Last week we considered the OAIC reports into the loyalty
programs of Coles and Woolworths, and in particular the data
collection and privacy notification issues (
These reports considered to some degree the notification
requirements in relation to the use of either personal or
de-identified information for data analytics. In each of the
reports the OAIC separately considered the application of the
Privacy Act to the data analytic activities of the parties. The key
issues raised in relation to data analytics were as follows:
The findings were significant for those who conduct data
analytic activities as it pointed to:
Organisational separations: flybuys division has restricted
access and does not have cross access to personal information in
relation to the data the subject of analytics.
The analytic activities are conducted by a separate analytics
area which sees only high-level data and not personal information,
i.e. separation of functions.
The analytics is aimed at targeted marketing and the cross-over
to provide marketing contacts to individuals is monitored and
Where analytics is conducted on behalf of partner entities,
flybuys may conduct a promotion on behalf of those partners but
will not share information about the individuals with those
These organisational, systems and practical separations of
analytic databases and personal information databases are
significant signposts for organisations to consider when designing
the way in which analytics will be conducted and also when
considering how information will be shared with partners or not
All of the above comments are made within the context of the
Privacy Management framework that Coles Group has put in place.
The comments in relation to the Woolworths Rewards program are
similarly within the context of the Privacy Management framework
that had been put in place by the Woolworths group. The comments
made in relation to the Woolworths Rewards program focussed on the
similar issues to flybuys, i.e. the data analytic activities are
conducted with de-identified information and that access to
identifiable data is restricted to a very small number of people
within the team.
In addition, the OAIC was satisfied that the Woolworths terms
and conditions adequately described the analytics and notified
participants in the program that their information may be used and
may be shared with affiliates and related bodies corporate.
The key takeaways from these reports are that at an
organisational level a robust privacy culture and structure is
required to support underlying activities.
Where data analytics are being undertaken, it is necessary to
ensure that only de-identified information is used, that
participants understand how their information will be used, and
that where the results of analytics are that marketing approaches
will be taken, access to personal information to conduct that
marketing is controlled within a small group dedicated to ensuring
privacy is maintained.
We can assist you in establishing these structures within your
This publication does not deal with every important topic or
change in law and is not intended to be relied upon as a substitute
for legal or other advice that may be relevant to the reader's
specific circumstances. If you have found this publication of
interest and would like to know more or wish to obtain legal advice
relevant to your circumstances please contact one of the named
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Privacy issues require a considered strategy where sets of big data come with ever-increasing regulatory obligations.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).