Executives from two of Australia’s largest custodians of customer data, the Commonwealth Bank and Coles, have said growing public concerns around privacy will likely lead them to store less and less information offshore.

Speaking at the OAIC’s annual privacy breakfast yesterday, Coles CFO Rob Scott said the company was “very mindful that there is a perception that if information is in Australia it is safe and if it is not in Australia it is not safe.”
“I don’t think that is necessarily true,” he said. “But I think over time it will lead us to doing more work onshore in Australia, frankly.”
CBA’s privacy, cyber security and risk manager Ben Heyes said he could also see the bank doing more domestically.
“Ultimately it is about trying to find that level of comfort,” he said.
New privacy rules, which came into effect in March, have brought the issue of offshore data hosting to the forefront of industry awareness.
Under the revised Australian Privacy Principles, entities will be held responsible for any unwanted disclosure of personal information that takes place under the watch of their offshore providers, unless they can show that they negotiated contract terms matching the strength of the Australian Privacy Act.
The APPs also demand entities disclose all the offshore locations in which they host customer data in publicly available privacy policies.
Asked whether the introduction of the APPs influenced Coles’ strategy on data offshoring, Scott said the retailer was “even more conscious than we were previously of the customer and the public perceptions of where data goes”.
The supermarket giant is home to some of the largest volumes of retail data in the country. Its loyalty program, FlyBuys, tracks personal details and buying patterns of seven million participating customers.
Last week Coles started using that pool of information to tailor weekly emails to customers by listing the top 12 specials in their local store based on their buying history.
“Some people might think that information is a bit spooky,” Scott conceded. “But interestingly our customers love the communication.”
In a warning to other executives charged with privacy compliance, Scott reminded event attendees that onshore data does not remain that way indefinitely, highlighting the constant diligence required to keep up with information regulation.
For many years Coles relied on an Australian software provider for tools to manage the millions of emails it sends to customers every week, Scott said. But when it was acquired by a US-based multinational, the company was faced with the prospect of some of that data moving to an American facility.
“For us this meant we had to decide whether we were comfortable with their security requirements and whether they could deliver on our obligations under the Privacy Act,” Scott said.
“It was also important for us to change our arrangements from a disclosure point of view.”