Loyalty program assessment: Woolworths Rewards

Woolworths Limited
Summary report
Australian Privacy Principles assessment
Section 33C(1)(a) Privacy Act 1988
Assessment undertaken: February 2016
Draft report issued: June 2016
Final report issued: July 2016
Contents
Introduction
Background
Overview of Woolworths Rewards
Key findings — Open and transparent management of personal information
Implementing practices, procedures and systems to ensure APP compliance
Privacy issues — practices, procedures and systems
APP privacy policy
Privacy issues
Key findings — Notification of the collection of personal information
Woolworths Rewards registration process
Privacy issues — notification
Key findings — Data analytic activities
Privacy issues — data analytic activities
Summary of OAIC’s assessment of Woolworths Rewards loyalty program
Introduction
The Office of the Australian Information Commissioner (OAIC) undertook a privacy
assessment of Woolworths Rewards loyalty program (Woolworths Rewards) to assess
whether the program:
• managed personal information in an open and transparent way as required by
Australian Privacy Principle (APP) 1
• notified individuals of the collection of personal information in accordance with its
APP 5 obligations.
The assessment also considered whether Woolworths Rewards was adequately describing
its main uses and disclosures of information, particularly in relation to any analytical or ‘big
data’ activities, in its privacy notices.
Background
Loyalty programs aim to encourage regular customer spending by ‘rewarding’ individuals for
purchasing from a particular company or group of companies. In the process, the company
operating the loyalty program can collect data about customers’ purchasing activities and,
through the application of analytic techniques, use this data for a variety of purposes
including targeted advertising and marketing. A study by First Point Research and Consulting
found that 88% of Australian consumers over the age of 16 are members of a loyalty
program.[1]
Big data analytics involves amassing, aggregating and analysing large amounts of data.[2]
International data protection authorities, including the OAIC, have signalled an intention
through the Mauritius Resolution on Big Data to closely monitor developments relating to
big data.[3] Where big data analytics involves the processing of personal information, entities
must ensure they are complying with the requirements of the Privacy Act 1988 (the Privacy
Act).
The OAIC decided to undertake an assessment of Woolworths Rewards as it is one of the
largest loyalty programs in Australia. Further, given the popularity of loyalty programs
amongst Australian consumers, the large amounts of data collected via these programs, and
the use of data analytics to process this information, it is in the public interest to ensure that
these programs are handling personal information in accordance with the requirements of
the APPs.
[1] First Point Research and Consulting, For Love or Money? 2013 Consumer Study into Australian Loyalty
Programs, viewed 4 August 2015, Australian Marketing Institute website <www.ami.org.au>.
[2] Office of the Australian Information Commissioner (OAIC), Big data and privacy: a regulator’s perspective,
viewed 26 November 2015, OAIC website <www.oaic.gov.au>.
[3] 36th International Conference of Data Protection & Privacy Commissioners, Resolution on Big Data, viewed 7
December 2015, International Conference of Data Protection & Privacy Commissioners website
<www.icdppc.org>.
Office of the Australian Information Commissioner
1
Overview of Woolworths Rewards
Woolworths Rewards[4] is owned by Woolworths Food Group, which is a subsidiary of
Woolworths Limited. Woolworths Rewards was launched in October 2015 and replaced
‘Everyday Rewards’.
Woolworths Rewards’ members are able to earn ‘Woolworths Dollars’ when purchasing
specific ticketed items at participating Woolworths Supermarkets and BWS stores.[5] When
an individual’s Woolworths Dollars balance reaches $10, they can redeem this amount off
the cost of a future transaction at Woolworths Supermarkets and BWS stores by scanning
their membership card.
Key findings — Open and transparent management of personal information
The object of APP 1 is ‘to ensure that APP entities manage personal information in an open
and transparent way’ (APP 1.1). This enhances the accountability of APP entities for their
personal information handling practices and can build community trust and confidence in
those practices.
Implementing practices, procedures and systems to ensure APP compliance
APP 1.2 requires an entity to take reasonable steps to implement practices, procedures and
systems that will:
• ensure that the entity complies with the APPs, and
• enable the entity to deal with privacy related enquiries or complaints from individuals.
The OAIC was guided by the Privacy management framework in its consideration of the
reasonable steps Woolworths Rewards has taken to address the requirements of APP 1.2.
During the assessment, the OAIC observed that Woolworths Rewards:
• has appointed key roles and responsibilities for privacy management, including a
Privacy Officer and staff responsible for handling privacy enquiries, complaints and
access and correction requests
• has a dedicated team responsible for reviewing and processing any internal requests
for access to loyalty program data
• reports privacy matters to senior management through Board and Executive meetings.
Any privacy issues or complaints associated with Woolworths Rewards are reported at
the monthly Woolworths Limited board meeting
• demonstrates a commitment to ‘privacy by design’ in business projects by
implementing a Project Lifecycle and Governance Framework, which requires the
completion of a Privacy Impact Assessment (PIA) during the early stages of the project
• has a number of policy and procedural documents that address the handling of
information during the information lifecycle and outline how staff are expected to
handle personal information in their everyday duties
• requires all new staff members (including contractors) to complete either general or
advanced training depending on their role and responsibilities. Privacy training is
delivered and monitored through Woolworths’ human resources system
• delivered a privacy workshop as a refresher to staff after the relaunch of the loyalty
program in October 2015. This workshop was in addition to the mandatory privacy
training that staff must complete every 12 months
• has a privacy portal which is a central repository of privacy specific information
including relevant policies, a privacy organisational chart and procedures for
responding to enquiries and complaints
• has processes for responding to privacy enquiries and complaints about the loyalty
program, and responding to access and correction requests from individuals
• has a number of risk management, audit and assurance processes and is in the process
of developing an audit review plan, which will identify the particular review activity
and prompt the business area to conduct the review
• has an IT incident response plan, which outlines Woolworths Rewards’ process for
responding to a data breach or a suspected breach
• has undertaken a number of activities to review its privacy practices, procedures and
systems. This included a comprehensive review of the loyalty program prior to its
launch in October 2015 and engaging an external consultant to conduct a PIA.
[4] The assessment did not include the Frequent Shoppers Club, which is the loyalty program available to
Tasmanian residents.
[5] Participating stores are all Woolworths supermarkets (excluding Tasmania), Woolworths Online and BWS
stores (excluding Tasmania).
Privacy issues — practices, procedures and systems
Assessors consider that Woolworths Rewards is taking reasonable steps to implement
practices, procedures and systems to ensure it complies with the APPs. Assessors note that,
at the time of the assessment, a number of key governance activities were underway,
including the development of an audit review plan and a PIA conducted by an external
provider. The OAIC encourages Woolworths Rewards to continue to take steps to evaluate
and enhance its practices, procedures and systems as the loyalty program matures.
APP privacy policy
APP 1 requires entities to have an APP privacy policy explaining how personal information
will be managed by the entity. The specific requirements for an APP privacy policy are set
out in APPs 1.3, 1.4, 1.5 and 1.6.
Woolworths Rewards is governed by the Woolworths Group privacy policy, which is easily
accessible from the Woolworths Rewards website. Generally, assessors consider that the
Woolworths Group privacy policy is easy to understand with minimal use of overly complex
or technical language. It appears to include only information that is relevant to the
Woolworths Group’s handling of personal information.
Privacy issues
Woolworths could consider providing more information around the countries in which the
recipients of personal information disclosed overseas are likely to be located if it is
practicable to specify those countries in the policy. If personal information is disclosed to
numerous overseas locations, Woolworths may consider listing those countries in an
appendix to its privacy policy rather than in the body of the policy or include a link to a
regularly updated list of those countries. Woolworths could identify the general regions
(such as European Union countries) when it is not practicable to specify the countries.
Under APP 1.5, an APP entity is generally expected to make its privacy policy available by
publishing it on its website. As a better privacy practice, Woolworths Group could consider
providing information either in its privacy policy, or on its website, about how individuals
can request or access the privacy policy in other formats.
Key findings — Notification of the collection of personal information
APP 5 requires an APP entity that collects personal information about an individual to take
reasonable steps either to notify the individual of certain matters (listed in APP 5.2) or to
ensure the individual is aware of those matters.
Woolworths Rewards registration process
Individuals are able to join Woolworths Rewards via a number of channels, including: online;
by phone through the Woolworths Rewards contact centre; obtaining a temporary card in-store
and then activating the card online; and by web chat.
The primary form of notice used during the registration process is the Woolworths Rewards
terms and conditions (terms and conditions). During online registration, the terms and
conditions are displayed at the bottom of the registration page. Before proceeding in the
registration process, an individual is required to check a box to indicate that they accept the
terms and conditions.
For phone and web chat registration, staff are instructed to direct new members to the
terms and conditions online and obtain their agreement to the terms and conditions before
proceeding with the registration process.
Privacy issues — notification
Assessors note that the relevant APP 5.2 matters are contained within the broader
Woolworths Rewards terms and conditions. To ensure the APP 5.2 matters are clearly
expressed, Woolworths Rewards could consider:
• layering the terms and conditions by providing a condensed (summary) version of key
matters, with a link to more detailed information. The navigability of the terms and
conditions could also be improved by including a hyperlinked table of contents to
assist individuals to locate relevant information
• making the privacy related information more prominent by featuring this section
earlier in the terms and conditions
• separating the privacy related information from the broader terms and conditions and
providing it as a separate document at the point of registration.
Assessors consider that the content of the section labelled ‘Privacy & Communications’ in
the terms and conditions adequately addresses the APP 5.2 matters.
Key findings — Data analytic activities
Assessors also considered whether Woolworths Rewards is adequately explaining its uses
and disclosures of personal information, particularly in relation to any analytical activities, in
its privacy notices.
Assessors made the following observations about Woolworths Rewards’ data analytic
activities:
• loyalty program data is held in central systems, which are managed and maintained by
Woolworths. A limited number of people within Woolworths Rewards have access to
the data
• the primary use of data collected via the loyalty program is to analyse past purchasing
behaviour in order to determine which products and offers are most relevant for
members. Woolworths Rewards uses targeted marketing communications, mostly via
email, to promote products and offers to certain customer groups
• analytical models are created to drive marketing campaigns. The models are informed
by past purchasing behaviour and segment members across a number of groups or
sub-populations. Woolworths Rewards also measures the success of particular
campaigns via which emails are opened and which offers are used
• analysis is conducted using de-identified information, which includes an arbitrarily
assigned Customer Reference Number (CRN) and transaction history. Transaction
history includes basket contents, store location, register number, date, time and any
offers used by the customer
• at this stage, analytic activities are confined to targeted marketing only. Woolworths
Rewards does not conduct analysis for third parties or analyse loyalty program data to
assist with broader business decision making such as where to locate new stores or
store layout
• Woolworths Rewards also outsources some analytic activities to a Woolworths
Limited part-owned entity named Quantium. Quantium conducts analysis using CRNs,
which it cannot link back to an individual’s personal information or use to identify an
individual
• Woolworths Rewards outsources some functions to overseas operators, which include
a contact centre located in New Zealand and a cloud service provider located in the
United States.
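As an added illustration (not code from the OAIC report, Woolworths or Quantium), the following Python sketches the arrangement the observations above describe: identifying member details and the card-to-CRN lookup stay in a restricted system, the analytic extract carries only an arbitrarily assigned CRN and the transaction history (basket contents, store, register, date, time, offers used), a release check confirms no identifying field leaked into the extract, and re-linking a segment to members happens only inside the restricted system when a targeted offer is sent. The class and function names and the sample members and transactions are constructed for the example.

```python
"""Added illustration of the de-identified analysis arrangement described above.
Not code from the OAIC report, Woolworths or Quantium; names and data are constructed."""
import secrets

# Fields that identify a member; they never leave the restricted store.
PII_FIELDS = {"card_no", "name", "email"}

# Constructed sample member records (placeholder people, not real data).
MEMBERS = [
    {"card_no": "CARD-0001", "name": "Member One", "email": "one@example.invalid"},
    {"card_no": "CARD-0002", "name": "Member Two", "email": "two@example.invalid"},
    {"card_no": "CARD-0003", "name": "Member Three", "email": "three@example.invalid"},
]

# Constructed sample transactions as captured at the register, keyed by card number.
TRANSACTIONS = [
    {"card_no": "CARD-0001", "store": "Store 12", "register": 3, "date": "2016-02-01",
     "time": "09:14", "basket": ["milk", "bread"], "offers": ["OFFER-A"]},
    {"card_no": "CARD-0002", "store": "Store 12", "register": 1, "date": "2016-02-01",
     "time": "17:40", "basket": ["milk", "eggs"], "offers": []},
    {"card_no": "CARD-0001", "store": "Store 07", "register": 2, "date": "2016-02-03",
     "time": "12:05", "basket": ["apples"], "offers": []},
    {"card_no": "CARD-0003", "store": "Store 12", "register": 3, "date": "2016-02-04",
     "time": "08:30", "basket": ["bread"], "offers": ["OFFER-B"]},
]


class RestrictedStore:
    """Holds identifiable member data and the card-to-CRN lookup.

    In the arrangement described, only a small number of staff can use this;
    the analytic extract and any outsourced analyst never see it.
    """

    def __init__(self):
        self._crn_by_card = {}
        self._card_by_crn = {}

    def crn_for(self, card_no):
        """Return the member's CRN, assigning a fresh random one on first use.

        The CRN is an arbitrary token, not a hash or encoding of the card
        number, so it cannot be reversed without this lookup table.
        """
        if card_no not in self._crn_by_card:
            crn = secrets.token_hex(8)
            self._crn_by_card[card_no] = crn
            self._card_by_crn[crn] = card_no
        return self._crn_by_card[card_no]

    def reidentify(self, crn):
        """Re-link a CRN to a card number; only usable inside the restricted system."""
        return self._card_by_crn[crn]


def build_analytic_extract(store, transactions):
    """Produce the dataset analysts work with: CRN plus transaction history only."""
    extract = []
    for txn in transactions:
        row = {k: v for k, v in txn.items() if k not in PII_FIELDS}
        row["crn"] = store.crn_for(txn["card_no"])
        extract.append(row)
    return extract


def extract_has_no_pii(extract):
    """Release check: refuse to ship an extract if any identifying field slipped in."""
    return all(PII_FIELDS.isdisjoint(row) for row in extract)


def segment_by_product(extract, product):
    """Toy analytic model: CRNs of members whose past baskets include `product`."""
    return sorted({row["crn"] for row in extract if product in row["basket"]})


def targeted_recipients(store, members, crns):
    """Turn a segment back into e-mail addresses, inside the restricted system only."""
    by_card = {m["card_no"]: m for m in members}
    return sorted(by_card[store.reidentify(crn)]["email"] for crn in crns)


if __name__ == "__main__":
    store = RestrictedStore()
    extract = build_analytic_extract(store, TRANSACTIONS)
    assert extract_has_no_pii(extract)
    milk_buyers = segment_by_product(extract, "milk")
    print("segment (CRNs only):", milk_buyers)
    print("recipients (restricted):", targeted_recipients(store, MEMBERS, milk_buyers))
```

The design point is the boundary: `build_analytic_extract` is the only place the card number is touched, and `reidentify` lives in the restricted store, so an analyst (or an outsourced party such as the one named above) holding the extract alone has CRNs and purchasing history but no path back to a person. The `extract_has_no_pii` check is the kind of control worth running before any extract leaves the central systems.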
Privacy issues — data analytic activities
Assessors note that Woolworths Rewards conducts its data analytic activities with de-identified
information and that access to identifiable data is restricted to a small number of
people within Woolworths Rewards.
The terms and conditions state that Woolworths Rewards collects and uses personal
information in order to ‘promote our goods and services in a way which may be of most
interest to some or all of our customers…’ The terms and conditions also describe, in
general terms, how Woolworths Rewards may share information with contractors, to
affiliates of the loyalty program and to related bodies corporate.
Based on the information provided by Woolworths’ staff, it appears that Woolworths
Rewards’ uses and disclosures of personal information are consistent with the information
provided to individuals in the terms and conditions.