Customer Profiling and Privacy
Implications for the Finance Industry
Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of 24 May 1997

© Xamax Consultancy Pty Ltd, 1997

Invited Address to AIC Conference on Customer Profiling for Financial Services, 26-27 May, Sydney

This paper is at


Consumer profiling is a threatening technology, and is dependent for its raw material on the expropriation of personal data.

The public is demonstrating increasing concern about privacy threats, and this is resulting in increasing moves by policy-makers in government and parliaments to impose protections.

Application of consumer profiling by financial services organisations will attract considerable opprobrium. It needs to be undertaken very carefully indeed, within frameworks that reflect, and anticipate, increased privacy regulation by governments, and increased demonstration of privacy-sensitiveness on the part of competitors.




Dataveillance and Privacy

Privacy Law and Public Concerns

Privacy Threats in Profiling

Privacy Strategy




Customer profiling appears to be regarded by marketers as a mainstream technique. This paper examines it from the perspective of the consumer. It concludes that there are enormous dangers to consumers, that the public is increasingly aware of and concerned about those dangers, and that marketers who fail to appreciate the dangers will suffer.

The paper commences with reviews of the concepts of profiling, and of the nature and directions of privacy protection law, policy and practice. It identifies the privacy threats inherent in profiling, and suggests elements of a privacy strategy for organisations currently applying, and considering the application of, customer profiling.


The term 'profiling' is used in (at least) two ways:

This Conference appears to be concerned primarily with the second of the two techniques, and hence this paper focuses largely on that sense of the term.

'Personal Profiling' is capable of being applied in (at least) two ways by financial services organisations:

This paper addresses both of these applications of profiling.

Dataveillance and Privacy

Dataveillance is the systematic use of personal data systems in the investigation or monitoring of the actions or communications of one or more persons.

Personal dataveillance is the surveillance, through their data, of an identified person. In general, a specific reason exists for the investigation or monitoring. Mass dataveillance, on the other hand, is surveillance-through-data of groups of people, usually large groups. In general, the reason for investigation or monitoring is to identify individuals who belong to some particular class of interest to the surveillance organization.

Dataveillance involves replacing expensive monitoring of people, by less expensive monitoring of data about them. Decisions are therefore taken not about a person and their affairs (as once occurred when, for example, bank managers interviewed applicants), but about a 'digital persona', that is used as a substitute for the person Clarke 1994a).

Data surveillance is examined at length in Clarke (1988). A more populist rendition is to be found in Clarke (1994b).

Privacy is the interest that individuals have in sustaining a 'personal space', free from interference by other people and organisations. Privacy protection is most usefully seen as the process of finding appropriate balances between multiple competing interests.

Privacy has the following dimensions:

With the close coupling that has occurred between computing and communications during the last 15 years, the last two aspects have become closely linked, and are commonly referred to as 'information privacy'. Information privacy is the interest an individual has in controlling, or at least significantly influencing, the handling of data concerning him or herself. A starting-point to access the substantial literature on information privacy is

The international framework for privacy protection is provided by the OECD Guidelines and the OECD Data Protection Principles (1980). These reflect the expertise and the technologies of a quarter-century ago, and are in serious need of updating. A more modern set of principles is provided by the Australian Privacy Charter (1994).

Salient elements of privacy protective regimes include:

Privacy Law and Public Concerns

The present state of privacy law, policy and practice in Australia can be gauged by reference to this author's Current Awareness Service, and the Australasian Privacy Law & Policy Reporter.

Briefly, Australian governments have failed to fulfil the obligations the country entered into when it acceded to the OECD Guidelines well over a decade ago. The Privacy Act 1988 (valuably, but imperfectly) regulates most of the Commonwealth public sector, although not yet the companies to which government I.T. is outsourced.

Parts of the Commonwealth Privacy Act also apply to the private sector, specifically the credit reporting area, and Tax File Numbers. Otherwise, there is no coverage of the private sector.

There is virtually no coverage of State public sectors at all.

The flaws in the present regulatory framework are chronicled in Clarke (1997b).

The nature and extent of public concern about privacy-invasive practices is substantial. The primary sources of information are a series of surveys undertaken by the Privacy Commissioner in 1990-94 (PC 1995), and a recent survey, managed on behalf of MasterCard International by this author, reported on at (Clarke 1997a).

The current position is that many industry associations, large corporations and consultancy groups have joined with privacy advocacy groups in urging action by the Commonwealth and State Governments to substantially improve privacy protections. All parties are agreed that this should take the form of what the Liberal Party very reasonably described as 'co-regulation', i.e. corporate complaint-handling procedures, overlaid by industry association codes and procedures, and backed up by legsilative sanctions.

Recent developments in the privacy arena during the months preceding the writing of this paper have included:

Privacy Threats in Profiling

Abstract profiling involves a search for suspects, and is hence a form of mass dataveillance. The construction and use of personal profiles is, on the other hand, an exercise in personal dataveillance.

There are two levels at which concerns arise:

Exhibit 1: Real and Potential Dangers of Mass Dataveillance

From: Clarke (1988), p.505

To The Individual

To Society

Specific threats of profiling include:

To consider profiling in isolation, however, would be to rather miss the point. Profiling is just one of a rather large set of inherently privacy-invasive technologies and practices that corporations and government agencies are seeking to impose on people, largely furtively.

Important examples of related privacy-invasive technologies and practices include:

The combined effect of profiling with these other technologies and practices, is the encouragement of yet more data collection and data-trading. Further information about the large numbers of existing and emergent data trails detailing people's lives is provided in Clarke (1996).

A current example of the 'push' for even greater 'data intensity' in the relationships between consumers and financial services organisations is the intense lobbying being undertaken by the Credit Reference Association of Australia (CRAA) and some of its clients, for so-called 'positive credit reporting'.

The present credit reporting arrangements in Australia are a combination of 'negative reporting' (of such matters as skips, late payers and bankruptcies), supplemented by a trail of all lending organisations that have sought information from the shared database. CRAA argues that all consumer indebtedness should be stored centrally, and made available to every potential lender. The privacy interest is in denial of the creation of any such centralised, or at least logically centralised, register of sensitive personal data, which would be at the mercy of not only financial services organisations, but also all manner of other organisations and individuals.

Privacy Strategy

The privacy-invasiveness of corporations and government agencies has been increasing in leaps and bounds. In parallel with that, public concern has grown enormously, and so has the professionalism, persuaveness and impact of privacy advocacy groups.

Privacy has become an important strategic factor for consumer marketing organisations and government agencies alike. A comprehensive examination of the matter is provided in Clarke (1996). That paper proposes that corporate privacy strategy is essential for any organisation that deals in personal data, and that each organisation's strategy should be based on the following principles:


Consumer profiling is flying in the teeth of the gale of public concern about privacy-invasive practices, and snowballing efforts by advocates and policy-makers to impose regulation on private sector use of personal data.

Organisations applying, and considering the application of, consumer profiling techniques need to seriously consider the nature of their relationships with their customers, and adopt a strategic stance concerning customer privacy.


Australasian Privacy Law & Policy Reporter (1994-), at


ACTG (1997) 'Health Records: Privacy and Access' A.C.T. Government, May 1997

Australian Privacy Charter (1994), at

Carnell K. (1997) 'ACT to Legislate Access to Personal Health Records', Press Release from the A.C.T. Chief Minister, Treasurer and Minister for Health and Community Care, Canberra, 19 May 1997, at

Clarke R. (1988) 'Information Technology and Dataveillance', Commun. ACM 31,5 (May 1988). Republished in C. Dunlop and R. Kling (Eds.), 'Controversies in Computing', Academic Press, 1991, at

Clarke R. (1993) 'Profiling: A Hidden Challenge to the Regulation of Data Surveillance', Journal of Law and Information Science 4,2 (December 1993), at . A shorter version was published as 'Profiling and Its Privacy Implications' Australasian Privacy Law & Policy Reporter 1,6 (November 1994), at

Clarke R.A. (1994a) 'The Digital Persona and Its Application to Data Surveillance' The Information Society 10,2 (June 1994), at

Clarke R. (1994b), 'Dataveillance: Delivering '1984', in Green L. & Guinery R. (Eds.), 'Framing Technology: Society, Choice and Change', Allen & Unwin, Sydney, 1994, at

Clarke R. (1995) 'Trails in the Sand', at

Clarke R. (1996) 'Privacy and Dataveillance, and Organisational Strategy', at

Clarke R. (1997a) 'What Do People Really Think? MasterCard's Survey of the Australian Public's Attitudes to Privacy', Privacy Law & Policy Report 3,9 (January 1997), at

Clarke R. (1997b) 'Flaws in the Glass; Gashes in the Fabric', Invited Address to Symposium on 'The New Privacy Laws', Sydney, 19 February 1997 , at

Clarke R. (1997c) 'Privacy and 'Public Registers'', Proc. IIR Conference on Data Protection and Privacy, Sydney, 12-13 May 1997, at

Dixon T. (1997) 'Privacy laws: why they're a must for the public good', Opinion Piece, The Sydney Morning Herald, Tuesday April 29, 1997, p.19, at

Larsen E. (1992) 'The Naked Consumer: How Our Private Lives Become Public Commodities' Henry Holt and Company, New York, 1992

Novek E., Sinha N. & Gandy O. (1990) 'The Value of Your Name' Media, Culture & Society, 12 (1990) 525-543

OECD (1980) 'The OECD Data Protection Principles', Organisation for Economic Cooperation and Development, Paris, 1980, at

PC (1995) 'Community Attitudes to Privacy', Information Paper No. 3, Privacy Commissioner, Human Rights Australia, Sydney, August 1995

QP (1997) 'Privacy in Queensland', Legal, Constitutional and Administrative Review Committee, Issues Paper No. 2, May 1997


Privacy Act 1988 (Clth), at

Privacy Amendment Act 1990 (Cth) (re credit reporting), at


Go to Roger's Home Page.

Go to the contents-page for this segment.

Send an email to Roger

Created: 20 May 1997

Last Amended: 24 May 1997

These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).
The Australian National University
Visiting Fellow, Faculty of
Engineering and Information Technology,
Information Sciences Building Room 211
Xamax Consultancy Pty Ltd, ACN: 002 360 456
78 Sidaway St
Chapman ACT 2611 AUSTRALIA
Tel: +61 6 288 6916 Fax: +61 6 288 1472