Could you give your Customer all their data if they demanded it?

If one of your customers requested all the information you have about them, would you be able to provide it? The Australian Privacy Commissioner will shortly decide on the outcome of a 15-month battle between Telstra and Ben Grubb, Deputy Technical Editor of smh.com.au and theage.com.au. The case will determine the actual meaning of Australian Privacy Principle (APP) 12 – Access to Personal Information, and could have enormous implications for retailers entering the world of Big Data.

Ben Grubb published an article last week giving a full account of his battle. In short, Grubb asked Telstra to provide him with the same information they would provide law enforcement agencies regarding his “metadata” – the phone numbers he has called or that have called him, websites he has visited, email correspondents that Grubb has communicated with, and even his geolocation at given times. Given that Telstra can and will provide this information to various Government agencies on demand, it seems reasonable that the same information should be made available to Grubb himself.

The case is a real test of APP 12, which is part of the privacy legislation that came into force in March this year. The principle states “If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information”. The key question is: what is the definition of personal information? From Grubb’s article, it appears that Telstra’s main contention is that data that does not directly contain a person’s identity is not personal information, even if the data can be linked through identifiers such as account or customer numbers.

In the broadest interpretation, personal information may be seen to be all the information that a company such as a retailer records and stores, and uses to understand and communicate with a customer. This could include all sales associated with the customer through a loyalty or credit card; all website and phone app behavior when the customer was logged in to their account; all campaigns sent to the customer, including whether or not the customer activated or executed the campaign; and any interaction the customer may have had through call centres, Facebook or Twitter.

Providing all this information to customers on request will be an administrative overhead that retailers would prefer not to incur. More critically, however, if customers start accessing this data and understanding the extent to which retailers record and use information, will this cause a backlash against customer loyalty programs and one-to-one marketing campaigns? Or will this remain the concern of a very small number of more extreme privacy advocates and civil libertarians (plus the odd conspiracy theorist)?

A sub-clause of APP 12 states “the entity is not required to give the individual access to the personal information to the extent that …. the request for access is frivolous or vexatious”. This may provide a get-out clause for retailers should they choose to argue the issue – although arguing the point may just bring more attention to an issue that retailers would probably prefer to stay in the background.

Either way, I will be paying close attention to the outcome of Ben Grubb’s hearing with the Privacy Commissioner.