Privacy commissioner puts Australia's loyalty schemes on notice

Privacy commissioner Timothy Pilgrim has issued a warning to the operators of Australia’s biggest loyalty schemes to prepare their privacy frameworks for assessment.

Timothy Pilgrim

Pilgrim, heading a re-invigorated OAIC, told attendees at a privacy awareness week launch event that his office would spend the next year conducting a series of privacy assessments into the most popular loyalty schemes in Australia.

He stopped short, however, of naming which programs would be in the firing line - that would be “a little bit too much of a spoiler", Pilgrim said.

The privacy commission has already taken a comb over privacy compliance inside two of the country’s customer loyalty giants, the points programs run by supermarkets Coles and Woolworths.

Publicly available summaries of the resulting reports are due to be published in the not-too-distant future, Pilgrim said.

The OAIC team is now looking to go after others on the same scale.

An obvious choice would be Qantas’ frequent flyer program, which lays claim to the largest membership in Australia with roughly 11 million customers.

At the same time, competitor Virgin boasted in recent financial results that it is signing 4300 customers per day to its Velocity awards program during peak periods.

However, the privacy commissioner made it clear that being assessed should not be viewed as a sign of suspicion.

“Being the subject of a privacy assessment does not necessarily mean there is anything untoward going on,” Pilgrim said.

“Our assessments are vital to providing consumer and public transparency to how our individual privacy rights are being protected and respected.”

He said the OAIC would also consider assessments of government agencies with “significant personal information holdings".

In 2015-16 the office undertook 19 formal privacy assessments, which touched 101 different organisations across government and business.

Pilgrim said the office received 12,200 privacy-specific enquiries, opened nearly 3000 complaints and closed close to 2000, and handled 117 voluntary data breach notifications from organisations.