New conduct code for data sharing
Graeme Samuel: Launched a code of behavior for data governance
Data Governance Australia has launched a draft code of practice regarding data collection and use. It hopes this will dovetail with the Feds’ yet-to-be-released response to the Productivity Commission’s data recommendations published in May.
Data Governance Australia (DGA) is the brainchild of the Australian Data-Driven Marketing and Advertising association and the code is an attempt to set a best practice benchmark for its membership.
DGA members will be obliged to adhere to the final code or risk losing their membership status. Graeme Samuel, former competition tsar and chair of the DGA, also believes companies which fail to sign up to the code risk losing a competitive edge with increasingly data-savvy consumers.
However the data game has moved on somewhat since DGA first announced its intention to create a code last October.
For one the Government’s legislation mandating serious data breach notification has been passed. From 22 February 2018 organisations experiencing significant data breaches will have 30 days to notify the Office of the Australian Information Commissioner and also any affected individuals.
Associated with that regime are pecuniary penalties of up to $2.1 million for failure to comply.
Leading enterprises are already scrambling to establish the systems needed to ensure compliance with that legislation; navigating a voluntary code of conduct slated for launch by December could prove a challenge to already stretched resources.
For example the DGA claims that its “no-harm” rule goes beyond the requirements of the Privacy Act and obliges members to consider the potential impact of their data practices “and use best endeavours to ensure that its data practices do not result in harm to consumers.”
The code will also have to somehow co-exist with the Government’s yet-to-be-released response to the Productivity Commission’s Data Availability and Use report. That called for a new Data Sharing and Release Act to be introduced – which if accepted by Government could further reshape Australia’s data landscape.
Already Federal and State Governments have started to open their data stores, and some sectors are having openness forced upon them.
Budget 2017 for example made clear that from 2018 Australia’s major banks will have to participate in a more open banking regime and share with their customers the information they have gathered about them so that customers can use that data to try and get more competitive products and services.
Professor Samuel said that a voluntary code of conduct could help avoid the “bureaucracy of government regulation” and also be more easily tweaked than regulation or laws, allowing it to react swiftly to changing market conditions and shifting consumer expectations.
According to DGA chief executive Jodie Sangster; “Self-regulation is the right approach in the era of rapid transformation. Introducing laws and regulations run the risk of stifling innovation and creating a regime that is not flexible enough to respond to the rate of change.”
And change is imminent in terms of private enterprise use of personal data in Australia with the much anticipated arrival of Amazon on the retail scene. Professor Samuel described Amazon’s plans as an “example of the tidal wave of data and data analytics” now impacting all sectors.
“Fifteen years ago data was hard to collect and even harder to analyse.” Now though he said that data analysis was the lifeblood of industries ranging from banking, through retail, airlines and insurance.
Professor Samuel said that the DGA code had been designed to steer all organisations toward more responsible use of data. “Initially the sole regulatory regime was around privacy. Now we have nine headlines that cover the broad gamut of data collection...which are flexible enough as new issues arise so that we can build into the code new provisions.”
The nine core requirements include the no harm rule; fairness; choice; accuracy and access; accountability; stewardship; security; and, enforcement.
The enforcement element of the code will be addressed by a seven member panel led by chairman and consumer advocate Christopher Zinn. Its biggest stick will be to throw infringers out of DGA, but Professor Samuel said there would be a competitive deterrent to organisations which were seen to flout the code as savvy consumers might take their business elsewhere.
Despite its noble intent, some of the code’s nine requirements are drafted as fairly airy ambitions, and the language of the draft code still leaves room for a good deal of interpretation.
The flip side however is that the code’s lack of prescription does mean it could move with the times more swiftly than legislation which can lag community expectations by a year or two according to Professor Samuel.
Organisations and individuals have until 21 July to comment on the draft code.
Professor Samuel said that the DGA intended to put the final code into practice by the end of the year, and that in combination with a public awareness campaign it would help elevate the issue of data collection and use among consumers.