While the APPs place significant new requirements on organisations, they have been designed to still enable organisations to conduct many of the data collection and analysis activities they have always undertaken, but with a new emphasis on disclosure and opting out. For this reason, Crompton says the APPs need not spell the death of the use of predictive analytics.
“The new APPs are no more of a hindrance to consumer-focused big data projects than the current NPPs, so it is not as if anything is going backwards,” Crompton says.
This is particularly critical to major banks and retailers, who have become significant users of analytics technology to determine customer behaviours and preferences.
“Today the decision for businesses and their CIOs is how to best to use this data to enhance customer relationship value,” Harte says.
“As a bank, our customers’ trust is absolutely critical to our commercial success. What we know from our own, and from industry research, is that our customers do trust us. They want us to help them secure their financial wellbeing.”
While Harte is confident regarding CBA’s compliance with the APPs, many other organisations may be less entitled to do so. Pilgrim has already identified behavioural targeting – a favourite tool of online advertisers which uses consumer behaviour to make assumptions about their interests – as an area for further investigation.
“That’s an issue that I think is going to be growing, particularly in the online environment,” Pilgrim says. “There are issues around how people’s personal information is being collected and used in that type of situation, and that may be an area down the track where a code might be useful.”
While much of the details around the APPs have yet to be tested in the real world, the need to ensure an organisation is compliant still remains.
Crompton says a successful approach to compliance means ensuring that the organisation has a culture of accountability. When it comes to complying with the new APPs, the best starting point is to run a privacy ‘health check’ to determine exactly where the organisation already lies in terms of compliance.
“You can delegate responsibility, but you can’t delegate accountability,” Crompton says. “The CIO has as much responsibility as anyone else to ensure that at least a health check has been conducted through the organisation on privacy.”
There is also a wealth material available online from the website of the Office of the Australian Information Privacy Commissioner.
“There is a lot of guidance material there, and there is no excuse for not being familiar with that,” Crompton says. “And that will provide a lot of the specificity.”
According to Simpson, organisations that find the transition the easiest are those that already have a robust information framework in place.
“With a formal well-defined framework about information management and information security, you are well on the way to providing some assurance to the rest of the stakeholders and the execs that you’ve got a handle on this,” he says.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.