Cornwalls

    Tips for Retailers’ Privacy Compliance

    Posted on: 17 May, 2010 | Contact: Melissa Falcone
     

    Most retail businesses, particularly those operating multiple stores, are required to comply with the Privacy Act 1988 (Cth) (Act) and the National Privacy Principles (NPPs) that the Act applies to private sector organisations, but many are unaware of their obligations in this regard.

    Small businesses with an annual turnover of $3 million or less are generally exempt, so, subject to some exceptions, a business with an annual turnover of more than $3 million must comply with the Act and NPPs. The primary obligations are set out in the NPPs, which govern how businesses collect, hold, use and disclose personal and sensitive information relating to individuals in order to protect the privacy of those individuals. The NPPs cover:

    1. collection;
    2. use and disclosure;
    3. data quality;
    4. data security;
    5. openness;
    6. access and correction;
    7. identifiers;
    8. anonymity;
    9. transborder data flows; and
    10. sensitive information.

    In practice, most retailers will address the majority of these obligations by preparing, and then actually complying with, a well drafted and up to date privacy policy. The privacy policy will typically set out the kinds of information that are collected (for example, names, addresses, credit card details and dates of birth), how the information will be used (for example, to enter the customer in a competition, send them marketing material or process a mail order), and how the information can be accessed and corrected. The privacy policy should be referred to wherever information is collected (eg, on a website form or on a paper form in-store) and copies should always be available to customers (usually on the retailer's website, or otherwise on request). Set out below are some things to consider when drafting or updating a retailer's privacy policy.

    What information is collected?

    Retailers must consider what information they collect from customers. For example, are names and contact details collected in-store to join a mailing list? Are credit card details collected for online orders? What about dates of birth and telephone numbers for joining a retailer's loyalty program? The policy should set out what information is collected and the purposes for which it is collected. If a new program is initiated that collects different information, or collects information for a different purpose, the policy should be updated before that program starts.

    It is important to remember that information should only be collected where it is necessary for one of the retailer's functions or activities (for example, to fulfil a customer order or to enrol a customer in a loyalty program), and not on the off chance that the retailer will need that information for one of its functions or activities in the future. Further, the collection must be "fair and lawful", and customers must be made aware that the information is being collected from them and of the reason for its collection.

    What are you going to do with the information?

    Retailers must generally only use or disclose personal information for the primary purpose for which it was collected, or for a related secondary purpose that the customer would reasonably expect (for sensitive information, the secondary purpose must be directly related). Where a retailer collects personal information directly from a customer, the context in which the customer gives the information to the retailer will help identify the purpose of collection - for example, the collection of a name and address in order to deliver mail-order products.

    If the information collected is to be shared with any third party (eg, a delivery company, marketing organisation), this must be explicitly stated at the time the information is collected.

    How is the information kept secure?

    Retailers must take reasonable steps to protect the personal information they hold from loss, misuse, unauthorised access, modification or disclosure. Such security measures can include physical security (eg, of the building), computer and network security, communications security (phone and email) and personnel security (eg, procedures that limit access to personal information to authorised staff, and only for approved purposes). What constitutes "reasonable steps" will depend on a number of factors, including the sensitivity of the information (eg, credit card details as compared to a person's date of birth), the harm that is likely to result from a breach of security and the size of the organisation. Given many retailers now operate online, they must ensure that the security of their website and of any customer data it collects (including how that data is transmitted, stored and accessed) is sufficient and is regularly reviewed for adequacy, rather than assessed once and assumed to remain so.

    Is the information accurate and up to date?

    Retailers are required to take reasonable steps to ensure the personal information they hold is accurate, complete and up to date. Clearly, personal information changes over time. Retailers are not required to constantly monitor the information they hold to ensure it is correct, but they must take reasonable steps to keep it current. What is reasonable will vary with the circumstances, including whether the kind of personal information collected tends to change over time, when it was collected, how reliable it is likely to be, who provided it and what the retailer uses it for.

    Who has access to the information? Can it be corrected?

    Customers have a general right to access their personal information and the right to have that information corrected if it is inaccurate, incomplete or out of date. If a request for access is straightforward, it should typically be granted within 14 days of the request, and the customer cannot be charged for making the request (although reasonable administrative costs may be passed on when access is provided - eg, if photocopying is required). A retailer must take reasonable steps to correct information if it is found to be inaccurate, incomplete or out of date, or if a customer requests that their details be changed.

     

    Retailers should also ensure that they have functional "unsubscribe" facilities for any communications sent to customers, allowing customers to elect not to receive further communications. If a customer submits an unsubscribe request (eg, replying to an email they have received or following a link provided), this request should be implemented as soon as practicable.

    What about information that is no longer required?

    If information is no longer required by a retailer (and there is no law that otherwise compels the retailer to retain it), the information should be destroyed. Physical records should be shredded, pulped or otherwise destroyed, and electronic records should be securely deleted so that they cannot be retrieved; simply deleting a file or a database record does not achieve this, as the data usually remains recoverable until it is overwritten, and copies held in backups and on other systems must also be dealt with. If information cannot be destroyed for any reason, it should be permanently "de-identified" so that it is no longer capable of identifying the individual, bearing in mind that removing names alone may not be enough where the remaining details (such as a date of birth and a postcode) could still single a person out.

    Who is in charge of privacy?

    It is prudent for a retailer to have a designated person (often called the Privacy Officer or Privacy Contact Officer) who is aware of the company's privacy responsibilities and is able to handle complaints and enquiries about the retailer's handling of personal information. Store staff should also be aware of their general privacy obligations to ensure everyday compliance.

    Compliance with the Act and NPPs is not difficult, but there are many things to consider, some of which have been set out above. Retailers would be well advised to seek legal advice when preparing or updating their privacy policies to ensure they are compliant.



    Level 10, 114 William Street, Melbourne VIC 3000, Australia | Phone +61 3 9608 2000 | Fax +61 3 9608 2222
    Copyright © 2010 Cornwall Stodart Enhancing Success ®. All rights reserved.