Organisations struggling with privacy policies and handling privacy complaints

May 5, 2015 |

That proper compliance with the Privacy Act 1988 is a news item seems strange to anyone with an interest in the field.  With the possible exception of sectors where privacy sensitivity has always been a priority and reputational damage is a real concern, such as finance and banking, privacy compliance is generally poor in Australia.  That is not surprising given the lack of enforcement powers until 12 March 2014 and the light touch regulation since.  As with most areas of regulation where there is little perceived risk of enforcement there is little incentive to divert funds to comply.  The Fairfax press in Privacy complaints leap as companies struggle with compliance reports on the Privacy Commissioners’ report of an audit of privacy policies of 20 organisations and the launch of the inaugural Privacy Index by Deloitte.

The Privacy Index is a valuable development in providing some independent analysis with an adequate level of rigour of privacy practices of organisations and agencies, consumers attitudes towards organisations and their experiences in dealing with privacy complaints.  Not surprisingly banks and government agencies have, relatively, good practices and reputation in protecting privacy.  Not surprisingly media organisations, which have long had a belligerent attitude towards privacy both as a concept and in practical terms, had a poor reputation.  Telecommunications companies also fared particularly badly.

These reports are useful however only add to the information about the privacy landscape. It is in the doing of things, to remedy the problems identified that requires work and actually improves the level of compliance and protects consumers’ personal information.  Given the number of complaints and the inadequacy of compliance there is work to be done.

The media release and summary of the Privacy Index provides:

The way an organisation responds to a data breach has changed consumers’ perception of privacy, from one of simply trusting an organisation to keep data safe and secure, to one of being transparent, and letting the consumer know of any change in data use or a data breach.

Lead Partner, Deloitte Cyber Risk Services Tommy Viljoen said: “As individuals become more aware of how much personal data is captured through technology and connectivity, we are becoming increasingly sensitive as to how our information is being used and disclosed.”

To determine how Australia’s 104 leading consumer brands perform against privacy best practice, Deloitte surveyed more than 1000 consumers (selected to represent Australia’s demography). Supplemented by website and media analysis, the Privacy Index also includes qualitative verification from the brands across 11 industry sectors.

In this national Privacy Awareness Week (3-9 May) the Australian Privacy Commissioner Timothy Pilgrim is vocal about the importance of privacy governance. He measures the maturity of an organisation’s governance and leadership by the importance it places on privacy.

The national theme for the 2015 Privacy Awareness Week is Privacy everyday. Privacy should be an essential component of everyday life, including transactions such as internet banking, social media and online shopping. The theme emphasises the need for organisations to embed privacy practices into business as usual processes, and for individuals and the community to think about how to protect privacy in their everyday lives.

Deloitte Australian Privacy Index 2015 overall sector ranking
The best performing industries assessed by the inaugural Deloitte Privacy Index were transparent – a key indicator of trust. They also had the best governance policies and procedures, and were up to date with current regulatory change.
  1. Government
  2. Banking & Finance
  3. Social Media
  4. Health & Fitness
  5. Retail
  6. Insurance
  7. Technology
  8. Energy
  9. Travel & Transport (airlines, agencies, hotels, taxis)
  10. Telecommunications (mobile, internet, phone)
  11. Media (news, television, radio, entertainment)

Key insights

  • Government organisations were the clear leaders in privacy across all three components achieving four positions in the top ten.
  • Government and banking & finance organisations tended to have online policies with supporting material explaining different aspects of privacy.
  • Government organisation websites also had the lowest number of third party cookies.
  • The banking & finance sector dominated half of the top ten in the Index, with 70% of organisations in the banking & finance industry assessed, appearing in the top 50% of the Index.
  • While consumer and media sentiment was low regarding social media, the social media sector performed strongly in the Index due to the transparency of its online policies. It leaves the second lowest number of third party cookies on the device of a consumer, just behind Government organisations.
  • Industry sectors featuring in the lower half of the industry ranking tended to have a standard privacy policy online as well as a significant number of third party cookies.

Organisations that did well have:

  • an online privacy policy which is both easily understood by the consumer and layered, and which is often supported with extra materials
  • fewer third party cookies tracking consumer behaviour
  • cookies on their website which do not stay on the consumer’s device for a long time
  • a trusted brand according to consumers
  • few or no major privacy events reported in the media.

Trust, complaints and breach

The more than 1000 consumers surveyed were asked to indicate up to five brands and industries they trusted most and five they trusted least. Deloitte also assessed complaints received as well as how the brands managed breaches. Some18% of consumers surveyed had received a privacy notification after a loss of personal data by an organisation. Of those, 34% said they trusted that organisation more compared with 27% who said they trusted them less.

Findings

  • Australian consumers are most concerned about their credit card details (67%), their passport number (46%), and their driver licence number (43%). They are also most reluctant to share these three items due to their sensitivity.
  • Banking & finance and government are the top two most trusted industries when it comes to safeguarding personal information
  • The insurance industry is trusted less with personal information than banking & finance
  • Overall 67% of the 1000+ consumers surveyed have never had a privacy issue with a brand
  • The remaining 33% have had a privacy issue with an organisation, but only 14% have complained
  • Social media and the telecommunications sectors accounted for 58% of the complaints regarding privacy. 
  • Social media had 32% of the complaints and 28% of people listed the same social media organisation as the organisation they trusted the least with their personal information

The Office of the Australian Information Commissioner’s (OAIC) focus over the past year has been on has been on developing guidance and working with organisations and agencies to ensure compliance with the significant changes introduced in March 2014. These were a new set of unified privacy principles, the Australian Privacy Principles (APPs), with changes to the credit reporting provisions and new enforcement powers for the Commissioner.

The changes have meant that the OAIC has:

  • received 4016 privacy complaints (a 43% increase on the previous 12 months)
  • received 14,064 privacy enquiries
  • received 104 voluntary data breach notifications
  • commenced 13 privacy assessments

The Australian Privacy Commissioner, Mr Timothy Pilgrim has said that ‘good privacy practices are good for business, particularly in building customer trust’.

Viljoen said: “The average cost of a data breach per Australian organisation is more than *$2.5 million per year …and rising, with the average breach involving more than *20,000 records in Australia over the five years to 2014.”

The ongoing focus that the Deloitte Australian Privacy Index has highlighted and the Commissioner has determined for the forthcoming twelve months is for organisations and agencies to build a culture of privacy, and to ensure that organisations and agencies are proactive in meeting their compliance requirements.

Gavin Cartwright, Cyber Risk Services Director and a key author of the inaugural Deloitte Australian Privacy Index, said culture was absolutely critical. He used the Voltaire quote, also popularised by the recent Spiderman movie hit, to stress the point that: ‘With great power comes great responsibility.’ He said: ‘The Power’ today comes from the volume of personal information being gleaned by organisations from users both directly and indirectly. And ‘The Responsibility’ is an increased need and expectation from Australian consumers for transparency, security, ethical use and overall governance.

“It is critical that as organisations derive benefit from personal information, the consumer is kept informed about the use and any changes to their data,” Cartwright said.

The article provides:

More than half of all major Australian companies recently examined by Australia’s Privacy Commissioner have failed to comply with privacy rules.

Privacy Commissioner Timothy Pilgrim said that 55 per cent of the 20 top websites run by the companies examined published inadequate privacy policies, while privacy-related complaints had leapt 43 per cent in the year since the nation’s privacy laws were revamped.

The companies surveyed included the “big four” Australian banks; social media sites Instagram, LinkedIn and Twitter; the Department of Human Services; and major media outlets including news.com.au, ninemsn.com.au, The Guardian Australia, Yahoo!7 and The Sydney Morning Herald, owned by Fairfax Media, publisher of this article.
Government agencies performed the best out of 11 industry sectors when it comes to handling users’ personal data and privacy.

Government agencies performed the best out of 11 industry sectors when it comes to handling users’ personal data and privacy. Photo: Deloitte

A separate report from Deloitte Australia, also launched on Monday to coincide with Privacy Awareness Week, found more than a third of consumers had experienced privacy “issues” with Australian companies.

The findings come just over a year after the Office of the Australian Information Commissioner (OAIC) introduced revamped privacy rules for government agencies and businesses, as well as increased powers for the Privacy Commissioner.

The OAIC’s report found the privacy policies of the websites surveyed did not sufficiently meet the first Australian Privacy Principle (APP) outlined in the new rules. Privacy Principle 1 requires organisations to have a clearly expressed, easy to find and up to date privacy policy on their website.

While all organisations’ privacy policies successfully outlined what personal data was collected from visitors and how, some organisations “had not carefully considered their policy against their obligations” under the APPs, the OAIC said.

This included a failure to disclose how individuals could access or correct their personal data; how they could make a privacy complaint to the organisation; how their personal data was protected and whether their data was likely to be sent offshore.

Forty per cent of the organisations surveyed did not outline how they would deal with a privacy complaint.

In the year since the changes, privacy complaints to the OAIC jumped 43 per cent to 4016.

Mr Pilgrim said consumers were becoming more aware of their privacy rights but also noted an increase in complaints after “some significant data breaches”.

“It is clear that people are more willing to exercise their rights and taking action where they consider their privacy has been compromised,” Mr Pilgrim said.

Deloitte’s inaugural Australian privacy index, which surveyed more than 1000 consumers about 104 leading Australian brands across 11 industries, found some 33 per cent of Australian consumers had experienced a “privacy issue” with an organisation but only 14 per cent had complained.

Most of the reported data breaches involved the accidental loss or release of data; communications being sent to the wrong person; a lack of basic security controls and poorly trained staff.

Fifty-eight per cent of privacy complaints related to social media and telecommunications companies, the index showed.

Deloitte ranked the telecommunications sector 10th out of 11 sectors in terms of its handling of users’ privacy and media companies were ranked last overall.

However, social media companies ranked high in the index at number three, indicating a gap between users’ perception of how the sector handled their personal data and its actual performance.

Social media sites had “transparent, user-friendly and supporting education materials on how to use their services”, Deloitte said, and used the least number of third-party cookies; tools which track users’ browsing history.

Government agencies exhibited the best privacy practices, followed by the financial sector.

Organisations that did well had clear privacy policies that were often supported by extra material; fewer third-party cookies, and/or ones that only remained on a consumer’s device temporarily and, importantly, they built trust with their users through transparency, such as through voluntarily reporting data breaches, Deloitte said.

One Response to “Organisations struggling with privacy policies and handling privacy complaints”

  1. Organisations struggling with privacy policies and handling privacy complaints | Australian Law Blogs

    […] Organisations struggling with privacy policies and handling privacy complaints […]

Leave a Reply