Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
Improving Identity Check Processes for Pre-paid Mobile Services; Submission to the Australian Communications and Media Authority (April 2006)
April 2006
- Executive Summary
- 1. Office of the Privacy Commissioner
- 2. Background
- 3. Experience of the Office
- 4. References to the Privacy Act
- 5. Identity Management
- 6. Operation of the National Privacy Principles
- 7 On-line verification
- 8 Additional privacy protections
- Endnotes
Executive Summary
The Australian Communications and Media Authority (ACMA) is considering a general proposal to establish a new system for verifying the identity of customers who purchase pre-paid mobile services. As this proposal is developed further, for example in the drafting of a new regulatory instrument, the Office recommends that ACMA take into account the following matters.
- The proposed system whereby the verification of identity is handled by Carriage Service Providers (CSPs), rather than by non-CSP retailers, may bring an overall improvement in privacy protection because all CSPs are subject to the privacy protections in Part 13 of the Telecommunications Act, and most are likely to be subject to the NPPs in the Privacy Act.
- A Privacy Impact Assessment (PIA) should be undertaken before the introduction of any new regulatory instrument and consideration should be given in the PIA to privacy protections, additional to those in the Privacy Act 1988, that may be required.
- Individuals should retain an appropriate degree of control over how they present themselves to the organisations with which they deal, and regarding how information about them is handled.
- An individual's privacy should not be at greater risk because the individual chooses to access services in a particular way, for example, by paying for a service by cash.
- Any new regulatory instrument should precisely detail, and place limits upon, the amount and type of personal information which is allowed to be collected by carriage service providers (CSPs), and should require that personal information collected under the Determination be destroyed after a specific period.
- The personal information that is required or authorised to be collected by the Determination should be limited to that which is necessary to fulfil the policy goals of the Determination
- In determining which items of personal information need to be collected, consideration be given to the privacy issues arising from the broader framework which supports any new regulatory instrument.
- Any new instrument should be consistent with a CSP's obligations under the NPPs, in particular:
- Only collecting information which is 'necessary' for one or more of their functions or activities under NPP 1.1
- Taking 'reasonable steps' to tell the individual, among other things, the purposes for which the information was collected, to whom the organisation usually discloses such information and the consequences of not providing it, so as to meet their obligations under NPP 1.3 and NPP 1.5
- Minimising the handling of Commonwealth identifiers, in accordance with NPP 7
- Taking steps to secure the personal information of customers, proportionate to the sensitivity of the information collected, under NPP 4.
- If a future Regulatory instrument mandates the use of certain data matching, then the quality and reliability of this data matching be ensured.
- Ensuring adherence to the policy intentions behind NPP 8 to the extent possible.
- ACMA should take due consideration of the fact that the availability to CSPs of an online Document Verification Service is by no means certain.
- That reference to NPP 7 in section 5.1 of the discussion paper may be intended to be a reference to NPP 3.
- Care needs to be taken not to overstate the strength of the obligation in NPP 3 in circumstances where there may not be a privacy benefit to individuals.
1. Office of the Privacy Commissioner
The Office of the Privacy Commissioner (the Office) is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Privacy Act 1988 (the Privacy Act) covers Australian and ACT Government agencies, businesses with an annual turnover of more than $3 million, the private health sector, small businesses that trade in personal information, credit providers and credit reporting agencies. The Privacy Commissioner has responsibilities under the Privacy Act and other federal legislation, including the Telecommunications Act 1997, to regulate the way Australian and ACT Government agencies and private sector organisations collect, use, store and disclose individuals' personal information.
2. Background
The Office welcomes the opportunity to comment on the Improving Identity Check Processes for Pre-paid Mobile Services discussion paper (the Paper) which was prepared by the Australian Communications and Media Authority (ACMA) to outline and seek comment on a proposal to improve the identity checking processes that apply to pre-paid mobile services. The Paper proposes a single verification process to replace the three alternative processes currently in place under the Telecommunications (Service Provider - Identity Checks for Pre-paid Public Mobile Telecommunications Services) Determination 2000 (the Determination). The Office understands that it is intended that a new regulatory instrument will be made to introduce this new identity checking process.
The Office acknowledges the attention given to privacy issues within the Paper.
3. Experience of the Office
Since the introduction of the Privacy Amendment (Private Sector) Act 2000 on 21 December 2001, the Office has received phone enquiries about this issue though statistics as to how many enquiries were actually received regarding the collection of information in respect of pre-paid mobile applications are not available.
The Office has received at least five complaints which related to the collection of identifying information in relation to pre-paid mobile services during this period. In one of these complaints the respondent was a 'small business'[1] and therefore exempt from the National Privacy Principles (NPPs). These complaints and enquiries related either to the NPPs, or to the credit reporting provisions of the Privacy Act.[2]
The Office also conducted two Own Motion Investigations in relation to businesses conducting credit reporting checks on individuals seeking to purchase a pre-paid mobile service. The credit reporting provisions of the Privacy Act make it unlawful to conduct a credit check where no credit is being provided.
4. References to the Privacy Act
Section 5.1 of the Paper includes a reference to NPP 7, as part of the objective of "improved privacy protections for consumers" by improving the accuracy of customer information in the Integrated Public Number Database (IPND). NPP 7 places obligations upon organisations in relation to identifiers assigned to an individual by an agency; it does not provide protections for individuals regarding the accuracy of that information. However, NPP 3 states that "an organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date".[3]
This Office's Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 includes a consideration of the operation of NPP 3. Submissions to that Review discussed whether data quality was intended as an overriding obligation on organisations when considering their personal information handling practices. Some organisations argued in favour of certain contentious practices on the basis of their need to comply with NPP 3.[4]
In the Office's view, it is not reasonable to take steps under NPP 3 to ensure data accuracy where this does not have any privacy benefit for the individual. Generally speaking, the accuracy of the IPND may have important benefits to individuals, including where emergency services make use of the IPND. Nonetheless, the Office recommends that care be taken to ensure that reference to NPP 3 in terms of keeping the IPND up to date is relevant to privacy or other benefits to the individual.
5. Identity Management
Good identity management in the current context involves an appropriate balance between the stated aims of increasing the accuracy of information for law enforcement, national security, emergency, and commercial reasons on the one hand, whilst allowing individuals to retain an appropriate degree of control over how information about their identity is handled. This involves organisations only authenticating identity when it is necessary to do so, and collecting only that information necessary for such authentication to take place. Removing from individuals control over how they are identified and named risks losing their trust.
Good identity management also addresses the potential for 'function creep'. 'Function creep' describes the gradual increase in the purposes for which information is used. In some circumstances where data is collected for one purpose, the organisation holding the data may, after a period of time, recognise other purposes for which the data can be used. Privacy legislation guards against function creep through "use-for-purpose" or "use limitation" provisions (for example NPP 2, and Part 13 of the Telecommunications Act) that require that personal information that is collected for one purpose, not generally be used or disclosed for an unrelated purpose.
The Office recommends that any new identity verification process, including any new regulatory instrument, in relation to the purchase of pre-paid mobile phone services, should implement these identity management considerations. Specific recommendations that flow from this approach are discussed in the sections below.
6. Operation of the National Privacy Principles
6.1 Collecting and storing only necessary information
Under NPP 1.1, an organisation must not collect information unless it is necessary for one or more of its functions or activities.
In the context of collecting evidence of identity (EOI) information relating to the Telecommunications (Service Provider - Identity Checks for Pre-paid Public Mobile Telecommunications Services) Determination 2000 (the Determination), while the collection of certain information elements (e.g. name) may be necessary for an organisation to meet its obligations under statute or regulation, and in some circumstances under contract to another organisation or agency, the collection of additional information elements may give rise to a breach of NPP 1. The Determination therefore needs to be understood in the context that carriage service providers (CSPs) need to ensure that they only collect the minimum 'authenticating' information of customers to meet their requirements under the Determination.
The Office notes that with the exception of information in Part 1 of Schedule 1 of the Determination, the Determination only requires sighting of EOI documentation, rather than its collection (see s. 3.4(2)). This reflects the general privacy principle that only the minimum necessary personal information should be collected. For example, organisations may meet their obligations under the Determination through viewing certain documents, without collecting the information on those documents into a record.
Simply viewing an EOI document is not collection for inclusion in a record for the purposes of s. 16B of the Privacy Act. Consequently, an organisation may sight an EOI document, for the purpose of seeking to verify an individual's identity prior to a transaction, without recourse to the NPPs. Other practices may include the photocopying of an EOI document, or the electronic scanning of such documents. The practice of electronically scanning EOI documents has the potential to increase the risks associated with the storage and handling of personal information, in comparison to the creation of a photocopy, for example.
In addition, the collection of detailed information from and about high value EOI documents may pose identity theft or fraud risks.
If the policy goals of the Determination cannot be met without requiring the collection of certain identifying information by CSPs, then a clear limit should be placed on the amount and type of information to be collected. At present, the current Determination does not explicitly limit the collection obligations it imposes on CSPs and their agents when verifying the identity of the purchaser/end user. For instance, while there is a requirement in section 3.2(1)(a) of the Determination to collect certain information (such as the name and address details) and a requirement to see certain EOI documents, it may be unclear whether there is an obligation to collect all the details appearing on the EOI document itself (e.g. the document number, or the class of driver licence). It is therefore the recommendation of this Office that any new regulatory instrument should carefully detail, and place limits upon, the amount and type of personal information which is allowed to be collected by CSPs, and that information should be limited to that which is necessary to fulfil the policy goals of the Determination.
Furthermore, there seems to be a difference between the amount of information being collected about those consumers who meet one of the exemptions to the verification process (e.g. those paying by credit or debit card), and those paying by cash. It also appears that the latter will have to provide information which they may consider to be of greater sensitivity (e.g. birth certificate or driver license details) than the information provided by the former. As the 'sensitivity' of personal information which an organisation collects increases, so does the measure of what steps are 'reasonable' to secure that information, in line with NPP 4.
Where a regulatory instrument requires the collection of personal information that would not otherwise be collected, it is appropriate for that instrument to ensure the destruction of that information once it is no longer of use. While CSPs will be under a general obligation to destroy or permanently de-identify that information in accordance with NPP 4.2, when it is no longer needed for any purpose under NPP 2, this protection could be tightened to ensure that the identity verification obligations on CSPs do not create a store of personal information that may be retained for unrelated purposes. The Office recommends that any new regulatory instrument should require that personal information collected under the Determination must be destroyed after a specific period.
Under the NPPs, CSPs are required to 'take reasonable steps' to tell the individual, among other things, the purposes for which the information was collected, to whom the organisation usually discloses such information and the consequences of not providing it, so as to meet their obligations under NPP 1.3, and under NPP 1.5 where personal information is not collected directly from the individuals concerned. Obligations under the latter principle may be particularly relevant in situations where the identity of an individual in a 'referee capacity' is collected due to the end-user being unable to meet the verification criteria, if that information is not collected directly from the referee.
6.2 The collection of 'Commonwealth identifiers'
NPP 7 seeks to ensure that the increasing use of Australian Government identifiers does not lead to a de facto system of universal identity numbers, and to prevent any loss of privacy from the combination and re-combination of this data, including with other information. Unless prescribed by regulation, NPP 7.1 generally prohibits organisations from collecting an Australian Government assigned identifier from the individuals with whom it deals, then using that identifier to organise and match other personal information with reference to that identifier. A Medicare number, Centrelink number, or Australian passport, would be examples of Commonwealth government identifiers. State and Territory issued drivers' licenses are not Commonwealth identifiers for the purpose of NPP 7.
National Privacy Principle 7.2 limits organisations' handling of Australian Government identifiers. Such identifiers may be used where necessary for the organisation to fulfil its obligations to the agency that assigned the identifier to the individual; or in certain prescribed circumstances in which there is a public interest, set out as exceptions (e) to (h) for NPP 2. These exceptions include uses or disclosures in the interest of lessening or preventing a serious and imminent threat to any individual, or where the use or disclosure is authorised or required by or under law, or is necessary to assist an enforcement agency.
In other words, if an organisation cannot demonstrate a lawful basis for using or disclosing a Commonwealth identifier (e.g. to fulfil its obligations to the agency that issued the identifier, or pursuant to one of the exceptions under NPP 2.1(e) to (h)), it appears collection is not necessary. At present the only Commonwealth identifier listed in Schedule 3 of the Determination, and therefore prescribed by regulation, is passport information. The extent to which CSPs may collect, use or disclose other Commonwealth government documents for identification purposes is less clear.
As noted above, where a government document is used for identification purposes, an appropriate practice may be to sight the document and to only record such information as is necessary to meet the public policy goals of the Determination. This information may be restricted to name, address, date of birth, for example; alternatively, a different scheme could require that only the document number be recorded, without any further identifying details, if that can be done in accordance with NPP 7. The general rule here is that the information to be recorded be carefully limited in a way that maximises the privacy protections provided by the Determination and the supporting framework. The Office recommends that in determining which items of personal information need to be collected in relation to the verification of the identity of individuals who purchase pre-paid mobile services, consideration be given to the privacy issues arising from the broader framework which supports any new regulatory instrument.
6.3 Disclosure of customer information to law enforcement bodies
Section 303B of the Telecommunications Act provides that uses and disclosures of personal information that are permitted by Divisions 3 and 4 of Part 13 of that Act, are 'authorised by law' for the purposes of the Privacy Act. In this context, the use and disclosure of customer information by CSPs is effectively regulated by the Telecommunications Act, rather than by NPP 2.
However, non-CSP organisations that are not regulated by the Telecommunications Act would need to ensure that they comply with their obligations under NPP 2.
6.4 Validating personal information
The Office recognises that the proposed validation techniques can be a valuable tool for ensuring the accuracy of personal information held on the Integrated Public Number Database (IPND) or the databases of CSPs, thereby helping organisations comply with their obligations under NPP 3. The Office does, however, issue a note of caution over the implications of data-matching the personal information of customers with pre-existing data held in other databases.
Most notably, there is an obligation upon those organisations to ensure that the pre-existing data is itself accurate, complete and up-to-date, in line with the requirements of NPP 3. Moreover, there may be some concerns from a consumer viewpoint if customers are denied a service due to the inability of the relevant CSP software to find a data match in the pre-existing database. The Office recommends that if a future regulatory instrument mandates the use of certain data matching, that the quality and reliability of this data matching be ensured.
6.5 Anonymity
The Office notes the reference at s. 4.2 of the Paper to a technical flaw in the Determination that may lead to "exploitation by mobile phone users who seek anonymity". While the Office acknowledges the public interests served by the Determination, it is also important to acknowledge that anonymity is not, of itself, unlawful. NPP 8 provides that, where lawful and practicable, individuals should be able to interact anonymously with organisations. The Office recommends that any future regulatory instrument be made in keeping with the policy intentions behind NPP 8 to the extent possible.
7 On-line verification
The Office notes that the operation and scope of a potential Document Verification Scheme (DVS) that might be available to CSPs, is not clear at this stage. The operation of such a system has the potential to be privacy enhancing, but could also carry privacy risks. Much will depend upon limits placed upon the use of the system, and the safeguards which will be put in place to protect the personal information of individuals from misuse.
As section 8.1 of the Paper acknowledges, "future extension of the DVS to the private sector is by no means certain and, even if access is afforded, it may not occur for several years".
It is the view of this Office that any extension of the DVS to the private sector, including telecommunications companies, should only occur as a considered policy decision encompassing assessment of privacy impacts and involving key stakeholder and broader public consultation.
Similarly, the use of an alternate verification system, such as the option for a 'Telecommunications industry account verification system' (AVS), would need to take into account privacy implications when analysing the intended benefits of the system. As acknowledged in section 8.2 of the Paper, "consumer privacy issues would also need to be directly addressed". Pertinent to this process would be the undertaking of a Privacy Impact Assessment (PIA) to ensure that necessary privacy protections are 'built-in' to the system early on (see Section 8, below).
8 Additional privacy protections
According to section 2.3 of the Paper, pre-paid services account for "approximately 51 per cent of the 16.5 million mobile services currently in operation in Australia and represented the major area of growth in the mobiles market". Given the significant and growing numbers of individuals that the Determination is likely to affect, consideration should be given to ensuring that any future regulatory instrument includes specific protections for the personal information involved.
This is especially the case where government requires certain practices to occur, which would otherwise be in conflict with pre-existing statutory obligations. For example, the effect of the Determination is to require that CSPs collect certain information, which may otherwise be prohibited under the NPPs. Good privacy practice requires that any increase in the collection of personal information, should be followed by consideration of additional protections for the handling of that information.
In addition, some organisations, such as small businesses, are exempt from the NPPs. In the report of the Review of the Private Sector Provisions of the Privacy Act 1988[5], the Privacy Commissioner recommended to Government that:
The Australian Government should consider making regulations under section 6E of the Privacy Act to ensure that the Privacy Act applies to all small businesses in the telecommunications sector, including Internet Service Providers and Public Number Directory Producers.
The lack of such protections at present, however, reinforces the need for similar protections to be part of any regulating framework which requires these organisations to collect the personal information of individuals. In this way, there is a certain level of national consistency in the way in which the personal information of individuals is protected within the telecommunications sector.
The Office recognises that the proposed system whereby the verification of identity is handled by CSPs, rather than by non-CSP retailers, may bring an overall improvement in privacy protection because all CSPs are subject to the privacy protections in Part 13 of the Telecommunications Act, and most are likely to be subject to the NPPs in the Privacy Act.
A thoroughly conducted PIA can play an important role in ensuring compliance with privacy laws as well as taking into account broader privacy considerations. For example, a PIA can help to identify future risks of an authentication proposal, such as function creep, or to expose unintended consequences which may impact on privacy.
It is important to note that the conduct of PIAs, coupled with adherence to the guiding principle of transparency, will help to engender community trust.
Consequently, it is the recommendation of this Office that a comprehensive Privacy Impact Assessment (PIA) be undertaken before the introduction of a new regulatory instrument, and that consideration be given in the PIA to privacy protections, additional to those in the Privacy Act, that may be required.
Endnotes
1. Under section 6D of the Privacy Act, a small business is one with a turnover of less than $3 million.
2. The Office does not keep detailed records specifically about pre-paid mobile services. As a result there may have been more complaints and enquiries about pre-paid mobile services than these figures suggest.
3. NPP 7 remains an important consideration for organisations to take into account when handling the personal information of pre-paid customers, and is discussed further below.
4. See section 9.9, and Recommendation 79, of Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, available at http://www.privacy.gov.au/law/reform/review/.
5. Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 at 2.4.