• Home
  • Search
  • FAQs
  • RW Connect
  • Shopping cart
  • Sharing options
  • ESOMAR Directory
  • Search

Stay updated

Subscribe to our newsletter

How Australia's Data Privacy Landscape Changed

21 May 2015

Last year Australia’s privacy laws changed extensively when the Privacy Amendment (Enhancing Privacy Protection) Act 2012 entered into force. In December the Association of Market and Social Research Organisations (AMSRO) registered its Privacy Code under this new act.

Following this first landslide, Australian government this year voted to pass a mandatory data retention plan, resulting in more and more Australians looking for privacy and hiding their digital identities. This demonstrates the importance of respecting respondents’ privacy when conducting market research in Australia.

The Privacy Act and Australian Privacy Principles (APPs)

The Privacy Amendment Act 2012 made many significant changes to the out-of-date Privacy Act 1988. The Privacy Act now includes a set of 13 new harmonized privacy principles that regulate the handling of personal information by government agencies and private sector organisations. The APPs only apply to private sector organisations with annual turnover of $3 million or more.

The Privacy Amendment Act brought along significant, new enforcement powers, penalties and sanctions for the Privacy Commissioner. Significant penalties apply for breaches of the APPs. In the case of organisations that have committed serious or repeated breaches, penalties can hit $ 1,7 million.

There are no specific laws regulating cookies in Australia, but the use of cookies requires appropriate notification to Internet users whenever personal information is collected through them.

The APPs cover topics as:

-       Anonymity and pseudonimity

-       Collection of personal information

-       Privacy policies

-       Use and disclosure of personal information

-       Direct marketing

-       Cross-border disclosure of personal information

-       Quality, security, access and correction of personal information

How market research companies can best apply these principles is set out in the AMSRO Privacy Code, designed to relate the APPs to industry practices in a clear and unambiguous way. Even though the APPs do not normally apply to small business operators, they do apply if the nature of the operator is to provide a service (…) to collect identified information. Since most market researchers collect identified information and provide services based on insights gained from them, they cannot rely on this exemption. Furthermore, the AMSRO Privacy Code applies to all members of AMSRO.

For market researchers already abiding by the ICC/ESOMAR International Code on Market and Social Research, most principles in the APPs will not be new. For example article 7 of the ICC/ESOMAR Code requires market researchers to adopt a privacy policy, to not collect more personal data than necessary, to make sure data is processed securely, the participants have the right to access their data and have it rectified or deleted, and to use personal data only for the specified research purpose. These principles can also be found in the APPs.

However, when drafting or reviewing your organisation’s privacy policy, it would be recommended to review APP1 on privacy policies to make sure it contains all the elements required by law. Furthermore, it would be advisable to review APP8 before transferring personal data abroad.

AMSRO Code Registered

On the 1 December 2014, the Australian Association of Market & Social Research Organisations (AMSRO) was the first and only industry body to get its Privacy Code registered with the Australian Privacy Commissioner. All full and associate members of AMSRO are bound by its code setting out how the Australian APPs are to be applied and complied with by AMSRO members.

The AMSRO Privacy Code aims to ensure that member organisations understand how the new APPs are applied with regards to collecting, retaining, using, disclosing, and destroying personal information about the subjects and participants in market and social research. As such, it is useful for market research agencies doing business or looking to do business in Australia, to have a look at the AMSRO Privacy Code.

As most major research organisations in Australia are members of AMSRO, it means that the great majority of genuine research approaches to the public - ranging from large-scale national surveys to smaller more specialised collections - operate within the framework of the approved co-regulated Code. The AMSRO Privacy Code also offers a dispute resolution mechanism, allowing members to report to AMSRO and seek guidance from its Privacy Compliance Committee, before a privacy matter is escalated to the Privacy Commissioner’s office.

International Data Transfers

The Privacy Act differs in varying respects to common regional and national privacy law frameworks, including national laws in other APEC countries like Singapore, Malaysia and New Zealand. For this reason, caution should be exercised when conducting research in Australia from another APEC country.

According to APP 8, any transfer or provision of electronic access – even read-only – of personal data about an Australian individual, is considered a disclosure of personal information when this information is sent to a third party abroad, even if this third party is employed by the same multinational organisation as the person transferring the data.

Whereas the EU privacy framework relies on the use of binding corporate rules and declarations of adequacy, the Australian Privacy Commissioner has not issued a list of countries whose laws, or binding privacy schemes it considers substantially similar to Australian law. APP 8 holds that: “personal information can only be transferred if the organisation reasonably believes the recipient is subject to a law or binding scheme that has the effect of protecting the information in a way that is, overall, substantially similar to the APPs.”

For market researchers transferring personal information from Australia to other countries, whether within the same company or not, it is important to adhere to the laws in both countries and to have adequate informed consent for a cross-border transfer, notifying the respondent or research participant that they will not be able to seek redress under the Australian Privacy Act for the disclosed information.

Cloud Storage

In some countries storing personal information in a cloud, with servers located overseas, would be considered a transfer of personal information. The Australian Privacy Commissioner considers storing information in the cloud for the limited purpose of storing, provided that only the Australian organisation has access to the information, a use of data, rather than a transfer or disclosure.

State based laws

Apart from the updated Privacy Act, other laws that could have an effect on market and social opinion research are state based and could differ between the Australian states, such as: regulation of surveillance in public places, use of tracking devices, geo-location tracking and recording technologies.

Australians flocking to VPN to protect their privacy

In March 2015 Australia’s major parties voted to pass a data retention law, mandating the tracking of call records, assigned IP addresses, location information and billing information, among other data and it empowers security agencies to access those without a warrant.

As a result Virtual Private Network (VPN) service providers saw their subscriptions from Australia rise by 500% and as many as 16% of Australians are using a service such as Tor or a VPN to protect their privacy online. According to a report by Essential Media Communications, more than one in five Australians aged 18 - 34 are paying to hide their digital identity.

For market researchers, this may introduce a further bias while sampling. For agencies engaged in audience measurement research, this might also mean an increase in operational costs. It further signals the privacy concerns of young people.

ESOMAR’s Government Affairs Team continues to monitor legal developments that are likely to impact our abilities to conduct and use market, social, and opinion research. If there are any updates on Australian laws that are of concern to market research, the team will keep you informed.