Privacy Law and Policy Reporter
Lewis Carroll is alive and well and writing the script for members of the IPND Working Committee as we try to work through how to make a voluntary code adequately protect the public from use or disclosure of the IPND’s national data base.
What is at stake? For those who have forgotten, IPND stands for the Integrated Public Number Database (see (1997) 4 PLPR 113 and 196) which contains the names, service and postal addresses and numbers (including unlisted numbers) of everyone in Australia’s telephone, fax, mobile, modem numbers (plus all other numbers included in Australia’s numbering plan, such as the 0055, 1300, 1800 numbers). Currently, the IPND is managed by Telstra, but provision is made in the legislation for the IPND to be managed by another person or organisation.
One other relevant fact. People have absolutely no choice about whether their data is provided to the IPND; the legislation requires that such data is provided to the IPND by the relevant carriage service provider (Telstra, Optus, Vodafone, AAPT, etc).
Apart from L Carroll, the Australian Communications Industry Forum’s (ACIF) IPND Working Committee includes representatives of carriers, directory publishers, consumers and privacy advocates. Consensus has been reached by all Committee members that IPND data must only be released to people who qualify under the Code and who will use the data only for approved purposes — which will specifically exclude things like publication of reverse search directories or the development of marketing lists. Anyone who wants to gain access to IPND data should first be required to sign up to the Code.
Such a requirement may not be so crucial in relation to carriers and carriage service providers, or their agents who may want to publish directories or provide operator services. They are already covered by the privacy protection provisions of the Telecommunications Act 1997 (the Act). The legislation, however, envisages that people and organisations not covered by those provisions can have access to IPND data (with the specific exception of unlisted telephone numbers).
Thus the Committee’s acceptance that the Code should have tight rules covering everyone who gains access to the data. It must spell out exactly who can gain access to the data and what they can and cannot do with the data. The Code should be enforceable in the first instance by ACIF and as a backup, by the regulator, the Australian Communications Authority (ACA).
ACIF, as the industry regulator, will be the first level of code enforcement. The IPND Code will ensure all signatories also comply with ACIF’s privacy code and with ACIF’s own Code covering the monitoring and review of all ACIF code compliance by Code signatories.
The ACA is the next level of enforcement. Under the Act, once the ACA registers a Code, it can issue written directions and formal warnings to any ‘participant’ in the industry for non-compliance with a registered Code — whether or not that ‘participant’ is a Code signatory. Failure to comply with such directions are subject to civil penalty provisions enforceable in court.
The problem for the IPND code is that the telecommunications industry is defined as including carriers, carriage service providers, content service providers, cablers or manufacturers or suppliers or customer equipment or cabling. That definition does not cover directory or operator assistance service providers.
The Act does, however, allow for the ACA to determine that persons carrying on one or more kinds of telecommunications activity constitute a ‘section of the telecommunications industry’ and thus come within ACA code enforcement powers. At this stage, ACIF has written to the ACA requesting that ‘data users’ under the IPND Code be declared as a ‘section’ of the industry and there is reason to believe that such determination will be made.
Thus two levels of IPND code compliance will be achieved: industry regulation by ACIF in the first instance, with ACA backup enforcement powers if necessary.
ACA advice available to the Committee now suggests that the IPND Code cannot insist that anyone who accesses the IPND data must be an IPND code signatory.
As IPND Manager, Telstra’s licence conditions require that it provides carriage service providers with IPND data for specific purposes (repeated in the IPND code). While provision of that information can be on terms negotiated between Telstra and carriage service providers, the ACA’s current view is that those terms cannot require a carriage service provider to become an IPND code signatory.
And the ACA’s current view on other data users — those who are not carriage service providers — is that the language of the Act suggests that the relevant section is permissive and should not be read as permitting a requirement on data users to become IPND code signatories.
If the IPND Code requires that all persons seeking access to IPND data must first become IPND Code signatories, it will fly in the face of ACA advice and run the risk of not being registered by the ACA — thus losing ACA enforcement powers as a backup.
If, instead, the Committee drops the requirement for potential data users to become IPND code signatories before gaining access to the data, ACIF regulation will not necessarily cover all IPND data users. And further, the opportunity to insist that all data users adhere to IPND code requirement, before IPND data is handed over, is lost.
The bizarre result is that the decision to require Code adherence on all IPND data users, made by industry and consumer representatives under the aegis of an industry self-regulatory forum, may be overridden by the current views of a Government regulator — in the name of industry self-regulation.
The mad hatter is serving tea.
Holly Raiche is Consumers’ Telecommunications Network (CTN) Representative on the IPND Working Committee, and a member of PLPR’s Editorial Board