On March 12 2014, the way Australian organisations will have to handle online privacy is going to change significantly. We investigated whether these organisations are ready and found in most cases, they’re nowhere near.
The new Australian Privacy Principles (APPs) replace the current National Privacy Principles and the Information Privacy Principles. They cover organisations with more than A$3 million turnover and some others such as health care providers, including government (Commonwealth and ACT). They will mandate how these organisations have to deal with sensitive private information collected in the course of their activities.
To determine the level of compliance with the new principals, we at the Centre for Internet Safety at the University of Canberra produced the 2013 Australian Online Privacy Index. It benchmarks the public-facing privacy practices of the websites most visited by Australians. The index is an Australian first.
The privacy index lets consumers and regulators assess the privacy implications of interacting with popular websites. Businesses can also compare themselves with peers in their own sector, and how their sector fares against others.
Organisations will need to take reasonable steps to ensure personal information collected is properly protected. The majority of privacy policies we reviewed do not adequately articulate this.
The introduction of privacy principles mean organisations will have to update their privacy policies and risk management protocols. If they combine the principles with best practises for responding to a data breach, they’ll need to have a cultural rethink in the collection, storage, use and dissemination of information which personally identifies customers.
Privacy policies need to clearly state how an organisation collects, uses, discloses, transfers, and stores such customer information.
Our index measures two aspects on an online organisation. First, we derived a score from the number and duration of tracking cookies dropped onto a computer visiting the homepage of the website. We used this to determine how intrusive an organisation is.
Tracking cookies are used by organisations to gather detailed profiles on individuals who visit websites. Profiles can include a real name, address, phone number or other identifiable information such as machine identity.
Analytical tools use this information, extrapolating the types of websites visited over days, weeks, months and even years. This information is extremely valuable for targeted marketing against gender, approximate age, marital status, location, work, hobbies, health issues, political leanings and education.
As a whole, government websites scored the highest and were the most respectful of privacy. Banking and finance sites were the next best.
The vast majority of privacy policies are not compliant with the new privacy principles. The sites which did poorly – such as those of internet service providers TPG and iinet – failed basic tests. Their policies had not been updated recently enough, and do not state sufficiently what information they are collecting and what they do with customer identifying data.
Because of this lack of knowledge, consumers interacting online with these organisations are not fully informed about the amount of personal information being collected and for what reasons it is being collected.
The majority of websites analysed also did not stipulate if personal information was disclosed to overseas entities or given to third-party marketing companies (both are requirements under the new Privacy Act).
Australian websites also contained a large number of tracking cookies which had long expiry dates. Harvey Norman had 43 tracking cookies with an average expiry of 706 days. While there is no mandate on such practises, tracking a user for over two years seems a little excessive.
Changes to the Privacy Act will give the Australian Information Commissioner enhanced powers, including the ability to accept enforceable undertakings and seek civil penalties from individuals and organisations for a serious or repeated breach of privacy.
It is now time for organisations to start taking privacy more seriously.