Other People’s Data

Financial institutions’ other big responsibility

Jonathan Steffanoni
Scrambled Nest Eggs
Apr 23, 2018


The terms and conditions of use for Google or Facebook have much in common with a financial Product Disclosure Statement.

Nobody reads them.

Well, hardly anybody does. And those who do, seldom understand what they’re agreeing to.

It’s difficult to go about life without either financial services or data hungry online services. The quasi-mandatory character of both accentuates the information asymmetry and weak bargaining position that people are in when it comes to negotiating a fair and balanced contract.

We just click to agree en masse.

Financial institutions are in a particularly important position, having dual responsibilities for managing both money and data.

Both the public and financial institutions would benefit from better management of conflicting interests and a higher standard of care in managing other people’s data.

Other people’s data…

Social licence and public trust are outcomes of an industry which is seen to adopt a responsible approach in dealing with their customers.

If financial institutions hope to maintain social licence and public trust, it will require that loyalty and prudence are present in their handling of other people’s data.

The challenge facing financial institutions is currently visible in two forms: the misconduct and improper behaviour exposed by the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, and the controversy related to the use (or misuse) of Facebook user data by Cambridge Analytica.

At the nexus of both issues lies the conflict of interest inherent in managing a valuable commodity on behalf of another, and an overreliance on disclosure and contract in regulating the relationship between the institution and the individual.

Most people simply do not have the time, attention, or understanding to grasp the complex and detailed disclosure in either financial product documents or the terms and conditions agreed to by clicking when using online services.

Accordingly, we need to consider better ways of regulating the use of people’s data by financial institutions.

Who owns “my” data?

It is common for most of us to refer to information which relates to us as “my data”. It would probably come as a shock to most of us to hear that we don’t own much of our “own” data.

The difficulty is that not all of a “person’s data” is property, and so much of it can’t be owned at all. This lies at the heart of many of the risks and responsibilities which are likely to become increasingly visible.

If we are to make sense of regulating the use of people’s data, we need to have a clearer picture of what exactly we mean by people’s data.

Data that makes you… you.

Financial institutions collect and hold information about people which is best described, consistently with privacy law, as personal information. In Australia this includes information such as our identity, health, credit, and employment details.

This kind of data isn’t generally property and therefore can’t be owned. It is however very important to individuals, and there are protections in place.

Privacy law places a duty of care on financial institutions in the form of privacy principles regulating access to this kind of information and the ways in which it may be collected, used and disclosed.

Mandatory data breach reporting recently commenced, placing an obligation on financial institutions to notify affected individuals (and the Privacy Commissioner) where unauthorised access to personal information is likely to result in serious harm.

Regulation of the use of personal information by financial institutions is reasonably well developed and places a duty of care on financial institutions.

Yet, the definition of personal information does not include much of the data which people would consider as their ‘own data’.

Data you’ve created

While we might not be able to own much of our personal information, we do own some of the data which we supply to institutions.

Anything original which we create (and by that, I mean the expression of ideas rather than the underlying idea) is owned by its creator as intellectual property, most commonly in the form of copyright.

This could be the content of correspondence such as emails, messages or phone calls, photographs, sound recordings or computer program code.

Where this is provided to companies such as Google or Facebook, individuals usually retain their ownership of the intellectual property which they’ve created, but grant a licence to the company to use the information for certain purposes.

Financial institutions don’t tend to hold much of this kind of information about their customers or members.

Yet it is important that financial institutions have measures in place to provide certainty about protecting individual rights over any intellectual property that they provide.

More important though, is the need to maintain trust by being responsible in using this information only in ways which have no prejudice to the best interests of individuals.

Data about what you do

The most important kind of data we provide to financial institutions is data about what we do… meta-data.

It’s also the most under-regulated kind of data. A 2017 Full Federal Court ruling (Privacy Commissioner v Telstra Corporation Ltd [2017] FCAFC 4) narrowed the definition of personal information by determining that metadata needed to be ‘about the individual’, as a requirement separate from and in addition to the individual being ‘reasonably identifiable’, in order to fall within the scope of privacy law.

Financial institutions collect and manage huge volumes of data about what people do. It’s not exactly clear whether this data is property – and even if so – who owns it.

Is it owned by the organisation which has facilitated the collection and storage, or by the individual to whom the meta-data relates?

This kind of data typically includes banking payment transactions, trading data, other financial transactions, product and service application history, balances, and online activity.

This data is often the basis and essence of administration of financial products and services which financial institutions provide to customers and members, and is therefore naturally very valuable to these institutions.

However, there is a growing awareness amongst individuals that this data is also valuable for the purposes of better understanding their own financial behaviour.

It’s also becoming increasingly valuable as the basis for comparing alternative products and services and predicting future behaviour and needs.

Transactional meta-data held by financial institutions has been the driving force for the development of open banking policies intended to promote better consumer outcomes and competition.

The Open Banking regime might also see such data, collected by one institution, being shared with another at the customer’s direction in a standard format and manner.

It is a long term strategic imperative that financial institutions manage this meta-data in ways which promote trust. Ensuring that the use of this data puts the interests of individuals first should be the guiding principle.

Commercially created data

There is also a need to draw a clear distinction between people’s data and the commercial property which commercial and other institutions create by imputing, deriving and analysing customer data.

Financial institutions derive immense value from the complex analysis of individual and collective data. It is a significant source of competitive advantage in the information economy of the financial sector.

This makes it critical that financial institutions have certainty over their ownership of such data which has become their intellectual property through the investment of labour and expertise into its development.

However where commercially created data is imputed or derived from personal data, there are important considerations in ensuring that such property isn’t derived for purposes which are inconsistent with the interests of customers.

While privacy law provides some protection of how personal information is used, there is no such restriction where derived or imputed data relies on meta-data which is not covered by the definition of personal information.

Third party meta-data

Over the past decade, advances in information technology have seen the automated collection of third party meta-data explode.

Financial institutions are on the cusp of being able to integrate this kind of data into the financial services ecosystem. This meta-data includes:

  • Health Data (exercise, diet, sleeping patterns)
  • Location Data (where you are, every minute of the day)
  • Social media preference and interest data
  • Search engine history data (what you want to know)
  • Calendar and contact information

The potential benefits to individuals of the prudent integration of such information are profound. So too is the possibility of exploitation.

This makes it so important that there is an appropriate duty of care on financial institutions as the controllers of meta-data.

Consent in the form of a click to accept the terms and conditions is not robust enough to regulate the approaching wave of meta-data sharing.

Data loyalty and prudence?

What might aligning the regulation of data use by financial institutions with public expectations look like?

There are existing legal principles which provide possible mechanisms for regulating the use of meta-data which is neither property nor personal information.

Contract, Negligence, Fiduciary Duty…

Agreement by consent and the formation of a contract between the financial institution and customer sounds good in theory, with both parties entering into the contract freely. This is the basis for most authorisation of data use by individuals.

It is however becoming increasingly clear that this is inadequate.

The real issue in the Cambridge Analytica scandal is not whether laws were broken; it is that such activities could occur with the consent of individuals.

Even where disclosure documents and contracts are extremely well drafted in simple, concise, and clear wording, the practical reality is that many individuals do not fully understand what they are agreeing to.

It’s therefore necessary to consider alternate approaches to regulating the use of data by financial institutions.

The common law tort of negligence places a duty of care on financial institutions where conduct falls below the standard that can reasonably be expected, causing damage to the individual.

A major drawback of relying on the law of negligence to regulate the ways in which financial institutions manage customer data is the ability of financial institutions to limit or exclude liability by way of contract, burying the exclusion in the fine print of disclosure which many customers will click through without reading or fully understanding.

It only takes a few institutions to exclude liability in this way to create uncertainty and undermine public trust.

The finance sector has a long history of relying on the archetypal fiduciary relationship, the trust, as a means of protecting the vulnerable and regulating the management of property in the best interests of others.

The trust relationship separates the legal and beneficial ownership of property. It was developed to deal with situations where one party is in a position of dependency and reliance on the other party.

It requires that the fiduciary adheres to principles of loyalty (managing conflicts of interest) and prudence (adopting an appropriate standard of care).

On face value, such a relationship has appeal as a means of regulating the use of other people’s data by financial institutions.

However, a fiduciary duty in general law is problematic (or impossible) where property rights don’t exist.

Furthermore, the fiduciary relationship can be shaped by the express terms of the trust agreed between the parties, so the same problems which arise in contract and negligence can recur.

The flexible nature of private law (or self regulation) leaves statutory reform as the only realistic alternative if financial institutions are to maintain trust in the long term management of other people’s data.

While unconventional, legislating an inalienable beneficial right to our “own data”, where it records our behaviour and activities, should be considered.

Such an approach would ensure that where data were held by an institution, it would have to be managed in the best interests of the individual.

It may provide an innovative approach to giving institutions the legal certainty required to own and manage data while ensuring that this property is managed in the best interests of the individuals it relates to.

This right could include giving individuals the power to transfer or license the legal right of ownership between financial institutions and themselves.

It would also enable a financial value to be placed on data, and could see consumers deriving financial benefits from licensing data to third parties.

A cross-industry prudential standard issued by APRA on Information Ownership and Use could provide the principles-based mechanism for achieving this.

Rebuilding trust

If we hope to avoid a future Royal Commission into the misuse of data by financial institutions, it is an imperative that trust is entrenched in the management of both money and data, and that both are managed in the best interests of individuals.

The public trust and social licence which can come from general regulation of the use of customer and member data is an opportunity which financial institutions should embrace and actively pursue.

Jonathan Steffanoni is a lawyer with expertise in superannuation, investments, and financial services. Partner at QMV Legal. Fellow of ASFA.