pdf (56.91 KB)

Submission to the Australian Communications and Media Authority by

the Office of the Privacy Commissioner

August 2005

1. Office of the Privacy Commissioner

The Office of the Privacy Commissioner (the Office) is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Office, established under the Privacy Act 1988 (the Privacy Act), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

In addition, the Office has responsibilities under the Telecommunications Act 1997 (the Telecommunications Act) in relation to telecommunications industry Codes and Standards (Part 6) and monitoring compliance with the record-keeping requirements under that Act (Part 13 Division 5).

2. Contributions by this Office

The Office welcomes the opportunity to make a submission to the Australian Communications and Media Authority (ACMA) on the draft Telecommunications (Use of Integrated Public Number Database) Industry Standard 2005 (the draft standard). The drafting of an industry standard is an important step in clarifying how individuals’ personal information is handled in the telecommunications context.

The Office has previously commented on this issue, in its May 2004 submission[1] to the (then) Australian Communications Authority’s Who’s Got Your Number? Regulating the Use of Telecommunications Customer Information Discussion Paper.

3. Background

What is the Integrated Public Number Database?

The Integrated Public Number Database (IPND) is a database of all listed and unlisted public telephone numbers. It is managed by Telstra under the Carrier Licence Conditions (Telstra Corporation Limited) Declaration 1997 (the Declaration). The purpose of the IPND is to make telecommunications customer information available for a number of purposes specified in the Declaration. These include, for example, to assist the operation of emergency call services, to assist enforcement agencies, and to publish public number directories.

Regulation of the Integrated Public Number Database

Part 13 of the Telecommunications Act deals with the protection of telecommunications customer information, including information held in the IPND. Part 6 of the Telecommunications Act provides for the development of industry codes and industry standards. Under this Part, ACIF C555:2002 Integrated Public Number Database (IPND) Data Provider, Data User and IPND Manager Industry Code[2] (the IPND Code) was registered in August 2000. Its purpose was to expand upon the protections provided under Part 13 in relation to the IPND.

Under section 125 of the Telecommunications Act, if ACMA is not satisfied that an industry code is operating effectively, it has the power to determine an industry standard. It is within this regulatory context that the draft standard has arisen. As the Office understands it, ACMA had become concerned that customer information was being used for purposes beyond those specified or contemplated within Part 13, and that the IPND Code was not providing appropriate community safeguards, nor adequately regulating the industry participants.[3] In particular, ACMA held the view that “many database enhancement services are not related to the authorised publishing of a public number directory and constitute unauthorised uses of customer information”.[4] These uses are generally referred to in the draft standard as “data washing services”.

Purpose of the draft standard

As the Office understands it, the purpose of the draft standard is to protect the telecommunications customer information held in the IPND from improper use or disclosure. In particular, it seeks to prevent uses (such as data washing services) which are considered to be beyond those contemplated by Part 13.

4. Key Principles of This Submission

The Office is aware of the complex nature of the issues addressed by the draft standard, and the regulatory environment and the telecommunications industry in which they arise. The Office believes that there are a number of key guiding principles that remain central to considering privacy in this context. It is on these principles that this submission focuses, rather than providing detailed comments on the wording of the draft standard.

Generally speaking, the Office considers these key guiding principles to be:

• notice
• choice
• use for purpose
• regulatory consistency.

The aim of the first three principles is to ensure that individuals have the opportunity to understand what will happen to their personal information, the ability to make choices about the uses of their personal information, and the right to expect that those choices will be respected. These are cornerstone principles of the Privacy Act, and they also form the basis of this submission. For these goals to be achieved, telecommunications customer information should be subject to consistent regulation.

In order to successfully address the issues with which the draft standard is concerned, the Office believes that the primary challenge is to achieve the appropriate mix of these guiding principles, so as to maximise privacy protections in the specific context of telecommunications customer data. The extent to which the draft standard employs these various options is discussed later in this submission.

5. Regulatory Parameters

The Office is aware (as noted by ACMA in its May 2005 Consultation Paper[5] on the draft standard) that the draft standard has been “developed within the confines of the current legislative and regulatory parameters”. The Office understands that, due to the way Part 6 of the Telecommunications Act operates, a draft standard issued in circumstances where an industry code has been deemed to be operating ineffectively, can only deal with matters that were dealt with by that code (i.e. the IPND Code).

In some respects, the scope of these parameters is not absolutely clear. As a consequence, this submission focuses on the key regulatory outcomes required to ensure the protection of telecommunications customer information, most of which it appears can be achieved through the issuing of a standard. However, some regulatory outcomes may require consideration of broader changes to the regulatory scheme.

6. Telecommunications Landscape

Before discussing in more detail what the Office believes to be the key guiding privacy principles, there are two aspects of the telecommunications landscape that are worth reflecting upon.

Value of public number directories

The Office acknowledges the value that many members of the community (both individuals and organisations) have come to place upon the availability of public telephone number listings (e.g. the White Pages), and appreciates that the community relies on such listings for a range of purposes. In considering the draft industry standard, it is timely to reflect upon whether the value of such directories has changed over time.

For example, the number of mobile phone services in Australia (16.5 million) now significantly outstrips the number of fixed telephone lines (11.7 million).[6] This proliferation of mobile phones may have, to some extent, eroded the importance of fixed line numbers as a means of contacting individuals.

Despite this, mobile phone numbers (in contrast to fixed line numbers) remain unlisted unless an individual specifically requests otherwise, a generally recognised mobile number directory has not yet evolved, and it remains unclear whether there is a community need for such a directory.

A function of the IPND is to ensure that certain activities which are considered important by the community (e.g. emergency call services; law enforcement activities) are not hampered by a lack of availability of phone numbers. The production of public number directories is currently included as one such activity.

Changes to industry landscape

It is also important to consider the degree to which the draft standard will continue to be effective in the future. The possibility of changes in the industry landscape needs to be borne in mind. For example, the recently announced decision by the Government to fully privatise Telstra may affect the context in which the draft standard is required to operate. The draft standard will need to be robust enough to meet such changes.

7. What do individuals expect?

The Office’s community attitudes research shows that individuals are more reluctant to give organisations their home phone number than all other sorts of information, with the exception of bank account details and income. The Office’s research also shows that this sensitivity has increased over the years[7].

In relation to telecommunications customer information which individuals disclose to a telecommunications company in order to receive a telecommunications service, answers to questions such as the following are instructive.

• For what purposes do individuals expect their personal information to be handled?
• How much do individuals actually understand about how their personal information is able to be, and is being, handled? For example:
  • is it possible that technological developments are outstripping individuals’ awareness and understanding about what is happening with their personal information and, if so, would they have any specific concerns?
  • in the particular context of the draft standard, do individuals understand the nature of public number directories and would they have any specific concerns about their operation?
• What choices would individuals want, and what choices have they actually been given?
• How would individuals like to be able to exercise those choices?

These are not always easy matters to resolve, particularly in complex information handling environments such as the telecommunications industry. However, the answers to these questions should underpin any model that seeks to meet community expectations with regard to the regulation of the handling of individuals’ personal information.

8. Understanding the IPND and Public Number Directories

What should individuals know?

In the context of the draft standard, the initial situation in which individuals typically disclose their personal information to a telecommunications company is for the purpose of receiving a telecommunications service. Individuals’ expectations about the handling of their personal information will therefore, to a large extent, be set by this original transaction.

However, individuals may not appreciate that, due to the intervention of other factors (for example, legal requirements), the handling of their personal information does not end with their telecommunications company.

Recognising this, it is therefore even more important that individuals (at an appropriate stage and by an effective mechanism) be given the opportunity to understand what will happen to their personal information. To take as an example the current regulatory environment and industry practices, this information could include:

• that the law requires that their personal information be disclosed to the IPND;
• that the IPND is to be used for approved purposes only, and what those approved purposes are (e.g. disclosure to law enforcement agencies, emergency services and for public number directory production);
• the practical consequences of this disclosure of their personal information:
  • for example, in relation to public number directories in the current environment, this might include an explanation that it will be used for certain commercial purposes, and that it may lead to unexpected commercial contact; and
• that their personal information will also be disclosed to Sensis, and the practical consequences of this disclosure:
  • for example, that their personal information will be listed in the White Pages and other Sensis directory products, that this currently means that their personal information will be used for certain commercial purposes, and that this may lead to unexpected commercial contact.

The nature and detail of this explanation may need to change from time to time, depending on what uses are permissible within the regulatory environment at the time, and taking into account any changes in industry practices within that environment.

Mechanisms to help individuals understand

National Privacy Principle (NPP) 1.3 in the Privacy Act requires organisations (including telecommunications companies) to notify individuals of “the organisations (or the types of organisations) to which the organisation usually discloses” personal information.

As disclosure to the IPND is a legal requirement, it is reasonable to expect individuals to be more fully informed of how their personal information will be handled.

The exact point at which, and the exact mechanism(s) by which, this information is given to individuals will need to be further explored. It is an issue that needs to be considered to ensure that individuals are provided with a full understanding of what will happen to their personal information.

9. Choice and Consent for Directories

What choices should individuals have?

Unless the law provides otherwise, individuals’ understanding of how their personal information is handled should be accompanied by opportunities for individuals to choose legitimate uses and disclosures of their personal information.

Once again, taking the current regulatory environment and industry practices as an example, relevant choices for an individual could include whether their personal information is:

• unlisted;
• listed, with the exclusion of particular details (e.g. address);
• included in the White Pages (and/or related Sensis directory products), but only for the purpose of traditional published directory use;
• included in the other public number directories, but only for the purpose of traditional published directory use;
• included in the White Pages (and/or related Sensis directory products) to be used for other specified uses;
• included in the other public number directories to be used for other specified uses;
• included in the White Pages (and/or related Sensis directory products) to be used for all legitimate uses; and/or
• included in the other public number directories to be used for all legitimate uses.

Again, the exact point at which, and the exact mechanism(s) by which, these choices can be made by individuals will need to be explored further, and may require other regulatory options outside the context of the current draft standard. A national Do Not Contact register, for example, might have a role to play here (see further 13. Additional Mechanisms below). This approach would be consistent with this Office’s recommendation, in its March 2005 report Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (the Review Report)^[8], that the Australian Government consider exploring options for establishing such a register.

The nature of these choices may also need to change from time to time, depending on what uses are permissible within the regulatory environment at the time, and taking into account any changes in industry practices within that environment.

Choice and cost

Irrespective of the mechanism which is implemented, it is important to consider whether individuals are provided with the ability to make these choices free of charge. One of the stated objects of the draft standard (clause 5(d)) is that an individual “may choose whether his or her customer data is to be included in a public number directory”. A relevant question then is whether it is appropriate for individuals to be expected to pay for the right to make privacy choices. Charging a fee for a silent number or to make other choices may limit some individuals’ ability to make such choices freely, and thereby hamper their ability to control their own personal information. The effect that free silent listings may have on the number of individuals that appear in directories of public numbers may also need to be considered.

NPP 2

NPP 2.1(b) provides that individuals can consent to uses of their personal information that are unrelated to the purpose for which the information was collected initially. However, to the extent that uses and disclosures of personal information are permitted by Divisions 3 and 4 of Part 13 of the Telecommunications Act, they are “authorised by law” for the purposes of NPP 2.1(g) (see section 303B of the Telecommunications Act). As a consequence, in the absence of further choice being provided for in an industry standard, individual control over the uses and disclosures of their telecommunications customer information is limited to that provided for in Part 13 of the Telecommunications Act.

10. Use for purpose

In some circumstances, the ideal of complete choice for individuals is not always available. For example, in the current context, disclosure of telephone customers’ personal information to the IPND is a mandatory requirement of law.

The significance of this mandatory requirement becomes clearer when one considers the extent of phone services in Australia. As noted in this Office’s Review Report^[9], there are 11.7 million fixed telephone lines and 16.5 million mobile phone services in Australia.[10] These figures demonstrate that a very large proportion of the Australian population has a phone service, and reflect the almost universal importance phone services play in enabling participation in modern Australian society.

These figures also show that a very large proportion of the population do not have any choice in relation to the disclosure of their personal information to the IPND. In this context, where the option of choice is less available as a privacy protection tool, reliance on other options to protect privacy may also be required. For example, as disclosure to the IPND is compulsory, tighter controls on the subsequent uses of this information may need to play a more active role.

11. Regulatory Consistency

One of the major themes of this Office’s Review Report was that of national regulatory consistency. In order for individuals to have a clear understanding of their privacy rights, and the ability to act upon them, it is important to have a regulatory system that is as consistent as possible. Organisations also see value in regulatory consistency, as it can reduce the costs and complexity of compliance. The importance of this goal was highlighted by many submitters to the Review, both generally as well as specifically in the context of telecommunications customer information (see Part 2.3 of the Review Report[11]). Its importance was also reflected in the series of recommendations made to Government which were aimed at achieving greater national regulatory consistency.[12]

Relevantly, the Office understands that, under current industry practices for the production of the White Pages and its other related directory products, the entity that produces these directory products (currently Sensis) collects the required data directly from telecommunications companies under a series of bilateral agreements, rather than collecting it from the IPND. As this data is not drawn from the IPND, and the draft standard in its current form will only regulate those who create public number directories drawn directly from the IPND, the draft standard will not regulate this entity.

It seems timely to consider the reasons that have given rise to these current industry arrangements. Even leaving aside the issue of regulatory consistency (discussed below), drawing all directories of public numbers from the IPND (thereby eliminating double-handling) might be a more efficient process.

If the current industry arrangements remain, it seems that allowing the entity that produces the White Pages and its other related directory products to remain outside the scope of the draft standard creates a situation where there is inconsistency in the application of the regulatory scheme. This inconsistency could have implications for individuals’ understanding about the handling of their personal information and how they can control it.

Despite the difference in the precise route followed by the information, essentially the same personal information is involved. From the perspective of the individual, this distinction may be of little consequence. For an individual who discloses their information when they sign up for a telecommunications service, the issue is that their information is subsequently used in a way that they did not expect.

This being the case, many of the issues surrounding the production of directories (whether derived directly from the IPND or not) remain the same, and as such it makes sense that their regulation should also be consistent. Such an approach would also be consistent with the recommendations relating to consistency that this Office made in its Review Report.

12. Approach of the Draft Standard

The considerations in this submission have focused on the key principles of notice, choice, use for purpose, and regulatory consistency. The principles of notice and use for purpose in particular are reflected in the draft standard.

Use for purpose

With reference to these key principles, the draft standard seems to a large extent to adopt an approach of regulating “use for purpose”. That is, the draft standard seeks to protect personal information from misuse by limiting uses of personal information compulsorily disclosed to the IPND. Most notably, the draft standard seeks to prevent those uses (generally referred to in the draft standard as “data washing services”) which are considered to be beyond those contemplated by Part 13.

This approach is an effective way in which the privacy of personal information can be protected. By clarifying which uses are appropriate and permissible, the draft standard can assist in restricting some uses which individuals may not expect or which are not permitted by law.

Notice

The draft standard also specifies in seemingly more detail than the IPND Code some of the information that should be provided to individuals by telecommunications companies. By requiring that individuals are provided with extra information about the handling of their personal information, the draft standard could assist in raising community awareness, which is a positive privacy outcome.

Broader solution

Whilst the above are examples of some positive outcomes likely to result from the draft standard, there appears to be further scope to address aspects of the other key principles outlined in this submission.

For example, a greater focus on extending the information and choice available to individuals may have an important role to play. This may be done within the draft standard, or by mechanisms beyond the draft standard (e.g. a national Do Not Contact register: see 13. Additional Mechanisms below). Regulatory consistency will also be important, otherwise there may be a risk that the issues will only be partly addressed.

The Office believes that the further implementation of these key principles will contribute to a broader overall solution to the issues which this draft standard is addressing.

13. Additional Mechanisms

This submission has focused on key principles. Some of the outcomes might be appropriately achieved through the use of mechanisms additional to the determination of an industry standard.

Some examples of other possible mechanisms that may be considered useful, either during the current process or as part of a broader process, are provided below.

• Do Not Contact register Upon further analysis, it may be found that the preferred mechanism for providing individuals with choice and consent (as discussed in 9. Choice and Consent for Directories above) is through the implementation of a national Do Not Contact register. This Office has previously recommended (through Recommendation 25 of its Review Report) that the Australian Government consider exploring options for establishing such a register, with the aim of reducing unwelcome direct marketing contact. Nothing in the draft standard should prevent the subsequent implementation of such a register, should that be deemed appropriate.
• Regulatory Consistency As discussed at 11. Regulatory Consistency above, if it is the case that it is not possible for the entity that produces the White Pages and its other related directory products to be regulated by this standard, separate regulatory mechanisms may be appropriate to achieve this.

14. Other Options

Reverse search directories are, generally speaking, databases which allow an individual’s name and address to be obtained by a search which uses their phone number. Comprehensive reverse search directories have the potential to undermine some of the privacy protections which enactments such as the Telecommunications Act and the draft standard are designed to achieve.

Whilst it is recognised that there is current regulation in place which is intended to help prevent such directories, this regulation appears confined in scope to the jurisdiction of the Telecommunications Act, as it relates to IPND data. Further consideration should be given to whether the current regulation is adequate, or whether more could be done to prohibit the availability of such directories. The Office acknowledges that there may be difficulties associated with effectively regulating this issue, but the matter nonetheless bears reconsidering, particularly because of the potential which reverse search directories have to undermine privacy protections in the telecommunications environment.

15. Conclusion

It is the Office view that the draft standard has the potential to contribute positively, to the extent that it seeks to restrict some uses of individuals’ personal information which may either go beyond what is permitted by the Telecommunications Act or which may be outside of individuals’ reasonable expectations, and to the extent that it will increase community awareness of how IPND data is handled.

However, the Office also believes that there remain some broader opportunities to assist individuals to more fully understand what is happening to their personal information and to control it in a manner they prefer.

16. Summary of Recommendations

In summary, the Office makes the following recommendations. To the extent permitted by the Telecommunications Act, the draft standard should ensure that:

1. Individuals are given full notice of what will happen to their personal information as a result of disclosing it to a telecommunications company for the purposes of receiving a telecommunications service.

2. Individuals are given opportunities to make choices about legitimate uses and disclosures of their personal information.

2.1. It would be preferable that individuals should not be charged a fee for the opportunity to exercise these choices.

2.2. Nothing in the standard should prevent the subsequent implementation of a national Do Not Contact register.

3. Any uses and disclosures of personal information derived from the IPND which are beyond those contemplated by Part 13 of the Telecommunications Act should be restricted.

4. All handling of telecommunications customer information in order to produce directories of public numbers or related directory products is consistently regulated, particularly in relation to notice and choice.

If any of these recommendations cannot be achieved through the issuing of a standard, then other regulatory mechanisms may be appropriate.

The Office also makes the following recommendations, which may not be able to be delivered through the draft standard, but which could form part of a broader regulatory scheme.

5. Options for establishing a national Do Not Contact register should be explored.

6. Further measures to restrict the production of reverse search directories should be considered.