Privacy Law and Policy Reporter
The new telecommunications legislative package, tabled in the House of Representatives on 5 December 1996, is a mixed bag in privacy protection terms. Some of the privacy issues identified in the Exposure Draft telecommunications legislative package have been addressed in the Bills (see <3 PLPR 53>). Others remain.
Specifically, the Australian Communications Authority (ACA) must make a determination covering all carriers, carriage service providers and `emergency service persons' and, in making that Determination, have regard to the objective that calls to emergency services should, as far as practicable, provide the emergency service person with that information (cl 255(2)(b)).
Yet the same clause also requires that such Determination is consistent with Privacy Principle 11 (cl 255(2)(e)). The absolute contradiction between the two requirements shows a worrying lack of understanding of the Privacy Principles.
As was pointed out in earlier comments on the Exposure Draft, some years ago the Privacy Commissioner made a very specific determination that the only caller information which should be passed on to emergency services is the caller's number and address -- not the subscriber's name. As the Privacy Commissioner found at the time, the identity of the subscriber is in no way relevant or necessary to emergency services when responding to calls.
Also a plus, before registering any industry Code covering privacy, the ACA must be satisfied that the Privacy Commissioner has been consulted about the development of the Code (cl 115(1)(i)).
Presumably, industry Codes will include processes for handling complaints about Code violations (as happens under the Broadcasting Services Act). The ACA also has power to receive and investigate complaints about breaches of the Codes.
Once satisfied about a Code has been breached, the ACA may issue directions requiring compliance with the Code and failure to comply attracts `civil penalty provisions' (cl 119). The ACA may also issue a formal warning for breach of a Code, although the implications of issuing such warning are not spelled out (cl 120).
If industry has not developed a Code covering privacy, or if the ACA is satisfied that the Code either is not operating to provide adequate community safeguards on the issue or is not adequately regulating industry participants, the ACA can also issue a standard.
Again, the Privacy Commissioner must be consulted before any standard on privacy is determined by the ACA (cl 131(2)). And again, the penalty for failure to comply with a standard is a direction attracting civil penalty provisions or a formal warning (cls 125 and 126).
The Bill's system of industry Codes and Standards can work to protect privacy. The effectiveness of this structure will depend, however, on the strength and comprehensiveness of the Code itself, the willingness and ability of the ACA or other relevant bodies to handle complaints about privacy Code breaches, the effectiveness of the civil penalty provisions as a deterrent to Code breaches and the ACA's commitment to privacy protection.
The Part begins with the general prohibitions on the disclosure or use of information by an `eligible person' where that information was gained through that person's business or employment related to carriage service. The information includes any content or substance of communication that has been carried or received by a carrier or carriage service provider or the affairs or personal particulars (including any unlisted telephone number or any address of another person (cl 262).
The specific addition of a person's address is new and welcome. It reflects the current practice of Telstra directory assistance services to provide only a subscriber's telephone number, not their address.
Another welcome addition is in the expansion of coverage for a prohibition on information disclosure.
Under the s 88 of the Telecommunications Act 1991 (Cth), the prohibitions on disclosure of information relate to carrier employees, service providers and service provider employees -- but not to carriers.
Because carriers must exchange information on customers' numbers, addresses and calls for billing purposes, carriers are not included in the general prohibition, although licence conditions on carriers require them to comply with privacy principles in exchanging customer information. The worry has been that the omission of carriers from the prohibition did not extend to the ways in which carriers themselves used their own customer information.
The definition of `eligible person' in the Bill (cl 259) now specifically includes carriers and carriage service providers, thus extending the current prohibition on information disclosure to include not only carrier employees but the carriers and carriage service providers themselves.
That's the good news. Part 13 also includes some bad news: wide exceptions to the basic prohibition on disclosure of information.
Clause 267(2) potentially creates a very wide exemption from the disclosure provisions for people disclosing information or documents (however obtained) if it is reasonably necessary for the enforcement of a law imposing a pecuniary penalty or for the protection of public revenue. The subclause has no restrictions on who the information or documents are given to.
The rest of the clause appears to confine that exemption to situations where a senior officer of a criminal law-enforcement agency or of a civil penalty-enforcement agency have certified that disclosure is, in fact, reasonably necessary for those purposes. However, the wording of the Bill is unclear and should be clarified.
The disclosure prohibition also does not hold if the disclosure is made to a member of the ACA staff and the information may assist the ACA to carry out its functions (cl 269(1)). The breadth of ACA's functions make this exemption unjustifiably wide. Similar provisions apply when the disclosure is to the ACCC and the TIO (cls 269(2) and (3)).
The exemption for calls to emergency numbers is also unnecessarily wide. Under this exemption, knowledge or information which comes into a person's possession because someone has called emergency services (the information can include the subscriber's name, number, address, and matters raised by the call) can be made to the police, fire service, ambulance service or emergency services person for purposes `dealing with the matter(s) raised by the call (cl 271).
Another exemption is allowed if `having regard to all the circumstances it might be reasonably expected that the sender and recipient of the communication would have consented to the disclosure' (cl 275). One asks who is deciding what might be reasonably expected, and what are the limits on `all the circumstances'. Nothing in the Privacy Principles would extend to that level of disclosure.
Happily, Pt 13 does require records be maintained of disclosures of information (cls 290 and 291) and also gives the Privacy Commissioner the specific function of monitoring compliance with the Part's provisions.
The final exclusion from the prohibition on disclosure arises because of its extension to `eligible persons' which, as discussed above, include carriers and carriage service providers and the employees of both. Providers of what are, essentially, private networks are not covered, because of the way carriers and carriage service providers are defined.
The Bill's definition of, in essence, private networks largely relates to communication among Commonwealth departments and agencies, which are already covered by the Privacy Act provisions. Private networks can also, however, include, state departments and agencies and bodies corporate established under Corporations Law, where privacy protection is not guaranteed.
Carriers and service providers can also be directed by the ACA to consult with an advisory committee about the development and use of new technologies for their networks. The consultation can include bodies such as a state or territory policy force, the Australian Federal Policy, state anti-corruption bodies and ASIO (cl 314-5).
The ACA may obtain information and documents not only from carriers and services providers but from anyone the ACA has reason to believe has information relevant to the performance of any of the ACA's powers and functions, and under the Act, the person is required to produce that information (cl 505-6).
More alarming, an individual is not excused from complying with a direction to produce documents or give evidence because to do so might incriminate the individual or expose the individual to a penalty. However, the evidence or documents may not be used in evidence against the individual in a criminal matter or one involving a pecuniary penalty (cl 508).
Given the potential seriousness of this power, it should either be confined very strictly to apply only in very serious, emergency situations, or obtaining such information should only occur through normal judicial processes.
Hopefully, part of the Committee's work will include recommendations to tighten the privacy provisions of the Bill. In the final analysis, the Government's initiatives to extend privacy protection to the private sector may prove the better safeguard.
Holly Raiche, Communications Consultant.