The IoT Alliance Australia (IoTAA) has released Good Data Practice: A Guide for Business to Consumer Internet of Things Services for Australia (Guide). The Guide offers providers of Internet of Things (IoT) services and devices a principles-driven framework for managing the data and information that flows through their products, and sets out to encourage the relationship of trust required for Business to Consumer (B2C) IoT to be accepted and ultimately succeed in Australia. The Guide arrives alongside the IoTAA’s updated version of its Internet of Things Security Guideline, which provides top-level guidance concerning the security and privacy of IoT.
- The Guide provides a comprehensive, principles-driven approach to the self-regulation of IoT Providers’ management of data and information, with the objective of encouraging consumer confidence in the use of IoT services and devices.
- The potential impacts of IoT services and devices can apply not only to those users who are customers of IoT providers, but also to individuals who simply come into contact with IoT services and devices.
- In the context of IoT services and devices, good data practice should begin at the design level, with the incorporation of privacy by design and security by design principles.
Who is this update relevant to?
Providers of IoT services and devices (IoT Providers) and businesses that partner with IoT Providers or are, or expect to be, participants in an IoT supply chain (for example, developers of software utilised by IoT providers).
With IoT applications and services growing at exponential rates, smart homes, connected cars, wearable technology and connected health, drone delivery services, Siri, Alexa, Google Home and other consumer IoT applications are today’s new buzzwords.
Certainly, in the business-to-business (B2B) sector, IoT is generating measurable value, and many businesses across many industries are already investing in IoT technology to increase productivity, improve quality and improve decision making, as well as to reduce labour and production costs. Gartner forecasts that by 2020 business spending on IoT hardware alone will reach $1.43 trillion.
However, it remains to be seen whether IoT in the business-to-consumer (B2C) sector has reached a tipping point and moved beyond being a “cool” factor to something that is being systematically adopted by consumers. The current reality is that many businesses remain in the early stages of determining their B2C value proposition, developing and experimenting with building end-user loyalty and data mining opportunities for suppliers. Meanwhile, on the consumer side, individuals are still asking whether self-parking and AI-driven service bookings are essential features when purchasing a new car, and if a washing machine that orders detergent is really something they want, or need.
The Aim and Scope of the Guide
Set against the need to build greater awareness and trust in IoT service and device adoption amongst consumers, IoTAA (the peak industry body for the IoT in Australia) released the Guide on 8 November 2017. The Guide aims to promote consumer and industry awareness of good business practice in the provision of IoT services and devices, with a view to anticipating and addressing possible concerns before they occur.
Notably, the Guide does not limit itself to consideration of only personal information within the IoT realm, nor does it limit its reach to IoT Providers and their direct customers. Rather, the Guide provides for:
- persons that are affected by the use of IoT services and devices, including end-users of those services and devices who do not have a direct relationship with an IoT Provider (because, for example, they have been permitted to use the service/device of a customer of an IoT Provider) (Affected Individuals); and
- information about Affected Individuals who are reasonably identifiable, or information about Affected Individuals who are not reasonably identifiable but who might reasonably regard that information to be private (Relevant Information).
The Guide’s intended audience is IoT Providers, and it focuses on measures that they can take to build consumer trust and understanding of the safe use of IoT products and services. This includes bringing fair and appropriate considerations and recommendations to the forefront in IoT suppliers’ design of IoT products and services, the collection and use of data in the course of operating IoT devices and providing IoT services, the protection of privacy, and the secure installation and operation of IoT devices.
Promotion of Good Data Practice Principles
The Guide takes a principles-driven approach to achieving its objectives, and in doing so offers IoT providers flexibility as to the exact design and implementation of good data practice within their businesses. The following is a brief summary of the principles only, and clients are advised to read the Guide in full to appreciate the IoTAA’s recommended approach and take full advantage of its practical advice.
- APPs and Consumer Protection Benchmark Principle: IoT Providers must comply with applicable laws, particularly those relating to privacy and consumer protection, such as the Privacy Act 1988 (Cth) and the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010 (Cth)), and not seek to override or exclude the operation of those laws.
- Accountability Principle: IoT Providers should implement end-to-end accountability for the data and information that flows through their IoT service, including where the information flows to the IoT Provider’s partners, i.e. those entities that help the IoT Provider offer its service to a customer but do not deal with the customer directly. The Guide provides detailed advice as to appropriate steps for achieving this accountability, including the use of plain English in all customer information, the incorporation of security by design and privacy by design principles, and the implementation of appropriate processes to deal with consumer complaints.
- Customer Empowerment Principle: The Guide acknowledges that there are circumstances where IoT Providers can reasonably expect a customer to accept responsibility for aspects of the relevant IoT device or service, for example in their set-up or configuration. Where responsibility is assigned to the customer, the IoT Provider should ensure that the customer is aware of and able to comprehend those responsibilities, and is empowered to exercise them, for example through the IoT Provider offering plain-English support information.
- Cyber Protection Principle: In addition to implementing the security by design principle in their IoT devices and services, IoT Providers should ensure their customers are able to understand their responsibilities with respect to security settings and updates, install security patches/updates, and appreciate which security vulnerabilities are relevant to them and how to address them. Among other requirements under the Guide, IoT Providers are asked to ensure the protection of consumer data from attack, provide regular security updates, and develop and implement strategies to preserve security and reduce loss/damage from data breaches and data corruption.
- Customer Data Transparency Principle: IoT Providers should implement information handling practices that meet the reasonable expectations of consumers with respect to the collection, use and disclosure of Relevant Information, and ensure that plain-English, customer-friendly information is provided to consumers which explains those practices and how Relevant Information will be collected, used and disclosed.
- Data Minimisation Principle: IoT Providers should ensure that the collection and handling of Relevant Information is minimised to the extent necessary for operation of the IoT device or service, as permitted by law and only as disclosed to the relevant customer. Further, Relevant Information should be de-identified in accordance with good industry practice, and where de-identified information is not fully anonymised it should be handled in accordance with appropriate controls to ensure it remains de-identified. De-identified information that is not fully anonymised should not be made available to persons that might reasonably be expected to be able to re-identify an individual, however Relevant Information may be provided to research organisations for research purposes under appropriately controlled conditions.
- Customer Data Control Principle: IoT Providers should inform consumers as to the rights of access to Relevant Information, not only by customers but also by other parties, such as law enforcement agencies and regulators. Further, IoT Providers are to inform the customer as to the portability of their Relevant Information (including any limitations), and ensure that any allocation of rights (for example, concerning confidentiality and intellectual property) specified in customer terms of service complies with the Customer Empowerment Principle, particularly with respect to ensuring the customer receives plain-English explanations of their rights of access.
The Guide’s interaction with other laws/standards
The Guide is subject to the applicable privacy and consumer laws of Australia, and is intended as a supplement to those laws only. The Guide clearly indicates that it does not seek to create new legally binding commitments on IoT Providers.
Importantly, the Guide does not apply to Relevant Information that has been ‘reliably and verifiably de-identified’ through practices that are accepted as good industry practice (provided, among other things, that such information remains de-identified and is not provided to an entity that may be able to re-identify an individual). We note this as important because the successful growth of IoT services and devices will necessarily involve the creation of and interaction with inconceivable amounts of Relevant Information that will fall under this exception; had the principles applied in these cases, there might have been a chilling effect on the growth of IoT services and devices in Australia.
The Guide acknowledges that IoT is a fluid area of development, and the IoTAA indicates that the Guide will be updated to accommodate new developments and concerns. Notwithstanding the pace of IoT’s evolution, the Guide stands as a sound foundation for IoT Providers in managing the data and information that they receive and use.
We recommend that Australian IoT Providers read the Guide closely and contrast it against their current approach to data and information management. Equally, businesses that are using, or are considering implementing, IoT services and devices should also pay close attention to the Guide, applying all due weight to the type of data and information they will provide through the relevant service or device.