Data is often hailed as the “new oil” – a raw asset which only gains value through refinement.  In 2011, McKinsey predicted that data would become a new type of corporate asset that cuts across business units in much the same way a powerful brand does.  However, here in 2016 many Australian businesses remain blissfully unaware that they are sitting on a veritable data gold mine... 

When properly managed and analysed, an organisation’s data can be an invaluable business tool with benefits ranging from predicting customer behaviour and identifying new market opportunities to streamlining business processes and decreasing churn. In addition to using data to improve operations internally, organisations are increasingly commercialising their data externally through publication, licensing and joint ventures. Indeed, PWC estimated in 2013 that commercialisation of data would yield a revenue of US$175bn for businesses that year, with the potential for total revenue to ramp up to $300bn per year over the following 5 years across capital markets (accounting for 30% of this potential revenue), commercial banking (20%), consumer finance and banking (35%) and insurance (15%). In some cases, data stores can become as valuable as organisations themselves. Case in point is Qantas’ $3bn Frequent Flyer business of over 10 million members which, despite Qantas’ $2.8bn headline loss in 2014, continued to post its fifth year of double-digit earnings growth.  

The International Data Corporation reports that 70% of large organisations now purchase external data (and that 100% will do so by 2019), so it is unsurprising that many companies are now making data their business. Companies like SAS Institute, Oracle, Accenture and Palantir all now operate in the data analytics space, providing services that encompass data mining, predictive analytics, text mining, forecasting and optimisation. 

To ensure that the value of their data is maximised, organisations must carefully protect their data throughout its lifecycle, from collection and storage through to analysis, use, disclosure and commercialisation. 

Collection

Organisations should obtain all consents and licences necessary for the collection, storage, use, disclosure and commercialisation of data as contemplated at or before the point of collection, including through:

  • carefully designed contractual documents, such as customer terms and conditions, privacy policies, employment and contractor agreements;
  • compliance with the requirements of all federal, state and territory laws, such as privacy, metadata retention, surveillance and tracking device laws; and
  • implementing tailored data collection policies and procedures throughout end-to-end business processes.   

Storage and security

With ever increasing threats from cybercrime and hacking, the storage and security of data (including, in particular, customer data and other personal information) is paramount. Organisations should:

  • carefully vet employees, contractors and service providers that will have access to their data;
  • implement security measures that enable them to comply with applicable laws and industry standards to reduce the risk of data breaches;
  • choose outsourced, and in particular off-shore, service providers carefully and ensure that they comply with Australian privacy and security standards (under Australian privacy laws, organisations may remain liable for the actions of their off-shore providers); and
  • have robust response procedures in place to deal with cybercrime and follow those procedures in the event of a data breach.

Use

In making use of data, organisations should:

  • ensure that uses of data comply with all applicable laws, collection consents and licenses;
  • ensure employment, contractor and service agreements include robust confidentiality and intellectual property provisions that maintain proprietary rights in data and limit usage and disclosure rights to the minimum extent necessary; and
  • note that the de-identification of data can significantly increase its scope of use, including by potentially taking the data outside the scope of privacy laws. However, organisations should also be aware that combining data sets may result in data becoming re-identifiable and personal information once again.

Disclosure and commercialisation

Finally, in disclosing and commercialising data externally, organisations need to ensure their terms and conditions:

  • retain ownership of any intellectual property rights in their data, reports and other outputs;
  • require recipients to treat the data and data outputs as confidential (since data will often not be an intellectual property right of itself);
  • make licenses to use and disclose the data and data outputs subject to clearly defined permitted purposes and subject to appropriate restrictions;
  • limit and exclude liability appropriately. For example, it may be appropriate for an organisation to exclude liability altogether where it is simply an aggregator of data (and has no control over raw data sets). However, there are also statutory guarantees and obligations under certain Australian laws (e.g. Australian Consumer Law) that cannot be excluded; and
  • include appropriate remedies to prevent and curtail unauthorised uses and disclosures of data.