The Privacy Series: The Fair and Reasonable Test Explained

To help marketers prepare for the impact that the privacy reforms will have on the industry and our practices, we have created The Privacy Series. Each month we will deep dive into one of the key components set to reshape the Privacy Act to understand what they mean for marketers and their businesses.

This month in The Privacy Series, we are delving into the introduction of an overarching ‘Fair and Reasonable’ test by the Government as part of the imminent overhaul of the Privacy Act. This type of overarching test in relation to privacy will not just be an Australian first, but a worldwide first too – making it a pioneering piece in this legislative reform. Below we will explore what this unique and ambiguous sounding test involves, and what it will mean for marketers moving forward in the way we collect, handle and use personal information and consumer data.

What is ‘Fair and Reasonable’?

The Privacy Act is a principle-based legislation which gives organisations flexibility to apply the privacy principles to their consumer data practices, specifically the handling of personal information, in a way that aligns to their business model. There are currently 13 Australian Privacy Principles (APP) governing the rights and obligations around the collection, use and disclosure of personal information. As we know, this is all set to broaden with the imminent privacy reforms, and the additional introduction of an overarching test will add yet another layer of required compliance. 
So, what is fair and reasonable? You may be surprised to learn that this very ambiguous and seemingly subjective sounding question will actually be assessed objectively. The Privacy Act is set to include a list of matters and further guidance of what is considered ‘Fair and Reasonable’ in the Explanatory Memorandum to assist businesses with their assessments. The Privacy Commissioner is also likely to provide guidance after the reforms become law. 

Essentially though, the Fair and Reasonable test will determine if the collection, use and disclosure of personal information is in the circumstances, irrespective of whether consent has been obtained. Or, to put it in laymen’s terms, or better yet, ‘Aussie terms’ – does it pass the pub test? If you wouldn’t personally like or consent to the way a business is collecting or using personal information, it is probably safe to say that it should not be considered in the circumstances. Just like the 13 APPs allow for flexibility in application by considering a business’s own circumstances, so will the Fair and Reasonable test. What is considered Fair and Reasonable for one business in the circumstances, will not necessarily be the same for another business with different circumstances. As long as a business can adequately justify why their collection and use of personal information is Fair and Reasonable in the circumstances, they should be able to pass the test. 

With that being said, if you consider yourself blessed with the ‘gift of the gab’, this won’t mean you can talk your way into passing the test. The provided justification needs to be sound. Particularly as the privacy reforms will increase regulation as well as breach penalties, and make everyone a ‘watchdog’ of sorts. It will no longer just be up to the relevant governing bodies. Consumers will be able to hold businesses accountable too, especially if they do not feel that it is  in the circumstances of a business to collect their personal information. Remember, when it comes to the pub test, Australians are harsh critics!

The consenting to compliance roadblock 

Before being tempted with the lure of considering potential loopholes, we should point out that a fundamental component of the Fair and Reasonable test is the irrelevance of consent. By this we do not mean that consent by your consumers does not matter as it most certainly does. Particularly as consent practices and transparency, including opt-in and opt-out options for consumers and giving consumers more control, will substantially underpin much of the privacy reforms. Rather it means that having consent from your customers does not mean you automatically pass the Fair and Reasonable test. You cannot simply consent your way to compliance. Your business must be able to justify that your collection and use of personal information is, irrespective of consent being granted. This is an important point to note as you don’t want your business to fall into a misguided privacy fallacy where consent assumes compliance. 

What are the marketing implications?

The new overarching Fair and Reasonable test will demand a lot more accountability of organisations, and particularly those who have a touchpoint with collecting and using customer data. As marketing is the first touchpoint of collecting and using a customer’s personal information, this includes us. In fact, the privacy reforms may even legislate the requirement for an appointed senior employee who is responsible for privacy, like a Privacy Officer – though this would not necessarily be their only role. There would also be the requirement to record the purpose for the collection and use of personal information. If this requirement is not legislated however, it would be a good idea to implement a similar record keeping practice. Whether you’re collecting personal information from campaign activity, a content offering, for events or any other marketing activity, sustaining an ongoing record and audit trail will undoubtedly assist in justifying data collection practices in response to the test.

To help ensure your business can satisfactorily justify why it is to collect and use your customers’ personal information, a good starting point is to determine what your essential data is and discard any data above and beyond that. This might lead to businesses changing their approach with respect to collecting data and shift towards a ‘data minimisation’ model instead. Businesses will also need to consider the type, sensitivity and amount of personal information being collected, used or disclosed. Particularly if the personal information is considered sensitive information such as health data or government identifiers. These will require solid justification as to why this type of personal information is necessary for a business to know. So, if you don’t need it, get rid of it and stop collecting it. 

Additionally, for the first time the Act will specifically factor in minors/children. If a business is collecting personal information relating to a child, a business will need to be able to justify that it is in the best interest of the child to be considered in the circumstances. Essentially the privacy reforms will prohibit targeting children under the age of 18, with very limited exceptions to this rule. This will likely reshape a lot of marketing activity, or at the very least, targeting strategies for businesses. The Privacy Commissioner will provide guidance as to what is in the best interest of the child. This is unlikely to include any commercially related interests.

With the tightening of regulation around the collection of personal information, it is best practice for marketers, and their businesses, to only collect and use the customer data they need to effectively operate. There is too much potential risk and exposure to a breach, to gamble with anything in excess of this. The introduction of the Fair and Reasonable test adds another layer of compliance complexity, and marketers should be prepared to engage with lean data models and dial up the creativity to really maximise the data they can fairly and reasonably attain.