Public Interest Determination No.6
PART VI - PUBLIC INTEREST DETERMINATION No. 6
(PID 6)
In respect of
| Application No: | 6 (dated 10 December 1990) |
| Applicant: | Australian Telecommunications Corporation (Telecom) |
| Nature of the Application: | Disclosure of modified electronic white pages to law enforcement agencies for law enforcement purposes. |
| Information Privacy Principle Concerned: | Information Privacy Principles 2 and 11 |
| Issued: | 27 September 1991 |
| Effective: | 27 September 1991 |
DETERMINATION
1. The application as it relates to the requirements of Information
Privacy Principle 11.1 is unnecessary.
2. The application as it relates to non-compliance with the requirements of
Information Privacy Principle 11.2 is dismissed.
3. The application as it relates to non-compliance with the requirements of
Information Privacy Principle 2 is dismissed.
Dated 27 September 1991
KEVIN O'CONNOR
Privacy Commissioner
REASONS FOR DETERMINATION
1. Nature of Application
This application (dated 10 December 1990 - Attachment A) is made
by the Australian Telecommunications Corporation (Telecom) and relates to practices
involving the provision of the names (and other particulars) of customers to
law enforcement agencies where those agencies only have the customers' numbers.
This practice has traditionally been known as "number-to-name" access.
The application is made under Part VI of the Privacy Act, which
requires agencies which propose to engage in a practice that infringes an Information
Privacy Principle to obtain permission to do that, by way of a public interest
determination issued by the Privacy Commissioner. Any determination to that
effect is subject to disallowance.
Telecom is an agency within the meaning of the Act (s.6) and its
activities in respect of personal information are ordinarily subject to the
Act. An exclusion applies in connection with any of its competitive activities
(see s.7 (1)(c), referring in turn to Part II of schedule 2 of the Freedom of
Information Act 1982).
Telecom's application has three parts:
(1) to be permitted to disclose customer information on a number-to-name
basis to approved law enforcement agencies without having to satisfy itself
that any such disclosure is reasonably necessary for the enforcement of criminal
law: see IPP 11.1.
(2) to be permitted not to record such disclosure: see IPP 11.2.
(3) to be permitted not to comply with the notice-to-customers
requirements: see IPP 2.
As to (1), Telecom considers that it needs a waiver because it
proposes to provide automated access to its modified electronic white pages
database and not exercise any independent judgement or discretion in relation
to the validity of the request.
As to (2), Telecom does not propose to log any such accesses but,
by way of agreement, would require approved law enforcement agencies to maintain
logs of their accesses to the modified electronic white pages database.
As to (3), Telecom does not wish to give any notice to customers
of its disclosure of number-to-name information, other than by way of general
advice in the telephone directory.
IPP 11.1 provides that an agency may not disclose personal information
contained in a record in its possession (other than to the individual concerned)
unless one of five exceptions is satisfied. The main exception relevant to the
first part of Telecom's application is (e), which allows disclosure where it
is "reasonably necessary for the enforcement of the criminal law."
IPP 11.2 provides that where an agency discloses information because
it is reasonably necessary for the enforcement of the criminal law, it must
make a note of the disclosure.
IPP 2 requires agencies to give individuals notice of usual disclosure
practices.
2. Number-to-Name Disclosure Practice
Past Practice
For many years Telecom has provided law enforcement agencies with
"number-to-name" information on a case by case basis. Under this arrangement
a law enforcement agency would contact the Protective Services Unit in Telecom
and ask for the customer particulars held against a number of interest. The
provision of this information was subject to detailed administrative guidelines
(Security and Investigation Policy Guidelines, Division G, section 2 dealing
with Release of Customer Information). The normal procedure was that the agency
required a written request signed by a commissioned officer of the rank of inspector
or above and a certification from the requesting law enforcement agency. The
certification was expected to address the nature of the legal authority under
which the request was made in each case. A response was normally provided in
writing, if an officer of the agency (with a relevant delegation) was satisfied
as to its propriety. Emergency requests could be dealt with orally, but had
to be confirmed in writing by close of business on the next day. Eight conditions
have been attached to the practice, one of which specifically addressed customer
privacy:
"(iv) the information is to be [provided] subject to security arrangements
that are in keeping with preservation of the `need to know' principle and
respect of the privacy of Telecom customers."
The practice was accompanied by a detailed log of disclosure. The logging requirement
was as follows:
"Appropriate records are to be kept in each Telecom Protective Services Regional
or Sub-Regional Office of all requests made, the information given out and
the identity of the Telecom Protective Services officer who handled the request.
Such record to be kept for six years and then destroyed by secure means in
the same way as disposable sensitive business records."
The agency has advised that there are approximately 100,000 requests actioned
per year. No information is available as to distribution of these requests.
In a twelve month period the agency estimated that the provision of this service
costs $200,000 (gross).
Recent Legislation
Prior to 1989 this practice did not have any clear legislative basis. Since
September 1989 such case by case disclosures have been authorised by section
97 of the Australian Telecommunications Act 1989 and Regulations made under
that Act.
"s.97
(1) Subject to subsection (2), it is the duty of a person who is an employee
of Telecom not to disclose any fact or document that:
(a) relates to:
(i) the contents or substance of a communication that has been carried
by Telecom or a communication in the course of telecommunications carriage;
(ii) telecommunications services supplied, or intended to be supplied, to
another person by Telecom; or
(iii) the affairs or personal particulars (including any unlisted telephone
number or any address) of another person; and
(b) comes to the person's knowledge, or into the person's possession, because
the person is an employee of Telecom.
(2) Subsection (1) does not apply in relation to a disclosure by a person:
(a) in the performance of the person's duties as an employee of Telecom;
(b) as a witness summonsed to give evidence, or to produce documents, in
a court of law:
(c) under the requirements of a law of the Commonwealth; or
(d) in prescribed circumstances."
The "prescribed circumstances" referred to in Section 97(2)(d) are defined
as follows in Regulation 3 of the Australian Telecommunications Corporation
Regulations:
"Disclosure of facts or documents
3. For the purposes of subsection 97(2) of the Act, the following circumstances
are prescribed:
(a) where the disclosure of the fact or document is:
(i) to a person authorised under subsection 12(1) of the Telecommunications
(Interception) Act 1979; and
(ii) for the purposes of the issuing of, or in connection with information
obtained under, a warrant under Part III of that Act; or
(b) where:
(i) the fact or document disclosed comes to the employee's knowledge, or
into the employee's possession, because of a call to the emergency number
000; and
(ii) disclosure is to a member of the police force or ambulance or fire
service to which the call was connected; or
(c) where the fact or document relates to the affairs or personal particulars
(including any unlisted telephone number or any address) of a person and:
(i) the person is reasonably likely to be aware that information of that
kind is usually disclosed in the circumstances; or
(ii) the person has consented to the disclosure in the circumstances; or
(iii) the employee believes on reasonable grounds that disclosure is necessary
to prevent or lessen a serious and imminent threat to the life or health
of a person; or
(d) where the disclosure is authorised by or under a law of the Commonwealth,
or required or authorised by or under a law of a State or Territory; or
(e) where the disclosure is reasonably necessary for the enforcement of the
criminal law or of a law imposing a pecuniary penalty, or for the protection
of the public revenue."
These provisions were intended, it seems, to provide a clear legal basis for
existing practices. The traditional practice in relation to "number-to-name"
information, as explained, involved case-by-case disclosure with a specific
decision to disclose being taken, according to the guidelines, in response to
each request. Regulation 3 paragraphs (a), (b), (c) reflect this view; while
paragraphs (d) and (e) re-state the last two exceptions in Information Privacy
Principle 11 of the Privacy Act. (I should note that para (d) may be unconstitutional
in so far as it purports to permit a federal agency to disclose information
under the authority of a State law.)
Electronic White Pages
The agency, over recent years, has developed a directory product called "electronic
white pages" (EWP). This product is continuously updated and allows users to
separately search all Telecom white pages directories throughout Australia.
EWP does not allow access to silent number information. EWP can be purchased
for a fee and access can be obtained on a computerised dial-up, on line basis
to Telecom's public directory information. Inquiries are made within a particular
directory area by customer name and in response that user is provided with the
usual public directory particulars of address and telephone number.
Modified EWP Facility
The same basic technology that makes EWP possible can also allow a user to
search by means other than the name of the customer, for example, by telephone
number. The latest edition of Telecom's Policy guidelines addresses access to
the modified electronic white pages (this facility is explained more fully below)
as follows:
"2. Electronic White Pages - Provision of access to Electronic White Pages
(Number-to-Name) is subject to:
a. Demonstration by the agency that it has legislative responsibilities
and/or provisions that meet the requirements of the above legislation;
b. A written undertaking that:
i. the information will be used only in circumstances defined in Regulation
3 that are consistent with the agency's legislative responsibilities or
provisions;
ii. access to the Number-to-Name facility will be controlled on a strict
"need to know" basis;
iii. terminal/s and information will be subject to security arrangements
that are in keeping with the preservation of the "need to know" principle
and respect for the privacy of Telecom customers; and
iv. the agency accepts that Telecom may suspend its access to the Number-to-Name
facility should the agency fail to comply with any one of the above conditions;"
The "need-to-know" standard, one commonly used in official circles, is vague;
and is clearly lower than the threshold set by Information Privacy Principle
11.
Modified EWP: Arrangements with Users
During 1989 Telecom, for cost effectiveness and efficiency reasons, made the
EWP facility available on a "number-to-name" basis to law enforcement agencies.
This facility is commonly referred to as "modified EWP". Organisations using
this facility can interrogate the Telecom database using their own terminal
for access. Either number or name may be entered, with the name, address and
number being displayed if it is found in the particular directory being searched.
Access to the modified EWP database is controlled by two levels of security:
a "user password" and an encrypted "security password". There is no formal request
made which is reviewed by Telecom. As a consequence the form of disclosure is
not subject to the main condition which previously applied.
In effect Telecom is now wishing to allow automated provision of customer information
to approved law enforcement agencies. It no longer wishes to act as a gate-keeper.
The present application was brought forward following concern that the provision
of automated access may infringe the Privacy Act, in particular Information
Privacy Principles 2 and 11.
The object of the application is to clarify the status of this practice and
to seek approval for the practice.
Current Users
Organisations already provided with this new facility are:
- Australian Bureau of Criminal Intelligence, Canberra
- NSW Crime Commission, Sydney
- National Crime Authority, Sydney
- Australian Federal Police, Canberra
- Victorian Police Special Projects, Melbourne
- Northern Territory Police Force, Winnellie, NT
- Independent Commission Against Corruption, Sydney
- Queensland Criminal Justice Commission, Brisbane
- Australian Taxation Office (South Sydney Audit)
- the Australian Security Intelligence Organisation
New requests for the modified EWP were to be no longer actioned pending the
outcome of this determination.
Each of the above organisations only has one EWP terminal located at the nominated
site with access to modified EWP.
3. Notice of Application
In accordance with section 74 of the Act, I published, on 9 January 1991, a
notice in two leading newspapers advising of the application and seeking expressions
of interest or submissions from interested parties - see Attachment B. In addition,
invitations for submissions were mailed to a cross section of potentially interested
organisations.
I received, in response to the mailout and notice, fifteen submissions, seven
expressions of interest and nine acknowledgments: see Attachment C.
The Australian Taxation Office has also written to me requesting that their
access to modified EWP be maintained. However, the Taxation Office is not included
within the scope of Telecom's application which is confined to law enforcement
agencies as defined in Part VIIC of the Crimes Act 1914.
The Victorian Police submitted that the question of providing additional records
to law enforcement agencies should also be addressed by the determination. These
records are silent numbers, mobile telephone numbers and Calling Line Information.
The matters raised fall outside the scope of Telecom's application. They cannot
be addressed by this public interest determination.
4. The Privacy Issues
The modified EWP facility which permits "number-to-name" access is substantially
different to the "White Pages". It has an additional function which allows it
to be interrogated by number. Telecom's policy is to retain control of this
database and not to make it available to the public.
Telecom's concern in this regard is understandable. Customer privacy would
be reduced if it made available generally automated "number-to-name" facilities.
People with no legitimate social need for that information could find out personal
particulars beyond that which a person may wish to reveal. In advertising it
is common for people to give a telephone number to solicit interest, and to
give out their personal particulars only when they have screened an inquiry.
In the worst-case situation, thieves could identify the location of expensive
goods, cars, furniture and the like advertised for private sale. People living
on their own who advertise, for example, for a flat-mate may also feel vulnerable
if "number-to-name" search facilities become widely available. If the modified
EWP were to be made generally available there may be increased community pressure
for silent-number listings, leading to a new cost for the agency to absorb.
Automated access to the modified EWP database raises the possibility of bulk
disclosure of potentially sensitive information regarding the majority of households
in Australia to law enforcement agencies. Telecom itself has recognised the
sensitive nature of the modified EWP facility by the fact that the present application
is restricted to law enforcement agencies only. This reflects the concern that
privacy intrusive uses can be made of the facility. There are a number of situations
where individuals may consent to their telephone number being disclosed but
not their address.
An additional privacy concern is the probability that there will be an increase
in the overall volume of searches made on the modified EWP once access to it
is made available directly to law enforcement agencies.
Further, there is the issue of whether the increase in access to the modified
EWP facility leads to the possibility for increase in unauthorised access, use,
modification and disclosure. A number of disturbing allegations are presently
before criminal courts and official inquiries regarding the improper disclosure
of personal information initially obtained for official purposes.
I consider that Telecom's current policy of seeking to limit the availability
of the modified EWP serves the reasonable privacy interests of individuals.
(In making these comments I am aware that there is a commercial product generally
available ("Australia on Disc") which has the "number-to-name" search feature.
Its price and the relative lack of up-to-dateness of its data appear to be limiting
its use.)
5. Significance of Application
This application is significant both operationally and legally.
There is a widespread desire among Australian law enforcement agencies to be
allowed to have automated number-to-name access to customer data held by Telecom.
Telecom itself would prefer to move to this system; and not continue, as it
has done in the past, the practice of dealing with applications for number-to-name
access on a manual, case-by-case basis. As indicated earlier, number-to-name
requests are lodged in great volume with Telecom. It estimates that it handles
100,000 enquiries per year.
Legally, the application is significant because it raises a number of questions
of interpretation relating to IPP 11.1, and in particular exception (e).
These questions include:
- Is customer information held in the modified electronic white pages database
subject in any way to the protections of the use and disclosure provisions
of the Act?
- If it is in general terms subject to the protection of the Act, is it necessary
for Telecom to obtain waiver from compliance with IPP 11 or is its proposed
practice one that it is able to undertake without infringing exception (e)?
- In that regard, can automated disclosure by an agency of personal information
in its possession be undertaken lawfully under exception (e) if procedures
exist to ensure that a particular disclosure can be shown to have been "reasonably
necessary for the enforcement of the criminal law", in the event of complaint
or audit?
6. Draft Determination
A draft determination (Attachment D) was issued by me on 2 May 1991. It allowed
the application, but required that disclosure for law enforcement purposes be
made subject to a number of conditions. The most significant aspect of the determination
from the point of view of law enforcement agencies was that it considered that
Telecom must obtain a waiver because IPP 11.1 (e) could not be satisfied by
it in a situation where it gave automated access. Others who commented on the
draft determination questioned whether the application, in so far as it related
to IPP 11, was necessary at all, arguing that the modified EWP database was
not a "record" subject to IPP 11.
7. Statutory Conference
Numerous expressions of interest in the draft determination were received and,
as contemplated by the Act, I convened a statutory conference to consider it.
The statutory conference was held on 29 May 1991, and attended by representatives
of several Commonwealth departments, numerous Federal, State and Territory law
enforcement agencies as well as representatives of privacy and civil liberties
groups.
A transcript (78 pages) of the statutory conference is available.
At the conference Mr N Reaburn, Deputy Secretary, Commonwealth Attorney-General's
Department, raised a number of legal objections to the application by Telecom,
arguing that it was unnecessary as the practice in issue was either not governed
at all by the Act or if governed by the Act permitted by it without the need
for a determination. I will now deal with these submissions.
8. Applicability of Information Privacy Principle 11 to Use of Modified
Electronic White Pages
The Commonwealth Attorney-General's Department submitted:
(i) that personal information held by federal agencies which replicated information
which is publicly available in some form is not protected by the Act.
(ii) If (i) is not accepted, that the modified electronic white pages database
from which number-to-name information is given by Telecom is not a "record"
within the meaning of the Privacy Act because it falls within one of the exclusions
from the meaning of record, that of a "generally available publication".
(1) Position of Personal Information which is coincidentally publicly available
As I indicated at the conference, I regard the first proposition as extraordinary.
What is being suggested is that personal particulars lodged by an individual
with a Commonwealth agency are deprived of the protection of the Act if it can
be shown that those particulars are available somewhere else in the community
in a publicly available source. So, for example, if a social security client
lodges address details with that department and those address details are the
same as those contained say in a phone directory or the electoral roll, the
address loses the protection of the Act. Consequently, a social security officer
could give out the address to anyone he or she cared to without infringing the
Privacy Act.
Personal information held in "generally available publications" does not have
the protection of the use and disclosure provisions of the Privacy Act because
the protections attach to "records" and "records" are defined so as to exclude
"generally available publications". (See generally opening words of IPP 11,
and definitions of "record" in s.6.)
The argument of the Attorney-General's Department appeared to be that the concept
of a "generally available publication" embraces any personal information held
in an agency that coincidentally happens to be publicly available even if the
agency did not derive it from the public source. I can find no foundation for
this argument in the terms of the Privacy Act; nor in any of the explanatory
notes underlying the Act, which notes were substantially drafted by the Attorney-General's
Department.
If the proposition advanced were to be upheld the Privacy Act would become
unworkable, as no clear guidance could be given to agencies as to when the identification
particulars they hold are covered by the Act or not covered by the Act, since
it would never be known with certainty whether the identification items appeared
somewhere in a public record (e.g. land titles records, electoral rolls etc).
Virtually every adult's name appears in a public record somewhere. If this submission
were correct, the names of virtually all adult Australians would not have the
protection of the Privacy Act, nor in most instances would individuals' addresses.
Lists of clients of federal government agencies could be given out, without
redress under the Privacy Act.
(2) Position of Personal Information provided by modified EWP
This aspect of the application raised a number of important issues relating
to the application of the Privacy Act to complex computerised systems.
The fields of data - name, address, telephone number - are central to the operations
of Telecom. Different ways of interrogating and reporting these data items are
built into Telecom's computer system. In the case of the Electronic White Pages,
that database is capable of outputting its data items in two ways:
- Name-Address-Number, with name as the access key, or
- Number-Name-Address, with number or name as the access key.
As noted earlier, Telecom has historically recognised that the same data items
can give rise to reports of quite differing levels of sensitivity. As a result
its policy is one of general availability in relation to one kind of report
produced by the EWP database (the report that mirrors that found in the paper
phone directories); and one of restricted availability to the kind of report
produced by the modified EWP facility.
The Attorney-General's Department advanced a series of arguments to the effect
that Information Privacy Principle 11 did not apply to number-to-name reports.
The arguments go to the interaction in the Act between the definitions of "personal
information", "record" and "generally available publication". The interaction
of these definitions is important because Information Privacy Principles 4 to
11 contained in the Privacy Act only apply to agency activities as they affect
a "record" containing personal information.
The Act includes within its definition of a "record" (s.6) the following -
a "document", a "database (however kept)" and a "photograph". So on the face
of it the EWP database is a record within the meaning of the Act.
But the definition of record then goes on to exclude from its scope a "generally
available publication". It was contended that the EWP database was a generally
available publication and accordingly that its use in a modified way so that
data within it could be obtained in a manner not generally permitted is unaffected
by the Act. If this argument is correct then IPP 11 does not need to be complied
with.
This argument fails to take account of the complexities of modern database
administration. It also fails to take account of the range of meanings that
tends to be attached to the term "database". For example, in a letter of information
to me dated 23 June 1991, Telecom described its computerised data-management
system as having five databases. These were its main customer record database
(includes full details on all numbers connected to the public switched telephone
equipment details); the main directory database; the directory assistance database
(used by directory assistance staff); the EWP; and the modified EWP. However
in describing the modified EWP Telecom refers to it as using the same database
as the EWP with the variant that in the case of silent line information the
message is displayed "This number is not for publication". Some, I suggest,
would contend that all of these arrangements involve particular operational
applications within the context of one database.
Meaning of "Database"
"Database" is not defined in the Act. The Macquarie Dictionary definition is:
"1. A large volume of information stored in a computer and organised in categories
to facilitate retrieval.
2. Any large collection of information or reference material."
Another definition in a standard computing text is as follows:
"A database is a collection of stored operational data used by the applications
systems of some particular enterprise." (C J Date, An Introduction to Database
Systems 1981, 3rd ed.)
The same text also acknowledges that the associations or relationships between
data entities (items) are just as much part of the operational data (and therefore
of the database) as are the entities themselves.
A database is usually organised as a collection of fields of information. It
can have both generally available and selectively available characteristics.
A material factor is the way in which it is made available. This can comprise
both technical capabilities (e.g.: access and search limitations) and procedural/contractual
limitations.
If the view were to be taken that the entire Telecom customer record system
comprised one database then it becomes clear that the database may be so organised
as to have elements which are publicly available and elements which have varying
levels of restricted availability. So in the case of the Telecom arrangements
referred to, only directory assistance staff normally have access to the "database"
of that name whereas most staff in the billing and technical areas would have
access to the main customer record system. In the case of the EWP system there
are two levels of access operating - one general and unrestricted where the
use is on a name-basis and the other highly restricted where the use is on a
number basis. These complexities in operation are typical of modern database
systems.
In my view whether the entire Telecom system is more properly seen as one database
of customer information having many operational segments or as a series of databases
one of which is the EWP, it is possible for the system to be so organised that
its data when reported in one format is available on an unrestricted basis and
when reported or organised in another format has restricted availability.
Relationship between Databases and Records
Equally I consider that while an entire database can be a record within the
meaning of the Act it is also possible for a database to be open to different
"views", or to make or produce reports, all of which are "records" individually
subject to the Act. It is also possible for a database which is generally viewed
as a publicly available one to have operational features which restrict the
availability of its data when that data is sought to be organised or reported
in certain ways.
A good current illustration of this situation is found in Australian Electoral
Law. Sections 91, 91A and 91B of the Commonwealth Electoral Act 1918 specifically
limit the availability and use of the Habitation Indexes (street order rolls)
even though they contain the same data drawn from the same overall database
as the alphabetic rolls which are available on demand and for public reference.
These technical features of databases would I believe have been well understood
when the Privacy Act was passed in 1988. I believe that the explicit reference
to database in the definition of record was designed to ensure that these complex
systems were brought under the regime of the legislation. The exclusion that
then appears, relating to generally available publications, comes into play
in respect of a database in circumstances where there are agency policies which
allow for public use or access. It is quite possible, as I have explained, for
an agency to allow its data to be configured by its database in a way which
allows that configuration to be generally available while preventing the same
data to be configured in some other way. Each of the configurations involves
the making and producing of a record - one of which is excluded from the application
of Information Privacy Principles 4-11 as a generally available publication,
while the other remains subject to all the Principles.
Conclusion
Accordingly, I consider that when the EWP system is used to produce a record
on a number-to-name basis that activity is subject to the Act. What is occurring
is that a record with restricted availability is being generated; a feature
of the database is being employed which seeks to restrict the availability of
the personal information stored by the database. When a database is being operated
so as to generate information about individuals on a restricted basis (ie: non-public)
its operations are subject to the Act.
9. Compliance with IPP 11.1
The principle which governs this matter is Information Privacy Principle 11,
which states:
"1. A record-keeper who has possession or control of a record that contains
personal information shall not disclose the information to a person, body
or agency (other than the individual concerned) unless:
(a) the individual concerned is reasonably likely to have been aware, or
made aware under Principle 2, that information of that kind is usually passed
to that person, body or agency;
(b) the individual concerned has consented to the disclosure;
(c) the record-keeper believes on reasonable grounds that the disclosure
is necessary to prevent or lessen a serious and imminent threat to the life
or health of the individual concerned or of another person;
(d) the disclosure is required or authorised by or under law; or
(e) the disclosure is reasonably necessary for the enforcement of the criminal
law or of a law imposing a pecuniary penalty, or for the protection of the
public revenue."
Of the above exceptions (a) cannot apply as Telecom has not at any material
time given customers notice of the existence of this disclosure practice. Exceptions
(b) and (c) are not relevant to this application.
The two exceptions which were suggested as permitting the practice of number-to-name
disclosure were exceptions (d) and (e).
Exception (d)
Here the argument is that the disclosure is authorised by a regulation recently
made under the Australian Telecommunications Act 1989, referred to in part 2
of these reasons.
It seems to me that this regulation is unhelpful in deciding whether number-to-name
searching of the modified EWP database is a lawful disclosure for the purposes
of exception (d). The text simply mirrors the language of the Information Privacy
Principles. In the case of exception (d) reg. 3 does not take the matter any
further. It simply says that the disclosure must be "authorised under a law
of the Commonwealth": see para. (c) of reg. 3, mirroring exceptions (a) (b)
and (c) of IPP 11.1 and para. (d) mirroring substantially exception (d) and
para. (e) mirroring exactly (e). No law specifying that this disclosure practice
is permitted has been drawn to my attention. Further I note that the number-to-name
disclosure practice has existed in Telecom for many years and could readily
have been identified in the regulation as a permissible practice had it been
intended that the regulation should have that effect.
Exception (e)
Much of the discussion at the statutory conference centred on this exception
to Information Privacy Principle 11.1.
Telecom's past practice, as I have noted earlier, in handling number-to-name
inquiries involved requiring an application to be submitted and for it to be
assessed by an officer as to its justification. If Telecom considered the application
justified on law enforcement grounds, the information was provided. Provided
the criteria applied were at least as strong as those provided for in exception
(e), (i.e. they met the requirement of "reasonable necessity") this practice,
if continued, would in my view comply with exception (e), and no public interest
determination is required. While it appears that in the past the criteria were
not as strong, my understanding from discussions with Telecom over this matter
and from its submission at the conference, is that it would propose to offer
the facility in future on terms that require satisfaction of the "reasonable
necessity" test in exception (e).
The complication in the present case is that Telecom no longer wishes to be
actively involved in the number-to-name searching process. It in effect wishes
to license certain users to access its database, with the users being responsible
for ensuring that the justification is in accord with exception (e).
The question which arises is whether exception (e) permits a record-keeper
to disclose information without it exercising any judgment as to the lawfulness
of that event for the purposes of the Privacy Act.
The Attorney-General's Department, and others, have argued that the types of
disclosure permitted by Information Privacy Principle 11 only in one case clearly
require a record-keeper to make a specific judgment on the merits of a request.
That arises in the case of exception (c) which limits the relevant disclosure
to circumstances where "the record-keeper believes on reasonable grounds" that
it is "necessary" (emphasis added). In contrast, it is said, exception (e) permits
disclosure where it is "reasonably necessary" to assist the social interests
mentioned in the exception, without imposing an obligation on the record-keeper
to form a belief as to whether reasonable grounds exist. Accordingly, it is
argued, it is possible for a situation to exist where the record-keeper
has no active involvement in the access/disclosure transaction. It is sufficient,
it is argued, that the access/disclosure transaction can be shown to be "reasonably
necessary".
This discussion has considerable significance in relation to the general operation
of exception (e) in Commonwealth administration. If the arguments that I have
outlined are valid, it would mean that it would be possible for agencies to
allow on-line links to their databases with those using the facility in effect
bearing responsibility for ensuring that any accesses that take place are "reasonably
necessary" to the protection of the social interests listed in exception (e).
On the other hand, it was argued by me in my draft determination and by a number
of public interest groups at the conference that exception (e) should be interpreted
so as to impose a requirement on the record-keeper that it satisfy itself that
the disclosure is "reasonably necessary" to the protection of the social interests
listed there. It is argued that "reasonably" is a word which connotes an obligation
on the part of the record-keeper to form a view as to the need or otherwise
for the disclosure. This view, it is argued, is also supported by IPP 11.2 which
requires record-keepers who make disclosures on the basis of the criteria
contained in exception (e) to include in the relevant record a note of the disclosure.
It is argued that this requirement is consistent with the view that the record-keeper
should make a specific decision in relation to each request for disclosure.
While I do not regard the matter as free from doubt, after considering the
arguments made at the conference I have resiled from my earlier views and concluded
that a disclosure can occur lawfully under exception (e) without there being
an active exercise of discretion by the record-keeper. But the record-keeper
remains obliged to demonstrate (if, for example, an individual complains to
me over a specific disclosure) that each access it permits was "reasonably necessary"
to the protection of the social interests enumerated in exception (e).
In reaching this view I have largely been influenced by the variation in language
between exception (c) and exception (e). Clearly exception (c) imposes an active
decision-making obligation on the record-keeper. It is not one that it can give
up to a third party.
But exceptions (d) and (e) both attach the conditions which they specify for
lawfulness to "the disclosure". It seems to me, therefore, that a disclosure
could satisfy the standard imposed by exception (e) even though the record-keeper
had not satisfied itself directly that that standard has been observed.
There are also, I think, some policy arguments which support this view. Circumstances
can be envisaged where it would not be conducive to the protection of the social
interests enumerated in exception (e) (e.g. enforcement of the criminal law)
for the record-keeper to be apprised in any detail of the reasons for the inquiry,
or for the record-keeper not to wish to be so apprised. There may on occasions
be circumstances of urgency which preclude any possibility of practical judgment
by the record-keeper. (Though this argument is weakened by the fact that exception
(c) which deals with a paradigm situation of urgency ("a serious and imminent
threat to the life or health of the individual concerned") does clearly impose
an active decision-making obligation on the record-keeper.)
If a record-keeper does choose to establish an access system which permits
disclosures under exception (e) without active intervention on its part, then
it remains liable for any abuse or misuse of the access facility. If an individual
complains that a particular disclosure was not "reasonably necessary" the record-keeper,
as the respondent, must be able to satisfy the Privacy Commissioner that it
was "reasonably necessary" in order to avoid liability. A similar position would
apply in the event that an audit of an automated-access system is undertaken.
Conclusion
Accordingly an application for waiver from Information Privacy Principle 11.1
is unnecessary. However, as I have previously noted, any access arrangements
provided under IPP 11.1(e) would have to be constructed so it can be demonstrated
that each access meets the requirements of exception (e) as to reasonable necessity.
10. Commissioner's Statutory Discretion
So it is only in relation to Telecom's remaining applications that I am called
upon to exercise my statutory discretion under s.72 of the Act.
Section 72 provides:
"Where the Commissioner is satisfied that:
(a) an act or practice of an agency breaches, or may breach an Information
Privacy Principle; and
(b) the public interest in the agency doing the act, or engaging in the practice,
outweighs to a substantial degree, the public interest in adhering to the
Information Privacy Principle;
the Commissioner may make a written determination to that effect..."
The effect of such a determination is that the agency avoids breaching the
Act.
11. Compliance with IPP 11.2
Telecom indicated that if automated-access to the modified EWP database was
permissible, it sought a public interest determination to relieve it from the
obligation imposed by IPP 11.2.
IPP 11.2 imposes a disclosure-logging requirement in the following terms:
"2. Where personal information is disclosed for the purposes of enforcement
of the criminal law or of a law imposing a pecuniary penalty, or for the purpose
of protection of the public revenue, the record-keeper shall include in the
record containing the information a note of the disclosure."
Telecom said that it could log the volume of inquiries made on the database
by each user, but that its technology did not enable it to place a "note of
disclosure" as required by IPP 11.2 against each individual whose name was searched.
These concerns essentially relate to cost and administrative convenience.
Apart from these administrative concerns, Telecom also said that it saw some
dangers in making a note of disclosure against a particular individual, because
if an individual became aware of the fact this might tip the individual off
in relation to police interest. This argument is not in my view meritorious.
The objection is one that could be made in relation to the logging of any disclosure
to police sources. It was clearly rejected by Parliament when it included IPP
11.2. While there may be some extreme circumstances where IPP 11.2 could be
waived or varied for the protection of investigations it was clearly, in my
view, Parliament's intention to impose a logging requirement on the key administrative
agencies of the Commonwealth in regard to those disclosures of personal information
which are made to police. If an FOI application was made for access to such
a record there is a wide law enforcement exemption available to be invoked by
Telecom.
The administrative convenience argument is not in my view a strong one. Historically
Telecom vetted applications and, consequently, had an exact and detailed
administrative record of what occurred and why. My earlier conclusion rids
Telecom of its responsibilities to vet; now it is seeking to rid itself of the
other responsibility it exercised in the past and has been required to exercise
by law since 1989 (to log). Given that in future there is intended to be no
case-by-case vetting as in the past, it becomes even more critical to the
protection of individual privacy that the safeguard contained in IPP 11.2
be maintained.
Allowing Federal agencies to release personal information protected by the
Privacy Act on an automated basis (provided otherwise the release accords with
IPP 11.1 (e)) carries great dangers to the privacy rights of all Australians.
Where an agency is not called on to consider actively why particular information
should be released, the following significant constraints against possible abuse
of privacy are lost:
(i) any actual knowledge that an agency may have regarding the client or individual's
circumstances cannot be brought into consideration before the data is released.
(ii) ordinarily the requesting/accessing organisation will have little or no
knowledge of any personal circumstances that indicate against taking that data.
(iii) the requesting/accessing organisation will not be affected by the salutary
constraint of having to justify its request and expose its actions to another
body with less of a stake in the matter.
Moreover if Telecom does not remain responsible for logging, the Privacy Commissioner
would have no specific evidence as to whether a particular disclosure had occurred,
in the event that an individual complained to him about a breach of IPP 11.1(e).
The recipient organisation may well deny that it got the personal information
from Telecom by means of an IPP 11.1 (e) access. There would be no way of testing
the truth of that denial.
It was suggested on this point at the statutory conference that accessing agencies
would invariably for operational reasons keep logs; and that they could be inspected
in their hands, by the Privacy Commissioner if he had a right to inspect them
under contractual arrangements (or memorandums of understanding) between Telecom
and accessing-agencies.
I do not regard this as a satisfactory suggestion. Logs would be scattered
all over the country. The logs would, most likely in light of a number of comments
at the conference, be organised in a way that reflected the operational practices
of the particular police force or law enforcement agency. Some of those agencies
may resist intervention by the Privacy Commissioner. Most of those using the
system are not subject to his authority, leaving the Privacy Commissioner in
a position where Telecom has to be prevailed upon to sort out the problem. This
would demean the Privacy Commissioner's office in the eyes of complainants and
the community.
Conclusion
Accordingly, I dismiss the application as it relates to giving Telecom a waiver
from the obligation imposed by IPP 11.2.
Telecom is required to ensure that it makes a note of each disclosure from
its modified EWP database made under the authority of IPP 11.1(e). The note
should include a record of the date of the disclosure and the identity of the
accessing organisation, including the password or other key used. Any cost of
logging could be recovered by Telecom from users: it charged a fee for access
under its old manual system. That practice could be maintained; and would act
as some discouragement to overly permissive use.
12. Compliance with IPP 2
Finally, Telecom applied to be relieved of its obligations under IPP 2, in
particular IPP 2 (e). This IPP applies to agencies regardless of whether the
personal information being collected is for inclusion in a "record" or for inclusion
in a "generally available publication".
IPP 2 requires agencies which collect personal information to ensure that they
take:
"such steps (if any) as are, in the circumstances, reasonable to ensure that,
before the information is collected or, if that is not practicable after the
information is collected, the individual concerned is generally aware of:
(e) any person to whom, or any body or agency to which, it is the collector's
usual practice to disclose information of the kind collected, and (if known
by the collector) any person to whom, or any body or agency to which, it is
the usual practice of that first-mentioned person, body or agency to pass
on that information."
It should be noted that the obligation imposed on agencies by IPP 2 applies
"only in relation to information collected after the commencement of the Act"
(i.e. 1 January 1989): s.15 (1) of the Act. Consequently Telecom is not bound
to give customers whose information was collected prior to 1 January 1989 (and
who have not been the subject of any new collection since that date) any notice
under IPP 2. The material placed before me in making this determination indicates
that Telecom has over many years had a number of "usual practices" involving
disclosure of customer information to police and emergency organisations. In
the past the existence of these practices has not been made known to customers.
Number-to-name disclosures on a specific-application basis have continued to
be made since January 1989; while automated disclosure to selected law enforcement
agencies was introduced in 1989. It is arguable that automated modified-EWP
number-to-name disclosure is not yet a "usual practice", so that Telecom's failure
to advise customers of this activity may not be a breach of IPP 2. Nevertheless
the old practice of manual provision of number-to-name information on the basis
of a specific application was clearly a "usual practice"; but its existence
has never been routinely disclosed to customers.
A key theme of information privacy laws, and of the international O.E.C.D. Guidelines
on which Australia's Privacy Act is based, is that of "openness" as to the existence
of practices. IPP 2 reflects that theme, and seeks to give it specific expression.
Telecom seeks a waiver from the requirement of IPP 2 to notify customers -
"before the information is collected, or if that is not practicable, as soon
as practicable after the information is collected". Telecom is prepared to put
a general notice in the telephone directory referring to the existence of the
practice.
To grant Telecom's application would I believe seriously weaken the force of
IPP 2 in Commonwealth administration. As a basic matter of fairness, people
who supply information to organisations are entitled to know of any uses that
are likely to be made of the information which do not conform to their reasonable
expectations. While a telephone customer might reasonably expect that their
particulars would be stored in a range of ways within Telecom to enable it to
carry out its service function, the customer would not expect information to
be given to bodies as diverse as State crime commissions, government departments
and State police forces. While such a disclosure practice may be in the public
interest, there is also a public interest (endorsed by Parliament in IPP 2)
in knowing that it occurs.
Telecom's main reason for not wishing to tell customers at the time of application
for the service that it has disclosure practices of the kind under consideration
appears to be that it is concerned that there may be a proliferation of silent-line
listings. An increase in silent-line listings would increase its costs; and,
I note, diminish the commercial value of the public directory e.g. for telemarketing
companies. There may also be some negative public reactions once these activities
become known. These are not in my view meritorious reasons for withholding notification.
A simple and informative notice could be incorporated into information given
to new customers. This would not involve a significant administrative burden.
Telecom routinely provides customer information pamphlets with its bills. A
pamphlet referring to a customer's privacy rights - and the exceptions to those
rights - would be a useful practice. I understand that an overall customer information
strategy related to privacy issues is under development by Telecom. A well-presented
explanation would be likely to satisfy many customers.
The Act requires me only to grant a public interest determination where the
public interest in allowing a practice (here to waive strict compliance with
the notice requirements of IPP 2) "outweighs to a substantial degree" the public
interest in adhering to the IPP. Telecom has failed to satisfy me in that regard.
Consequently, Telecom should immediately commence to inform new customers of
the existence of the modified EWP disclosure practice, if it proposes to continue
with that practice. Customers should be informed of the bodies and organisations
to which their data may be given. An appropriate mechanism might be an information
leaflet distributed to new customers.
As to existing customers, it is possibly arguable whether to date automated
use of modified EWP disclosure has been a "usual practice". As a result of this
determination, it appears likely that it will become a usual practice. Without
deciding the point as to the position in the past, I would recommend that steps
be taken to notify all customers of future practice, in conformity with the
spirit of the Act. In that regard a notice given with billing information would
be acceptable.
A prominent and clear notice of this practice should also be included in telephone
directories.
Conclusion
The application for a limited waiver from the obligation imposed by IPP 2 is
dismissed.
13. Summary of Conclusions
(1) Telecom is an agency governed by the Privacy Act in respect of the practices
the subject of this application.
(2) The modified EWP database (and each of its listings) constitute records
within the meaning of the Privacy Act.
(3) Information Privacy Principle 11 applies to disclosure of personal information
contained in records produced by the modified EWP system.
(4) Disclosure pursuant to exception (e) of IPP 11.1 may occur on an automated
basis, provided always that the disclosure is "reasonably necessary" for the
protection of the social interests enumerated in that exception.
(5) Consequently, the proposed practices requiring consideration under s.72
are the proposals that Telecom dispense with logging (IPP 11.2) and dispense
substantially with the notice of this practice (IPP 2).
(6) The application seeking waiver from the requirements of IPP 11.2 and IPP
2 is dismissed.
LIST OF ATTACHMENTS
A: Application
B: Notice of Application
C: Responses to Notice
D: Draft Determination
Note: These attachments are not being distributed routinely, but
are held with the original determination and are available on request from:
Privacy Branch
Human Rights and Equal Opportunity Commission
GPO Box 5218
SYDNEY NSW 2001
Phone: (02) 229 7600