We should all have heard of, if not know of, Deloitte, one of Australia’s leading professional services firms, and winner of both the Australian Financial Review/CFO Audit Firm of the Year and Accounting Firm of the Year awards in 2013.
Its second annual assessment of the privacy practices of 116 leading consumer brands (operating in Australia) reveals that a more sophisticated Australian consumer has emerged; one that equates privacy with trust around how their data will be kept safe, used and shared.
The report found that 94% of consumers believe trust is more important than convenience; communicating how information is used and shared builds trust; and thinking and acting globally when responding to regulatory change is increasingly necessary.
In deference to the importance and impartiality of the report the remainder is presented verbatim.
The Deloitte Australian Privacy Index 2016 (registration required for a free report) finds that consumers trust organisations that use their information reliably and respectfully. They want adequate security measures when their information is submitted via publicly available means, and that tell them how the information collected by their websites and mobile apps will be used.
Deloitte national lead partner, Cyber Risk Services Tommy Viljoen said: “It is quite straightforward. Privacy for today’s Australian consumer is inextricably linked with trust. Australians, whether millennials or baby boomers, want to be confident that the organisations with which they entrust their personal data, are reliable, and that they treat their information with respect.
“We want to know our information is secure when it is submitted via publicly available means, such as a website or mobile app. And we also want to know how our information will be used.
“One of the most telling findings in this year’s consumer survey is that 94% value trust over convenience, whether using a website or a mobile app.”
The most trusted [with personally identifiable information – PII] industries in the Deloitte Australia Privacy Index 2016 overall are:
- Banking & finance
- Telecommunications (mobile/internet/home phone)
- Travel & transport (airlines/agencies/hotels/taxi)
- Health & fitness
- Media (news, television, radio, entertainment)
Viljoen said: “Banking & finance organisations overtook government as leaders in privacy this year as both these heavyweight groups continue to vie for pole position. The energy sector came in third followed by insurance and telecommunications, which jumped from tenth position last year to fifth.
“To determine where each of the 13 sectors sits in the overall Index, Deloitte supplemented the survey of the 1000 consumers, with a website analysis, a confidential organisational survey of the 116 brands, and for the first time, analysis of their mobile apps where available.”
- When combining the results of three of the components assessed, banking & finance organisations took seven positions in the top ten
- A government organisation was the best individual organisation and government bodies took the remaining two places in the top 10
- Industries ranked at the top of the index are highly regulated; those in the lower half are less regulated
- Both real estate and higher education, new industries introduced in 2016, were ranked in the lower half
- Higher education is, nevertheless, perceived to be a top five trusted industry by consumers, but their websites and mobile apps performed less well on the index
- The telecommunications industry improved from 10th position last year to the top five in 2016
- Social media on the other hand plummeted from third position to 11th overall pulled down by consumer sentiment despite doing well in the website analysis with transparent privacy policies.
Organisations that did well had:
- Mobile apps that communicated to the individual user when they took actions on a mobile device
- Implemented security protocols on their website when capturing personal information
- A brand deemed trusted by consumers
- Cookies with a shorter expiry timeframe – the average time was 657 days; the worst were persistent cookies stored for three or more years.
Key insights from the Deloitte Australian Privacy Index 2016 consumer survey:
- Australian consumers are most concerned about sharing credit card details (71%); identification numbers (65%); medical records (34%)
- 18 to 25 year olds are more concerned about sharing mobile numbers or browsing history than medical records; 26-39 year olds are more concerned about sharing their address
- 71% of the 1,000+ consumers surveyed had never had a privacy issue with a brand
- 29% cited 851 privacy issues with organisations included in the survey over the last 18 months
- We complain more about privacy as we get older; more than 38% of 40-64 year olds have made a privacy complaint but less than 8% of 18-25 year olds have.
- 67% of respondents are concerned when organisations send personal information outside Australia
As the Australian Privacy Commissioner Timothy Pilgrim said: “Privacy is an international conversation, particularly as information flows have become more complex, traversing national borders and established regulatory jurisdictions.”
Deloitte Client Manager, Cyber Risk Services Marta Ganko, who co-authored the Privacy Index said: “Any organisation which shares data has become a data broker of some sort. As organisations collect and share more of their customers’ data with external parties, consumer confidence, trust, choice, as well as commercial interests, become important elements to balance in an increasingly digitally borderless world.
“This requires organisations to break down their own borders and operate transparently to continue building trust with consumers.”
Ganko explained that the combination of emerging privacy regulation and the common practice of sharing data have highlighted new types of borders. “National borders are obvious; however, there are subtler borders such as those between organisations and their subsidiaries or third parties,” she said.
“Until now, the majority of organisations in Australia have only had to consider local privacy laws. However, the need to maximise commercial opportunities, implement efficiencies and reduce costs has led organisations to engage or partner with third parties, which are often located overseas and so are subject to different and sometimes more stringent laws. This means that Australian-based organisations have to now consider global approaches to managing privacy risks associated with trust and reputation.”
National Privacy Awareness Week (15-21 May) PRIVACY IN YOUR HANDS
It would appear that the Commissioner’s call to action in Privacy Week 2015, that organisations and agencies build a culture of privacy, and ensure they become more proactive in meeting their compliance requirements, has been taken on board.
Viljoen said: “Compared with 2015, the number of organisations using a layered approach in their privacy policies in 2016 has substantially increased, which is very pleasing.”
The Deloitte Australian Privacy Index 2016 highlights that:
- More than 90% of organisations internally report all privacy incidents and breaches
- Almost 70% of organisations conducted a Privacy Impact Assessment for business changes
- Close to 70% of organisations have developed or intend to develop a privacy strategy
- More than 80% of organisations have considered how global changes such as the EU General Data Protection Regulation will impact their organisation.
Mobile App Analysis
Ganko said: “Given that mobile devices have become the way we connect with the world we thought it important to analyse the top brands’ mobile apps. This included assessing the privacy policies of the apps, as well as the way they behaved.
“Our most surprising finding on behaviour was that after downloading the app and before even logging into most of the 88 apps accessed, the app was reading information from our device, of which 94% was sent overseas. Depending on the app, this data could include your contacts and/or your location; however, individuals were always informed in these cases.”
The industries that performed best against the defined mobile analysis metrics of the Index, with number one ranked the best, were telecommunications; banking & finance; government; media; and retail.
Access to location
- 14% of the 88 apps tested accessed user location information
- The telecommunications industry’s apps accounted for the majority of location access events (90%), followed by social media mobile apps (6%) and travel & transport mobile apps (3%)
- Apps from banking & finance, energy, government, higher education and insurance do not access location information from a mobile device
Information leaving a mobile device
- 85% of the apps analysed made a connection to send or receive data from a location (including Australia)
- The technology sector sent and received the most data (35%), followed by travel and transport (30%) and retail (7%)
- Overall, the government, energy, and insurance sectors sent and received the least data
- 81% of the apps sent data overseas. Of this, 97% of the apps transferred data to the United States, 14% went to Singapore, 4% went to Hong Kong, 4% to Germany, 6% to Ireland and 1% to Japan.
99% of brands implemented layered privacy policies in their apps
52% of brands provided a detailed list of countries to which they disclose privacy data. The banking and finance industry performed best with 76% of app brands tested providing a detailed list. This was closely followed by government and real estate.
Organisations that did well:
- Had mobile apps with a policy notification
- Provided a complete list of countries to which they disclose data
- Allowed users to restrict application permissions.