Privacy and Business, July 2001

and the Australian Taxation Office

Prepared for: Office of the Federal Privacy Commissioner

Prepared by: Roy Morgan Research

Preface

The Privacy Amendment (Private Sector) Act 2000 is due to commence on 21 December 2001. The purpose of the Office of the Federal Privacy Commissioner (OFPC) is to promote an Australian culture that respects privacy. Our strategic Plan 2000 identifies four key result areas in the lead up to the commencement of the Privacy Amendment (Private Sector) Act. Important among these is gaining a comprehensive understanding of current community (including organisations) attitudes towards privacy. The research will contribute significant input into the networks we are developing with, among others, business organisations, community groups and the health sector. Most immediately the outcomes of this research will inform the Office's communication strategy for the Privacy Amendment (Private Sector) Act.

Privacy and Business is among the most comprehensive research of its kind in Australia. It suggests that so far, Australian business has demonstrated a positive attitude to its impending responsibilities. However, this is matched by a low level of understanding about what exactly those responsibilities are. The ramifications of this are potentially serious.

Key trends in today's business world include: Customer Relationship Management , e-Business and e-Commerce; and database mining. In the not-for-profit sector, for example, there is a greater move towards relationship marketing to enhance donor relationships and sustain long term giving. In the health sector, investment in e-heath initiatives is growing rapidly. These trends can involve collection of a large volume of detailed, and possibly intimate, personal information. However many businesses pursuing these strategies will be covered by the new Act and may need to adjust the way they handle personal information in order to comply.

Importantly though, compliance with the Act should not be the sole concern of business. The OFPC research Privacy and the Community illustrates that individuals care about their privacy and these concerns are growing. Organisations, be they on or off line, must attend to the privacy concerns of individuals. As organisations seek increasingly intimate relationships with their customers, relationships that are dependent upon trust, privacy clearly becomes an imperative that no business can afford to ignore.

Finally I would like to thank our Privacy Partners in this project: Australian Information Industry Association; Centrelink; Freehills; and Pricewaterhouse Coopers; and our project sponsor, the Australian Taxation Office. The generous support of these organisations enabled us to take a more thorough look at privacy and the corporate culture in Australia today.

Malcolm Crompton Federal Privacy Commissioner July 2001

Contents

1. EXECUTIVE SUMMARY

2. INTRODUCTION
2.1 Background information
2.2 Research objectives

3. METHODOLOGY
3.1 Interviewing
3.2 Questionnaire design
3.2.1 Pilot testing of the questionnaire
3.3 Sampling frame and sample design
3.4 Response Rates
3.5 SAMPLE CHARACTERISTICS
3.5.1 Size of organisations
3.5.2 Location of organisations
3.5.3 Type of industry
3.5.4 Position of respondents in organisations
3.5.5 Position of respondents in organisations by type of industry
3.5.6 Location of privacy officer

4 MAIN FINDINGS
4.1 Importance of Privacy of Customers' Personal Information
4.1.1 Reasons for Importance of Privacy of Customers' Personal Information to Organisation
4.2 Impact of Breach of Privacy on Public Profile of Organisation
4.3 Impact of Breach of Privacy on Organisation's Customer Relations
4.4 Success of Business and Maintaining Customer Privacy
4.5 Respondents' understanding of the term "Personal Information"
4.6 Organisational Factors and Customer Trust
4.7 Customer Service Factors in Dealing with Organisations
4.8 Privacy Guidelines in Organisations
4.9 Type of Privacy Guidelines Followed by Organisations
4.10 Obtaining Information About Customers From Other Organisations
4.11 Providing Information About Customers To Other Organisations
4.12 Transfer of Customer Information Within Organisations
4.13 Concerns About Transfer of Customers' Personal Information
4.14 Attitudes Toward Use and Protection of Customer Information
4.15 Awareness and Knowledge of Federal Privacy Laws
4.16 Organisational Knowledge About New Federal Privacy Laws
4.17 Impact of New Federal Privacy Laws on Businesses
4.18 Attitudes to Changes to the Federal Privacy Legislation
4.19 Reasons for Viewing Changes to Federal Privacy Legislation as Positive
4.20 Reasons for Viewing Changes to Federal Privacy Legislation as Negative
4.21 Impact of New Federal Privacy Laws on Consumers
4.22 Internet Privacy Issues Relating to Clients' Personal Information
4.23 Organisation Websites
4.24 Protecting Client Privacy On-line
4.25 Future Impact of New Federal Privacy Laws on Businesses
4.26 Ways that New Federal Privacy Laws Impact on Businesses
4.27 Organisational Preparation for New Legislation
4.28 Sufficiency of Information to Prepare for New Legislation
4.29 Barriers to Organisational Compliance With New Legislation
4.30 Sources for Further Information About New Privacy Laws
4.31 Awareness of the Office of the Federal Privacy Commissioner
4.32 Assistance From the Office of the Federal Privacy Commissioner to Organisations

List of Figures

Figure 1: Distribution of Respondents by Position in Organisation
Figure 2: Location of Privacy Officer
Figure 3: Importance of Privacy of Customers' Personal Information
Figure 4: Impact of Breach of Customer Privacy to Organisation's Public Profile
Figure 5: Impact of Publicity Concerning Breach of Customer Privacy on Organisation's Customer Relations
Figure 6: Extent to Which Success of Business is Dependent on Protection and Responsible Use of Customers' Personal Information
Figure 7: Existence of a Relevant Industry Association for Customer Privacy Issues
Figure 8: Type of Privacy Guidelines Followed by Organisations
Figure 9: Extent of Organisation Obtaining Customer Information from Other Organisations
Figure 10: Extent of Organisation Providing Customer Information to Other Organisations
Figure 11: Degree of Concern About Transfer of a Customer's Personal Information to Another Business Without the Customer's Knowledge
Figure 12: Attitudes Toward Use and Protection of Customer Personal Information (Statement 1)
Figure 13: Attitudes Toward Use and Protection of Customer Personal
Figure 14: Attitudes Toward Use and Protection of Customer Personal Information (Statement 3)
Figure 15: Awareness and Knowledge of Federal Privacy Laws (Question 1)
Figure 16: Awareness and Knowledge of Federal Privacy Laws (Question 2)
Figure 17: Awareness and Knowledge of Federal Privacy Laws (Question 3)
Figure 18: Extent of Organisational Knowledge About New Privacy Laws
Figure 19: Extent of Impact of New Federal Privacy Laws on the Way Business is Conducted
Figure 20: Extent of Customer Concerns About Security of Personal Information on the Internet
Figure 21: Organisational Preparation for the New Legislation
Figure 22: Sufficiency of Information on New Privacy Laws to Prepare for the New Legislation
Figure 23: Awareness of the Office of the Federal Privacy Commissioner

[Index][Executive Summary index] [Introduction index] [ Methodology index] [Main Findings index] [List of Figures] [List of Tables]

1. EXECUTIVE SUMMARY

In order to gain further understanding of attitudes in the business community towards privacy issues and awareness of the new privacy legislation, the Office of the Federal Privacy Commissioner commissioned Roy Morgan Research to conduct a national CATI (Computer Assisted Telephone Interviewing) survey among a representative sample of private sector organisations in Australia. Interviews were conducted in June, 2001, with appropriate persons (mainly senior and middle management level) in 560 organisations covering six major industry sectors. (Note that the organisations included in the survey were those handling information relevant to privacy issues.) This section of the report summarises the general overall findings of the research, followed by a breakdown of the results by type of industry, State, and the location of privacy officers. This section also incorporates information obtained from interviews of business leaders as part of the qualitative stage of the project, and relevant findings from the quantitative study of community attitudes towards privacy.

Summary of findings

Importance of maintaining privacy of customer personal information

Overall, respondents reported highly positive attitudes toward the privacy of customers' personal information. The overwhelming majority (95%) of respondents said that they considered the privacy of customers' personal information to be a very important or important issue for their organisations. The main reasons (representing 51% of responses) given for the importance of the privacy of customer information were: ethical/moral reasons; compliance with company policy; and maintaining confidentiality of customer information in line with the requirements of the organisation's line of business. Other, less common, reasons (representing 22% of responses) included maintaining the reputation or credibility of the business; consumer confidence; and enhancing customers' expectations of the trustworthiness of the organisation.

The majority (80%) of respondents stated that their business was dependent to a considerable extent upon their ability to protect and responsibly use their customers' personal information. Respondents were cognisant of the negative impact of publicity regarding breaches of customer privacy. Most respondents (over 90%) stated that publicity concerning a breach of customer privacy would be damaging to their organisation's public profile and customer relations.

When participants were asked what was most likely to make customers trust their organisation with their personal information, the most common responses (representing 70% of responses) were centred around the organisation's good track record in keeping information confidential; the organisation's reputation, good name, and length of time in business; and information provided to customers about the organisation's commitment to privacy and specific privacy procedures in place. Less common reasons (representing 13% of responses) were knowledge about the organisation's policies regarding selling or giving away private details, and customer relations practices in building close professional relationships with clients.

It is interesting to note, however, that respondents tended to use widely encompassing definitions of the term "personal information". When asked to define the term, the most common responses (representing 60% of responses) were: address (private/business); phone number (private/business); name; and income details. Other, less common responses (representing 22% of responses) were: age; financial, taxation, credit card information, account details; marriage status; and medical information. It is noteworthy that health case notes, customer service information and personal opinions were not mentioned by respondents as constituting "personal information". Thus, while respondents held quite positive attitudes toward protection of customer personal information, it is not clear that they interpreted the term "personal information" in the same way as the privacy legislation.

These responses from representatives of business sectors to the question of what constitutes personal information are similar to those expressed by respondents in the community survey. The types of personal information people in the community felt reluctant about divulging included financial details, income, health information, and home contact details.

With respect to trusting organisations with their personal information, community respondents were more likely to trust organisations that gave them control over how their personal information was used, and those that had a privacy policy. The results of the business survey suggest acknowledgment of customers' views regarding privacy and a willingness on the part of business to respect privacy of personal information and work towards obtaining and maintaining their customers' trust in the organisation's commitment to privacy.

These findings are also in keeping with comments obtained from interviews with business leaders in the qualitative study:

They [people] want to feel that they've got control over what's happening with their information. That's something we need to think of as an organisation … ensuring that we meet that expectation test of what our customers expect because it's in our interests not to get that wrong. Because if we consistently get it wrong, we are going to upset a lot of customers. There's no business commercial value in that.

If we have a privacy breach, it will be through accident rather than intent. It will be through unconscious act rather than for someone failing to perceive the impact of what they're doing with the information.

There is a bit of paranoia around here [about media publicity] because a lot of the reporting of privacy to date has focused very much on the abuse.

If history is anything to go on, when there is a privacy breach and it is a high-profile one, there would be heaps of media interest, lots of political interest, and that will then be a big beat-up in the press, which will then play on consumers' minds. So you end up with consumers who become increasingly frightened about these privacy issues, even though generally there may well be very little to be frightened about. That will then in turn effect their take-up of, for example, e-commerce products and also the amount of information they are willing to divulge.

The publicity given to non-compliance will effect people's concerns about privacy, which is kind of negative, but at the same time they need to be aware, and then that will effect business. So it will definitely effect us all.

I think there have been some fairly high-profile issues about privacy in Australia [recently] where databases have gone missing, credit card details have gone missing, all of that kind of stuff, and every time it happens, there is lots of publicity, and rightly so. I mean if you lose a database or a credit base, that is incredible. Again, it will be just another peak, a high point in the privacy issue and the first breaches start. Then eventually, hopefully, it will kind of die off to [people becoming] more comfortable with the way information is being used.

Use and protection of customer personal information

In general, respondents tended to hold responsible views about the use and protection of customer personal information. The majority (76%) disagreed with the statement: "Businesses should be able to use the customer information they collect whenever, and for whatever purpose they choose." Most (95%) respondents agreed with the statement: "It is reasonable that there should be laws to protect consumers' personal information held on business databases." Further, most (86%) respondents agreed with the statement: "An organisation's customer database is a valuable commercial asset."

It would appear, then, that most respondents realised the value of customer personal information and recognised that protecting such information was in the interests of the organisation and its relationship with customers.

The majority (64%) of respondents stated that their organisations never obtained information about customers or potential customers from other organisations; only 14% of respondents said that they regularly obtained such information from other organisations. Most (90%) respondents said that their organisations never sold, rented out, or transferred customer details to other organisations; only 4% said they regularly engaged in transferring such information to other organisations. This is an interesting finding. Given the large amount of marketing materials people receive, it may be that only a small proportion of businesses are engaging in these activities and these businesses would be responsible for a fairly high proportion of such information transactions.

About half the sample (48%) said that their organisations never transferred customer details internally for use in relation to different services or products offered by other sections of the company. However, a substantial proportion (a little over 20%) of respondents said their organisations did regularly transfer such information internally. Clearly, these organisations need to have adequate knowledge about the new privacy regulations and implement them accordingly to the internal transfer of information.

Overall, respondents expressed considerable concern about the transfer of customer personal information without the customer's knowledge. Most (90%) respondents said that such actions would be of great concern or some concern to their organisations. The majority (64%) of respondents also noted that when dealing with the Internet, customers would have more concerns about the security of their personal details than usual. About 80% of respondents noted that their organisations had already established a website, and another 10% intended to establish a website. About 55% of these respondents said that their organisations would need to consider special measures such as security protocols, security of data, on-line privacy policies and password protection, in order to protect client privacy on-line.

Business attitudes towards the protection of privacy seem to be compatible with community attitudes. In the community survey, attitudes reflected a strong desire for people to gain control over how their personal information was used, and wanting businesses to seek permission before using their personal information for marketing purposes. Organisational practices that concerned community members, such as transferring personal information without the owner's knowledge, and using personal information beyond the purpose for which it was originally collected, were practices that also concerned representatives of the business community.
An interesting area of contrast, however, was in response to the question of factors that customers consider important in choosing whether or not to deal with a company. In the community survey, respondents rated "respect for, and protection of, my personal information" as the most important factor, and over one-third of community respondents rated this service aspect above quality of product, efficiency, price and convenience. In contrast, business respondents rated "quality of product or service" as the most important factor. Further, quality of product, efficiency of service, price, and convenience were rated as more important than "protection or security of personal information". Thus, it would appear that businesses are not fully aware of the high importance that the community places on privacy issues with respect to choice in dealing with a particular organisation.

Awareness and knowledge of federal privacy laws

While the majority (82%) of respondents were aware of the existence of federal privacy laws before the interview, there appear to be some gaps in specific knowledge about the legislation. Less than 40% of respondents were aware of what organisations the federal privacy laws applied to. Less than 40% of respondents were aware that new federal privacy laws come into effect in December 2001.

About half (52%) the sample noted that their organisations had very little knowledge or no knowledge at all concerning the new privacy laws. The majority (74%) of respondents stated that their organisations had not started preparing for the new legislation. Further, most (91%) respondents believed that they did not have sufficient information on the new privacy laws to begin preparing for the new legislation.

However, about 40% of respondents noted that there was an industry association relevant to their organisation that had developed guidelines outlining privacy protocols for the collection, use and protection or storage of customers' personal information. Of those who had access to relevant industry association guidelines, the majority (60%) of respondents said that their organisations currently followed the privacy guidelines set out by the industry association and 35% said they followed their own guidelines.

Thus, it would seem that industry associations are an avenue through which organisations can obtain relevant information and guidelines for implementation of appropriate privacy procedures. These findings also confirm the appropriateness of the strategy of the Office of the Federal Privacy Commissioner to work actively through industry associations with respect to providing information about the new privacy regulations. The Office is clearly moving in the right direction in this business communication strategy.

Impact of new federal privacy laws on business

About 60% of respondents who were aware of the new privacy laws stated that they would have considerable impact upon the way their business is conducted. The majority (73%) of respondents viewed the changes to the federal privacy legislation as a positive event; only 12% said that the changes were somewhat negative. (Note these questions were directed at those respondents who stated that their organisations had a high level or some knowledge concerning the new federal privacy laws.)

The main reasons for saying the changes to the federal privacy legislation are a positive event (representing 77% of positive responses) were that it would be beneficial to the business and improve customer relations; give consumers more confidence about what information is kept about them in the organisation, and the way such information is kept; lessen the misuse of private information and prevent unauthorised intrusion; and make businesses more honest and ethical. The main reasons for saying the changes to federal privacy legislation are a negative event (representing 76% of negative responses) were that it would be expensive to implement; be too restrictive for businesses; and it would require considerable resources to implement.

When respondents were asked about how the new laws will impact upon their business, a considerable proportion of respondents (17%) said that the new laws would have moderate impact or not much impact, and 6% said that they already partly complied with the new laws. A number of responses to this question (12%) showed positive impact of the new federal privacy laws, with respondents noting that the new laws make businesses more aware of privacy regulations and their responsibility regarding privacy, as well as improving business practice.

The most common responses (55%) showing negative impact of the new laws included: increased work, paperwork and red tape; cost of implementation; requirements for staff training; increased monitoring and control; the need to make new declarations and inform customers to the new laws; and limitations on the amount or type of data that could be collected. Thus, the negative impact of the new laws seems to focus on practical implementation issues, including compliance costs.

When asked about barriers or potential barriers to organisational compliance with the new legislation, the most common responses (23%) were: lack of information; cost of staff education and training; cost of updating technology systems; and the time taken to implement the new laws, update systems, and reporting to Government.

Comments from interviews conducted with business leaders for the qualitative study complement these findings, showing a mixed reaction to the impact of the new federal privacy laws on business:

From what we've read so far, we should be all right. Obviously the more we read about it [the legislation], the more we need to think about it, but I think overall we shouldn't be too bad.

I think a lot of it's in your head in lots of ways. The move to applying similar principles to the private sector doesn't cause minimum level of disquiet. Some of the other [companies] are going, "This is awful." In reality, once you set the processes in place, it actually works quite smoothly.

I think business people are going to look at this as yet another government intervention in their jobs. I absolutely see that.

What we will do is obviously put into place a privacy policy which will be an extension to our security policy that's already in place. I think it's [going to be a] challenge to make the transition, the legislative transition, and pick up the bits without creating something everyone has to worry about.

[Similar organisations] are concerned about the costs in terms of once you move into a model where you have got some sort of information privacy principles you are bound to do things in a certain way to comply. There are compliance costs, and the idea of compliance is that quite often you do those things because they make good business sense in any event. You don't just do them.

I believe in essence the amended Act represents good business sense. The Act is not onerous, the requirements are minimal and by following the National Privacy Principles, we will minimise irritation to the general public, better target our prospects and donors, resulting in more efficient marketing campaigns and better financial results.

The Office of the Federal Privacy Commissioner

When respondents were asked about who they would contact in order to obtain further information on the new privacy laws, the most common responses (74%) were (in descending order): Industry Association; Privacy Commissioner; Solicitor/Lawyer; and Government Department (State or Federal). Those who did not mention the Office of the Federal Privacy Commissioner as a source of information about the new privacy legislation were asked whether they were aware of the Office before the interview. The majority (64%) of these respondents said they had not been aware of the Office of the Federal Privacy Commissioner.

These findings suggest that while the level of knowledge amongst the business community about the Office is considerably higher than amongst consumers (as expressed in the quantitative Community Survey), there remain a substantial proportion of organisations that need to direct their attention to the resources available to help implement privacy procedures according to the new legislation.

The last question put to respondents who said their organisations had some knowledge of the new privacy legislation concerned the ways that the Office of the Federal Privacy Commissioner could assist their organisations to prepare for the amended privacy laws that come into effect in December, 2001. The majority (72%) of respondents answered this question with the response "more information". Less common responses (representing 18% of responses) were: training for staff; support to industry associations; simplification of information; and workshops or seminars. Clearly, what respondents want is more information. However, the type of information required has not been specified.

Some comments obtained from business leaders in the qualitative study suggest that privacy issues regarding business-to-business exchange of information are likely to need clarification.

It's the companies like us that haven't been caught up in this in the past [that need clear guidelines about the new privacy laws]. We have probably been on the periphery, but we didn't know it. For example, we would process information [provided by another company] and our own security steps would be in place. We are not going to sell that information to anybody; we are not going to pass it on to anybody. We have done as instructed by the owners and it's their responsibility to make sure they are doing everything right [by the privacy laws]. If we did something under their instructions that was wrong, I guess somebody could come to us and say, "You breached the Privacy Act" and we would say, "Hold on, I was just following instructions from the owner of the data who should know."

The biggest fight that industry has got is perhaps not so much with their customer business interface, but it's their business to business relationships, and who actually owns the data. The privacy legislation is actually going to drive a lot of decisions to be made by who owns the data. Whoever owns it is therefore responsible for making it compliant, and it's a joint ownership, then it's got to be made clear to the customer at the time that it's a joint ownership.

I think that the people that really have got the most concerns are the people who have already been tied up in the Act anyway: the credit provides, the banks, the finance, the credit and the health area. They have been there, they are already there. It would seem to me that they are pretty well involved.

In order to clarify such issues, it would appear that the Office of the Federal Privacy Commissioner will benefit from continuation of the business communication strategy of working through relevant industry associations, which are viewed by respondents as supportive and understanding of concerns specific to the type of industry.

INDUSTRY SECTORS

Impact of breach of privacy

Respondents in the industry sectors Finance/Insurance and Education/Health were most concerned about the impact of a breach of customer privacy on their organisation's public profile and customer relations. Their high level of concern about the negative publicity impact of a breach of customer privacy may relate to their responses to other questions about the importance of the privacy of customers' personal information for their organisations. About 90% of respondents in each of these two industry groups stated that the success of their business was highly dependent on their ability to protect and responsibly use their customers' personal information.

While the majority of respondents in both the Finance/Insurance and Education/Health industry groups noted that ethical/moral reasons, confidentiality and company policy were important reasons for maintaining customer privacy, they also noted that the reputation and credibility of their business as well as consumer confidence were important aspects of maintaining customer privacy. Respondents in these two industry groups were also mindful that their line of business required maintenance of customer privacy as they dealt with confidential information. Respondents in the Finance/Insurance and Education/Health sectors also focused on the issue of trust, stating that their customers expected that the organisation would maintain customer privacy, and they wanted customers to trust the organisation.

In contrast, respondents in the industry sector Retail/Manufacturing were less concerned about the damaging impact of publicity concerning a breach of customer privacy on their organisation's public profile or customer relations. About 40% of respondents in this industry group maintained that the success of their business was relatively independent of their ability to protect and responsibly use their customers' personal information. It is interesting to note that, unlike the other industry groups, respondents in Retail/Manufacturing stated that a primary reason for the importance of the privacy of customers' personal information for their organisation was to ensure that such information was not misused or made available to their competitors.

Most (about 90%) respondents in the other industry groups (Publishers/ Advertisers/Direct Mail, Entertainment/Travel, Business/Personal Services) stated that publicity concerning a breach of customer privacy would be damaging to their organisation's public profile as well as their organisation's customer relations. There was, however, a mixed response pattern in these groups about the relationship between the success of their business and maintenance of the privacy of customers' personal information. The majority (77% to 86%) of respondents in these industry sectors said that the success of their business was dependent on their organisation's ability to protect and responsibly use their customers' personal information, but a substantial proportion (13% to 23%) said the success of their business was relatively independent of maintaining the privacy of customers' personal information.

The primary reasons given by respondents in these industry groups (Publishers/ Advertisers/Direct Mail, Entertainment/Travel, Business/Personal Services) for the importance of privacy of customers' personal information related to ethical/moral issues, confidentiality, company policies, and the nature of the information managed by the organisation. In effect, respondents in these industry sectors seem to hold to the notion that privacy of customer information was important because their organisations dealt with confidential information and they must abide by organisational policies.

Existence of relevant industry associations

The Finance/Insurance sector seems to be best served in terms of relevant industry associations. This was the only industry group where the majority (70%) of respondents stated there was an industry association relevant to their organisation that had developed guidelines outlining privacy protocols for the collection, use and protection or storage of customers' personal information. The majority (63%) of respondents in Finance/Insurance organisations that had access to industry association guidelines stated that their organisations currently followed the privacy guidelines set out by the industry association.

The industry sectors that seem to be less well served by industry associations are Retail/Manufacturing and Entertainment/Travel. The majority of respondents in both these industry groups (60% and 70%) said they were not aware of an industry association relevant to their organisations that had developed appropriate privacy protocols for customers' personal information. Of those respondents in Retail/Manufacturing and Entertainment/Travel organisations that had access to industry association guidelines, about 60% said their organisations currently followed the guidelines set out by the industry association.

The other industry sectors (Publishers/Advertisers/Direct Mail, Business/Personal Services, and Education/Health) showed much variation in terms of access to relevant industry associations. About half the respondents in each of these industry sectors stated that there were no industry association privacy guidelines available to their organisations, about 40% in each of the industry groups said they did have relevant industry association guidelines, and about 10% in each group did not know whether such guidelines were available. However, the majority (about 60%) of those who had access to industry association guidelines in these industry sectors noted that their organisations currently followed the privacy guidelines set out by the relevant industry associations.

Transfer of customer information by Industry Sectors

Type of industry does not seem to effect the extent to which organisations sell, rent out, or transfer customer details to other organisations. The large majority (85% to 96%) of respondents in each of the industry groups stated that their organisations never provided customer information to other organisations.

There was little variation across industry sectors with respect to the degree of concern about the transfer of a customer's personal information to another business without the customer's knowledge. Most (85% to 95%) respondents in each of the industry groups stated that such a situation would be of great concern or some concern to their organisations.

The particular industry sector does not seem to effect the extent to which organisations transfer customer details internally for use in relation to different services or products offered by other sections of the company. About half (41% to 54%) the respondents in each of the industry sectors said their organisations never engaged in internal transfer of information. Roughly the same proportion (43% to 55%) of respondents in each of the industry sectors said their organisations occasionally or regularly transferred customer details internally for use in other sections of the company. These findings suggest that there is a high volume of industries that are likely to have compliance concerns.

There were, however, differences across industry groups in obtaining customer information from other organisations by purchasing, renting, or swapping lists for marketing. According to respondents, the organisations that were occasionally or regularly obtaining information about customers or potential customers from other

This finding highlights a potential compliance problem. Businesses may believe that purchasing information from another organisation does not require additional compliance procedures on their part. However, there are some industry sectors, such as health, that have particular privacy regulations to consider with respect to use and storage of customer information that are not covered in the privacy policy of the organisation from which they have obtained the information. Such problems are likely to be complex when dealing with business to business exchange of information.

Attitudes toward privacy of customer personal information by Industry Sector

Responses to statements about the use and protection of customer personal information showed little variation across industry sectors. The majority (72% to 80%) of respondents in each of the industry sectors disagreed with the statement that businesses should be able to use the customer information they collect whenever and for whatever purpose they choose.

Most (93% to 99%) respondents in each of the industry sectors agreed with the statement that there should be laws to protect consumers' personal information held on business databases. Similarly, most (83% to 89%) respondents in each of the industry groups agreed with the statement that an organisation's customer database is a valuable commercial asset.

Type of industry does not seem to effect respondents' beliefs about security of personal information on the Internet. The majority (67% to 84%) of respondents in all industry sectors noted that their organisation had already established a website, and a substantial proportion (7% to 15%) said their organisation intended to establish a website. With respect to the question of customer concerns about the security of their personal information on the Internet, a similar pattern of responses appeared across industry groups. Between 60% and 68% percent of respondents in all industry groups stated that there would be more customer concerns about security of personal information on the Internet. However, a considerable proportion (14% to 26%) noted that such concerns would be about the same on the Internet as they are currently in other media.
Awareness and knowledge of federal privacy laws across Industry Sectors

Respondents' awareness and knowledge of federal privacy laws does seem to vary according to the industry sector of their organisations. Respondents in the Finance/Insurance sector, compared to other industry sectors, seem to be most knowledgeable about the federal privacy laws. Most (93%) respondents in this industry group said they were aware of the existence of federal privacy laws before the interview, 55 percent said they were aware of what organisations the federal privacy laws applied to, and the majority (70%) in this group said they were aware that new federal privacy laws would come into effect in December of this year. The majority (58%) of respondents in the Finance/Insurance sector also stated that they had been aware of the Office of the Federal Privacy Commissioner prior to the interview.

In contrast, while the majority (73% to 87%) of respondents in each of the other industry groups said they were aware of the existence of federal privacy laws, about a quarter (25% to 27%) of those in the industry sectors Retail/Manufacturing and Entertainment/Travel were not aware of the existence of the federal privacy laws. A substantial proportion (13% to 18%) of respondents in the industry groups Education/Health, Business/Personal Services, and Publishers/Advertisers/Direct Mail, were not aware of the existence of the federal privacy laws before the interview.

The majority (62% to 71%) of respondents in all industry sectors, except Finance/Insurance, stated that they were not aware of what organisations the federal privacy laws applied to. Similarly, the majority (59% to 77%) of respondents in all industry sectors, except Finance/Insurance, said that they were not aware that new federal privacy laws come into effect in December 2001. Further, the majority (61% to 79%) of respondents in all industry sectors, except Finance/Insurance, were not aware of the Office of the Federal Privacy Commissioner.

This pattern of responses was repeated for the question regarding the organisation's level of knowledge about the federal privacy laws. Most (72%) respondents in the Finance/Insurance sector said that their organisation had a high level of knowledge or some knowledge concerning the new privacy laws. In contrast, 50 percent of respondents in the Education/Health sector and 42 percent of respondents in Publishers/Advertisers/Direct Mail said that their organisations had some knowledge about the privacy laws. About 60 percent of respondents in each of the industry sectors Retail/Manufacturing, Entertainment/Travel, and Business/Personal Services said their organisations had very little or no knowledge about the new privacy laws.

These findings suggest that industry sectors that have a history or culture of following professional ethical guidelines regarding privacy and confidentiality are likely to be more aware of the new privacy laws than those sectors that do not have a shared history. Certainly, more knowledge would mean more awareness of the new privacy laws, but the findings also suggest that some industry sectors will find the notion of implementing new privacy procedures less familiar, and perhaps more onerous, than others that have existing policies.

Impact of privacy laws on business across industry sectors

The greater awareness and knowledge about the new federal privacy laws shown by respondents in the Finance/Insurance sector could be related to the perceived impact that the laws will have on business in this sector. The majority (77%) of respondents in the Finance/Insurance group said that the new federal privacy laws currently have considerable impact upon the way their business is conducted; only 22 percent of this group said the new laws would have no impact on the conduct of their business. In contrast, a substantial proportion (37% to 46%) of respondents in all other industry sectors stated that the new laws would not impact at all upon the way their business is currently conducted.

Preparation for new legislation across industry sectors

The Finance/Insurance sector appears to be most prepared, compared to other industry groups, for the new legislation. Over half (54%) the respondents in the Finance/Insurance sector said their organisation had started preparing for the new legislation. In contrast, the majority (57% to 75%) of respondents in each of the other industry sectors stated that their organisations had not yet started preparing for the new privacy legislation.

Interestingly, type of industry does not seem to effect perceptions of the information available to prepare for the new legislation. Most (83% to 95%) respondents in all industry sectors, including Finance/Insurance, who stated that their organisations had not started preparing for the new legislation, also said that they did not have sufficient information on the new privacy laws to begin preparing for the new legislation.

STATE LOCATION OF ORGANISATIONS

While all States and Territories were included in the interview sample, more detailed breakdown of responses by location was restricted to those States that had at least 60 respondents (Victoria, New South Wales, Queensland, Western Australia). The State location of organisations in which respondents worked did not seem to effect respondents' attitudes toward the importance of the privacy of customers' personal information (all considered such information to be important). Attitudes toward the impact of a breach of customer privacy on the organisation's public profile and customer relations also did not vary across State locations (all considered the publicity impact of a breach of customer privacy would be damaging to their organisation).

There were no noticeable differences between respondents in Victoria and New South Wales in responses to the major questions addressed in the interviews. Respondents in organisations in the larger States, Victoria and New South Wales (compared to those in Queensland and Western Australia) were more likely to say that their organisations had started preparing for the new federal privacy legislation.

Respondents in organisations in Victoria, New South Wales, and Queensland (compared to those in Western Australia) were more likely to say that the success of their business was dependent on their ability to protect and responsibly use their customers' personal information. Respondents in these three States also noted that they had access to an industry association relevant to their organisation that had developed guidelines outlining privacy protocols for the collection, use and protection or storage of customers' personal information.

PRIVACY OFFICER PRESENT IN ORGANISATION

Less than 40% of respondents said that their organisations had a privacy officer, that is, a nominated staff member to oversee privacy issues relating to the collection, transfer, and use of customers' personal information. The results of the research suggest that organisations that were more likely to have privacy officers were: located in Victoria and New South Wales; larger in size (i.e., more than 20 employees); and in the industry sectors Finance/Insurance, Education/Health, and Publishers/Advertisers/Direct Mail. Organisations that were less likely to have privacy officers were in the industry sectors Entertainment/Travel, Retail/Manufacturing, and Business/Personal Services.

The presence or absence of a privacy officer in their organisations did not seem to effect respondents' attitudes toward the importance of the privacy of customers' personal information or the impact of a breach of customer privacy on the organisation's public profile and customer relations.

Respondents in organisations that had a privacy officer (compared to those in organisations that did not have a privacy officer) were more likely to state that the success of their business was dependent on their ability to protect and responsibly use their customers' personal information. Those respondents who stated that their organisations had a privacy officer were also more likely to have an industry association relevant to their organisation that had developed guidelines outlining privacy protocols for the collection, use and protection or storage of customers' personal information and currently follow the privacy guidelines set out by the industry association.

Respondents in organisations that had privacy officers tended to be more knowledgeable about the federal privacy laws. Compared to respondents in organisations without a privacy officer, those in organisations with a privacy officer tended to be aware of the existence of the federal privacy laws, be aware of what organisations the federal privacy laws applied to, and know that the new federal privacy laws come into effect in December this year. Respondents in organisations with privacy officers also stated that their organisations had a high level of knowledge concerning the new privacy laws and that their organisations had started preparing for the new legislation.

In contrast, respondents in organisations that did not have a privacy officer (compared to those in organisations that did have a privacy officer) tended to lack awareness of the existence of the federal privacy laws, what organisations the laws applied to, and when the laws would come into effect. Respondents in organisations without privacy officers noted that their organisations had very little knowledge concerning the new privacy laws and their organisations had not started preparing for the new legislation.

These findings raise an interesting question of causality: What has led to what? Has lack of organisational knowledge about the new privacy laws led to the absence of a privacy officer in these organisations? Conversely, has the lack of a privacy officer led to lack of organisational knowledge about the new privacy laws? Given the Privacy Amendment Bill comes into effect in December of this year, it would seem important for organisations to nominate a person to start the process of attaining appropriate knowledge and instituting procedures towards the organisation's preparation for the new legislation.

[Index][Executive Summary index] [Introduction index] [ Methodology index] [Main Findings index] [List of Figures] [List of Tables]

2. INTRODUCTION

2.1 Background information

The Office of the Federal Privacy Commissioner (OFPC) is an independent statutory office responsible for promoting an Australian culture that respects privacy. The Office currently has responsibilities under the Federal Privacy Act 1988 for promoting protection of individuals' personal information.

The responsibilities of the Office, however, will alter substantially in December 2001 when the Privacy Amendment Bill (introduced into Parliament in April 2000) comes into effect. The Privacy Amendment Bill proposes to amend the commonwealth Privacy Act 1988 to extend privacy standards to the private sector, thus requiring private sector organisations to meet specified standards for the handling of personal information.

In order to assist in the development of an effective communication strategy to advise the various target groups of the changes, and to inform future policy development, in January 2001, the Office of the Federal Privacy Commissioner commissioned Roy Morgan Research to undertake research into community, business and government agency attitudes toward privacy.

In order to ascertain the views of each target group (i.e., community, business and government) three separate surveys were conducted, each involving a qualitative and quantitative component. For the 'business' target group (the focus of this report), the research included a qualitative component involving face-to-face interviews with senior level management persons in private sector organisations in Sydney and Melbourne. This stage of the research informed the development of the quantitative survey consisting of 560 telephone interviews.

2.2 Research objectives

Broadly, the objectives of the survey involved:
· identifying current practices of organisations in relation to the privacy of personal information;
· identifying business attitudes in relation to privacy issues and practices;
· gauging current levels of knowledge in organisations with regard to privacy; and
· gauging current levels of awareness and understanding of the new privacy laws and the Privacy Commissioner.

3. METHODOLOGY

3.1 Interviewing

Interviews were conducted with a total of 560 business respondents using a Computer Assisted Telephone Interviewing (CATI) methodology.

In order to ensure interviews were conducted with the most appropriate person in the organisation, the introduction of the questionnaire asked for "the person best able to answer questions on the organisation's practices concerning the handling of customer personal information", and provided some examples of the likely position this person might hold. The introduction also contained a screening question to ensure interviews were only conducted with organisations that in some way dealt with consumers' personal information.

The telephone number that Roy Morgan Research used to contact the organisation was, in most cases, that of the CEO or their PA (rather than the receptionist), hence, the suitability of the organisation for inclusion in the survey and the most appropriate person to respond to the questions could be identified relatively efficiently. Once identified, the respondent was given the option of completing the interview at that time, or could make an appointment for the interviewer to call back.

3.2 Questionnaire design

The questionnaire was designed in close consultation with staff from the Office of the Federal Privacy Commissioner who, in turn, sought input from a committee of relevant stakeholders. Questionnaire design was aided by the findings from the qualitative phase of the research in terms of identifying appropriate pre-codes to questions and the suitability of the proposed content. The final questionnaire consisted of 46 questions and took just under 20 minutes (19.5) to complete.

3.2.1 Pilot testing of the questionnaire

In order to ensure the introduction was effective in terms of delivering the most appropriate respondent, and that the questions flowed and were understood by respondents, a pilot of 15 interviews was conducted. Feedback from interviewers revealed that the introduction and questions worked well, hence no changes were made to the questionnaire on completion of the pilot.

A copy of the survey questionnaire is attached at Appendix A.

3.3 Sampling frame and sample design

Contact lists purchased from Dunn and Bradstreet provided the sampling frame for this project. The industry classification system used by Dunn and Bradstreet was the Standard Industrial Classification (US SIC).

The 5,000 individual businesses included in the list were randomly selected from 68 specific industry groups identified by the Office of the Federal Privacy Commissioner. In order to manage industry quotas and reporting, the 68 industries were classified into the following six broad industry groups:

· Publishers/Advertisers/Direct Mail
· Retail/Manufacturing
· Entertainment/Travel
· Finance/Insurance Services
· Business/Personal Services
· Education/Health Services

The type of industries allocated to each of the groups can be seen in Attachment B.

The sample of 500 was allocated evenly across the six broad industry group and quota placed on particular industries within these broad categories to ensure an adequate number of interviews were conducted with organisations of high interest to the Office of the Federal Privacy Commissioner. In order to achieve the quotas and to complete all interviews where appointments had been made, the total number of interviews exceeded the target of 500, and totalled 560.

3.4 Response Rates

The following table shows the number of calls made to achieve the 560 interviews, along with the number of refusals and terminations. Overall, approximately 65% of businesses who were contacted and 'in scope' (i.e., the organisation met the criteria and the best respondent was available) participated in the survey. Of all businesses contacted, that is, those 'in scope' or 'out of scope', 40% participated in the survey.

Table 1: Response Rates for Interviews

Of those who refused to participate in the interview (n=227):

· 61% said they were too busy;
· 17% said they were not interested;
· 11% thought it was not relevant to their business;
· 3% did not do surveys as part of company policy;
· 1% said their organisation was too small;
· 7% gave other reasons (including unwilling to give information over the
telephone, concerns about confidentiality, and needing to get the permission of
the manager).

3.5 SAMPLE CHARACTERISTICS

3.5.1 Size of organisations

Slightly more than half the sample (56%, n=315) represented organisations with less than 20 employees; the remainder (44%, n=245) represented organisations with more than 20 employees.

While small businesses (less than 20 employees) account for approximately 96% of all registered businesses in Australia , larger businesses (those with 20 employees or more) were over-sampled in order to maximise the range of views from this important sub-group.

While only those organisations (large and small) who handled personal information were included in the research, large businesses were seen as important to the study as the majority will be covered by the legislation, and the impact of the change, in terms of staff training and systems preparation etc., is likely to be relatively significant for this group. Alternatively, not all small businesses will be covered by the legislation as some of them will be able to claim the 'small business exception'. The responses of small business, nevertheless, were important to the study as the prevalence of this group necessitates a comprehensive understanding of their views and attitudes towards privacy issues.

Furthermore, as a group, small businesses are more difficult to communicate with and obtain direct feedback from, hence the survey provided an ideal opportunity to glean an insight into their views and needs regarding privacy.

3.5.2 Location of organisations

The location of participants by State/Territory is shown in Table 2.

Table 2: Distribution of Respondents by State/Territory

Base: All respondents.

Over half the respondents (63%) were located in New South Wales and Victoria, 31% were located in Queensland, Western Australia, and South Australia, and the remaining 6% were located in Tasmania, the ACT and Northern Territory.

3.5.3 Type of industry
Table 3 shows the distribution of respondents in each of the six industry groups.

Table 3: Distribution of Respondents by Type of Industry

About a quarter of the sample (24%) was in Retail/Manufacturing industries. The remainder of the sample was distributed about evenly in the other five categories, ranging from 13% to 17% in each industry group.

3.5.4 Position of respondents in organisations
The managerial positions of respondents in their organisations are shown in Table 4.

Table 4: Distribution of Respondents by Position in Organisation

The majority of respondents (60%) were in Senior Management positions (Director/ CEO/ Top Level) within their organisations, about 30% were in Mid-Level Management positions, and the remaining 10% were in Lower Level positions (Lower Level Management/ Supervisory/ Support Staff/ Junior Level).

3.5.5 Position of respondents in organisations by type of industry

The pattern of distribution of respondents' positions in organisations was consistent across industry groups (see Table 5 and Figure 1).

Table 5. Distribution of Respondents by Position and Industry

Base: All respondents.
The majority of respondents in each industry group were in Senior Management (range 56% to 67%) or Middle Management (range 24% to 36%) positions within their organisations.

Figure 1: Distribution of Respondents by Position in Organisation

3.5.6 Privacy officer in organisation

Respondents were asked, Does your organisation have a nominated staff member to oversee privacy issues relating to the collection, transfer and use of customers' personal information? Responses to this question are shown in Table 6 and Table 7.

Table 6: Location of Privacy Officer

"Does your organisation have a nominated staff member to oversee privacy issues relating to the collection, transfer and use of customers' personal information?"

Base: All respondents.

The majority of the sample (60%) noted that their organisations did not have a designated privacy officer, and 36% of the sample said they did have a privacy officer.

Table 7: Location of Privacy Officer by Type of Industry

Base: All respondents.

The majority of organisations within the different industry sectors (range 52% to 76%, except Finance/Insurance, 42%) did not have a nominated staff member to oversee privacy issues. The exception to this pattern is in the Finance/Insurance sector, where 54% of respondents in this group said they did have a designated privacy officer in their organisations (see Figure 2).

Figure 2: Location of Privacy Officer

Table 8 shows responses to the question about designated privacy officers by State location. (Note that data only from those States with more than 60 respondents interviewed are shown in the table.)

Table 8: Location of Privacy Officer by State

Base: All respondents in specified States.

The majority (55% to 73%) of respondents in the four States said that their organisations did not have a privacy officer. Victoria and New South Wales seem better served with respect to privacy officers than Queensland and Western Australia. About 40% of respondents in Victoria and in New South Wales said they had privacy officers in their organisations.

[Index][Executive Summary index] [Introduction index] [ Methodology index] [Main Findings index] [List of Figures] [List of Tables]

4 MAIN FINDINGS

4.1 Importance of Privacy of Customers' Personal Information

Responses to the question, How important an issue would you consider the privacy of customers' personal information to be for your organisation? are shown in Table 9.

Table 9: Importance of Privacy of Customers' Personal Information

"How important an issue would you consider the privacy of customers' personal information to be for your organisation?"

Base: All respondents.

A large majority of the sample (95%) said they considered the privacy of customers' personal information to be important (Very important/ Important); only 3% said it was not important (Not very important/ Not at all important).

The pattern of responses to the question about the importance of privacy to the organisation was consistent across industry groups (see Table 10).

Table 10: Importance of Privacy of Customers' Personal Information by
Type of Industry

Base: All respondents.

The large majority of respondents in each industry group (range 89% to 98%) said they considered the privacy of customers' personal information to be important (Very important/ Important). Less than 10% in each industry group (range 0 to 6%) said it was not important (Not very important/ Not at all important) (see Figure 3).

Figure 3: Importance of Privacy of Customers' Personal Information

"How important an issue would you consider the privacy of customers' personal information to be for your organisation?"

Attitudes toward the importance of the privacy of customers' personal information do not seem to vary by the size of the organisation or whether the organisation has a privacy officer (see Table 11).

Table 11: Importance of Privacy of Customers' Personal Information by
Size of Organisation and Location of Privacy Officer

Base: All respondents.

Most respondents (96%) in organisations with less than 20 employees said privacy of customers' personal information was important (Very important/ Important), as did most respondents (94%) in organisations with more than 20 employees.

The majority (97%) of respondents in organisations with a designated privacy officer as well as the majority (94%) of those in organisations without a privacy officer said that privacy of customers' personal information was important (Very important/ Important).

Attitudes toward the importance of the privacy of customers' personal information do not seem to vary by State location of the organisation (see Table 12).

Table 12: Importance of Privacy of Customers' Personal Information by State

Base: All respondents in specified States.

4.1.1 Reasons for Importance of Privacy of Customers' Personal Information to Organisation

Respondents were asked, What makes the privacy of customers' personal information an important issue for your organisation? Responses to this question were coded into eight categories (see Table 13).

Table 13: Reasons for Privacy of Customers' Personal Information Being Important to Organisation

"What makes the privacy of customers' personal information an important issue for your organisation?"

Note: Respondents could give more than one reason.

The most common reasons (representing over 10% of responses in each category) given for the privacy of customers' personal information being important were:

· Ethical/moral reasons/ Confidentiality/ It's our policy
· Our line of business requires it/ We deal with confidential information
· Reputation/ Credibility of our business/ Consumer confidence
· Customers expect it of us/ We want customers to trust us

Less commonly cited reasons (representing less than 10% of responses in each category) for the privacy of customers' personal information being important were:

· We handle tax/financial/legal information
· Don't want competition to have this information/ Don't want it misused
· Because of legal implications/ It's the law/ Don't want to get sued
· It is important (essential) for any business/ Is good business practice

Responses to the question of reasons for the importance of privacy of customers' personal information by industry group are shown in Table 14.

The most frequently cited reasons (representing 15% to 36% of responses in each industry group) were:

· Ethical/moral reasons/ confidentiality/ it's our policy
· Our line of business requires it/ We deal with confidential information

The least frequently cited reasons (representing less than 10% of responses in each industry group) were:

· Because of legal implications/ It's the law/ Don't want to get sued
· It is important (essential) for any business/ Is good business practice

There are some differences in the pattern of responses across industry sectors to the question, What makes the privacy of customers' personal information an important issue for your organisation? These patterns are shown in Table 15 in order of the five most common reasons (i.e., above 10% of responses) given in each industry group.

Table 15: Most Common Reasons for Importance of Privacy of Customers' Personal Information
by Type of Industry