The collection and commercial use of personal information is now a multibillion-dollar industry.
Rapid advances in technology have fuelled the collection of vast quantities of personal information by making it viable to collect, share, mine, manage and match information about individuals without their involvement (or even knowledge).
The collection of personal information is often justified under the guise of convenience, and sometimes mistake – although many people now understand that personal information is also being collected for the purposes of targeted advertising.
Facebook offers a tool which allows businesses to exploit their customer information by matching it with Facebook data/users in order to create a “custom audience” for targeted advertising.
The strike rate or success of an advertising campaign can be massively increased by targeting advertising at consumers with traits, demographics and behavioural variables more aligned to the advertised subject.
This is where data matching comes in: one set of data is compared with another in order to find records in both sets that relate to the same individual. By making that comparison, data matching aims to discover new facts or traits about an individual which, in turn, enables businesses to understand more about their customers: the more information you have, the more you can target your advertising. As a result, data matching and the trading and exploitation of customer databases have now become big business.
However, before businesses can take full advantage of their databases, they need to be conscious that customer databases almost always contain personal information. This gives rise to important legal issues including:
- Whether the information has been collected lawfully; and
- What the permitted uses of the information are.
In New Zealand, the collection of personal information is governed by the Privacy Act 1993. The Act contains a number of “Privacy Principles” which relate to the collection, storage and use of personal information.
In summary, the Principles include:
1. Personal information must be collected for a lawful purpose connected with the function / activity of the business, and must be necessary for that purpose;
2. Personal information obtained for one purpose shall not be used for another purpose (except in limited circumstances);
3. Personal information may not be disclosed to others, except in certain circumstances, including where the disclosure is authorised by the individual;
4. The information must be collected directly from the individual concerned, unless:
- The information is publicly available;
- The individual has authorised the collection of the information by someone else; or
- The information is anonymous (i.e. the individual cannot be identified);
5. Where information is collected directly from the individual, reasonable steps have been taken to ensure that the individual is aware of:
- The fact that information is being collected;
- The purpose for which the information is collected;
- The intended recipients of the information;
- The right to access and correct any personal information held;
6. Information must not be collected by unlawful means or by means that, in the circumstances, are unfair or intrude to an unreasonable extent upon the personal affairs of the individual; and
7. Unique identifiers (i.e. user IDs) may not be assigned to personal information unless necessary to carry out the business’ functions.
As a result of rapidly emerging online and EDM (electronic direct marketing) technologies, the number of businesses engaging in data matching is increasing.
The practical realities of online advertising, as well as services such as hosting, backup and cloud, mean that personal data is now being collected by several parties, including service providers that have no direct contact with the consumer, nor the ability to communicate with them. This can make compliance with the Privacy Act difficult.
Assuming that customer data has been lawfully collected, a number of key issues arise in relation to data matching, including:
1. Whether the business sharing the information is lawfully entitled to share the information with EDM or advertising service suppliers or other entities for the purposes of data matching;
2. The lawfulness of data matching itself; and
3. Maintaining control of that information.
While the Privacy Act legitimises data matching between specified public sector agencies (provided a number of rules are adhered to), the Act is silent on data matching in the private sector. As a result, data matching in the private sector is, for the most part, regulated by the privacy principles relating to the collection, use and disclosure of personal information, and the use of unique identifiers.
Where a receiving business has not directly obtained consent to collect, hold or use that information, it will be heavily reliant on the terms on which the supplying business obtained the information from its customers.
Businesses therefore need to be vigilant in ensuring that documented, forward-thinking consent (which captures all potential uses) has been obtained, whether by them or their business partners. Otherwise, the value of the information held may be seriously diminished (both for immediate use and any future business sale). Worse, an EDM campaign undertaken without appropriate consent risks prosecution, reputation damage and loss of consumer trust/loyalty.
When information is shared between parties, it is important to ensure the security of the information and manage the permitted uses of that information by each party involved.
For example, where information is shared with online advertising suppliers, the business sharing the information needs to make sure that the information:
a. Is separately identifiable to avoid commingling with other information held by the provider; and
b. Will not subsequently become available to competitors, or other clients of the advertising provider.
These risks can be managed by ensuring that all steps in the online advertising process, starting with the collection of customer data and culminating in the targeting of advertising to current and prospective customers, take place under appropriate terms and conditions.
An abbreviated version of an article produced by Clendons Lawyers. For the full version of the article please visit http://www.clendons.co.nz/resources/articles-and-publications/technology/data-matching-and-privacy-laws-new-zealand/.
This Article by its nature cannot be comprehensive and cannot be relied on by any reader as legal advice. Please consult the professional staff of Clendons for advice specific to your situation.