigations,” Mr Pilgrim said. “[The powers are] an incentive for organisations to handle information well.”