
Topic(s): Telecommunications | Law enforcement and national security
 

Public Interest Determination No. 6



PART VI - PUBLIC INTEREST DETERMINATION No. 6

(PID 6)

In respect of

Application No : 6 (dated 10 December 1990)
Applicant : Australian Telecommunications Corporation (Telecom)
Nature of the Application: Disclosure of modified electronic white pages to law enforcement agencies for law enforcement purposes.
Information Privacy Principle Concerned: Information Privacy Principles 2 and 11
Issued : 27 September 1991
Effective : 27 September 1991

DETERMINATION

 

1. The application as it relates to the requirements of Information Privacy Principle 11.1 is unnecessary.

2. The application as it relates to non-compliance with the requirements of Information Privacy Principle 11.2 is dismissed.

3. The application as it relates to non-compliance with the requirements of Information Privacy Principle 2 is dismissed.

 

Dated 27 September 1991

KEVIN O'CONNOR Privacy Commissioner

 

REASONS FOR DETERMINATION

CONTENTS

1 Nature of Application
2 Number-to-Name Disclosure Practice
  Past Practice
  Recent Legislation
  Electronic White Pages
  Modified EWP: Arrangements with Users
  Current Users
3 Notice of Application
4 The Privacy Issues
5 Significance of Application
6 Draft Determinations
7 Statutory Conference
8 Applicability of Information Privacy Principle 11 to Use of Modified Electronic White Pages
  (1) Position of Personal Information which is coincidentally publicly available
  (2) Position of Personal Information provided by modified EWP
9 Compliance with IPP 11.1
10 Commissioner's Statutory Discretion
11 Compliance with IPP 11.2
12 Compliance with IPP 2
13 Summary of Conclusions

 

REASONS FOR DETERMINATION

 

1. Nature of Application

This application (dated 10 December 1990 - Attachment A) is made by the Australian Telecommunications Corporation (Telecom) and relates to practices involving the provision of the names (and other particulars) of customers to law enforcement agencies where those agencies only have the customers' numbers. This practice has traditionally been known as "number-to-name" access.

The application is made under Part VI of the Privacy Act, which requires agencies which propose to engage in a practice that infringes an Information Privacy Principle to obtain permission to do that, by way of a public interest determination issued by the Privacy Commissioner. Any determination to that effect is subject to disallowance.

Telecom is an agency within the meaning of the Act (s.6) and its activities in respect of personal information are ordinarily subject to the Act. An exclusion applies in connection with any of its competitive activities (see s.7 (1)(c), referring in turn to Part II of schedule 2 of the Freedom of Information Act 1982).

Telecom's application has three parts:

(1) to be permitted to disclose customer information on a number-to-name basis to approved law enforcement agencies without having to satisfy itself that any such disclosure is reasonably necessary for the enforcement of criminal law: see IPP 11.1.

(2) to be permitted not to record such disclosure: see IPP 11.2.

(3) to be permitted not to comply with the notice-to-customers requirements: see IPP 2.

As to (1), Telecom considers that it needs a waiver because it proposes to provide automated access to its modified electronic white pages database and not exercise any independent judgement or discretion in relation to the validity of the request.

As to (2), Telecom does not propose to log any such accesses but, by way of agreement, would require approved law enforcement agencies to maintain logs of their accesses to the modified electronic white pages database.

As to (3), Telecom does not wish to give any notice to customers of its disclosure of number-to-name information, other than by way of general advice in the telephone directory.

IPP 11.1 provides that an agency may not disclose personal information contained in a record in its possession (other than to the individual concerned) unless one of five exceptions is satisfied. The main exception relevant to the first part of Telecom's application is (e), which allows disclosure where it is "reasonably necessary for the enforcement of the criminal law."

IPP 11.2 provides that where an agency discloses information because it is reasonably necessary for the enforcement of the criminal law, it must make a note of the disclosure.

IPP 2 requires agencies to give individuals notice of usual disclosure practices.

 

2. Number-to-Name Disclosure Practice

Past Practice

For many years Telecom has provided law enforcement agencies with "number-to-name" information on a case by case basis. Under this arrangement a law enforcement agency would contact the Protective Services Unit in Telecom and ask for the customer particulars held against a number of interest. The provision of this information was subject to detailed administrative guidelines (Security and Investigation Policy Guidelines, Division G, section 2 dealing with Release of Customer Information). The normal procedure was that the agency required a written request signed by a commissioned officer of the rank of inspector or above and a certification from the requesting law enforcement agency. The certification was expected to address the nature of the legal authority under which the request was made in each case. A response was normally provided in writing, if an officer of the agency (with a relevant delegation) was satisfied as to its propriety. Emergency requests could be dealt with orally, but had to be confirmed in writing by close of business on the next day. Eight conditions have been attached to the practice, one of which specifically addressed customer privacy:

"(iv) the information is to be [provided] subject to security arrangements that are in keeping with preservation of the `need to know' principle and respect of the privacy of Telecom customers."

The practice was accompanied by a detailed log of disclosure. The logging requirement was as follows:

"Appropriate records are to be kept in each Telecom Protective Services Regional or Sub-Regional Office of all requests made, the information given out and the identity of the Telecom Protective Services officer who handled the request. Such record to be kept for six years and then destroyed by secure means in the same way as disposable sensitive business records."

The agency has advised that there are approximately 100,000 requests actioned per year. No information is available as to distribution of these requests. In a twelve month period the agency estimated that the provision of this service costs $200,000 (gross).

 

Recent Legislation

Prior to 1989 this practice did not have any clear legislative basis. Since September 1989 such case by case disclosures have been authorised by section 97 of the Australian Telecommunications Act 1989 and Regulations made under that Act.

"s.97

(1) Subject to subsection (2), it is the duty of a person who is an employee of Telecom not to disclose any fact or document that:

(a) relates to:

(i) the contents or substance of a communication that has been carried by Telecom or a communication in the course of telecommunications carriage;

(ii) telecommunications services supplied, or intended to be supplied, to another person by Telecom; or

(iii) the affairs or personal particulars (including any unlisted telephone number or any address) of another person; and

(b) comes to the person's knowledge, or into the person's possession, because the person is an employee of Telecom.

(2) Subsection (1) does not apply in relation to a disclosure by a person:

(a) in the performance of the person's duties as an employee of Telecom;

(b) as a witness summonsed to give evidence, or to produce documents, in a court of law;

(c) under the requirements of a law of the Commonwealth; or

(d) in prescribed circumstances."

The "prescribed circumstances" referred to in Section 97(2)(d) are defined as follows in Regulation 3 of the Australian Telecommunications Corporation Regulations:

"Disclosure of facts or documents

3. For the purposes of subsection 97(2) of the Act, the following circumstances are prescribed:

(a) where the disclosure of the fact or document is:

(i) to a person authorised under subsection 12(1) of the Telecommunications (Interception) Act 1979; and

(ii) for the purposes of the issuing of, or in connection with information obtained under, a warrant under Part III of that Act; or

(b) where:

(i) the fact or document disclosed comes to the employee's knowledge, or into the employee's possession, because of a call to the emergency number 000; and

(ii) disclosure is to a member of the police force or ambulance or fire service to which the call was connected; or

(c) where the fact or document relates to the affairs or personal particulars (including any unlisted telephone number or any address) of a person and:

(i) the person is reasonably likely to be aware that information of that kind is usually disclosed in the circumstances; or

(ii) the person has consented to the disclosure in the circumstances; or

(iii) the employee believes on reasonable grounds that disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of a person; or

(d) where the disclosure is authorised by or under a law of the Commonwealth, or required or authorised by or under a law of a State or Territory; or

(e) where the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue."

These provisions were intended, it seems, to provide a clear legal basis for existing practices. The traditional practice in relation to "number-to-name" information, as explained, involved case-by-case disclosure with a specific decision to disclose being taken, according to the guidelines, in response to each request. Regulation 3 paragraphs (a), (b), (c) reflect this view; while paragraphs (d) and (e) re-state the last two exceptions in Information Privacy Principle 11 of the Privacy Act. (I should note that para (d) may be unconstitutional in so far as it purports to permit a federal agency to disclose information under the authority of a State law.)

 

Electronic White Pages

The agency, over recent years, has developed a directory product called "electronic white pages" (EWP). This product is continuously updated and allows users to separately search all Telecom white pages directories throughout Australia. EWP does not allow access to silent number information. EWP can be purchased for a fee and access can be obtained on a computerised dial-up, on line basis to Telecom's public directory information. Inquiries are made within a particular directory area by customer name and in response that user is provided with the usual public directory particulars of address and telephone number.

 

Modified EWP Facility

The same basic technology that makes EWP possible can also allow a user to search by means other than the name of the customer, for example, by telephone number. The latest edition of Telecom's Policy guidelines addresses access to the modified electronic white pages (this facility is explained more fully below) as follows:

"2. Electronic White Pages - Provision of access to Electronic White Pages (Number-to-Name) is subject to:

a. Demonstration by the agency that it has legislative responsibilities and/or provisions that meet the requirements of the above legislation;

b. A written undertaking that:

i. the information will be used only in circumstances defined in Regulation 3 that are consistent with the agency's legislative responsibilities or provisions;

ii. access to the Number-to-Name facility will be controlled on a strict "need to know" basis;

iii. terminal/s and information will be subject to security arrangements that are in keeping with the preservation of the "need to know" principle and respect for the privacy of Telecom customers; and

iv. the agency accepts that Telecom may suspend its access to the Number-to-Name facility should the agency fail to comply with any one of the above conditions;"

The "need-to-know" standard, one commonly used in official circles, is vague; and is clearly lower than the threshold set by Information Privacy Principle 11.

 

Modified EWP: Arrangements with Users

During 1989 Telecom, for cost effectiveness and efficiency reasons, made the EWP facility available on a "number-to-name" basis to law enforcement agencies. This facility is commonly referred to as "modified EWP". Organisations using this facility can interrogate the Telecom database using their own terminal for access. Either number or name may be entered, with the name, address and number being displayed if it is found in the particular directory being searched. Access to the modified EWP database is controlled by two levels of security: a "user password" and an encrypted "security password". There is no formal request made which is reviewed by Telecom. As a consequence the form of disclosure is not subject to the main condition which previously applied.

In effect Telecom is now wishing to allow automated provision of customer information to approved law enforcement agencies. It no longer wishes to act as a gate-keeper.

The present application was brought forward following concern that the provision of automated access may infringe the Privacy Act, in particular Information Privacy Principles 2 and 11.

The object of the application is to clarify the status of this practice and to seek approval for the practice.

 

Current Users

Organisations already provided with this new facility are:

  • Australian Bureau of Criminal Intelligence, Canberra
  • NSW Crime Commission, Sydney
  • National Crime Authority, Sydney
  • Australian Federal Police, Canberra
  • Victorian Police Special Projects, Melbourne
  • Northern Territory Police Force, Winnellie, NT
  • Independent Commission Against Corruption, Sydney
  • Queensland Criminal Justice Commission, Brisbane
  • Australian Taxation Office (South Sydney Audit)
  • the Australian Security Intelligence Organisation

New requests for the modified EWP were to be no longer actioned pending the outcome of this determination.

Each of the above organisations only has one EWP terminal located at the nominated site with access to modified EWP.

 

3. Notice of Application

In accordance with section 74 of the Act, I published, on 9 January 1991, a notice in two leading newspapers advising of the application and seeking expressions of interest or submissions from interested parties - see Attachment B. In addition, invitations for submissions were mailed to a cross section of potentially interested organisations.

I received, in response to the mailout and notice, fifteen submissions, seven expressions of interest and nine acknowledgments: see Attachment C.

The Australian Taxation Office has also written to me requesting that their access to modified EWP be maintained. However, the Taxation Office is not included within the scope of Telecom's application which is confined to law enforcement agencies as defined in Part VIIC of the Crimes Act 1914.

The Victorian Police submitted that the question of providing additional records to law enforcement agencies should also be addressed by the determination. These records are silent numbers, mobile telephone numbers and Calling Line Information. The matters raised fall outside the scope of Telecom's application. They cannot be addressed by this public interest determination.

 

4. The Privacy Issues

The modified EWP facility which permits "number-to-name" access is substantially different to the "White Pages". It has an additional function which allows it to be interrogated by number. Telecom's policy is to retain control of this database and not to make it available to the public.

Telecom's concern in this regard is understandable. Customer privacy would be reduced if it made available generally automated "number-to-name" facilities. People with no legitimate social need for that information could find out personal particulars beyond that which a person may wish to reveal. In advertising it is common for people to give a telephone number to solicit interest, and to give out their personal particulars only when they have screened an inquiry. In the worst-case situation, thieves could identify the location of expensive goods, cars, furniture and the like advertised for private sale. People living on their own who advertise, for example, for a flat-mate may also feel vulnerable if "number-to-name" search facilities become widely available. If the modified EWP were to be made generally available there may be increased community pressure for silent-number listings, leading to a new cost for the agency to absorb.

Automated access to the modified EWP database raises the possibility of bulk disclosure of potentially sensitive information regarding the majority of households in Australia to law enforcement agencies. Telecom itself has recognised the sensitive nature of the modified EWP facility by the fact that the present application is restricted to law enforcement agencies only. This reflects the concern that privacy intrusive uses can be made of the facility. There are a number of situations where individuals may consent to their telephone number being disclosed but not their address.

An additional privacy concern is the probability that there will be an increase in the overall volume of searches made on the modified EWP once access to it is made available directly to law enforcement agencies.

Further, there is the issue of whether the increase in access to the modified EWP facility leads to the possibility for increase in unauthorised access, use, modification and disclosure. A number of disturbing allegations are presently before criminal courts and official inquiries regarding the improper disclosure of personal information initially obtained for official purposes.

I consider that Telecom's current policy of seeking to limit the availability of the modified EWP serves the reasonable privacy interests of individuals.

(In making these comments I am aware that there is a commercial product generally available ("Australia on Disc") which has the "number-to-name" search feature. Its price and the relative lack of up-to-dateness of its data appear to be limiting its use.)

 

5. Significance of Application

This application is significant both operationally and legally.

There is a widespread desire among Australian law enforcement agencies to be allowed to have automated number-to-name access to customer data held by Telecom. Telecom itself would prefer to move to this system; and not continue, as it has done in the past, the practice of dealing with applications for number-to-name access on a manual, case-by-case basis. As indicated earlier number-to-name requests are lodged in great volume with Telecom. It estimates that it handles 100,000 enquiries per year.

Legally, the application is significant because it raises a number of questions of interpretation relating to IPP 11.1, and in particular exception (e).

These questions include:

  • Is customer information held in the modified electronic white pages database subject in any way to the protections of the use and disclosure provisions of the Act?
  • If it is in general terms subject to the protection of the Act, is it necessary for Telecom to obtain waiver from compliance with IPP 11 or is its proposed practice one that it is able to undertake without infringing exception (e)?
  • In that regard, can automated disclosure by an agency of personal information in its possession be undertaken lawfully under exception (e) if procedures exist to ensure that a particular disclosure can be shown to have been "reasonably necessary for the enforcement of the criminal law", in the event of complaint or audit?

 

6. Draft Determination

A draft determination (Attachment D) was issued by me on 2 May 1991. It allowed the application, but required that disclosure for law enforcement purposes be made subject to a number of conditions. The most significant aspect of the determination from the point of view of law enforcement agencies was that it considered that Telecom must obtain a waiver because IPP 11.1 (e) could not be satisfied by it in a situation where it gave automated access. Others who commented on the draft determination questioned whether the application, in so far as it related to IPP 11, was necessary at all, arguing that the modified EWP database was not a "record" subject to IPP 11.

 

7. Statutory Conference

Numerous expressions of interest in the draft determination were received and, as contemplated by the Act, I convened a statutory conference to consider it. The statutory conference was held on 29 May 1991, and attended by representatives of several Commonwealth departments, numerous Federal, State and Territory law enforcement agencies as well as representatives of privacy and civil liberties groups.

A transcript (78 pages) of the statutory conference is available.

At the conference Mr N Reaburn, Deputy Secretary, Commonwealth Attorney-General's Department, raised a number of legal objections to the application by Telecom, arguing that it was unnecessary as the practice in issue was either not governed at all by the Act or if governed by the Act permitted by it without the need for a determination. I will now deal with these submissions.

 

8. Applicability of Information Privacy Principle 11 to Use of Modified Electronic White Pages

The Commonwealth Attorney-General's Department submitted:

(i) that personal information held by federal agencies which replicated information which is publicly available in some form is not protected by the Act.

(ii) If (i) is not accepted, that the modified electronic white pages database from which number-to-name information is given by Telecom is not a "record" within the meaning of the Privacy Act because it falls within one of the exclusions from the meaning of record, that of a "generally available publication".

 

(1) Position of Personal Information which is coincidentally publicly available

As I indicated at the conference, I regard the first proposition as extraordinary. What is being suggested is that personal particulars lodged by an individual with a Commonwealth agency are deprived of the protection of the Act if it can be shown that those particulars are available somewhere else in the community in a publicly available source. So, for example, if a social security client lodges address details with that department and those address details are the same as those contained say in a phone directory or the electoral roll, the address loses the protection of the Act. Consequently, a social security officer could give out the address to anyone he or she cared to without infringing the Privacy Act.

Personal information held in "generally available publications" does not have the protection of the use and disclosure provisions of the Privacy Act because the protections attach to "records" and "records" are defined so as to exclude "generally available publications". (See generally opening words of IPP 11, and definitions of "record" in s.6.)

The argument of the Attorney-General's Department appeared to be that the concept of a "generally available publication" embraces any personal information held in an agency that coincidentally happens to be publicly available even if the agency did not derive it from the public source. I can find no foundation for this argument in the terms of the Privacy Act; nor in any of the explanatory notes underlying the Act, which notes were substantially drafted by the Attorney-General's Department.

If the proposition advanced were to be upheld the Privacy Act would become unworkable, as no clear guidance could be given to agencies as to when the identification particulars they hold are covered by the Act or not covered by the Act, since it would never be known with certainty whether the identification items appeared somewhere in a public record (e.g. land titles records, electoral rolls etc). Virtually every adult's name appears in a public record somewhere. If this submission were correct, the names of virtually all adult Australians would not have the protection of the Privacy Act, nor in most instances would individuals' addresses. Lists of clients of federal government agencies could be given out, without redress under the Privacy Act.

 

(2) Position of Personal Information provided by modified EWP

This aspect of the application raised a number of important issues relating to the application of the Privacy Act to complex computerised systems.

The fields of data - name, address, telephone number - are central to the operations of Telecom. Different ways of interrogating and reporting these data items are built into Telecom's computer system. In the case of the Electronic White Pages, that database is capable of outputting its data items in two ways:

  • Name-Address-Number, with name as the access key, or
  • Number-Name-Address, with number or name as the access key.

As noted earlier, Telecom has historically recognised that the same data items can give rise to reports of quite differing levels of sensitivity. As a result its policy is one of general availability in relation to one kind of report produced by the EWP database (the report that mirrors that found in the paper phone directories); and one of restricted availability to the kind of report produced by the modified EWP facility.

The Attorney-General's Department advanced a series of arguments to the effect that Information Privacy Principle 11 did not apply to number-to-name reports. The arguments go to the interaction in the Act between the definitions of "personal information", "record" and "generally available publication". The interaction of these definitions is important because Information Privacy Principles 4 to 11 contained in the Privacy Act only apply to agency activities as they affect a "record" containing personal information.

The Act includes within its definition of a "record" (s.6) the following - a "document", a "database (however kept)" and a "photograph". So on the face of it the EWP database is a record within the meaning of the Act.

But the definition of record then goes on to exclude from its scope a "generally available publication". It was contended that the EWP database was a generally available publication and accordingly that its use in a modified way so that data within it could be obtained in a manner not generally permitted is unaffected by the Act. If this argument is correct then IPP 11 does not need to be complied with.

This argument fails to take account of the complexities of modern database administration. It also fails to take account of the range of meanings that tends to be attached to the term "database". For example, in a letter of information to me dated 23 June 1991, Telecom described its computerised data-management system as having five databases. These were its main customer record database (includes full details on all numbers connected to the public switched telephone equipment details); the main directory database; the directory assistance database (used by directory assistance staff); the EWP; and the modified EWP. However in describing the modified EWP Telecom refers to it as using the same database as the EWP with the variant that in the case of silent line information the message is displayed "This number is not for publication". Some, I suggest, would contend that all of these arrangements involve particular operational applications within the context of one database.

 

Meaning of "Database"

"Database" is not defined in the Act. The Macquarie Dictionary definition is:

"1. A large volume of information stored in a computer and organised in categories to facilitate retrieval. 2. Any large collection of information or reference material."

Another definition in a standard computing text is as follows:

"A database is a collection of stored operational data used by the applications systems of some particular enterprise." (C J Date, An Introduction to Database Systems 1981, 3rd ed.)

The same text also acknowledges that the associations or relationships between data entities (items) are just as much part of the operational data (and therefore of the database) as are the entities themselves.

A database is usually organised as a collection of fields of information. It can have both generally available and selectively available characteristics. A material factor is the way in which it is made available. This can comprise both technical capabilities (e.g.: access and search limitations) and procedural/contractual limitations.

If the view were to be taken that the entire Telecom customer record system comprised one database then it becomes clear that the database may be so organised as to have elements which are publicly available and elements which have varying levels of restricted availability. So in the case of the Telecom arrangements referred to, only directory assistance staff normally have access to the "database" of that name whereas most staff in the billing and technical areas would have access to the main customer record system. In the case of the EWP system there are two levels of access operating - one general and unrestricted where the use is on a name-basis and the other highly restricted where the use is on a number basis. These complexities in operation are typical of modern database systems.

In my view whether the entire Telecom system is more properly seen as one database of customer information having many operational segments or as a series of databases one of which is the EWP, it is possible for the system to be so organised that its data when reported in one format is available on an unrestricted basis and when reported or organised in another format has restricted availability.

 

Relationship between Databases and Records

Equally I consider that while an entire database can be a record within the meaning of the Act it is also possible for a database to be open to different "views", or to make or produce reports, all of which are "records" individually subject to the Act. It is also possible for a database which is generally viewed as a publicly available one to have operational features which restrict the availability of its data when that data is sought to be organised or reported in certain ways.

A good current illustration of this situation is found in Australian Electoral Law. Sections 91, 91A and 91B of the Commonwealth Electoral Act 1918 specifically limit the availability and use of the Habitation Indexes (street order rolls) even though they contain the same data drawn from the same overall database as the alphabetic rolls which are available on demand and for public reference.

These technical features of databases would I believe have been well understood when the Privacy Act was passed in 1988. I believe that the explicit reference to database in the definition of record was designed to ensure that these complex systems were brought under the regime of the legislation. The exclusion that then appears, relating to generally available publications, comes into play in respect of a database in circumstances where there are agency policies which allow for public use or access. It is quite possible, as I have explained, for an agency to allow its data to be configured by its database in a way which allows that configuration to be generally available while preventing the same data to be configured in some other way. Each of the configurations involves the making and producing of a record - one of which is excluded from the application of Information Privacy Principles 4-11 as a generally available publication, while the other remains subject to all the Principles.

 

Conclusion

Accordingly, I consider that when the EWP system is used to produce a record on a number-to-name basis that activity is subject to the Act. What is occurring is that a record with restricted availability is being generated; a feature of the database is being employed which seeks to restrict the availability of the personal information stored by the database. When a database is being operated so as to generate information about individuals on a restricted basis (i.e. non-public) its operations are subject to the Act.

 

9. Compliance with IPP 11.1

The principle which governs this matter is Information Privacy Principle 11, which states:

"1. A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless:

(a) the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency;

(b) the individual concerned has consented to the disclosure;

(c) the record-keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person;

(d) the disclosure is required or authorised by or under law; or

(e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue."

Of the above exceptions (a) cannot apply as Telecom has not at any material time given customers notice of the existence of this disclosure practice. Exceptions (b) and (c) are not relevant to this application.

The two exceptions which were suggested as permitting the practice of number-to-name disclosure were exceptions (d) and (e).

 

Exception (d)

Here the argument is that the disclosure is authorised by a regulation recently made under the Australian Telecommunications Act 1989, referred to in part 2 of these reasons.

It seems to me that this regulation is unhelpful in deciding whether number-to-name searching of the modified EWP database is a lawful disclosure for the purposes of exception (d). The text simply mirrors the language of the Information Privacy Principles. In the case of exception (d) reg. 3 does not take the matter any further. It simply says that the disclosure must be "authorised under a law of the Commonwealth": see para. (c) of reg. 3, mirroring exceptions (a) (b) and (c) of IPP 11.1 and para. (d) mirroring substantially exception (d) and para. (e) mirroring exactly (e). No law specifying this disclosure practice permitted has been drawn to my attention. Further I note that the number-to-name disclosure practice has existed in Telecom for many years and could readily have been identified in the regulation as a permissible practice had it been intended that the regulation should have that effect.

 

Exception (e)

Much of the discussion at the statutory conference centred on this exception to Information Privacy Principle 11.1.

Telecom's past practice, as I have noted earlier, in handling number-to-name inquiries involved requiring an application to be submitted and for it to be assessed by an officer as to its justification. If Telecom considered the application justified on law enforcement grounds, the information was provided. Provided the criteria applied were at least as strong as those provided for in exception (e), (i.e. they met the requirement of "reasonable necessity") this practice, if continued, would in my view comply with exception (e), and no public interest determination is required. While it appears that in the past the criteria were not as strong, my understanding from discussions with Telecom over this matter and from its submission at the conference, is that it would propose to offer the facility in future on terms that require satisfaction of the "reasonable necessity" test in exception (e).

The complication in the present case is that Telecom no longer wishes to be actively involved in the number-to-name searching process. It in effect wishes to license certain users to access its database, with the users being responsible for ensuring that the justification is in accord with exception (e).

The question which arises is whether exception (e) permits a record-keeper to disclose information without it exercising any judgment as to the lawfulness of that event for the purposes of the Privacy Act.

The Attorney-General's Department, and others, have argued that the types of disclosure permitted by Information Privacy Principle 11 only in one case clearly require a record-keeper to make a specific judgment on the merits of a request. That arises in the case of exception (c) which limits the relevant disclosure to circumstances where "the record-keeper believes on reasonable grounds" that it is "necessary" (emphasis added). In contrast, it is said, exception (e) permits disclosure where it is "reasonably necessary" to assist the social interests mentioned in the exception, without imposing an obligation on the record-keeper to form a belief as to whether reasonable grounds exist. Accordingly, it is argued, it is possible for a situation to exist where the record-keeper has no active involvement in the access/disclosure transaction. It is sufficient, it is argued, that the access/disclosure transaction can be shown to be "reasonably necessary".

This discussion has considerable significance in relation to the general operation of exception (e) in Commonwealth administration. If the arguments that I have outlined are valid, it would mean that it would be possible for agencies to allow on-line links to their databases with those using the facility in effect bearing responsibility for ensuring that any accesses that take place are "reasonably necessary" to the protection of the social interests listed in exception (e).

On the other hand, it was argued by me in my draft determination and by a number of public interest groups at the conference that exception (e) should be interpreted so as to impose a requirement on the record-keeper that it satisfy itself that the disclosure is "reasonably necessary" to the protection of the social interests listed there. It is argued that "reasonably" is a word which connotes an obligation on the part of the record-keeper to form a view as to the need or otherwise for the disclosure. This view, it is argued, is also supported by IPP 11.2 which imposes on record-keepers who make disclosures on the basis of the criteria contained in exception (e) an obligation to include in the relevant record a note of the disclosure. It is argued that this requirement is consistent with the view that the record-keeper should make a specific decision in relation to each request for disclosure.

While I do not regard the matter as free from doubt, after considering the arguments made at the conference I have resiled from my earlier views and concluded that a disclosure can occur lawfully under exception (e) without there being an active exercise of discretion by the record-keeper. But the record-keeper remains obliged to demonstrate (if, for example, an individual complains to me over a specific disclosure) that each access it permits was "reasonably necessary" to the protection of the social interests enumerated in exception (e).

In reaching this view I have largely been influenced by the variation in language between exception (c) and exception (e). Clearly exception (c) imposes an active decision-making obligation on the record-keeper. It is not one that it can give up to a third party.

But exceptions (d) and (e) both attach the conditions which they specify for lawfulness to "the disclosure". It seems to me, therefore, that a disclosure could satisfy the standard imposed by exception (e) even though the record-keeper had not satisfied itself directly that that standard has been observed.

There are also, I think some policy arguments which support this view. Circumstances can be envisaged where it would not be conducive to the protection of the social interests enumerated in exception (e) (e.g. enforcement of the criminal law) for the record-keeper to be apprised in any detail of the reasons for the inquiry, or for the record-keeper not to wish to be so apprised. There may on occasions be circumstances of urgency which preclude any possibility of practical judgment by the record-keeper. (Though this argument is weakened by the fact that exception (c) which deals with a paradigm situation of urgency ("a serious and imminent threat to the life or health of the individual concerned") does clearly impose an active decision-making obligation on the record-keeper.)

If a record-keeper does choose to establish an access system which permits disclosures under exception (e) without active intervention on its part, then it remains liable for any abuse or misuse of the access facility. If an individual complains that a particular disclosure was not "reasonably necessary" the record-keeper, as the respondent, must be able to satisfy the Privacy Commissioner that it was "reasonably necessary" in order to avoid liability. A similar position would apply in the event that an audit of an automated-access system is undertaken.

 

Conclusion

Accordingly an application for waiver from Information Privacy Principle 11.1 is unnecessary. However, as I have previously noted, any access arrangements provided under IPP 11.1(e) would have to be constructed so it can be demonstrated that each access meets the requirements of exception (e) as to reasonable necessity.

 

10. Commissioner's Statutory Discretion

So it is only in relation to Telecom's remaining applications that I am called upon to exercise my statutory discretion under s.72 of the Act. Section 72 provides:

"Where the Commissioner is satisfied that:

(a) an act or practice of an agency breaches, or may breach an Information Privacy Principle; and

(b) the public interest in the agency doing the act, or engaging in the practice, outweighs to a substantial degree, the public interest in adhering to the Information Privacy Principle;

the Commissioner may make a written determination to that effect..."

The effect of such a determination is that the agency avoids breaching the Act.

 

11. Compliance with IPP 11.2

Telecom indicated that if automated-access to the modified EWP database was permissible, it sought a public interest determination to relieve it from the obligation imposed by IPP 11.2.

IPP 11.2 imposes a disclosure-logging requirement in the following terms:

"2. Where personal information is disclosed for the purposes of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the purpose of protection of the public revenue, the record-keeper shall include in the record containing the information a note of the disclosure."

Telecom said that it could log the volume of inquiries made on the database by each user, but that its technology did not enable it to place a "note of disclosure" as required by IPP 11.2 against each individual whose name was searched. These concerns essentially relate to cost and administrative convenience.

Apart from these administrative concerns, Telecom also said that it saw some dangers in making a note of disclosure against a particular individual, because if an individual became aware of the fact this might tip the individual off in relation to police interest. This argument is not in my view meritorious. The objection is one that could be made in relation to the logging of any disclosure to police sources. It was clearly rejected by Parliament when it included IPP 11.2. While there may be some extreme circumstances where IPP 11.2 could be waived or varied for the protection of investigations it was clearly, in my view, Parliament's intention to impose a logging requirement on the key administrative agencies of the Commonwealth in regard to those disclosures of personal information which are made to police. If an FOI application was made for access to such a record there is a wide law enforcement exemption available to be invoked by Telecom.

The administrative convenience argument is not in my view a strong one. Historically Telecom vetted applications and, consequently, had an exact and detailed administrative record of what occurred and why. My earlier conclusion rids Telecom of its responsibilities to vet; now it is seeking to rid itself of the other responsibility it exercised in the past and has been required to exercise by law since 1989 (to log). Given that in future there is intended to be no case-by-case vetting as in the past, it becomes even more critical to the protection of individual privacy that the safeguard contained in IPP 11.2 be maintained.

Allowing Federal agencies to release personal information protected by the Privacy Act on an automated basis (provided otherwise the release accords with IPP 11.1 (e)) carries great dangers to the privacy rights of all Australians. Where an agency is not called on to consider actively why particular information should be released, the following significant constraints against possible abuse of privacy are lost:

(i) any actual knowledge that an agency may have regarding the client or individual's circumstances cannot be brought into consideration before the data is released.

(ii) ordinarily the requesting/accessing organisation will have little or no knowledge of any personal circumstances that indicate against taking that data.

(iii) the requesting/accessing organisation will not be affected by the salutary constraint of having to justify its request and expose its actions to another body with less of a stake in the matter.

Moreover if Telecom does not remain responsible for logging, the Privacy Commissioner would have no specific evidence as to whether a particular disclosure had occurred, in the event that an individual complained to him about a breach of IPP 11.1(e). The recipient organisation may well deny that it got the personal information from Telecom by means of an IPP 11.1 (e) access. There would be no way of testing the truth of that denial.

It was suggested on this point at the statutory conference that accessing agencies would invariably for operational reasons keep logs; and that they could be inspected in their hands, by the Privacy Commissioner if he had a right to inspect them under contractual arrangements (or memorandums of understanding) between Telecom and accessing agencies.

I do not regard this as a satisfactory suggestion. Logs would be scattered all over the country. The logs would, most likely in light of a number of comments at the conference, be organised in a way that reflected the operational practices of the particular police force or law enforcement agency. Some of those agencies may resist intervention by the Privacy Commissioner. Most of those using the system are not subject to his authority; leaving the Privacy Commissioner in a position where Telecom has to be prevailed upon to sort out the problem. This would demean the Privacy Commissioner's office in the eyes of complainants and the community.

 

Conclusion

Accordingly, I dismiss the application as it relates to giving Telecom a waiver from the obligation imposed by IPP 11.2.

Telecom is required to ensure that it makes a note of each disclosure from its modified EWP database made under the authority of IPP 11.1(e). The note should include a record of the date of the disclosure and the identity of the accessing organisation, including the password or other key used. Any cost of logging could be recovered by Telecom from users: it charged a fee for access under its old manual system. That practice could be maintained; and would act as some discouragement to overly permissive use.

 

12. Compliance with IPP 2

Finally, Telecom applied to be relieved of its obligations under IPP 2, in particular IPP 2 (e). This IPP applies to agencies regardless of whether the personal information being collected is for inclusion in a "record" or for inclusion in a "generally available publication".

IPP 2 requires agencies which collect personal information to ensure that they take:

"such steps (if any) as are, in the circumstances, reasonable to ensure that, before the information is collected or, if that is not practicable after the information is collected, the individual concerned is generally aware of:

(e) any person to whom, or any body or agency to which, it is the collector's usual practice to disclose information of the kind collected, and (if known by the collector) any person to whom, or any body or agency to which, it is the usual practice of that first-mentioned person, body or agency to pass on that information."

It should be noted that the obligation imposed on agencies by IPP 2 applies "only in relation to information collected after the commencement of the Act" (i.e. 1 January 1989): s.15 (1) of the Act. Consequently Telecom is not bound to give customers whose information was collected prior to 1 January 1989 (and who have not been the subject of any new collection since that date) any notice under IPP 2. The material placed before me in making this determination indicates that Telecom has over many years had a number of "usual practices" involving disclosure of customer information to police and emergency organisations. In the past the existence of these practices has not been made known to customers.

Number-to-name disclosures on a specific-application basis have continued to be made since January 1989; while automated disclosure to selected law enforcement agencies was introduced in 1989. It is arguable that automated modified-EWP number-to-name disclosure is not yet a "usual practice", so that Telecom's failure to advise customers of this activity may not be a breach of IPP 2. Nevertheless the old practice of manual provision of number-to-name information on the basis of a specific application was clearly a "usual practice"; but its existence has never been routinely disclosed to customers.

A key theme of information privacy laws, and of the international O.E.C.D. Guidelines on which Australia's Privacy Act is based, is that of "openness" as to the existence of practices. IPP 2 reflects that theme, and seeks to give it specific expression.

Telecom seeks a waiver from the requirement of IPP 2 to notify customers - "before the information is collected, or if that is not practicable, as soon as practicable after the information is collected". Telecom is prepared to put a general notice in the telephone directory referring to the existence of the practice.

To grant Telecom's application would I believe seriously weaken the force of IPP 2 in Commonwealth administration. As a basic matter of fairness, people who supply information to organisations are entitled to know of any uses that are likely to be made of the information which do not conform to their reasonable expectations. While a telephone customer might reasonably expect that their particulars would be stored in a range of ways within Telecom to enable it to carry out its service function, the customer would not expect information to be given to bodies as diverse as State crime commissions, government departments and State police forces. While such a disclosure practice may be in the public interest, there is also a public interest (endorsed by Parliament in IPP 2) in knowing that it occurs.

Telecom's main reason for not wishing to tell customers at the time of application for the service that it has disclosure practices of the kind under consideration appears to be that it is concerned that there may be a proliferation of silent-line listings. An increase in silent-line listings would increase its costs; and, I note, diminish the commercial value of the public directory e.g. for telemarketing companies. There may also be some negative public reactions once these activities become known. These are not in my view meritorious reasons for withholding notification.

A simple and informative notice could be incorporated into information given to new customers. This would not involve a significant administrative burden. Telecom routinely provides customer information pamphlets with its bills. A pamphlet referring to a customer's privacy rights - and the exceptions to those rights - would be a useful practice. I understand that an overall customer information strategy related to privacy issues is under development by Telecom. A well-presented explanation would be likely to satisfy many customers.

The Act requires me only to grant a public interest determination where the public interest in allowing a practice (here to waive strict compliance with the notice requirements of IPP 2) "outweighs to a substantial degree" the public interest in adhering to the IPP. Telecom has failed to satisfy me in that regard.

Consequently, Telecom should immediately commence to inform new customers of the existence of the modified EWP disclosure practice, if it proposes to continue with that practice. Customers should be informed of the bodies and organisations to which their data may be given. An appropriate mechanism might be an information leaflet distributed to new customers.

As to existing customers, it is possibly arguable whether to date automated use of modified EWP disclosure has been a "usual practice". As a result of this determination, it appears likely that it will become a usual practice. Without deciding the point as to the position in the past, I would recommend that steps be taken to notify all customers of future practice, in conformity with the spirit of the Act. In that regard a notice given with billing information would be acceptable.

A prominent and clear notice of this practice should also be included in telephone directories.

 

Conclusion

The application for a limited waiver from the obligation imposed by IPP 2 is dismissed.

 

13. Summary of Conclusions

(1) Telecom is an agency governed by the Privacy Act in respect of the practices the subject of this application.

(2) The modified EWP database (and each of its listings) constitute records within the meaning of the Privacy Act.

(3) Information Privacy Principle 11 applies to disclosure of personal information contained in records produced by the modified EWP system.

(4) Disclosure pursuant to exception (e) of IPP 11.1 may occur on an automated basis, provided always that the disclosure is "reasonably necessary" for the protection of the social interests enumerated in that exception.

(5) Consequently, the proposed practices requiring consideration under s.72 are the proposals that Telecom dispense with logging (IPP 11.2) and dispense substantially with the notice of this practice (IPP 2).

(6) The application seeking waiver from the requirements of IPP 11.2 and IPP 2 is dismissed.

 

LIST OF ATTACHMENTS

 

A: Application
B: Notice of Application
C: Responses to Notice
D: Draft Determination

Note: These attachments are not being distributed routinely, but are held with the original determination and are available on request from:

Privacy Branch
Human Rights and Equal Opportunity Commission
GPO Box 5218
SYDNEY NSW 2001
Phone: (02) 229 7600