Privacy Law and Policy Reporter
Warwick Smith, Telecommunications Industry Ombudsman
The following is an edited version of the speech, ' Privacy in the Telecommunications Industry - A TIO Perspective' delivered by the Telecommunications Industry Ombudsman, Warwick Smith, to the IIR Conference on Information Privacy in the Public Sector, 24 April 1995. In his speech the Ombudsman surveys current developments in telecommunications privacy including amendments to telecommunication interception laws, privacy impact statements, audit trails, service providers, a code for phone 'churning' , and the mechanisms for dealing with privacy issues within the telecommunications industry.
The jurisdiction of the TIO scheme covers 'interference with the privacy of an individual in terms of non-compliance with the Information Privacy Principles contained in s 14 of the Privacy Act 1988 or any industry specific privacy standards which may apply from time-to-time.'
As I pointed out in the first Annual Report of the Telecommunications Industry Ombudsman's Scheme released late last year, the level of complaints relating to individual privacy way surpassed our earlier expectations. Almost 10 per cent of our total complaints related to nuisance calls, telemarketing calls, silent line invasion and third-party access to billing data.
During the course of 1994, our office established Voice Monitoring Guidelines for Telecom to which Optus and Vodafone also committed. This was done after consultation with the Federal Privacy Commissioner and the Law Council of Australia.
Also recommended in the process was the establishment of an Independent External Privacy Audit Unit for Telecom and this has now been established. The unit is chaired by Janine Haines.
The main features of the guidelines are:
The broad acceptance of the guidelines by industry and by government is reflected in the Telecommunications (Interception) Amendment Bill which I will discuss shortly. The guidelines have been accepted by government and will, I understand, form the basis of a code being developed for possible inclusion in the Telecommunications Act.
This has been a quantum leap in the embrace of privacy issues within the industry and is a good example of a co-regulatory approach which I see in the fast-moving telecommunications industry as the most appropriate way to go forward.
Another milestone was the final acceptance of aspects by the Federal Government in its response to the December 1990 report of AUSTEL on Telecommunications Privacy. That report recommended that a Telecommunications Privacy Advisory Committee be established to develop appropriate standards for the protection of privacy. This was undertaken and the Committee has now been established within AUSTEL. The TIO sits on that Committee.
The early work of the Privacy Advisory Committee has focused on the development of an approach to the maintenance of silent lines and a draft has gone to the Minister prior to being considered by the AUSTEL Board. Considerable telemarketing work has also been undertaken in the compilation of a report which is due shortly. This has had the advantage of actively involving the Australian Direct Marketing Association (ADMA) in the development of an industry-wide approach.
The question of caller ID and the Calling Number Display Trial at Wauchope in NSW is yet to be fully considered. It is clear that that trial can be seen in part as a 'privacy impact' exercise. This is something that I have previously advocated and such an exercise has been undertaken in the US. It would be far more appropriate to question the impact on personal privacy of new technologies prior to their introduction. The US process is an example I believe should be followed in this country.
The convergence of telecommunications and information technology has the capacity to lay bare the very democratic principles on which our nation is founded. It has certainly been a revelation to me following a decade in public life, that the pervasiveness of information gathering and dissemination has extended as far as it has. It is time to take stock. It is time to weigh the necessary balance between access and protection in this 'knowledge era' that is now on us.
When one tries to define privacy it is not an easy undertaking. It is clear that Australians do value privacy and they expect their rights to privacy to be recognised and protected. While we seek to find a balance between the protection of individual privacy and collective community privacy and the development of new technologies, we must be careful that there is not an over-reaction against the development of new technologies.
The benefits that can flow to regional and remote communities from the development of health communications networks, and the delivery of education services to urban, regional and remote educational establishments, are such that they should be pursued with vigour.
I am one who believes the technology, information and computing capacities need to be harnessed for the benefit of the overall community, and while I have the highest regard for and believe the greatest support should be afforded to the privacy principles as enunciated both in the Privacy Act and in the Australian Privacy Charter, I would not like that to act as a barrier to the enrichment of the lives of ordinary people.
There is thus a great responsibility of the providers of telecommunications services to commit themselves to the meaningful co-regulatory approach to privacy regimes. In my view, based on nearly two years as Ombudsman, I believe that the carriers have taken steps in a positive direction to this end.
There are still, however, matters for concern. The recent decision by the Director of Public Prosecutions (DPP) not to proceed with a prosecution, following an Australian Federal Police (AFP) investigation into voice monitoring issues, raises questions which have already been canvassed elsewhere and are not appropriate for me to discuss. However, and I quote from the DPP's decision in the matter of Bray in that he was unable to proceed on the basis that:
as a result of legislative changes made in 1991, Telecom employees are no longer officers of the Commonwealth for the purposes of the Crimes Act 1914. It follows that charges are not available under the Crimes Act. I am not aware of any other legislation under which charges could be brought. In the circumstances, I have not considered whether there would be a proper basis for charges in this matter if the Crimes Act did apply.
This begs the question that had the Act covered the employees, would there have been, on the evidence, a breach? I have been asked to inquire as to whether or not there has been a breach of internal privacy arrangements by Telecom and have conducted interviews with Telecom employees. I am yet to conclude that inquiry.
The recent discussions about the amendments to the Telecommunications (Interception) Amendment Bill focused on the alleged breach of the Act by Telecom employees. It was found by the DPP following an AFP investigation, that no breach had, in fact, occurred. However a greater focus on the Act was deemed necessary by the government and myself as the Ombudsman. My conclusion was that an objective standard needs to be applied to ascertain whether or not an employee acted in accord with a set of pre-determined criteria, that is, the existing Voice Monitoring Guidelines.
This, in fact, was provided for in the proposed amendment and it remains to be seen what the final outcome will be.
It is clear that a higher hurdle needs to be erected over which carriers should be asked to jump prior to entering into voice monitoring, even if it be a process only for maintenance purposes.
The publicity stating that some 4.2 million telephone calls each year had been listened to without callers' knowledge has created concern in the community and clearly greater elaboration is required. A stricter regime is clearly in order via proposed amendments to the Act, which would take as their basis the Voice Monitoring Guidelines. The establishment of these guidelines is one of the major achievements on the TIO Scheme to date.
In preparing my comments to the Attorney-General's Department Security Division on the proposed amendments to the Telecommunications (Interception) Act, I focused on the following points. The amendment related to the authority of employees of carriers to intercept communications. It sought to strengthen the existing legislation by 'tightening' the circumstances in which carriers performing maintenance functions which involve interception and listening to voice or data traffic may apply for exemption. As we know this matter arose following allegations of a breach of the maintenance function by a carrier in Brisbane. This matter as I mentioned was the subject of an AFP Report and has now been dealt with by the Director of Public Prosecutions.
The real questions are what is the meaning of 'reasonably necessary' and how does one 'perform duties effectively'?
My view is that the proposed amendment would only add meaningful assistance to limit the exercise of the exemption given to carriers if some external explanation of proposed action is required. Where would the burden of proof lie for someone who might seek to obtain redress for an alleged breach of the section? The aggrieved party must prove that the carrier did not act 'reasonably' - a very difficult task.
The solution is to link the 'reasonableness' test plus the requirement that the employee must have acted in accordance with any code (industry, internal carrier or legislatively-endorsed code) applicable at the time of exercising the maintenance function from which a breach of the exemption may arise.
If that is included then the proposed amendment is an improvement and in my view should be supported. I hope the Senate will embrace this change which is now before it for consideration.
A community that relies increasingly on telecommunications services beyond the normal telephone system cannot tolerate, and ought not be asked to tolerate, anything other than the highest standards of those who provide those services with a commitment to a meaningful privacy regime.
As technology develops it will be increasingly important for the establishment of audit trails in cases where privacy has been breached or could be breached. In my view the audit trails in the telecommunications industry are not yet as good as they could be when compared against the Social Security system.
The development of personal safety is of great concern, particularly to women and to the elderly, and the premium placed on silent numbers is therefore something that will continue to increase.
Part of the difficulties that we face in the Ombudsman's Office are complaints about nuisance calls which are for many people both disruptive and distressing. A regime to better deal with these basic breaches of privacy is still required.
The whole question of 'stalking' legislation is also an issue. We have had, for example, complaints involving nuisance calls made from pay phones which obviously are not easy to resolve. When identified, a clear regime and early response to such difficulties needs to be developed. I am alarmed at the cases that I am asked to refer to the AFP for attention. Any delay in response time to ongoing situations is extremely difficult for individuals involved.
One of the other emerging issues within the Ombudsman's context is the privacy aspect of service providers as those service providers become more active in the marketplace. We are presently seeking to provide the opportunity for service providers to join the TIO Scheme. We have already received complaints of breach of privacy by people receiving calls from someone with prior knowledge of their change of carrier; that is, with access to details of 'churning'.
This has also been a concern for AUSTEL, who are in the process of developing and establishing (in conjunction with industry) a code to deal with the controversial issue of 'churning'. The Churn Code of Practice is certainly welcome.
However, one of the early parts of the proposal related to the establishment of a separate and distinct complaints regime to deal with individual complaints against 'churn' action. That would seem to me to be 'reinventing the wheel'.
Something that is required in the consumer complaints interface is the ability to define exactly where one should go in order to solve a problem. A complaints regime that has the capacity to address in an independent fashion any mischief that manifests itself in the marketplace is required.
The emergence of yet another complaints regime within one segment of the telecommunications industry would, in my view, be totally detrimental to the development of the TIO Scheme, to which government, consumers, and industry have already committed. I hope the proposal for a special 'churn' complaints regime does not see the light of day.
Clearly, the issue of privacy and the role it plays in telecommunications, the public policy response and market response, will be a matter of continuing discussion. The fact of convergence and emerging technological capacity means that many existing approaches will be challenged. Hence the obvious advantage of privacy impact statements being undertaken in advance of new technological introductions.
The interests of the maintenance of privacy are not well served in a confused environment - therefore it must be a commitment of all - not just to privacy per se in its widest context, but also to explaining to the broader community what is taking place, how it will impact on people, and to assuring people that positive outcomes, and not just base commercial interests, are being pursued. It will certainly be a challenging time for all.
Telecommunications Industry Ombudsman.