Disclaimer: I will preface this post by stating that I am not a lawyer. The information below is my understanding from reading the documents and consulting with some specialists. It is provided in good faith and with no warranty of any kind.
In Australian, The National Privacy Principles and Information Privacy Principles came into effect on 12 March 2014.
In this post we’ll review how those principles affect your customer feedback process and what do you need to do about it.
Summary of the APP
At a high level the National Privacy Principles are as follows:
The Australian Privacy Principles (or APPs) are the cornerstone of the privacy protection framework in the Privacy Act 1988 (Privacy Act). They apply to any organisation or agency the Privacy Act covers.
There are 13 Australian Privacy Principles and they govern standards, rights and obligations around:
– the collection, use and disclosure of personal information
– an organisation or agency’s governance and accountability
– integrity and correction of personal information
– the rights of individuals to access their personal information
Reference: Australian Privacy Principles
The guidelines effectively apply to organisations with $3m or more in annual revenue.
The Key Customer Feedback Implications
Of course the guidelines cover many areas of information and privacy but I just want to pick out a couple that may have an impact on customer feedback processes.
Chapter 7 — APP 7 Direct Marketing
The first key point of the Australian Privacy Principle 7 — direct marketing is that
APP7.1: An organisation must not use or disclose the personal information that it holds about an individual for the purpose of direct marketing
It is my opinion, and that of many clients here and overseas, that transactional customer feedback is not marketing but part of the service delivery process.
A post interaction email or SMS survey is a part of the service itself not a marketing activity. So the question of needing marketing opt-in is not relevant.
At one point I did speak with an industry player and they suggested that customer feedback could be argued to be direct marketing.
The argument goes something like this: you are collecting customer feedback to improve your business, in order to sell more products, selling more products is marketing thus collecting feedback is marketing.
Personally I think that this is a stretch, especially if you do not include push polling in your survey – which you wouldn’t do anyway.
This interpretation would make any contact with a customer potentially a marketing contact.
However, you should discuss the implication of this section with your legal provider and make a determination for your business.
Chapter 8 — APP 8 Cross-Border Disclosure of Personal Information
Cross-border disclosure is important to customer feedback processes as often the tools that we use to collect customer feedback host customer data off-shore. For instance SurveyMonkey and salesforce.com both store their data in locations other than Australia.
APP8 specifically discusses what organisations need to do when data is transferred outside Australia.
APP 8.1 …The framework generally requires an APP entity to ensure that an overseas recipient will handle an individual’s personal information in accordance with the APPs, and makes the APP entity accountable if the overseas recipient mishandles the information.
before an APP entity discloses personal information about an individual to an overseas recipient, the entity must take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information.
Reference: Australian Privacy Principle 8 – cross – border disclosure of personal information
This is not, it has to be said, a clear principle. The Privacy Act introduces the idea of ‘Disclosure’ but does not define it.
However, the principles go on to say:
8.8 An APP entity discloses personal information where it makes it accessible to others outside the entity and releases the subsequent handling of the information from its effective control.
From this it would appear that the provision of personal data to an overseas supplier, say loading a feedback invite list to the servers of an overseas survey system supplier, is an act of ‘Disclosure’.
So how do you address the issue of cross border data disclosure?
There are three main ways:
Don’t send you data overseas
Seems obvious, but if you retain a provider with an Australian based data centre the data stays in the country.
Use the “take reasonable steps” approach
APP 8.16 : If you enter into an enforceable contractual arrangement with the supplier that they will handle the data in accordance with the Australian Privacy Principles then you have taken reasonable steps.
Exactly how this is interpreted is however, subject to a “depend on the circumstances” clause (APP 8.17) so you need to read on with the details of what needs to be considered.
APP 8.1 is waived if the recipient has similar laws
This says if the laws in the recipient entity’s country are similar, or stronger, than the APPs then the entire APP 8.1 is waived.
You must have a “reasonable belief” this is the case.
APP8.20 “…must have a reasonable basis for its belief, and not merely a genuine or subjective belief. For example, this might be based on independent legal advice. It is the responsibility of an APP entity to be able to justify its reasonable belief.
Unfortunately there is no “white-list” of appropriate jurisdictions so you will need to contact your legal advisers on this one.
In summary, with the right contracts in place, these changes do not, to my reading, have any impact on the way that companies can collect customer feedback.