Loyalty program assessment: Woolworths Rewards Woolworths Limited

Summary report Australian Privacy Principles assessment Section 33C(1)(a) Privacy Act 1988

Assessment undertaken: February 2016
Draft report issued: June 2016
Final report issued: July 2016

Contents

Introduction ...... 1
Background ...... 1
Overview of Woolworths Rewards ...... 2
Key findings — Open and transparent management of personal information ...... 2
Implementing practices, procedures and systems to ensure APP compliance ...... 2
Privacy issues — practices, procedures and systems ...... 3
APP privacy policy ...... 3
Privacy issues ...... 4
Key findings — Notification of the collection of personal information ...... 4
Woolworths Rewards registration process ...... 4
Privacy issues — notification ...... 4
Key findings — Data analytic activities ...... 5
Privacy issues — data analytic activities ...... 6

Summary of OAIC’s assessment of Woolworths Rewards

Introduction

The Office of the Australian Information Commissioner (OAIC) undertook a privacy assessment of the Woolworths Rewards loyalty program (Woolworths Rewards) to assess whether the program:

• managed personal information in an open and transparent way as required by Australian Privacy Principle (APP) 1
• notified individuals of the collection of personal information in accordance with its APP 5 obligations.

The assessment also considered whether Woolworths Rewards was adequately describing its main uses and disclosures of information, particularly in relation to any analytical or ‘big data’ activities, in its privacy notices.

Background

Loyalty programs aim to encourage regular customer spending by ‘rewarding’ individuals for purchasing from a particular company or group of companies. In the process, the company operating the loyalty program can collect data about customers’ purchasing activities and, through the application of analytic techniques, use this data for a variety of purposes including targeted advertising and marketing. A study by First Point Research and Consulting found that 88% of Australian consumers over the age of 16 are members of a loyalty program.1

Big data analytics involves amassing, aggregating and analysing large amounts of data.2 International data protection authorities, including the OAIC, have signalled an intention through the Mauritius Resolution on Big Data to closely monitor developments relating to big data.3 Where big data analytics involves the processing of personal information, entities must ensure they are complying with the requirements of the Privacy Act 1988 (the Privacy Act).

The OAIC decided to undertake an assessment of Woolworths Rewards as it is one of the largest loyalty programs in Australia. Further, given the popularity of loyalty programs amongst Australian consumers, the large amounts of data collected via these programs, and the use of data analytics to process this information, it is in the public interest to ensure that these programs are handling personal information in accordance with the requirements of the APPs.

1 First Point Research and Consulting, For Love or Money? 2013 Consumer Study into Australian Loyalty Programs, viewed 4 August 2015, Australian Marketing Institute website .
2 Office of the Australian Information Commissioner (OAIC), Big data and privacy: a regulators perspective, viewed 26 November 2015, OAIC website .
3 36th International Conference of Data Protection & Privacy Commissioners, Resolution on Big Data, viewed 7 December 2015, International Conference of Data Protection & Privacy Commissioners website .

Office of the Australian Information Commissioner 1

Overview of Woolworths Rewards

Woolworths Rewards4 is owned by Woolworths Food Group, which is a subsidiary of Woolworths Limited. Woolworths Rewards was launched in October 2015 and replaced ‘Everyday Rewards’.

Woolworths Rewards’ members are able to earn ‘Woolworths Dollars’ when purchasing specific ticketed items at participating Woolworths and BWS stores.5 When an individual’s Woolworths Dollars balance reaches $10, they can redeem this amount off the cost of a future transaction at Woolworths and BWS stores by scanning their membership card.

Key findings — Open and transparent management of personal information

The object of APP 1 is ‘to ensure that APP entities manage personal information in an open and transparent way’ (APP 1.1). This enhances the accountability of APP entities for their personal information handling practices and can build community trust and confidence in those practices.

Implementing practices, procedures and systems to ensure APP compliance

APP 1.2 requires an entity to take reasonable steps to implement practices, procedures and systems that will:

• ensure that the entity complies with the APPs, and
• enable the entity to deal with privacy related enquiries or complaints from individuals.

The OAIC was guided by the Privacy management framework in its consideration of the reasonable steps Woolworths Rewards has taken to address the requirements of APP 1.2.

During the assessment, the OAIC observed that Woolworths Rewards:

• has appointed key roles and responsibilities for privacy management, including a Privacy Officer and staff responsible for handling privacy enquiries, complaints and access and correction requests
• has a dedicated team responsible for reviewing and processing any internal requests for access to loyalty program data
• reports privacy matters to senior management through Board and Executive meetings. Any privacy issues or complaints associated with Woolworths Rewards are reported at the monthly Woolworths Limited board meeting
• demonstrates a commitment to ‘privacy by design’ in business projects by implementing a Project Lifecycle and Governance Framework, which requires the completion of a Privacy Impact Assessment (PIA) during the early stages of the project

4 The assessment did not include the Frequent Shoppers Club, which is the loyalty program available to Tasmanian residents.
5 Participating stores are all Woolworths supermarkets (excluding ), Woolworths Online and BWS stores (excluding Tasmania).

• has a number of policy and procedural documents that address the handling of information during the information lifecycle and outline how staff are expected to handle personal information in their everyday duties
• requires all new staff members (including contractors) to complete either general or advanced training depending on their role and responsibilities. Privacy training is delivered and monitored through Woolworths’ human resources system
• delivered a privacy workshop as a refresher to staff after the relaunch of the loyalty program in October 2015. This workshop was in addition to the mandatory privacy training that staff must complete every 12 months
• has a privacy portal which is a central repository of privacy specific information including relevant policies, a privacy organisational chart and procedures for responding to enquiries and complaints
• has processes for responding to privacy enquiries and complaints about the loyalty program, and responding to access and correction requests from individuals
• has a number of risk management, audit and assurance processes and is in the process of developing an audit review plan, which will identify the particular review activity and prompt the business area to conduct the review
• has an IT incident response plan, which outlines Woolworths Rewards’ process for responding to a data breach or a suspected breach
• has undertaken a number of activities to review its privacy practices, procedures and systems. This included a comprehensive review of the loyalty program prior to its launch in October 2015 and engaging an external consultant to conduct a PIA.

Privacy issues — practices, procedures and systems

Assessors consider that Woolworths Rewards is taking reasonable steps to implement practices, procedures and systems to ensure it complies with the APPs. Assessors note that, at the time of the assessment, a number of key governance activities were underway, including the development of an audit review plan and a PIA conducted by an external provider. The OAIC encourages Woolworths Rewards to continue to take steps to evaluate and enhance its practices, procedures and systems as the loyalty program matures.

APP privacy policy

APP 1 requires entities to have an APP privacy policy explaining how personal information will be managed by the entity. The specific requirements for an APP privacy policy are set out in APPs 1.3, 1.4, 1.5 and 1.6.

Woolworths Rewards is governed by the Woolworths Group privacy policy, which is easily accessible from the Woolworths Rewards website. Generally, assessors consider that the Woolworths Group privacy policy is easy to understand with minimal use of overly complex or technical language. It appears to only include information that is relevant to the Woolworths Group’s handling of personal information.

Privacy issues

Woolworths could consider providing more information around the countries in which the recipients of personal information disclosed overseas are likely to be located, if it is practicable to specify those countries in the policy. If personal information is disclosed to numerous overseas locations, Woolworths may consider listing those countries in an appendix to its privacy policy rather than in the body of the policy, or include a link to a regularly updated list of those countries. Woolworths could identify the general regions (such as European Union countries) when it is not practicable to specify the countries.

Under APP 1.5, an APP entity is generally expected to make its privacy policy available by publishing it on its website. As a better privacy practice, Woolworths Group could consider providing information either in its privacy policy, or on its website, about how individuals can request or access the privacy policy in other formats.

Key findings — Notification of the collection of personal information

APP 5 requires an APP entity that collects personal information about an individual to take reasonable steps either to notify the individual of certain matters (listed in APP 5.2) or to ensure the individual is aware of those matters.

Woolworths Rewards registration process

Individuals are able to join Woolworths Rewards via a number of channels, including: online; by phone through the Woolworths Rewards contact centre; obtaining a temporary card in-store and then activating the card online; and by web chat. The primary form of notice used during the registration process is the Woolworths Rewards terms and conditions (terms and conditions). During online registration, the terms and conditions are displayed at the bottom of the registration page. Before proceeding in the registration process, an individual is required to check a box to indicate that they accept the terms and conditions.

For phone and web chat registration, staff are instructed to direct new members to the terms and conditions online and obtain their agreement to the terms and conditions before proceeding with the registration process.

Privacy issues — notification

Assessors note that the relevant APP 5.2 matters are contained within the broader Woolworths Rewards terms and conditions. To ensure the APP 5.2 matters are clearly expressed, Woolworths Rewards could consider:

• layering the terms and conditions by providing a condensed (summary) version of key matters, with a link to more detailed information. The navigability of the terms and conditions could also be improved by including a hyperlinked table of contents to assist individuals in locating relevant information
• making the privacy related information more prominent by featuring this section earlier in the terms and conditions

• separating the privacy related information from the broader terms and conditions and providing it as a separate document at the point of registration.

Assessors consider that the content of the section labelled ‘Privacy & Communications’ in the terms and conditions adequately addresses the APP 5.2 matters.

Key findings — Data analytic activities

Assessors also considered whether Woolworths Rewards is adequately explaining its uses and disclosures of personal information, particularly in relation to any analytical activities, in its privacy notices.

Assessors made the following observations about Woolworths Rewards data analytic activities:

• loyalty program data is held in central systems, which are managed and maintained by Woolworths. A limited number of people within Woolworths Rewards have access to the data
• the primary use of data collected via the loyalty program is to analyse past purchasing behaviour in order to determine which products and offers are most relevant for members. Woolworths Rewards uses targeted marketing communications, mostly via email, to promote products and offers to certain customer groups
• analytical models are created to drive marketing campaigns. The models are informed by past purchasing behaviour and segment members across a number of groups or sub-populations. Woolworths Rewards also measures the success of particular campaigns via which emails are opened and which offers are used
• analysis is conducted using de-identified information, which includes an arbitrarily assigned Customer Reference Number (CRN) and transaction history. Transaction history includes basket contents, store location, register number, date, time and any offers used by the customer
• at this stage, analytic activities are confined to targeted marketing only. Woolworths Rewards does not conduct analysis for third parties or analyse loyalty program data to assist with broader business decision making such as where to locate new stores or store layout
• Woolworths Rewards also outsources some analytic activities to a Woolworths Limited part-owned entity named Quantium. Quantium conducts analysis using CRNs, which it cannot link back to an individual’s personal information or use to identify an individual
• Woolworths Rewards outsources some functions to overseas operators, which include a contact centre located in New Zealand and a cloud service provider located in the United States.

Privacy issues — data analytic activities

Assessors note that Woolworths Rewards conducts its data analytic activities with de-identified information and that access to identifiable data is restricted to a small number of people within Woolworths Rewards.
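The arrangement the assessors describe, identifying member details held in a restricted system while analysis runs only over transaction records keyed by an arbitrarily assigned CRN, can be shown in code. The following is an added Python illustration written for this summary; it is not OAIC or Woolworths code, and the role names, field names, and the sample members and transactions are constructed assumptions rather than anything taken from the assessed program.

```python
"""Illustration of CRN-keyed de-identification with a separate, access-restricted
identity store. Added example, not OAIC or Woolworths code; all data is constructed."""
import secrets
from collections import defaultdict

# Fields treated as direct identifiers; none may appear in the analytics dataset.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "address", "card_number"}

# Constructed sample members and transactions (not real people or purchases).
SAMPLE_MEMBERS = [
    {"name": "Sample Member A", "email": "a@example.invalid", "card_number": "CARD-0001"},
    {"name": "Sample Member B", "email": "b@example.invalid", "card_number": "CARD-0002"},
]
SAMPLE_TRANSACTIONS = [
    {"card_number": "CARD-0001", "store": "Store 12", "register": 3, "date": "2016-02-01",
     "time": "10:15", "basket": ["milk", "bread"], "total": 7.50, "offers_used": ["OFFER-1"]},
    {"card_number": "CARD-0002", "store": "Store 12", "register": 1, "date": "2016-02-01",
     "time": "10:20", "basket": ["coffee"], "total": 12.00, "offers_used": []},
    {"card_number": "CARD-0001", "store": "Store 40", "register": 2, "date": "2016-02-03",
     "time": "18:05", "basket": ["apples", "rice", "tea"], "total": 15.25, "offers_used": ["OFFER-2"]},
]


class IdentityStore:
    """The only place a CRN can be mapped back to a person.

    The role names are hypothetical labels for this illustration; the report says only
    that a small number of people hold such access.
    """
    ALLOWED_ROLES = {"privacy_officer", "loyalty_data_team"}

    def __init__(self):
        self._member_by_crn = {}
        self._crn_by_card = {}

    def enrol(self, member):
        """Assign an arbitrary CRN: random, not derived from the card number or any
        attribute, so the analytics dataset alone gives no way to reverse it."""
        crn = secrets.token_hex(8)
        while crn in self._member_by_crn:  # collision guard, practically never taken
            crn = secrets.token_hex(8)
        self._member_by_crn[crn] = dict(member)
        self._crn_by_card[member["card_number"]] = crn
        return crn

    def crn_for_card(self, card_number):
        return self._crn_by_card[card_number]

    def resolve(self, crn, role):
        """Re-identify a CRN; refused unless the caller's role is on the allow list."""
        if role not in self.ALLOWED_ROLES:
            raise PermissionError(f"role {role!r} may not resolve CRNs")
        return dict(self._member_by_crn[crn])


def deidentify_transaction(raw, identity):
    """Swap the card number for the CRN and drop every direct identifier, keeping the
    attributes the report lists (basket, store, register, date, time, offers used)."""
    record = {"crn": identity.crn_for_card(raw["card_number"])}
    for key, value in raw.items():
        if key not in DIRECT_IDENTIFIERS:
            record[key] = value
    return record


def contains_direct_identifiers(records):
    """Release check: True if any record still carries a direct identifier field."""
    return any(key in DIRECT_IDENTIFIERS for rec in records for key in rec)


def spend_by_crn(records):
    """A marketing-style aggregate that needs only the CRN, never the identity."""
    totals = defaultdict(float)
    for rec in records:
        totals[rec["crn"]] += rec["total"]
    return dict(totals)


def build_analytics_dataset(members=SAMPLE_MEMBERS, transactions=SAMPLE_TRANSACTIONS):
    """Enrol members, de-identify their transactions, and refuse to release the
    dataset if the identifier check fails."""
    identity = IdentityStore()
    for member in members:
        identity.enrol(member)
    dataset = [deidentify_transaction(t, identity) for t in transactions]
    if contains_direct_identifiers(dataset):
        raise ValueError("analytics dataset still contains direct identifiers")
    return identity, dataset


if __name__ == "__main__":
    store, data = build_analytics_dataset()
    print(spend_by_crn(data))
```

The two properties worth checking in such a design are that the released records contain no identifier field at all (so an analytics partner holding only CRNs cannot link them to a person, as the report says of Quantium) and that re-identification is a distinct, role-gated operation against the identity store rather than something the analytics side can do on its own.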

The terms and conditions state that Woolworths Rewards collects and uses personal information in order to ‘promote our goods and services in a way which may be of most interest to some or all of our customers…’ The terms and conditions also describe, in general terms, how Woolworths Rewards may share information with contractors, to affiliates of the loyalty program and to related bodies corporate.

Based on the information provided by Woolworths’ staff, it appears that Woolworths Rewards’ uses and disclosures of personal information are consistent with the information provided to individuals in the terms and conditions.
