Tuesday, November 12, 2013

Why Australian councils and other governments need to be very careful using SurveyMonkey & other US-owned online engagement tools

I've had an interesting and robust conversation online in the last day regarding how Australian councils and governments are using overseas services like SurveyMonkey to collect information from citizens and residents.

It's no secret that SurveyMonkey in particular is widely used, with other tools like SurveyGizmo and Wufoo also used by many Australian councils and governments to collect personal information from citizens in consultations.

I think these are great tools - well-made and cost-effective. In the past, I have also encouraged and supported their use.

However every council and agency using them needs to be very careful in doing so.

Many of these tools are owned by US companies, which makes them subject to the Patriot Act and Foreign Intelligence Surveillance Act (FISA). The Patriot Act, passed in 2001, was designed to fight terrorism in the US and strengthened FISA, originally passed in 1978, to make it legal for certain US agencies to request data from US companies pertaining to non-US citizens, while prohibiting the company from revealing that the data has been taken.

What this means in practice is that any data collected by an Australian government or council in a US-owned service such as SurveyMonkey may be provided to the US government, without informing or requiring the permission of the Australian jurisdiction or the individuals whose personal data is taken.

Whether or not the US government exercises its rights under the Patriot Act and FISA, any Australian government using US-owned online services (regardless of where in the world they are hosted) cannot legally make the guarantees they are required to make under the Australian Privacy Act to control how any personal information they collect on citizens and residents is distributed or used and to only use the data for the purpose for which it was collected.

This poses a major challenge to Australian councils and agencies as they are open to being found in breach of the revised Privacy Act, which now includes million dollar fines for governments that do not comply with it.

I recommend reading the new Australian Privacy Principles (APPs), as provided by the Office of the Australian Information Commissioner, to get an overview of the impact of the privacy changes, in particular APP 1 (which requires actual privacy documentation from entities), APP 2 and APP 8.

APP 2 outlines the requirement to support anonymous and pseudonymous responses to consultations - meaning that any service or approach (including RSVPs to a physical event) that requires a user's real name may no longer be legally able to be the only channel for consultation responses.

APP 8 is particularly worth reading for how organisations that collect personal data are allowed to share it across jurisdictions. I'll let people read it for themselves and source their own legal interpretation, as it places a large legal question mark over the use of US-owned services due to the Patriot Act and FISA.

Any council using US-owned online engagement tools must decide whether convenience and saving a few dollars is worth the risk - knowing that they are breaking Australian law.

Of course this shouldn't stop councils or agencies from using online engagement services. Provided an online engagement service meets the requirements of the Privacy Act it is fine for an Australian government to use them.

This covers data collection services from companies domiciled in nations which do not have an equivalent to the Patriot Act and FISA - such as the UK, New Zealand and Canada, amongst others.

It also doesn't exclude the use of US-owned services such as Facebook, LinkedIn and Twitter where citizens have directly chosen to sign-up to the service based on its terms of service. The presumption is that citizens will do due diligence and make their own risk assessment regarding whether they are happy to comply with US laws. Where governments have a presence, they are not the direct intermediary for citizens using the service and therefore only need to be mindful of the privacy ramifications of information published on the council or agency's own account pages.

It may also be possible to mitigate legal risks around tools like SurveyMonkey through excluding all personal questions in surveys - although this could be more difficult to defend in some cases as the IP address and other metadata automatically collected by these services may be sufficient to build a connection and identify a respondent.

Or a government agency or council could require all respondents to agree explicitly before engaging that they understand that the Australian jurisdiction collecting their data cannot guarantee the safety of that information due to US law - although this could seriously damage the level of actual engagement and trust.

Fortunately, however, when agencies and councils look into the use of online engagement tools they don't need to only look at US or other overseas providers.

There are local providers of online engagement tools, including the company I now lead, Delib Australia.

Local providers are required to meet all Australian laws and, for the most part, host their services locally (as Delib does), removing jurisdictional risk and potentially making them faster to use (as data doesn't have to travel over congested international networks).

That can raise prices a little - hosting in Australia is more expensive than hosting in the US and local providers can't access the same economies of scale or venture funding as US companies.

However it doesn't raise the price that much, when considering the benefits of local support (in Aussie timezones) and greater responsiveness to local government needs.

Speaking with my Delib hat on, as I know Delib's prices best, councils and not-for-profits across Australia can access Delib's combined Citizen Space and Dialogue App services for under $500 per month.

State and federal agencies, who need greater flexibility and control, won't pay much more for Delib's robust, well-tested, online survey and discussion tools, which were co-designed with governments for government use, and comply with Australian privacy, security and accessibility requirements.

Other local providers offer a variety of other online engagement tools and should also be considered.

So when an Australian council or government agency wants to engage online its staff should think very carefully about whether they select a US-based service, or a local provider - considering whether they are willing to trade a little in cost for a great deal in legal risk, loss of control and less support.

They should also consider whether they wish to support Australian or US businesses, Australian jobs or US venture capitalists.

The choice shouldn't be too hard, even on a tiny engagement budget.
