Data Analytic Activities

Last week we considered the OAIC reports into the loyalty programs of Coles and Woolworths, and in particular the data collection and privacy notification issues ( click here).

These reports considered to some degree the notification requirements in relation to the use of either personal or de-identified information for data analytics. In each of the reports the OAIC separately considered the application of the Privacy Act to the data analytic activities of the parties. The key issues raised in relation to data analytics were as follows:

flybuys

The findings were significant for those who conduct data analytic activities as it pointed to:

  • Organisational separations: flybuys division has restricted access and does not have cross access to personal information in relation to the data the subject of analytics.
  • The analytic activities are conducted by a separate analytics area which sees only high-level data and not personal information, i.e. separation of functions.
  • The analytics is aimed at targeted marketing and the cross-over to provide marketing contacts to individuals is monitored and limited.
  • Where analytics is conducted on behalf of partner entities, flybuys may conduct a promotion on behalf of those partners but will not share information about the individuals with those partners.

These organisational, systems and practical separations of analytic databases and personal information databases are significant signposts for organisations to consider when designing the way in which analytics will be conducted and also when considering how information will be shared with partners or not shared.

All of the above comments are made within the context of the Privacy Management framework that Coles Group has put in place.

Woolworths Rewards

The comments in relation to the Woolworths Rewards program are similarly within the context of the Privacy Management framework that had been put in place by the Woolworths group. The comments made in relation to the Woolworths Rewards program focussed on the similar issues to flybuys, i.e. the data analytic activities are conducted with de-identified information and that access to identifiable data is restricted to a very small number of people within the team.

In addition, the OAIC was satisfied that the Woolworths terms and conditions adequately described the analytics and notified participants in the program that their information may be used and may be shared with affiliates and related bodies corporate.

Key takeaways

The key takeaways from these reports are that at an organisational level a robust privacy culture and structure is required to support underlying activities.

Where data analytics are being undertaken, it is necessary to ensure that only de-identified information is used, that participants understand how their information will be used, and that where the results of analytics are that marketing approaches will be taken, access to personal information to conduct that marketing is controlled within a small group dedicated to ensuring privacy is maintained.

We can assist you in establishing these structures within your organisation.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.