Disclaimer: I will preface this post by stating that I am not a lawyer. The information below is my understanding from reading the documents and consulting with some specialists. It is provided in good faith and with no warranty of any kind.
You may be aware that the current Australian Privacy Principles will be replaced with the National Privacy Principles and Information Privacy Principles on 12 March 2014. The question is: how will this affect your customer feedback process and what do you need to do about it?
This is a difficult question to answer because there are no final documents to work from; they are still under review. All we have at the moment are draft guidelines.
In this post I’ll be discussing the two elements, in their current form, that appear to impact the most on customer feedback programs.
Summary of the Changes
At a high level the changes that the National Privacy Principles roll out are as follows:
The Privacy Amendment Act includes a set of new, harmonised, privacy principles that will regulate the handling of personal information by both Australian government agencies and businesses. These new principles are called the Australian Privacy Principles (APPs). They will replace the existing Information Privacy Principles (IPPs) that currently apply to Australian Government agencies and the National Privacy Principles (NPPs) that currently apply to businesses.
Under the changes, there are 13 new APPs. A number of the APPs are significantly different from the existing principles, including APP 7 on the use and disclosure of personal information for direct marketing, and APP 8 on cross-border disclosure of personal information.
Reference: Privacy law reform
The new guidelines will effectively apply to organisations with $3m or more in annual revenue.
The Key Guidelines for Customer Feedback Processes
Of course the guidelines and changes cover many areas of information and privacy but I just want to pick out a few that may have an impact on customer feedback processes.
Chapter 7 — APP 7 Direct Marketing
The first key point of the Australian Privacy Principle 7 — direct marketing (DRAFT) is that companies cannot use information they hold for direct marketing purposes except when a person would reasonably expect it to be used for direct marketing.
It is up to each organisation to assess and show this “reasonably expected test”. You must also provide a clear, easy way for individuals to opt out.
I have held to date that transactional customer feedback especially is not marketing but part of the service delivery process. The post interaction email or SMS survey is a part of the service itself not a marketing activity. So the question of needing marketing opt-in or showing that it is “reasonably expected” is not relevant.
However, recently I was speaking to an industry player and they suggested to me that in some quarters customer feedback like this could be argued to be direct marketing. The argument goes something like this: you’re collecting customer feedback to improve your business so you can sell more products, selling more products is marketing, thus collecting feedback is marketing.
Personally I think that this is a stretch, especially if you do not include push polling in your survey – which you wouldn’t do anyway would you! This interpretation would make any contact with a customer potentially a marketing contact.
Chapter 8 — APP 8 Cross-Border Disclosure of Personal Information
Cross-border disclosure is important to customer feedback processes, as the tools that we use to collect customer feedback often host customer data off-shore. For instance, SurveyMonkey and salesforce.com both store their data in locations other than Australia. APP 8 specifically discusses what organisations need to do when data is not stored in Australia.
Before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information. (APP 8.1)
This is not, it has to be said, a clear principle. It introduces the idea of ‘Disclosure’ and ‘Use’ but does not define them.
Disclosure is generally where the Australian entity has released the information from its control to other entities, e.g. sharing a copy of the information with another entity.
Use on the other hand is where the personal data is used by the entity, e.g. to make a decision.
In certain circumstances Australian companies can provide customer data to a foreign entity without Disclosing it or having the foreign entity Use it: e.g. storing encrypted data on a Google Drive based in a US data centre would seem to fit this description.
One way that local companies can provide data to foreign entities and not Disclose the data is in certain sub-contract arrangements. With the correct contracts in place, a local company can have a contractor apply the information to perform a function (say send an email and collect survey data) for the Australian entity and the Australian entity maintains control over the information.
This approach would seem to be one way that organisations can use cloud suppliers anywhere in the world.
The other approach is for the local entity to take steps to “reasonably believe” that the foreign jurisdiction has laws at least as tight as the Australian laws.
In my experience Europe is seen to be stricter than Australia in this area but as legal firm Minter Ellison points out:
The Privacy Commissioner has long said that he will not provide an approved white list of countries with “substantially similar” laws or binding schemes to Australia.
So it would seem wise to get an opinion on any country you are considering.
In summary, with the right contracts in place, these changes do not, to my reading, have any impact on the way that companies can collect customer feedback.
Do you have an alternate opinion? Please let me know below.