In today's digital age, electronic ordering has become increasingly popular, offering convenience and efficiency to both customers and restaurants. However, the growing reliance on mobile apps and QR code ordering has raised concerns about the collection and use of personal data. The Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong recently conducted investigations on various restaurants providing electronic ordering services.

The PCPD recently visited 60 local restaurants, including 10 that provide mobile app ordering, to assess the privacy risks associated with electronic ordering. The investigations focused on data collection practices, the purpose and method of collecting personal data, privacy settings and policies, and alternative non-electronic ordering methods.

Findings in the Report

The report reveals that of the 60 local restaurants visited during the investigation period, all 10 restaurants providing mobile app ordering and all 50 restaurants offering QR code ordering also provided non-electronic ordering methods. This ensures that customers have the option to order food without handing over personal data. However, four restaurants collecting personal data through QR code ordering were found to lack a proper data collection statement explaining the purpose and use of the data collected.


Additionally, four out of the ten restaurants offering mobile app ordering required customers to register an account, collecting personal information such as name, phone number, and email address. These restaurants justified the collection of data for purposes beyond dine-in ordering, such as takeaway delivery services and member discounts.


According to the personal data collection statements of the 10 reviewed restaurants that provide mobile app ordering services, the collection of personal data allows them to track customer activities within the mobile app, including data such as cookies, device information, transaction records, location data, preferences and behaviors, activity logs, and purchase history.

Some restaurants state in their data collection statements that they intend to use customer personal data for direct marketing purposes. Nine out of the ten restaurants provide an option during customer registration to choose whether to consent to receiving promotional messages or marketing information, and seven of them have this option pre-selected as consent. In total, 80% of the restaurants reviewed default to customer consent for the use of their personal data in direct marketing. The Privacy Commissioner's Office has initiated investigations into these restaurants.


How ISO 27701 Certification, PIA, and SRAA Services Can Help

ISO 27701 Certification:

ISO 27701 is a privacy extension to the internationally recognized ISO 27001 Information Security Management System (ISMS) standard. This certification demonstrates a restaurant's commitment to protecting personal data and complying with privacy regulations. By implementing ISO 27701, restaurants can establish robust privacy management systems, conduct regular risk assessments, and ensure compliance with relevant privacy laws.


Privacy Impact Assessments (PIA):

A PIA is a systematic evaluation of the potential privacy risks associated with the collection, use, and disclosure of personal data. Conducting a PIA helps restaurants identify and mitigate privacy risks before implementing new electronic ordering systems. By conducting PIAs, restaurants can ensure that privacy considerations are embedded in the design and operation of their electronic ordering services.


Security Risk Assessments and Audit (SRAA):

SRAA services assess the security posture of an organization's IT infrastructure and identify potential vulnerabilities in it. By conducting an SRAA, restaurants and app service providers can proactively identify security risks and implement appropriate controls to protect customer data. This includes measures to prevent unauthorized access, secure data in transmission, and ensure data integrity.

The investigations conducted by the PCPD have shed light on the compliance risks associated with electronic food ordering at restaurants. To address these risks, restaurant operators and their associated app service providers should consider obtaining ISO 27701 certification, conducting PIAs, and engaging SRAA services. These measures can help organizations establish a strong privacy management framework, identify and mitigate risks, and build trust with customers by demonstrating their commitment to protecting personal data. By prioritizing privacy and compliance, restaurants can ensure a seamless and secure electronic ordering experience for their customers.

Author
Blog Author of DQS HK