Privacy is a legal issue, but when it comes to collecting and using customer information it is also a relationship issue – Adrian Sim and Chian Kee explain the privacy obligations of small businesses using customer information.
Many businesses compile databases of customer information. In general, tools such as customer relationship management (CRM) software and loyalty programs are a great way to gain an edge over the competition and turn a one-off sale into a repeat customer.
The ability to communicate with past clients via direct marketing or secure new client lists from third parties can be appealing for businesses seeking to consolidate and increase their market share. However, businesses that collect, use, or disclose personal information about customers need to be aware of their legal obligations regarding the privacy of the individuals involved.
There are several privacy laws and principles that may apply to an organisation, depending on its size and type. The private sector is governed by the National Privacy Principles (NPPs), which are set out in the Privacy Act 1988. The national privacy laws are commonly described as compulsory only for big business, which is true to an extent, as small business operators with an annual turnover of $3 million or less are exempted under the Act. However, as with many legal exceptions, there are exceptions to the exception. Small businesses may still need to comply with the NPPs—for example, if they provide health services, trade in personal information, or provide services under a Commonwealth contract. Even if your small business is exempt, you can opt into being covered by the Act to help gain credibility for your business and increase customer confidence in your data collection and use practices.
So what are the NPPs, and how do they affect small and medium businesses engaged in data collection and sharing?
National Privacy Principles (NPP)
While the 10 NPPs may not be chiselled in stone, they are legally enforceable. The Privacy Commissioner has the power to hear complaints, require conciliation, and make determinations with regard to breaches of the Act. Possible remedies for breach range from requiring an apology or a change in practice, to an award of compensation.
NPP 1, 8 and 10: Anonymity
Businesses should only collect personal information when necessary. Information should be collected fairly and lawfully and, wherever possible, directly from the individual. Individuals should be made aware of why you are collecting their information and who else you might give it to.
Wherever possible, individuals should be given the choice to remain anonymous.
Consent must be given to collect sensitive information including information that discloses a person's race, political opinions, religious or philosophical beliefs, membership of a trade association or union, sexual preferences, criminal records and health information.
NPP 2: Use and disclosure
‘Use’ refers to what occurs within the business; disclosure refers to transfer of personal information to a third party—data sharing. In general, personal information should only be used or disclosed for the purposes it was collected for, and which the individual would reasonably expect. If not, consent is required.
NPP 3, 5 and 6: Accurate Data
Businesses should take reasonable steps to ensure personal information collected, used, and disclosed is accurate, complete and up-to-date.
Individuals should always have access to a short document, whether on the company's website or otherwise, outlining the privacy policies of the business. Upon request, an individual should be able to find out what information is being held about them, why and how it was collected, and how it is used and disclosed. Accordingly, individuals should be able to access and update the information held about them to ensure it is accurate.
NPP 4 and 7: Security and Commonwealth identifiers
Personal information must be dealt with securely whether it is being stored, used or disposed of. These obligations extend beyond preventing the business itself from knowingly using or disclosing information for improper purposes; the business must also ensure the information is secured so as to prevent malicious third parties from abusing it.
The use of unique Commonwealth government identifiers such as a person's tax file number is prohibited, as it can lead to unwanted cross-referencing and data mining (the process by which an individual's details are cross-referenced across various databases). Names and ABNs are not considered to be identifiers.
NPP 9: Transborder data flows
This principle restricts the transfer of data to countries that don't have comparable privacy laws to Australia. Transborder data flows are permissible where the individual's consent is given, where the transfer is for the benefit of the individual and consent is likely, or to perform a contract in the interest of the individual.
Correct Use
So, how do these principles affect the marketing activities of your business?
Data sharing: Trading in personal information isn't just buying a customer database. Businesses are bound by the NPPs if they transact with a third party to disclose or receive personal information in exchange for a benefit, service or advantage. This effectively covers any business engaged in data sharing with third parties. If your small business engages in the transfer of customer information to or from third parties, chances are the NPPs apply. It is important to note, however, that the NPPs do not restrict the movement of personal information between related companies.
Direct marketing: There are specific laws in place to govern the use of personal information for marketing purposes. Aside from the provisions of the Act listed above, the Spam Act 2003 regulates the sending of commercial electronic messages (CEMs) such as marketing emails, SMS and MMS. So, if sending direct marketing materials electronically, a business must comply with both the Spam Act and the Privacy Act. Under the Spam Act, direct marketers using CEMs must obtain the consent of the recipient unless the message only contains factual information—for example, a legal bulletin sent to clients. The CEMs must include accurate information about the sender and must provide a functioning ‘opt-out’ facility. The Australian Direct Marketing Association (ADMA) has its own guidelines and enforcement measures regulating direct marketing best practices, including the protection of consumer privacy. These guidelines effectively reproduce the NPPs and provide another avenue of redress in certain cases.
Under the NPPs, when using personal information for direct marketing, consent is generally required unless the use is related to the known primary purpose of collection. Where it is impracticable to seek consent, businesses are exempted as long as they provide a functioning ‘opt-out’ option to the recipient. In general, where the cost of contacting the individual is very low, for instance if the business engages in email or SMS marketing, it may not be considered impracticable to seek consent.
CRM and loyalty programs: The main concern with maintaining customer information databases such as CRM systems and loyalty programs is to ensure the customer understands the purpose of the information collection. A customer providing personal information to purchase goods may not expect that information to be subsequently used for marketing or passed on to third parties. The easiest way to ensure compliance is to request the customer's consent at the point of collection. As long as the customer knows their information is going into a database and consents to the disclosed uses of it, the NPPs are largely satisfied.
Protecting customer privacy is essential for any organisation. Not only is it required by law, it also makes good business sense. Companies found to be in breach of the NPPs are likely to suffer reduced customer confidence on top of potential regulatory sanctions from the Privacy Commissioner. The best way to ensure compliance is to seek consent at the point of collection. Once an individual consents to having their personal information used or disclosed for a certain purpose, there are very few privacy restrictions on carrying out that purpose. Be open with your customers about their right to privacy: you will gain trust, add to your credibility, and stay on the right side of Australia's privacy laws.
*Adrian Sim is a lawyer and Chian Kee a paralegal for Blake Dawson Waldron. www.bdw.com.au