Privacy considerations when handling personal information with suppliers

Posted by David Johnson on 11 Feb 2016

Why should you care about privacy in dealing with a supplier?

Privacy is a topic that has received renewed focus for many organisations since March 2014 when the new APP Guidelines (Australian Privacy Principles Guidelines) came into effect.

For businesses like our own, privacy is always an important consideration because we deal with large consumer databases. An important factor for us when determining the legitimacy of a data source is whether the data is publicly available or whether the database has a very clear privacy statement permitting use of the data for our clients.

If you belong to an organisation that stores and manages a consumer customer database, the policies that are adopted when managing the database are critical to ensuring that you operate within the Privacy Act.

The Privacy Act can be quite complicated depending upon your organisation and the imperatives that it has. The purpose of this article is not to provide you with advice regarding how to manage your own privacy obligations, but rather to equip you to ask the right questions when dealing with information companies like Acceleon.

As part of our business, Acceleon receives customer files to enable us to enhance, correct and append additional information to customer databases. This business function provides an extremely cost effective mechanism for resolving obligations under APP 10 – Quality of Personal Information. However, it also raises risks and concerns around:

  1. what will happen to that data when disclosing it to information brokers and
  2. whether the data being returned is usable under the Privacy Act.

How will the supplier use your personal information?

If personal information that you have collected for the purpose of managing your business imperatives finds its way into another company's database, then you will be in breach of APP 6 – Use or disclosure of personal information unless you disclosed that you would use the information for this purpose.

In recent times it appears that some data suppliers have emerged who are prepared to use their customer data files for the purpose of enhancing their own. This data is then on-sold to the rest of their customers. In an increasingly competitive marketplace where match rates are king, this becomes an attractive business proposition because it brings into play many records that legitimate operators cannot use.

If you discover that your customer data has been disclosed in contravention of the Privacy Act, then you have a data breach on your hands. The Office of the Australian Information Commissioner has a document that outlines the steps that you should take once you have realised that this has occurred.

Ultimately you need to be comfortable through the terms and conditions of the supplier that the data that you present will be used only for the purpose of fulfilling its obligations to you.

Are the supplier's data sources privacy compliant?

The next issue that you need to think about is whether the data that you are being provided with is compliant with the Privacy Act. Obviously the supplier of the earlier scenario is selling data that is not Privacy Compliant, so if you were in receipt of this data how does it affect you?

The answer is it depends.

For example, if you are a debt collector and you found a person’s contact details from a database where privacy compliance was not assured, you might find it difficult to find a judge that would find a judgement against a debtor who contested on the basis that information was discovered in contravention of the Privacy Act.

Another example might be that you contact a customer using an unlisted number for which the client had not permitted disclosure. How would you address this customer in such a way as to maintain their patronage?

What happens when the supplier is located overseas?

This is where it gets interesting from an enforcement perspective. Ultimately if a company is in breach of the Privacy Act, then they are responsible for any breach of the Act. However, if the company that is in breach is outside of the jurisdiction of the Office of the Australian Information Commissioner, then APP 8 – Cross border disclosure of personal information provides for the Australian discloser of the information to be in breach of the Australian Privacy Principles.

The result is that you could be held to account for the actions of your supplier because they do not operate within Australia.

Conclusion

If you are disclosing your customers' personal information for the purpose of improving your own or your clients' customer database, you need to understand:

  1. where that information is going,
  2. what it will be used for,
  3. whether the data supplier's database is privacy compliant, and
  4. how the information is secured.

If these questions cannot be answered such that you are comfortable with your own compliance with the Privacy Act, then you should be avoiding that supplier.