Data & the understanding gap

HealthEngine provides an app requiring users to provide details of their medical conditions (including recent accidents) when booking GP appointments and is accused of disclosing these details to one or more personal injury law firms.

"Common market practice for privacy compliance… does not match up with consumer expectations regarding data transparency.” 

Regardless of whether HealthEngine did in fact breach privacy law the case reveals a bigger issue lying beneath the surface – common market practice for privacy compliance in this space does not match up with consumer expectations regarding data transparency.

To make things more confusing, just what does amount to ‘consent’ in the eyes of the law in this area is not clear.

Although outrage over this particular case is understandable given the sensitive nature of the information and the purpose for which it was disclosed (what some may describe as ‘ambulance chasing’) privacy lawyers will not be particularly surprised by the theme of this story.

In essence, it reveals a common approach to privacy compliance for providers of app and web-based services in Australia.

Consent

HealthEngine says it had "express consent" from users to disclose the information. But stating in a privacy policy or "collection statement" you might disclose personal information in a particular way does not necessarily make you compliant with Australian Privacy Law.

Put another way, just because you have expressly pointed something out in a statement to an individual - or even in your online terms and conditions - doesn't mean you have ‘express consent’.  A lot can depend on the placement of the statement and whether or not a user has an opportunity to positively opt in or opt out.

There is nothing unusual about the practice of seeking consent to the use or disclosure of personal information through the inclusion of statements like this in online terms and conditions.

In fact, this is common practice in corporate Australia despite it being well known the vast majority of consumers do not read such terms and conditions.

So while organisations may attempt to seek users' consent to disclose their data to third parties the outcry in response to this case makes it clear consumer expectations were out of step with the reality of data use.

By and large, regardless of what's been written in the terms and conditions, users in cases like this do not actually expect their data to be disclosed for this purpose - perhaps because they didn't actually read the online terms or, where they did, because they didn't understand them.

Disconnect

This disconnect between organisations attempting to be (and believing they are) transparent, on the one hand, and individuals' actual expectations on the other, is bad for consumers, who are often stunned when the ways their data is actually being used are revealed (take the Facebook Cambridge Analytica scandal for example).

It's also bad for business – the prevalent lack of understanding as to how data is used means a constant threat of revelation and scandal, irrespective of whether or not the law has actually been broken.

Individual expectations of how their data may be used and shared have evolved as rapidly as the digital economy over the past five years. This will continue and the world will keep spinning, but business needs certainty and individuals require transparency.

To meet these needs the law needs to be clearer about what is expected of businesses on transparency of data use.

 Although the Privacy Commissioner has issued guidance setting out the elements of valid consent (such as the need for individuals to be ‘adequately informed’ and for consent to be ‘specific’) there is no clear guidance on the required level of detail of proposed data uses, or how the relevant information needs to be presented to the user to ensure they truly understand what they are agreeing to.

This could be addressed, for example, if providers of online services were required to clearly summarise, on a single screen, all the possible uses and disclosures of an individual's data, and allow users to self-select the uses and disclosures they agree to (as recommended by the federal government's Review into Open Banking).

Without greater clarity, corporate activity and individuals' expectations of data use will continue to clash.

If Australia is to take full advantage of the immense value data offers to our economy, we need to work towards a common goal.

Michael Morris is a Technology, Media and Telecommunications Partner at Allens