Privacy Law and Policy Reporter
This is a very preliminary survey of privacy provisions in the Telecommunications Act 1997, which replaced the 1991 Act on 1 July. At time of writing, it had just come into effect, so there is no information available as to how it will work in practice. There is plenty of scope for others to put forward interpretations of the privacy provisions that are at variance with those expressed here.
The 1991 and 1997 Acts have an important privacy characteristic in common: both prescribe privacy standards for private sector organisations. The provisions in both Acts relating to the ‘protection of communications’ make one of the Information Privacy Principles from the Privacy Act 1988 binding on telecommunications carriers and service providers, whether they are private or public sector organisations. Given the Federal Government’s decision not to proceed with legislation placing privacy requirements on the private sector, this is a significant example of the Federal Government setting privacy standards across an industry sector.
In fact, as a general proposition, it seems that privacy interests and concerns have received better treatment than one might expect in a piece of legislation that places great weight on self-regulation and the non-imposition of regulatory burdens. The new Act goes further in protecting privacy and providing mechanisms for accountability than did the 1991 Act. In particular it:
All this is quite a contrast with the 1991 Act in which the word privacy does not occur, and in which there is certainly no role for the Privacy Commissioner.
Part 13 of the new Act is called Protection of Communications. Broadly speaking it:
This Part replaces a single section in the 1991 Act and while it may be a crude measure, the provisions under this heading take 30 pages in the new Act, whereas in the 1991 Act they took a little over six pages. And what is there that is new that takes up all this extra space? The basic answer is that more aspects of Privacy Principle 11 (limitations on disclosure of personal information) are covered in the new Act than in the 1991 one.
Some background may be helpful here. When Telecom operated as a government agency, it was in the ordinary course of events subject to the Privacy Act 1988. This was deemed to be no longer appropriate from 1992 when network competition was allowed in telecommunications and the continuation of that arrangement would have meant that Telecom was subject to a regulatory regime while its competitors were not. The ‘level playing field’ that was set up was to make all telecommunications carriers’ employees subject to the same level of privacy protection: a prohibition on the disclosure or use of the contents of substance of a communication unless it was for a specified exemption. A subsequent amendment extended this regime to service providers and their employees.
New provisions in this Part include:
As with the earlier Act, penalties for breaches of these provisions are up to two years’ imprisonment. As far as this writer knows, there has been no use made of the offence provisions at all. The former Privacy Commissioner made the point that these sanctions are unrealistic and that a system of fines might lead to more effective deterrence. This view has not prevailed.
Large databases are always of interest to people who pay attention to privacy implications, and this new legislation provides for a very large database indeed: the Integrated Public Number Database (IPND), which is in effect an expansion of Telstra’s existing directories database to include customer information for all public numbers held. Public numbers are for practical purposes standard fixed phone numbers and mobile phone numbers.
The basic idea behind this is to preserve a single source of directory information notwithstanding the multi-carrier environment. It would be a pain if, to find out a number of a friend or business, you had to ring the directory assistance number of each carriage service provider who might be providing that person’s service. So all carriage service providers must, once the IPND is under way, contribute their customers’ information so that the IPND is comprehensive. The provisions about the IPND are a bit inconspicuous in the Act: Pt 4 of Sched 2, up the back of this huge piece of legislation. The details come in a piece of subordinate legislation: Carrier Licence Conditions (Telstra Corporation Ltd) Declaration No. 1 of 1997.
A myriad of questions about this come immediately to mind, both from a privacy and a competition perspective. Those carriage service providers who have taken these provisions in are incredulous and say things like ‘my customer list — I’ve got to give that to Telstra? They have to be kidding. Who can I complain to?’ However, the IPND provisions have been there through successive drafts of the legislation, so complaining is a limited option at this stage.
The privacy concerns are a bit different: what information goes into this database? Who has access to it? For what purposes? On what terms? What about silent numbers?
The information that goes into the IPND for each public number of a customer of each carriage service provider is:
(a) the public number;
(b) the name of the customer; and
(c) the address of the customer; and
(d) the service location, if practicable; and
(e) the name of the carriage service provider ... ; and
(f) whether the phone is for government, business or private use.
There is also a provision that the ACA can require other information to be provided.
Who has access? Carriage service providers have access to the information about their own customers. They also have access for the purposes of providing directory assistance and operator services, and also of assisting emergency services, law enforcement and national security. Law enforcement, emergency service organisations and national security will also have direct access, but only according to the provisions of Pt 13 of the Act as described above. In particular s 285 deals with access to the IPND as an exemption to the general prohibition on disclosing information about customers and their communications. As was mentioned above, the operator of this database (Telstra initially, but there is provision for the telecommunications industry to decide to manage the function differently) is subject to the provisions of confidentiality in the same way as other telecommunications organisations and employees.
The arrangements allow for unlisted numbers to be protected to the extent they currently are. The database is to include unlisted numbers, but to indicate that they are unlisted. Section 285 says the exemption to the prohibition on release of information to other carriage service providers does not apply to unlisted numbers. An interesting provision in s 285 discourages the production of ‘reverse directories’, that is directories which can search by address or number. Access to the IPND for the purposes of publishing or maintaining a public directory is permitted ‘where the directory does not enable a person who only knows a customer’s number to readily identify the customer’s name and/or address’. The effect on those companies currently producing reverse directories on the basis of published directories remains to be seen (see also the article on the IPND by Holly Raiche in this issue, p 113).
The new telecommunications framework places considerable emphasis on industry codes as a major mechanism of self-regulation. It is envisaged that codes will be developed by bodies and associations that represent sections of the telecommunications industry, that they would be voluntary, but that they would be credible and respected because they were developed with broad consensus. There are public interest provisions. Where codes fail or there is a need for a code but none is developed, there is scope for ACA to make an industry standard, compliance with which is mandatory (Pt 6 of the Act).
Section 113 of the Act contains examples of matters that may be dealt with by industry codes and standards, including customer information, handling of customer complaints, debt collection practices etc. One set of examples relates to privacy. Subsection 113(3)(f) contains the following examples of possible privacy codes:
(i) the protection of personal information; and
(ii) the intrusive use of telecommunications by carriers or service providers; and
(iii) the monitoring or recording of communications; and
(iv) calling number display; and
(v) the provision of directory products and services.
Where the ACA is determining an industry standard that deals with privacy, it must consult the Privacy Commissioner.
Despite the newness of codes, significant moves have already taken place. Even before the new Act came into force, an industry working group had produced guidelines on how codes should be developed which were well received. The priority to be given to privacy matters among the many proposals for code development is not yet known; some work to set the scope of privacy codes has been done.
As noted, there are a number of areas where significant accommodation to privacy considerations has been made in the new Telecommunications Act. Certainly there has been acceptance that the information held by telecommunications organisation can be of considerable sensitivity and that there ought to be rules and standards. There are also areas where it may be felt that insufficient attention has been paid.
In February of this year, when a Senate Committee was considering the package of telecommunications bills, the acting Privacy Commissioner was critical of some policy decisions and had some suggestions for amendments to take better account of privacy considerations.
For example, he criticised the nature of the exemption from disclosure prohibitions for law enforcement. Under the 1991 Act, law enforcement agencies seeking telecommunications information had to produce information to back up their request so that the carrier or service provider could be sure that the assistance sought was ‘reasonably necessary’. So, for example, the police force would say what offence was being investigated. Neither the police nor the carriers were particularly happy about this. The police did not want to provide information about their investigations and the carriers did not want to exercise a discretion that was outside their core business. The solution has been to put in a provision that allows the law enforcement agency to certify that the assistance asked for is reasonably necessary, so that the carrier or service provider does not have to exercise the judgment, but to expect that certification to be — in rank terms — fairly high within the police organisation. The position of the Privacy Commissioner was that the judgment should continue to be exercised by the record keeper.
Another example relates to the area of emergency services. For some years now, it has been the practice of Telstra, as required by a licence condition, to make available location information for calls to 000 from fixed network phones. Although emergency service organisations vary in their ability to receive and handle this information, it is valued as a backup to what they are told by the caller and also in those circumstances where the caller is unable to give location information. The new legislation envisages that the information made available to emergency service organisations be expanded to include the name of the lessee of the service from which the call is being made. The acting Privacy Commissioner was critical of this provision, as were some other groups including the Consumer Telecommunications Network. It remained, although there are not immediate plans for its implementation.
Those are both quite specific examples where there is room for various opinions about how to balance the interests. Within the legislative framework, it seems that more comprehensive attention has been paid to privacy considerations than was the case in the earlier Act. Does this meet privacy concerns? Perhaps not, because legislation necessarily lags behind technology, and the technology is increasingly putting rich information about people’s communications (broadly defined) into the hands of people, organisations and systems not effectively regulated by the Telecommunications Act 1997. What about the information held on your organisation’s telecommunications equipment, by the manager of the email, or on the voicemail system? However, for the technology encompassed by this new Act, that is, what goes on in the public networks, there appears to have been pretty reasonable accommodation given to privacy concerns.
Frances Wood, Law Enforcement and Emergency Services Liaison, Australian Communications Authority.