Privacy Survey - How Well Do You Understand Privacy?
This article was published this week in the journal Privacy Unbound.
In January-February 2016, Service Excellence Consulting, in conjunction with WorkPro, conducted an online survey of 1800 individuals about their understanding of privacy.
The results were surprising and somewhat disappointing.
Privacy affects all individuals: as customers who share their personal information with businesses and service providers, and as employees working in those organisations who collect and use this personal information to provide a service at some level.
The importance of dealing with personal information with care and respect has been raised in recent years. In 2012 amendments were made to the Privacy Act 1988, and more recently there has been a host of media stories about breaches of privacy as a result of system hacking, data theft, negligent releases and other inappropriate data practices.
Despite all this attention the results from this survey indicate that there is plenty of room for improvement in the level of awareness and understanding of privacy in relation to personal information.
Summary of findings:
- The "don’t knows" were in the outright majority in most of the questions.
- Only 3% of respondents were confident their business understands privacy, and even fewer were confident that appropriate data security measures are in place.
- More than half the respondents had undertaken some form of training on privacy.
The results are so startling that, even considering only the order of magnitude of the responses rather than the exact figures, they strongly suggest there is far more to be done: individuals need to be made more aware of privacy matters, and businesses need to clarify their privacy controls and provide adequate training.
How the survey was conducted
Nine questions were presented on the WorkPro website, and over the months of January to February a total of 1800 responses were received. Almost all respondents were engaged as employees or contractors, although some were seeking work. They came from across all industries, and their roles ranged from blue collar trades to senior management and other professional roles.
The survey consisted of nine questions which were designed to assess:
- respondents' knowledge of how their business should manage personal information; as well as
- respondents' awareness of their rights surrounding how their own personal information ought to be managed.
The questions were:
- On an individual note, do you feel your organisation or business understands the privacy requirements?
- Is there a distinction between privacy and confidentiality?
- On an individual note, has your personal privacy been breached by an organisation or business?
- What industry, profession or trade do you work in?
- Do you think your business has appropriate data security measures in place to protect the privacy of the people you collect information from?
- To which industries, trades or professions does the privacy of personal information apply?
- Have you ever been trained on privacy management in a work environment?
Q1: On an individual note, do you feel your organisation or business understands the privacy requirements?
Only 2% of respondents could confidently state that their organisation understood the requirements of the Privacy Act. Over 60% thought (or hoped) the privacy procedures should be OK, and a significant 37% did not know. So a total of 98% were not at all sure about this.
Q3: What industry, profession or trade do you work in?
This lack of awareness about privacy management procedures is even more concerning when you factor in that 93% of respondents work in areas that deal with large quantities of personal, and often sensitive, information. The finance sector (which had over 300 respondents), administrative support staff and medical centres routinely manage highly personal information, including pay records, contact details and health records.
Q4: To which industries, trades or professions does the privacy of personal information apply?
Respondents tended to expect that all businesses are subject to the Privacy Act. In fact, the Act makes an exception for businesses with a turnover of less than $3 million, except where the business deals with or trades in personal information, such as in recruitment, health and finance, in which case it is subject to the privacy legislation regardless of its size or turnover.
Q5: Do you think your business has appropriate data security measures in place to protect the privacy of the people you collect information from?
Only 1% of respondents were confident that appropriate data security measures are in place. A key element of data security is the permissions and access levels granted to individuals: who has full and who has partial access; how well are access restrictions implemented; how well are passwords controlled; and what protocols are in place for data edits and data downloads?
A sound privacy management system would be understood by all those who have access to personal information. Does this result indicate a disconnect between the information employers are providing and the information employees are retaining? Are companies failing to have adequate systems in place? Or is it that their employees don't know about them?
Either way, there appears to be a large risk here.
Q6: Have you ever been trained on privacy management in a work environment?
This result indicates significant gaps in knowledge and raises the question: what kind of training was provided, and how long ago was it delivered?
Have these organisations been regularly monitoring and updating their employees' understanding of the company's privacy procedures? Have they taken the approach of "I told you once and that should be enough"?
Or have they failed to provide proper training altogether?
Q7: On an individual note, has your personal privacy been breached by an organisation or business?
Four respondents indicated that their personal privacy had been breached by an organisation or business. A further 452 indicated that their privacy may have been breached, but they weren't very sure.
No one should have their personal privacy compromised, and businesses must be aware that individuals can lodge complaints with the OAIC if they believe that there has been a breach in the management of their personal information.
However, the fact that 452 respondents were not sure leads to another question: do they know and understand what their privacy rights are in the first place?
Q8: Is there a distinction between privacy and confidentiality?
The purpose of this question was to determine the level of understanding of the concept of privacy. Whilst the terms are often used interchangeably, technically the term "privacy" relates to personal information as described in the Privacy Act, and "confidentiality" relates to protecting information that relates to the business (strategic and commercially sensitive information about a business, and information about individuals managed by lawyers and health practitioners). It was assumed that respondents with a strong understanding of privacy concepts would be able to differentiate between these two terms. A significant portion of respondents indicated that there is a difference; our next question would be to ask what the difference is.
It remains to be seen whether this translates into practice: does the company have privacy policies? Are they available in multiple formats? Are they located in an easy-to-find location on the website?
The privacy legislation has been around for over 20 years, but attention to it only now seems to be waking up. The dual threats of cyber hacking and of poor data management will no doubt continue to grow, and more stories of breaches will hit the headlines. More legislation and controls may yet emerge and impose even more obligations on businesses that handle personal information. Individuals, both as customers who share their personal information with businesses and service providers, and as employees working in those organisations who collect and use this personal information, will need to learn far more about how to manage data better.
This survey indicates that we all need to do far better than we have to date.
The federal government will soon be considering whether to implement mandatory data breach notification for serious breaches of privacy. It would require all entities covered by the Privacy Act to notify both the privacy regulator (the Office of the Information Commissioner) and the affected individuals when a breach occurs.
Your company's reputation will take a big blow if these laws come into effect and you are forced to explain a breach to your clients.
And even if it doesn't? Customers and employees can still lodge a complaint with the OAIC that their personal information has been mishandled. The Information Commissioner can decide whether or not to open an investigation into the matter, and this, too, will be publicly listed on the OAIC website and in news bulletins.
Privacy and the management of personal information is an issue that has always been bubbling just beneath the surface. But as we hurtle further into the technological era and struggle with data controls and security, this issue could explode.
- WorkPro is a web-based employee screening and induction solution that gets individuals 'work ready' quickly and simply. Providing services across Australia and New Zealand, WorkPro aggregates work health and safety e-learning, licence/ticket management and on-demand background screening in a single platform. Used by more than 1 million individuals and partnering with over 800 customers, WorkPro is committed to keeping compliance simple: one login, one password, one destination.