As we often hear, we live in the ‘information age’. Although marketing has always required getting the right information to the right people at the right time, that is now more important than ever, particularly with the progression of mainstream media from a few mass markets to many customer-chosen niches.
Information matching, being a comparison of different sets of information that relate to the same person, can prove an invaluable tool in that respect. However, as some high-profile cases such as the Facebook-Cambridge Analytica scandal have shown over the past few years, the clash between sharing useful information about individuals and those individuals’ right to privacy can be severe.
Helpfully, in New Zealand we have some underlying legal guidance in this area in the form of “Privacy Principles”, set out in the Privacy Act 1993. Failure to adhere to these Principles risks investigation by the Privacy Commissioner, referral to the Human Rights Tribunal or the initiation of civil court proceedings.
An example of a common issue is when sharing information with advertising suppliers gives rise to risks that the information may subsequently become available to other clients of the advertiser, and in doing so breach the privacy of the individual. Ensuring that each step in the advertising process is subject to appropriate terms and conditions is essential in the management of such risks.
A new Privacy Bill is currently making its way through parliament (it passed its second reading on 7 August 2019, though there is no date set for when it comes into force) that will be more in tune with the modern privacy environment; in particular, the needs of the digital age.
When enacted, the bill will make it compulsory for an agency to report to the privacy commissioner and to any affected individuals, any privacy breach that causes or risks harm to people. It also recognises the global environment in which information now exists, by specifically regulating disclosure of information overseas. Importantly, an organisation will also remain accountable for information held by another organisation as its agent. Without these provisions, there is a danger that information will continue to become increasingly abstract – irretrievably removed from the individual concerned.
A ‘privacy statement’ that an individual can, before sharing their information, reasonably understand and agree to, is an essential tool in protecting any organisation. It is vital for any business that engages in information matching, to any extent, to keep its privacy statement current, relevant and written in plain English. While a privacy statement will not protect against all possible breaches of privacy principles, its importance cannot be overstated as the information age continues to become more complex and unavoidable, making privacy breaches harder and harder to prevent.