Privacy Law and Policy Reporter
This report by the Office on the New Zealand Privacy Commissioner, is the New Zealand Report to the 23rd Meeting of the International Working Group on Data Protection in Telecommunications, to be held in Hong Kong on 14 April 1998 (General Editor).
New Zealand’s information privacy law is the Privacy Act 1993 (the Act). The Act is based upon the OECD guidelines and came into force on 1 July 1993.
The Act applies 12 information privacy principles to all ‘personal information’ in whatever form it is held. The Act covers all ‘agencies’ unless they are specifically exempted. There are only a few exceptions such as the news media in their news activities, the courts in their judicial capacity and members of Parliament in their official capacities. There is no exception for telecommunications agencies. Accordingly, the Act has broad coverage across practically the entire public and private sectors.
The Privacy Commissioner appointed under the Act has a wide range of functions including to receive and investigate complaints of breaches of the information privacy principles. If a complaint appears justified, and a settlement cannot be reached, it can be referred to the Complaints Review Tribunal. While the Commissioner uses his or her best endeavours to get parties to settle complaints the Tribunal can award damages and issue enforceable orders.
One of the powers of the Commissioner is to issue codes of practice which can modify the information privacy principles. Before issuing a code of practice the Commissioner is obliged to consult widely with affected persons. Once issued, a code is enforceable in the same way as the principles themselves. As mentioned below, a code is in contemplation in relation to telecommunications.
The telephone system in NZ was originally established, owned and operated by the Post Office. From 1986 the public sector underwent radical restructuring. The Post Office was transformed from a traditional Government department into three state-owned trading corporations operating the telephone system (Telecom), the postal service and a savings bank. Subsequently the savings bank and Telecom were privatised.
The Telecommunications Act 1987 opened the way for others to enter the telecommunications industry. There are now a number of competing telecom-munications companies all on the same legal footing. Each is a private sector operator subject to both the Telecom-munications Act and, in respect of data protection, the Privacy Act.
The Ministry of Commerce administers the Telecommunications Act. Avoiding detailed regulation of the industry, the approach has been to allow competition issues to be resolved through the common law, Fair Trading Act 1986 and Commerce Act 1986. As part of its responsibilities the Ministry commissioned a report in 1992 entitled Telecommunications and Privacy Issues. Although preceding the Privacy Act (and therefore less useful now) it does discuss many of the key issues, relevant statutes and approaches in other jurisdictions.
The interception of telecommunications is generally governed under the Crimes Act 1961, New Zealand Security Intelligence Act 1969, Misuse of Drugs Amendment Act 1978 and the International Terrorism (Emergency Powers) Act 1987. The Radiocommuni-cations Act 1989 has some relevance to cellular telecommunications.
The following surveys some notable telecommunications privacy issues in NZ between August 1995 and January 1997.
The collection, holding, use and disclosure of personal information, and the assigning of unique identifiers, has been subject to the information privacy principles in the Privacy Act since July 1993. From the outset people within and outside the telecommunications industry have thought that there may be merit in a code of practice. A code may modify the standards imposed by the information privacy principles or state how the principles are to be complied with. While a code may be desirable, it has not been seen as essential, and telecommunications companies have got by for four years with the direct application of the principles.
For several years, a working group of Telecom, BellSouth and Clear Communications worked on a draft code of practice. Some limited discussions were held with the Privacy Commissioner. In February 1997 the working group presented their draft code to the Privacy Commissioner. They requested that the Privacy Commissioner consider their draft code for possible issue under the Privacy Act.
Neither that code, nor any other code applying to the telecommunications industry, has yet been issued. The draft code received by the Commissioner represents the views of the three telecommunications companies. It may, or may not, be similar to any code that the Privacy Commissioner may eventually issue. The Commissioner publicly announced his intention to accept comment on the telecommunications companies’ draft code but has not taken formal statutory steps to formally initiate the process for issuing a code. Other priorities have precluded any further significant work on the code proposal to date.
A 1978 amendment to the Crimes Act made it a crime to intercept private communications by use of a listening device. The NZ Security Intelligence Service can obtain authority to intercept private communications pursuant to a Ministerial warrant. However, most interception of private communications occurs in the context of investigating, and enforcing, the criminal laws and rely upon judicial warrants.
The police may obtain an interception warrant from a High Court judge to intercept private communications pursuant to provisions in the Crimes Act or Misuse of Drugs Act. In addition to the requirement for judicial authority there are a variety of safeguards including, for instance:
In 1997 the powers to intercept private communications were significantly extended by the Harassment and Criminal Associations Bill. The Privacy Commissioner examined that Bill and made a variety of recommendations. A copy of the Commissioner’s report is separately circulated.
There is a point of interaction between the laws governing radiocommunications and telecommunications in relation to interception of cellular telephone calls. NZ has a law prohibiting the disclosure by a person of the contents of a radiocommunication not intended for that person. The law is being reformed and strengthened. The Commissioner’s report on the proposed measure is separately circulated.
A telephone analyser is a device that can be attached to a telephone line and enables the recording of data generated as a result of telecommunications made using the line. The data recorded, such as the number called or the number of an incoming call and the time and duration of the call, does not include the content of the communications. It is a surveillance technology raising significant privacy concerns.
The NZ Police have been using telephone analysers for a number of years and the Court of Appeal has had to consider their use on at least two occasions since 1990. Since the collection of data by telephone analyser does not amount to an ‘interception of private communications’ there is no obligation on the police to obtain an interception warrant. A search warrant would not be available since the device gathers information in ‘real time’ and not simply documentation or information in existence or available to be seized from particular premises.
During 1997 the law in relation to telephone analysers was reformed. Study was made of the legal regimes existing in the US and Canada and reforms recommended in Australia. As a result a new type of judicial warrant known as a ‘call data warrant’ was created. The law now prohibits attaching a telephone analyser to a telephone network except:
The prohibition on the use of telephone analysers and the call data warrant provisions were enacted as an amendment to the Telecommunications Act 1987 with the support of the Privacy Commissioner. A copy of the Commissioner’s report on the measure, and the new law, are separately circulated.
In the mid-1990s there was considerable discussion about when caller ID might be introduced into NZ. It was not until 1996 that one of the telecommuni-cations companies publicly trialed the technology outside closed networks. In February 1996 Telecom piloted its caller-ID service amongst 250 customers in Greymouth, a remote South Island town. The three-month trial ended in May.
Telecom announced its intention in July to make caller ID available nationwide in August. Technical problems caused the company to later delay the launch to December. The service was introduced with both per call blocking and line blocking. No charge is made for either per-call blocking or line blocking.
BellSouth, a network operator offering only cellular telephone services, launched its caller ID service in November 1996. This company also offers its customers line and per-call blocking.
At one stage it was thought that the telephone companies might delay the introduction of caller ID pending the development of a code of practice. However, it was always open to any of the companies to choose to introduce the service if it believed it could do so consistently with the information privacy principles. Perhaps influenced by work on the draft code of practice, the companies made their own judgments and separately introduced the service. Clearly, the free availability of blocking was directed towards ensuring that any risk of breach of the privacy principles would be minimised.
Currently the Office of the Privacy Commissioner receives about 1200 new complaints each year. The results of individual complaints are not generally made public. However, anonymised case notes are prepared for a selection of cases which raise interesting or important issues. Three of the case notes so far issued touch upon telecommunications issues.
This involved the disclosure of a ‘restricted listing’ by a telephone company. The complainant received a telephone call from a political party and enquired how the caller had obtained her telephone number which was subject to a restricted listing. She was told that the party had an agreement with a telephone company whereby they obtained a directory of numbers. The Commissioner was unable to formally investigate this disclosure as it was outside his jurisdiction, having occurred prior to 1 July 1993. However, an informal enquiry of the telephone company established that an error had occurred in loading the complainant’s number on to the company’s database. Following discussions the telephone company made a voluntary settlement involving an apology, free telephone card and one month’s free line rental.
This involved a complaint of disclosure of information through the use of calling line identification technology. At the time of the 1994 complaint CLI technology was not publicly available but was in use in the telephone company. The complainant’s spouse had made a telephone enquiry of the telephone company. The customer services representative greeted the enquirer by name and revealed contents of a screen of personal information held about the subscriber. The screen of information was available for customer services representatives as a security device to enable enquiries to confirm if a caller was the subscriber. Information was not generally to be released. The customer services representative had not followed the company’s rules and the complaint was settled by an apology with a reminder being sent to all staff concerning correct procedure.
A subscriber had sought a confidential listing. The telephone company, through a series of errors, actioned the request incorrectly and the subscriber’s details were published in the telephone book. The subscriber wished to keep her whereabouts secret from a family member as her child feared that person. The complainant blamed a detrimental change in the child’s behaviour and health on the disclosure. The investigation involved considering whether the company’s actions had been a breach of the security safeguards principle and the disclosure principle. A settlement was achieved involving, amongst other things, the visit of a company representative to the child to explain the mistake, a reassessment of company procedures and staff training, and improvements to the complainant’s home security.
The full text of these case notes can be obtained from the NZ Commissioner’s web site.