pdf (87.5 KB)

Submission by the

Office of the Privacy Commissioner

December 2005

Office of the Privacy Commissioner

The Office of the Privacy Commissioner (the Office) is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Privacy Act 1988 (the Privacy Act) covers federal and ACT Government agencies, businesses with an annual turnover of more than $3 million, the private health sector, small businesses that trade in personal information, credit providers and credit reporting agencies. The Privacy Commissioner has responsibilities under the Privacy Act and other federal legislation to regulate the way agencies and organisations collect, use, store and disclose individuals’ personal information.

Background and Discussion Paper

The Office welcomes the opportunity to make a submission on the Introduction of a Do Not Call Register: Possible Australian Model Discussion Paper (the Discussion Paper) which it is understood was prepared by Department of Communications, Information Technology and the Arts (DCITA) in response to concerns expressed by the general public about telemarketing. In this submission, the Office has considered the issues identified by DCITA as relevant in the development of a national strategy to address intrusive telemarketing practices.

In this Office’s report Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (the OPC Review), which was released by the government on 18 May 2005, the Privacy Commissioner recommended that the Australian Government consider exploring options for establishing a national ‘Do Not Contact' register[1]. The Discussion Paper proposes an Australian model for a ‘Do Not Call’ register, whereby consumers would be able to register to ‘opt out’ of receiving unsolicited phone calls with the exception of calls from a number of exempt organisations.

In general, the prohibition of particular unsolicited telephone calls is an important step towards regaining individual control in what is viewed by many as an intrusive practice. It is a move that this Office strongly supports.

The most important objective of such a register, from a privacy perspective, is to facilitate the choice and control individuals have over the handling of their personal information. Ultimately, allowing consumers the choice about whether to be contacted may result in increased community acceptance of appropriate marketing contact.

Application of the Privacy Act to telemarketing

In the exploration of a possible model for a ‘Do Not Call’ register, the Discussion Paper notes that some regulation currently affects the operation of telemarketers. In particular,

“Sections of Commonwealth legislation under the Telecommunications Act 1997 and the Privacy Act 1988 are relevant, however there have been claims that these Acts need revision to accommodate new operating situations and technological innovations.[2]”

The private sector provisions of the Privacy Act, which include the 10 National Privacy Principles (NPPs), cover many private sector organisations. However, most businesses with a turnover of less than $3m, and registered political parties are exempt.

The NPPs do apply to direct marketing and include specific direct marketing provisions. However, the application of the specific direct marketing provisions is limited. The use or disclosure of personal information for direct marketing is covered by NPP 2.1. This principle distinguishes between the primary purposes of collecting personal information and any secondary purposes, and limits the use and disclosure of information for a purpose other than the primary purpose of collection.

Under the NPPs, an organisation that collects information for the primary purpose of direct marketing can generally use and disclose it for that purpose. Similarly, NPP 2.1(a) permits personal information to be used or disclosed for direct marketing if such an activity is related to the purpose for which the information was collected (directly related in the case of sensitive information) and the person from whom it was collected would reasonably expect the organisation that collected the personal information to use or disclose it for direct marketing.

In some circumstances an organisation can use an individual’s personal information for direct marketing even if direct marketing was not the primary purpose of collection and direct marketing is unrelated to the purpose of collection and not within the reasonable expectations of the individual. The organisation may use the information if:

• the person from whom the information was collected has consented to the use or disclosure of the information for direct marketing (NPP 2.1(b) or
• (if the information is not sensitive information) it is impracticable to get consent before using the information and
  • the direct marketing organisation gives the individual the opportunity to opt-out of receiving material at no cost (NPP 2.1 (c)(ii) )
  • the individual has not already asked the organisation not to send material (NPP 2.1 (iii))
  • in every communication the organisation draws the individual's attention to the fact, or prominently display a notice, that he or she may opt-out of receiving further material (NPP 2.1(iv)) and
  • each communication includes the relevant contact details of the organisation (including electronic contact details if the material was sent by electronic means. (NPP 2.1(c)(v))

In general, then, it is possible that many of the telemarketing phone calls that individuals receive either comply with NPP 2.1 or are made by companies that are not required to comply.

Which type of register?

The Privacy Commissioner has recommended that the Government explore options for establishing a ‘Do Not Contact’ register. The Discussion Paper acknowledges that this type of model would have strengths, including that “the benefit for consumers of this type of register would be that the broad range of direct marketing approaches and practices could be dealt with through a single register.”[3]. Certainly, from a privacy perspective the focus is on the handling of personal information, rather than the method by which contact is made. Relevantly, research commissioned by the Office suggests that individuals feel “angry and annoyed” when receiving any type of direct marketing material[4].

Despite having recommended in the Report that government explore options for a ‘Do Not Contact’ register, the Office strongly supports establishing an effective ‘Do Not Call’ register. The development of this type of register is an important mechanism to help address community concerns over the intrusiveness of some direct marketing methods. There is evidence that individuals are more reluctant to give organisations their home phone number than all other sorts of personal information, with the exception of bank account details and income, and that this sensitivity has increased over the years.[5] A move to assist individuals to ‘opt out’ of unwanted telephone contact would no doubt be welcomed by many in the community. While very supportive of a ‘Do Not Call’ register the Office sees this as a first step towards consideration of a more comprehensive ‘Do Not Contact’ register that would cover all forms of unwanted contact.

The Discussion Paper defers to the review of the Spam Act 2003 in relation to its potential coverage of commercial messages sent via facsimile. It is important that this method of contact be addressed, and not be left as a potential loophole within the existing mesh of regulatory schemes. As such, it may be useful to build in a mechanism within the proposed ‘Do Not Call’ register to deal with facsimile contact. This would ensure the capacity exists for this type of contact to be covered in the event that other regulatory coverage is not realised.

From the perspective of the consumer receiving an unwanted call, it should be clear what steps need to be taken to address the issue, whether the call is made by a fax, a person, an automated dialler, or via any other means. The register itself should be technologically neutral in order to enable it to deal with issues that may arise from the use of eNum, VoIP and other such developments.

Opt in or Opt Out Model

A key underlying privacy principle is the concept of an individual’s control over how their personnel information is handled to the greatest extent possible.

Generally speaking providing individuals with choice to opt-in to receiving telephone calls may give them a greater degree of control over the contact that is initiated with them. However, it is important that mechanisms for control are balanced against efficient and effective communications between organisations and individuals. Consequently, if there was a decision to establish a register based on an opt-in approach, recognition may need to be given to pre-existing relationships between organisations and individuals.

The NPPs in the Privacy Act, on the other hand, allow for an opt-out approach in the context of personal information being used by an organisation for the secondary purpose of direct marketing. Should an opt-out approach be adopted in the context of a ‘Do Not Call’ register the Office would strongly recommend public awareness raising, including a Government or business driven educational campaign to ensure the effectiveness of the scheme for individuals and the community.

An opt-out approach also puts the onus on the individual to act if they wish to restrict calls, therefore if that approach is taken careful consideration should be given to ensure that the mechanism by which individuals register phone numbers is simple and does not place an undue burden on them.

Coverage

Offshore initiated calls

A key underlying principle in the Privacy Act is the concept of individual control. Many of the provisions of the Act are built around the notion of facilitating a degree of individual control over one’s own personal information. The idea that organisations may be able to engage in intrusive direct marketing practices from offshore, with no opportunity for individuals to ‘opt out’ of coverage or seek redress, would undermine the sense of control which may be delivered through a ‘Do Not Call’ register.

As part of the OPC Review, the Office explored issues related to the adequacy of the Privacy Act in its application to new technologies. As a result it was recommended that the Government consider initiating discussions through appropriate international forums about how to deal with major international jurisdictional issues arising from global reach of new technologies[6]. The adoption of this recommendation may be important in the context of addressing offshore initiated telemarketing. The Discussion Paper notes

“Comprehensive and effective solutions to the problem of ‘rogue’ offshore telemarketing are embryonic and require investigation and analysis”[7].

One possible solution, which may go some way to addressing the problem, is that proposed in the Discussion Paper of adopting the approach taken in Spam Act 2003. Using this approach, the ‘Do Not Call’ register would apply an Australian link concept to ensure that those telemarketers located offshore with Australian links (similar to those set out in the Spam Act 2003) could be subject to ‘Do Not Call’ restrictions. This method for widening the scope of the register would assist in increasing the amount of individual control, a desirable privacy outcome.

Automated Calls/Predictive Diallers

The Discussion Paper notes the increase in the use of automated calling equipment, predictive diallers and automated recorded messages. The significant consideration in relation to these practices is the fact that there is now a technological capacity to store or produce and dial telephone numbers using a random or sequential number generator.

The Privacy Act only applies to ‘personal information’. The term ‘personal information’ is defined as being “information or an opinion… about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.” If a predictive dialler is simply randomly selecting a number, without reference to the name or other details of the telephone account holder for example, there may be a question regarding whether the number would constitute ‘personal information’ and subsequently whether the use of that number would be covered by the Privacy Act. However, even when a predictive dialler is used, personal information is often linked to the use of the number.

To ensure clarity in this area, it would be appropriate for the register to facilitate means of reducing the intrusiveness of these types of marketing approaches. It may be useful to investigate the possibility of building in technology which could filter out the numbers on a ‘Do Not Call’ register so that they cannot be selected by an automatic dialler or other similar technology.

Dual purpose calls

The Discussion Paper describes dual purpose calls as those that purport not to be for the purpose of telemarketing, but that actually do have that purpose, either as a primary or other intention.

A key concept underlying the Privacy Act is that of notice. This concept is based on the premise that individuals should be aware of what their personal information is being collected and used for so that they have an element of choice and control over the handling of that information. The Office would support an approach that seeks to ensure transparency, in particular by requiring that organisations acknowledge the primary purpose of these calls. Only if an individual is aware of the purpose for the call can they exercise their choice regarding contact. To attempt to limit this choice by disguising the true nature of the call would undermine the transparency which could otherwise be delivered by a ‘Do Not Call’ register. Accordingly, it would be preferable that these types of dual purpose calls be prohibited to numbers on the register.

Exemptions

The approach suggested in the Discussion Paper is that certain individuals and organisations would be exempt from the prohibition on calling numbers listed on a ‘Do Not Call’ register.

The possible exceptions discussed in the Discussion Paper include:

• individuals or companies with which individuals or small businesses have established business relationships
• charities
• religious organisations
• educational institutions
• government bodies
• registered political parties and registered political candidates and
• market researchers undertaking social research.

The Discussion Paper categorises unsolicited telephone calls as being either those that are commercially driven or those that have a ‘public interest’ function. This distinction provides a useful first cut at determining which acts and practices may only be undertaken in accordance with an individual’s registered choices on the proposed register.

The OPC Review found that, overall, the NPPs have worked well and delivered to individuals protection of personal and sensitive information, in those areas covered by the Act, while not unduly impeding organisations in undertaking their legitimate activities. This is relevant for charities, religious organisations, private educations institutions, and market researchers and demonstrates that the regulation of privacy in relation to these types of organisations can be successful.

The Office’s experience suggests that it is likely that many unsolicited calls arise from the types of organisations suggested for exemption, and as a consequence, exempting these types of organisations may significantly detract from the impact of the proposed register in reducing unwanted calls.

Similar organisations as those proposed for exemption in the ‘Do Not Call’ register are found in the list of groups exempt from prohibitions on sending unsolicited electronic messages in the Spam Act 2003. However, the exceptions in the Spam Act 2003 are more limited than those proposed in the ‘Do Not Call’ register model as they only apply where the message relates to goods or services, and the organisation authorising the message is the supplier of the goods or services.

Relevantly, the Privacy Act also allows for a number of exemptions. These are further distinguishable from those proposed in the register as aside from the exemption for small businesses, the exemptions to the NPPs are generally related in some way to the ‘acts and practices’ of particular of organisations[8].

One of the findings of the OPC Review was that the Privacy Act has not achieved its objective of establishing “a single national comprehensive scheme for the protection of personal information by the private sector”[9]. In order to assist in developing national consistency in the protection of personal information, the Office is of the view that the exemptions to the ‘Do Not Call’ register should follow the approach taken in the Privacy Act and be similarly directed towards the regulated act or practice, in this case the telephone call.

More specifically, the Office recommends that rather than exempting particular organisations from coverage of a ‘Do Not Call’ register, only particular types of telephone calls should be exempt. Careful consideration will need to be given in determining the categorisation of exempt telephone calls. The Office recommends that exemptions be as tightly constrained as possible, and based on a clear public interest test that reflects community attitudes and values.

The Office also recommends that consideration be given to providing individuals with a choice about whether they receive calls that relate to particular acts and practices. For example, individuals may be given the choice of whether to register their numbers to not receive charitable calls, or market research calls, as well as the “default” listing to not receive general commercial marketing calls.

Such an additional opt-out mechanism would provide individuals with greater control over their personal information while lessening the impact on charitable or market research activities in comparison to an “all-or-nothing” register.

Administration and Enforcement

Community trust, efficient administration and effective enforcement will be integral to the success of a ‘Do Not Call’ register.

Administration

The possible approach suggested in the Discussion Paper in relation to administration is that the Australian Communications and Media Authority (ACMA) would either directly administer a ‘Do Not Call’ register or would be the body responsible for tendering out that administration function.

The Office appreciates that there may be benefits in tendering out the actual operation of the register to organisations that have experience and background in the operation of complex and extensive electronic registers, not to mention technical expertise and infrastructure. However, it must be recognised that in order to foster community trust and support it will be important to ensure robust accountability and oversight mechanisms are provided for, with regular monitoring. How this is achieved will necessarily depend on the model that is chosen, for example whether the register is run by ACMA or a private sector organisation contracted by ACMA.

Careful consideration will need to be given to the complaints handling and enforcement procedures relating to the register. The Discussion Paper appears to contemplate that a contracted register operator would accept complaints from consumers and attempt to resolve them informally, with an agency such as ACMA having a role to consider complaints if they cannot be successfully dealt with by the register operator. Care will need to be taken to ensure that contracted register operator was accepted by the community as a fair and appropriate complaints handler.

Privacy Act compliance

As well as complaints about whether an organisation is making calls to numbers on the register, consideration will also need to be given to the handling of complaints about the operation of the register itself. ACMA is an “agency” under s. 6 of the Privacy Act, and so is regulated by the Information Privacy Principles (IPPs) under the Privacy Act. It may be that the provisions of s. 95B of the Privacy Act would apply to a contract between ACMA and a private sector organisation that administered the register. Under s. 95B of the Privacy Act, ACMA is required to take contractual measures to ensure that a contractor does not do an act, or engage in a practice, that would breach an IPP if done by the agency.

A contract between an agency such as ACMA and a contractor (or between a contractor and any subcontractor for such a contract) becomes the primary source of the contractor’s obligations in relation to the personal information collected or handled for the purpose of performing the contract. While this means that agencies continue to have contractual remedies against a contractor that breaches a privacy clause in a contract, the Privacy Act also ensures that contractors and their subcontractors can be held accountable under the Privacy Act for any breaches of privacy obligations that they commit. An individual who considers that a contractor or subcontractor has breached their obligations in the handling of personal information about them can complain to the Commissioner who has jurisdiction to directly investigate the actions of the contractor or subcontractor.[10]

Enforcement

Given that a successful register will contain details pertaining to a large proportion of the Australian population, consideration may need to be given to whether additional privacy protections may be required, for example through legislative provisions, for the register itself.

In the interests of achieving national consistency in the protection of personal information, any legislative changes necessary to provide additional privacy protections should preferably occur through amendment to the Privacy Act.

Whether through the existing mechanisms in the Privacy Act, or through additional legislative protections, there should be a clearly established independent and transparent formal process to enable speedy resolution of complaints, including a mechanism for escalation to the enforcement body.

Along with ACMA and the Australian Consumer and Competition Commission, this Office is included in a list of possible bodies that could enforce an Australian ‘Do Not Call’ register. As is explained in the Discussion Paper, this Office may be an appropriate enforcement body because of its involvement in, and responsibility for the protection of privacy of individuals and its role in enforcing federal legislation. An enforcement role in relation to the operation of the register itself may fall to the Office by virtue of the operation of s. 95B of the Privacy Act. Certainly, the Office has valuable experience in enforcement, combined with a well established complaints handling system.

Given the complexities of enforcing a newly created model, along with the possible scope of the task, it will be vital that any body charged with enforcement of the register be appropriately resourced for the role.

National Contact Standards

The Discussion Paper proposes that all telemarketers be required to adhere to minimum national contact standards. Such standards may include obligations on “disclosure of information”. This is described as requiring “telemarketers and other groups that contact people by phone with the intention of making sales calls or seeking donations or information to disclose certain basic information to consumers when making sales calls. This could include the names and addresses of the organisation that is calling.”[11]

This approach is consistent with organisations’ obligations under NPP 1.3(a) in the Privacy Act which requires that organisations collecting personal information take reasonable steps to ensure that the individual is aware of the identity of the organisation and how to contact it.

Summary of Key Recommendations

Having recommended that Government explore options for the establishment of a ‘Do Not Contact’ register, the Office welcomes the discussion of a ‘Do Not Call’ register. In general, the prohibition of particular unsolicited telephone calls is a move towards regaining individual control in what is viewed by many in the community as an intrusive practice.

Summary of key recommendations:

Type of Register (Discussion Paper Questions 1.1 and 1.2)

• The Office supports establishing an effective ‘Do Not Call’ register but sees this as a first step towards consideration of a more comprehesive ‘Do Not Contact’ register that could cover all forms of unwanted contact.
  • It may be useful to build in a mechanism within the proposed ‘Do Not Call’ register to deal with facsimilie contact if not addressed through the review of the Spam Act 2003.
  • The register itself should be technologically neutral in order to enable it to deal with issues that may arise from the use of eNum, VoIP and other such developments.

Opt in or Opt Out Model (Discussion Paper Questions 3.1 and 3.2)

• Should an opt-out approach be adopted the Office would strongly recommend public awareness raising, including a Government or business driven educational campaign to ensure the effectiveness of the scheme for individuals and the community

Coverage (Discussion Paper Questions 5.1, 6.1, 6.2, 6.3 and 6.4)

• Coverage of the model should be broad enough to address problems associated with offshore initiated calls, automated calls/predictive diallers and dual purpose calls. The complexities of these issues may mean that further investigation is required to find solutions but where possible partial solutions can be offered by the register these should be provided for (e.g. application of the register restrictions to companies with an Australian link).

Exemptions (Discussion Paper Questions 7.1 to 7.12)

• In the interests of achieving national consistency in the protection of personal information the Office recommends that any exemptions from the prohibition on calling numbers listed on a ‘Do Not Call’ register be linked to the ‘act or practice’ regulated, as is generally the case with exemptions to the Privacy Act. In short, the exemptions should apply only to certain types of telephone calls, rather than to all telephone calls from a particular group.
• Whilst the Office accepts that it may be within the ‘public interest’ for certain types of calls to be exempt from the prohibition on calling numbers listed on a ‘Do Not Call’ register, it is recommended that these exceptions be limited only to ‘public interest’ purposes. Any ‘public interest’ test must, by necessity, reflect community expectations.
• The Office also recommends that consideration be given to providing individuals with a choice about whether they receive calls that relate to particular acts and practices. For example, individuals may be given the choice of whether to register their numbers to not receive charitable calls, or market research calls, as well as the “default” listing to not receive general commercial marketing calls.

Administration and enforcement (Discussion Paper questions 8.1 to 8.4)

• The administration and enforcement of the register should provide for robust oversight and monitoring mechanisms to ensure accountability.
  • The type of mechanism will depend on the model which is chosen (e.g. if ACMA is the administrator it will need to comply with the IPPs in the Privacy Act).
  • In the interests of achieving national consistency in the protection of personal information, any legislative change necessary to provide additional privacy protections may most preferably occur through amendment to the Privacy Act.

National Contact Standards (Discussion Paper questions 10.1 and 10.2)

• If telemarketers are required to adhere to minimum national standards then the Office supports a standard imposing obligations on ‘disclosure of information’ which reflects the requirement under NPP1.3(a).