Happy anniversary to the Privacy Act amendments. We’ve been together one year today. However, like most newlyweds, can we say that we really know each other yet?
Take this quiz to see just how well you understand Australia’s privacy laws. Is your future rosy or is the honeymoon over?
Answer “true” or “false” to each of the following:
- You are not allowed to send personal data overseas
- You can’t put personal data in the cloud
- You can’t share event attendee data with exhibitors
- You can contact existing customers for direct marketing purposes
- You can’t contact your database if you’re not sure whether you have their consent
Answers are below (no peeking!):
1. You are not allowed to send personal data overseas
False – You can send data overseas. However, there are strict controls around how you do it. In short, unless you have someone’s clear and express consent to override the privacy laws, you must ensure that any country that you send data to has substantially similar privacy laws to Australia. If not, you must replicate those provisions contractually and ensure that the contract can be enforced in the country concerned. Also, don’t forget that you are obliged to state whether data is being disclosed overseas and, where practical, to list countries where you are disclosing data.
2. You can’t put personal data in the cloud
False – You can put personal data in the cloud provided you are compliant in how you do so. There are different obligations at play depending on whether the provision of data constitutes a use or a disclosure. The APP Guidelines speak to these differences and the Privacy Commissioner has offered some further guidance with respect to the obligations surrounding APP 8. Further guidance from the Privacy Commissioner is expected during 2015 and ADMA will be focusing on this as a regulatory training area.
3. You can’t share event attendee data with exhibitors
False – You can share data with anyone provided you have the appropriate consent in place. Use of a properly worded and clearly placed Privacy Statement (aka Collection Notice) is key here and must be given at the time of data collection.
4. You can contact existing customers for direct marketing purposes
This could go either way – The fact that someone is an existing customer is just one of the circumstances in which consent may be inferred. Other factors to consider: whether they have opted out of or limited their consent to receive your marketing communications, whether they have consented to the content of the communication (a customer who regularly buys groceries from you is not going to expect communications about purchasing car insurance unless you have built that expectation) and whether they have consented to a particular communication channel.
5. You can’t contact individuals on your database if you’re not sure whether you have their consent
False – Again, this comes down to how you do things. Firstly, you would need to understand the data profile (e.g. how long the data has been there, how it was collected, etc.) and then it may be possible to contact the data list, depending on the circumstances and which communication channel you use. For example, the Privacy Act provisions differ from those in the Spam Act (which in turn differ from those in the Do Not Call Register Act). So it may be possible for you to make contact via direct mail in circumstances where email and telemarketing may not be possible.
So, how did you go? Are you feeling that your privacy relationship may not be as rosy as you thought it was? If you need help, feel free to visit ADMA’s Spotlight on Privacy. ADMA members also have access to member-only regulatory resources including the Compliance Hub, an online repository of regulatory guidance.
Jeannette Scott is the Director of Legal & Regulatory Affairs at the Association for Data-driven Marketing and Advertising.