Submission
14 May 2004
Regulating the Use of Telecommunications Customer Information
Below is EFA's submission in response to the discussion paper Who's Got Your Number?: Regulating the Use of Telecommunications Customer Information issued by the Australian Communications Authority for public consultation in March 2004.
Contents:
- About EFA
- Introduction
- Industry Standard
- Future Options
- Privacy protection mechanisms for future consideration
- Conclusion
- Appendix 1 - Analysis of relevance of existing privacy protection laws
- Appendix 2 - References
About EFA
Electronic Frontiers Australia Inc. ("EFA") is a non-profit national organisation representing Internet users concerned with on-line rights and freedoms. EFA was established in January 1994 and incorporated under the Associations Incorporation Act (S.A.) in May 1994.
EFA is independent of government and commerce, and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting online civil liberties. EFA members and supporters come from all parts of Australia and from diverse backgrounds.
Our major objectives are to protect and promote the civil liberties of users of computer based communications systems (such as the Internet) and of those affected by their use and to educate the community at large about the social, political and civil liberties issues involved in the use of computer based communications systems.
EFA policy formulation, decision making and oversight of organisational activities are the responsibility of the EFA Board of Management. The ten elected Board Members act in a voluntary capacity; they are not remunerated for time spent on EFA activities. The role of Executive Director was established in 1999 and reports to the Board.
EFA has long been an advocate for the privacy rights of users of the Internet and other telecommunications and computer based communication systems. EFA's Executive Director was an invited member of the Federal Privacy Commissioner's National Privacy Principles Guidelines Reference Group and Research Reference Committee during 2001. EFA participated in NOIE's privacy impact assessment consultative group relating to the development of a Commonwealth Government Authentication Framework in 2003 and is currently participating in the ENUM Privacy and Security Working Group convened by the Australian Communications Authority. EFA has presented oral testimony to Federal Parliamentary Committee inquiries into privacy related matters, including amendments to the Privacy Act 1988 to cover the private sector, telecommunications interception laws, cybercrime, spam, etc.
Introduction
The general principles at stake in the development of an industry standard concerning disclosure and use of telecommunications customers' personal information include that:
- The use of personal information about individuals should be limited to that for which it was originally collected, unless the owner of the information (the data subject) has given express and informed consent (AUSTEL Privacy Report 1992). This principle underlies the informed choice condition under which carriers in Australia were permitted to commence selling or otherwise disclosing individuals' calling number information in 1997 and should apply to all disclosure and/or use of personal information about telecommunications customers. The same principle was re-endorsed by the government and the Parliament in the amendments to the Privacy Act 1988 effective from December 2001.
- Divergences from general principles or laws governing privacy issues should occur only where the telecommunications industry is demonstrated to be unique or at least so special as to require telecommunications specific treatment (AUSTEL Privacy Report 1992).
- Any such divergence should not occur unless it has been demonstrated that there is a public interest in permitting businesses to invade an individual's privacy that outweighs, to a substantial degree, the public interest in requiring businesses to respect individuals' rights to privacy, and that the public interest objective cannot be achieved by a less privacy invasive means.
- It is well established in Australian law that the telecommunications industry is not so special as to be entitled to general exemption from compliance with the Privacy Act 1988. In this regard, the Telecommunications Act 1997 provides for the development of telecommunications industry specific standards and codes dealing with specified matters (s113) including "(f) privacy and, in particular: (i) the protection of personal information; and ...(v) the provision of directory products and services", and states (s116A) that "neither an industry code nor an industry standard derogates from a requirement made by or under the Privacy Act 1988". Hence, a telecommunications industry standard or code cannot be used to reduce the privacy rights and protections afforded to individuals, including telecommunications customers, by the Privacy Act 1988.
- Individuals who currently pay for a telecommunications service would reasonably expect their telephone service provider to be protecting their personal information in compliance with the Telecommunications Act and Privacy Act. In providing their personal information to a telecommunications company as required by law, they did not assume a risk of disclosure to, or use by, marketing businesses (unless they consented to same). Hence a new industry standard must ensure that existing customers' personal information is protected in accord with customers' reasonable expectations arising from existing privacy protection legislation.
Industry Standard
1. Applicability of Industry Standard
The consultation paper states that "the industry standard will apply to the use of customer information by PNDPs" (Public Number Directory Producers).
EFA submits that the industry standard must have broader coverage if it is to achieve the legislated objective of industry standards of regulating the telecommunications industry 'in a manner that reflects the legitimate expectations of the Australian community'.
The industry standard should apply to all persons and organisations that come into possession of customer information for purposes related to either the IPND or the provision of public number directories and directory services. Further, the industry standard should apply not only to use of customer information but also to collection and disclosure of customer information.
In EFA's analysis (see Appendix 1), the current practice of telecommunications companies of disclosing customer information directly to Sensis or other PNDPs would, in many instances, be in breach of the Telecommunications Act and the Privacy Act. Whether or not the practice is in breach of existing law, in our view it should be prohibited by the industry standard for the reasons set out later herein.
In addition, we note that apparently some telecommunications companies are also disclosing their customers' information, including silent line customers' information, to other types of organisations that most customers are unlikely to know about. In this regard, we refer for example to a media release issued by Paradigm.One Pty Ltd dated 1 March 2004 which states:
"Paradigm.One launch IPND bureau service
The IPND (Integrated Public Number Database) bureau service offered by Paradigm.One allows CSPs to fulfill their regulatory obligations without the overhead and headaches involved in dealing directly with the IPND.
...
Advanced pre-processing of clients data prior to submission to the IPND, thus removing any errors before they are detected and reported by IPND.
...
A comment often cited by clients is 'this is not a core business activity, it doesn't generate any revenue, we just want to fulfill our regulatory obligation'. Simply talk to us today and benefit from our experience."
The above indicates that Paradigm.One is receiving customer information from some telecommunications companies for the purpose of providing it to the IPND Manager on behalf of the telecommunications companies. The Paradigm.One web site (as at 1 May 2004) does not contain a privacy policy nor any indication of whether that business considers it is required to comply with the Telecommunications Act or the Privacy Act 1988.
Businesses like Paradigm.One may be a telecommunications contractor as defined in s274 of the Telecommunications Act and therefore required to comply with Part 13 in relation to the protection of customer information they obtain from carriage service providers. Nevertheless, EFA considers it is essential that the industry standard apply to businesses like Paradigm.One and any other organisations that obtain customer information for purposes related to the IPND, either as a telecommunications contractor or as a member of a section of the telecommunications industry determined by the ACA.
Should the industry standard apply only to the customer information contained in the IPND, or, apply to all customer information regardless of its source? Why or why not?
The industry standard should apply to all customer information provided by telecommunications companies, regardless of whether it is collected from the Integrated Public Number Database ("IPND"), another source such as Sensis, or directly from a telecommunications company.
The source of the information is irrelevant to customers who are concerned about their privacy and who have no actual control over disclosure and use of personal information they are required by law to provide to a telecommunications company for the purpose of being provided with a telephone service.
With regard to the Sensis repository, apparently Sensis is currently obtaining possession of customer information without individuals' express consent (or even knowledge in many cases) because Sensis is a related company of Telstra and Telstra's Carrier Licence Conditions require Telstra to produce an alphabetical public number directory. Individuals are not able to make a choice, let alone an informed choice, about whether or not they will allow Sensis, or Telstra, to disclose or use their personal information for other purposes. Therefore, in accord with general privacy principles, the industry standard should prohibit Telstra, Sensis and any other of Telstra's related companies (within the meaning of the Privacy Act) from disclosing or using customer information obtained from telecommunications companies for any purpose other than to produce the directory required by Telstra's licence conditions.
Furthermore, in EFA's analysis (see Appendix 1) Sensis and Telstra are currently prohibited from disclosing or using customer information for any other purposes by the Privacy Act, unless the individual has given consent. Telecommunications companies who disclose customer information to Sensis are apparently doing so for the purpose of enabling Telstra to comply with Clause 9 of its carrier licence regarding publication of an alphabetical public number directory (although this disclosure is in our opinion of doubtful legality, as explained in Appendix 1). Therefore, Sensis is obviously collecting the information for the primary purpose of enabling Telstra to comply with its licence condition. NPP2.1(a) prohibits disclosure or use for a purpose that is not related to the primary purpose of collection (unless the individual has consented). There are very few purposes that are related to the primary purpose of collection by Sensis. An example of a related purpose would be printing the White Pages, which allows Sensis to disclose the data to the printing company. Certainly use for the purpose of Sensis's database enhancement products etc is not a purpose related to enabling Telstra to comply with its licence condition.
Moreover, in relation to direct marketing, we draw to attention that although NPP2.1(c) permits secondary use for the purpose of direct marketing without a customer's consent, this exception is only applicable in very limited circumstances. In specified circumstances, it allows the collecting organisation to use, but not disclose, personal information for the secondary purpose of direct marketing. Hence, an IPND data user who collects a customer's personal information from the IPND (or collects from a telecommunications company) for the primary purpose of providing a public number directory but also discloses that information to another organisation for the purpose of direct marketing is in breach of the Privacy Act unless the customer's consent has been obtained.
The industry standard should apply to all customer information regardless of its source to ensure that the industry standard is, and is seen to be, consistent with the National Privacy Principles and ensure, to any extent that Sensis and/or Telstra is uncertain about the applicability of the NPPs, that their collection, disclosure and use practices are in accord with the NPPs.
Should the two repositories of customer information, IPND and Sensis, be treated differently?
The two repositories should be treated in the same way (except of course in relation to unlisted numbers which the Sensis repository should not, and we assume does not, contain).
However, rather than the industry standard referring to two different repositories, we consider that the industry standard should prohibit telecommunications companies from disclosing customer information directly to Sensis without the express and informed consent of the customer. In our view this current practice is, as a matter of law, on very shaky grounds as discussed in Appendix 1. At the very least, it appears contrary to the government and Parliamentary intent set out in the Telecommunications Act. Sensis should be required to obtain customer information for use in its directory products (including the White Pages) from the IPND, the same as any other Public Number Directory Producers ("PNDPs").
Are there implications for industry if the customer information is treated differently, or in the same way?
EFA believes, as a matter of existing privacy protection laws, that the customer information must be treated in the same way and we oppose any change to such laws that would enable the information to be treated differently. In addition to privacy protection reasons for treating the information in the same way, we believe there are undesirable effects on the telecommunications industry if the information is treated differently.
It appears that the existing situation is probably costing the telecommunications industry in general an unnecessary amount of time and effort in complying with their alleged legislative obligations. There is no doubt that they are required to provide customer information to the IPND. However, if as stated they are also being required, apparently by Telstra (not by law), to provide information directly to Sensis then presumably the records they supply to Sensis either contain different information or provide the same information in a different format. In either case, this would involve more work on the part of the telecommunications companies than supplying information to the IPND and Sensis obtaining the information it needs from the IPND. Presumably this would be occurring on a daily basis because telecommunications companies are required to provide updates to the IPND daily, and Sensis would need the same information promptly to update their online White Pages service.
If Sensis is to be allowed to continue collecting customer information directly from telecommunications companies, then the reason why Sensis does not obtain the information from the IPND needs to be publicly explained and justified. On the basis of information publicly available to date, it appears that the only reasons could be:
- (a) that Sensis is attempting to skate around legislated restrictions on the use and disclosure of customer information obtained from the IPND; or
- (b) the IPND is established and maintained in a manner that makes its use by IPND Data Users difficult, or the information in the IPND is not accurate and up to date.
If the reason is (b) then it indicates that the legislative intent of the IPND of, among other things, establishing a level playing field in the area of directory services has not been achieved. This has implications for the telephone service providers in terms of their ability to provide directory enquiry services and for PNDPs wishing to provide public number directories in competition with Sensis/Telstra.
If there are problems with using the IPND then the IPND Manager (Telstra) seems unlikely to have a great incentive to resolve them when its related company (Sensis) does not use the IPND for the purpose of enabling Telstra to comply with its licence condition of providing a public number directory. This is another reason why the industry standard should prohibit telecommunications companies from providing information directly to Sensis. Sensis should be required to obtain customer information from the IPND so that there is a level playing field.
Furthermore, we observe that one of the authorised IPND data users, Baycorp Advantage Ltd, claims on its web site to provide its customers with a service that uses the Telstra/Sensis Electronic White Pages® subscription based desktop service to enable Baycorp customers to locate addresses for marketing purposes and skip tracing and that also "formulates a search on the EWP™ system and matches the EWP™ response with your input to verify the identity details of the applicant". We question whether Baycorp Advantage Ltd, as an IPND user, actually uses information they obtain directly from the IPND to provide any service that might arguably be described as a public number directory service and furthermore why they use a Sensis product to provide marketing and data matching services to Baycorp customers. It appears that the latter may well be to avoid the legislative restrictions on use of information from the IPND.
Are there implications for consumers if customer information is treated differently, or in the same way?
Treating customer information differently would undermine consumers' existing privacy rights. It would be inconsistent with the National Privacy Principles.
In addition, the absence of a level playing field in relation to provision of public number directory services is not in the best interests of consumers.
2. Restricting Access
The consultation paper suggests:
Access to customer details (such as name, address and telephone number) would be confined to specified directory producers. These directory producers could be confined to creating only certain types of directories. This option envisages a prohibition on data cleansing, mailing lists and other database enhancing processes.
Who should be allowed to access customer information?
Access to customer information (such as name, address and telephone number) should be restricted to specified directory producers.
Who should govern or regulate access to data?
The ACA should govern access to customer data, not Telstra or any other commercial organisation. We believe access needs to be regulated by an independent entity, such as the ACA, who can act in the public interest without being at risk of claims that they refuse, or otherwise regulate, access in ways designed to give themselves and/or their related companies a market advantage.
Persons and organisations seeking access to information in the IPND should be required to apply to the ACA for approval as a specified directory producer. The IPND Manager should be prohibited from providing access to persons or organisations other than those specified by the ACA.
Approval as a specified directory producer should be conditional on, among other things, the PNDP commencing to provide a public number directory product to the public within six months of the date of approval and making available an updated version of same at least once each year thereafter. If a specified directory producer does not do so, or ceases to do so, the ACA should revoke the PNDP's authority to access the IPND unless the ACA is satisfied that there are legitimate reasons for the failure to provide a directory product and that the PNDP intends to do so in the near future.
In addition, specified directory producers should be required to, at least annually, notify the ACA of the name/s of the public number directories and/or directory assistance services they provide and how/where members of the public can avail themselves of such directories/services. The ACA should make a listing of that information readily and freely available to the public.
Should directories be subject to legal definitions and have restrictions on what constitutes a directory?
Yes. The definitions of 'public number directory' and 'directory assistance services' should be read within a telecommunications context. As noted on page 21 "This interpretation excludes the use of the IPND in any way that would allow for the mass migration or manipulation of data for marketing purposes from the scope of what is an approved purpose".
Any other interpretation of the terms would constitute function creep and be contrary to the government and Parliament's intent and objective in mandating the establishment of the IPND. It must be remembered that the intent was to ensure that, in a competitive telecommunications market environment, the public would continue to have access to directory services containing telephone numbers provided by all telephone companies, rather than each company only being able to readily provide directories of their own customers' numbers which would be impractical and inconvenient for persons wishing to find another person's number in order to telephone them. The intent was most certainly not to make life easier for marketing companies.
The definitions should ensure that the following uses (extracted from the consultation paper) are unquestionably prohibited:
- use of IPND data to append telephone numbers to name and/or address information in databases that are not associated with an approved purpose;
- use of IPND data to compile, populate, update and verify a database unrelated to, or used for any purpose other than an approved purpose;
- use of IPND data to develop, update or verify mailing lists or databases to be used for marketing or telemarketing purposes;
- provision of a PND in such a form that it is reasonably foreseeable that it could be electronically manipulated to allow the mass transfer of customer data into an unrelated database; and
- use of IPND data to verify the identity or personal details of a customer or to provide services or products for such purposes, unless otherwise provided for under law.
How should 'public number directory' be defined?
We consider the definition in the IPND Code provides a reasonable starting point but requires considerable amendment. The definition should be similar to the following, or alternatively if a shorter definition is used, the industry standard should address all of the matters included below in other sections of the standard.
Public Number Directory is a document or record containing a list of telephone subscribers and their numbers. The numbers are connected to the supply of carriage services to the public in Australia. Such a document or record:
- is provided to end-users of a standard telephone service to help an end-user find the number of another end-user of a standard telephone service; and
- is published in a way that makes it readily available free of charge, or for purchase, to the public generally, as opposed to being made available to only a limited section of the public; and
- does not include information other than the subscriber's name, address and number (unless specifically requested by the subscriber); and
- in the case of residential entries, is ordered alphabetically by the subscriber's name; and
- if the directory includes a search facility:
  - in relation to residential entries, requires the end-user:
    - to provide both the name and at least part of the address of the telephone subscriber being sought (i.e. does not allow searching by name, or address, only); and
    - to search for only one subscriber's number at a time; and
  - in relation to business entries, allows the end-user:
    - to search by the name and optionally the address (or part thereof) of a telephone subscriber; and/or
    - to search by other criteria (including criteria not being part of the public number customer information) other than a subscriber's number; and
- does not provide a reverse search facility; and
- if the directory is made available in electronic format, does not provide facilities that it is reasonably foreseeable would allow an end-user to:
  - bulk export information from the directory to establish, compile, populate, maintain or update a database, mailing list or other electronic repository;
  - merge information with, or append information to, information in another database, mailing list or other electronic repository;
  - validate or confirm the currency of information in another database, mailing list or other electronic repository by an electronically automated method.
Reverse Search Facility means a method by which:
- an individual's name or address can be obtained by reference to a telephone number alone or an address alone, or a combination of telephone number and address; or
- an individual's name or telephone number can be obtained by reference to an address alone; or
- a business subscriber's name can be obtained by reference to a telephone number alone;
but does not include a listing ordered alphabetically by the subscriber's name, in a public number directory that is not in electronic format, provided the directory contains a sufficient number of telephone subscriber listings to prevent readily obtaining an individual's name or address by searching for a number or address, or a business subscriber's name by searching for a number.
With regard to reverse searching of business entries, we note that the prohibition on reverse searching in the Telecommunications Act covers any type of entry. In the event that the ACA receives suggestions for allowing reverse searching by number for businesses' names, it must be recognised that some telecommunications companies prohibit use of telephone services installed in residential premises for business purposes. Hence, individuals who work from their home may have a telephone service for business purposes listed in their personal name. Any proposal to allow reverse searching in relation to business entries would require amendment to the IPND to distinguish between types of business telephone services and ensure that reverse searching business entries would not reveal individuals' names or residential addresses without their express and informed consent.
In relation to the definition of "public number directory" in the existing IPND Code, we note it states that for the avoidance of doubt the directory may "be in a written or electronic format or accessible by means of a website". This seems to blur any distinction between a 'public number directory' and a 'directory assistance service' and as a result presents risks to privacy in relation to reverse search facilities.
A "directory assistance service" is currently defined as follows:
"Directory assistance services means services that are:
(a) provided to an end-user of a standard telephone service to help the end-user find the number of another end-user of a standard telephone service
(b) provided by an operator or by means of:
(i) an automated voice response system; or
(ii) another technology-based system."
The reference to "another technology-based system" appears to bring the online White Pages provided by Sensis within the definition of a "directory assistance service" as well as being within the definition of a "public number directory" in the IPND Code because it is "accessible by means of a website". The Sensis website suggests they consider it to be a "directory assistance service":
"This site and the data contained in it are supplied solely for informational use. ... users may download individual listings for their own private use in the course of the normal use of this site for directory assistance purposes". (emphasis added)
http://www.whitepages.com.au/wp/legal/copyright.html
In our view, the current definition of "directory assistance service" probably precludes inclusion of a reverse search facility because it states that the service is provided to help find a number. However, we do not consider it is sufficiently clear that a service like the online White Pages is prohibited from including a reverse search facility (although it can also be argued that the service is a public number directory under the IPND Code definition which is not permitted to include a reverse search facility). We therefore believe that the industry standard needs to specifically prohibit provision of a reverse search facility in conjunction with a directory assistance service.
EFA also submits that the industry standard should include provisions requiring PNDPs to adopt measures aimed to prevent bulk copying of customer information and reverse searching similar to those in the U.K. Code of Practice on Telecommunications Directory Information Covering the Fair Processing of Personal Data. For example:
- encryption of files containing customer information in directories provided on CDs and in other electronic formats to prevent searching the raw data contained in the files for numbers or addresses;
- restrictions on the number of records generated from a single search using electronic directories;
- restrictions on the number of directory entries which can be copied and pasted from electronic directories;
- ensuring printed directories contain a minimum number of subscribers' information or cover a minimum geographical area, to prevent the publishing of a small printed directory which would enable searching by location without using a subscriber's name;
- ensuring all directories contain a clearly visible warning that the directory information is not to be used for unsolicited direct marketing purposes.
What do customers expect will happen with their data? Do you think the current uses (see section 4.6) fit with these expectations?
Generally speaking, customers reasonably expect that their personal information will not be disclosed or used in ways that infringe current privacy laws and related regulations. Accordingly, customers would not expect the personal information that they are forced by law to provide to their telecommunications service provider, for the primary purpose of being provided with a telephone service, to end up being sold or otherwise provided by PNDPs to market research companies, call centres, direct mail houses, banking and finance, utilities, credit providers, debt collectors, superannuation and insurance companies (as stated on page 11 of the consultation paper).
We share the ACA's view (page 22-23) that use and disclosure of telecommunications customers' personal information for purposes referred to by the marketing industry as 'database enhancement', 'data cleansing', 'data verification', 'list management' services or 'information management tools' are prohibited by existing law (except if such use is directly related to provision of a public number directory). Accordingly, we believe customers do not expect their personal information to be disclosed or used (unless they have explicitly consented) for the following purposes listed in the consultation paper:
- Data integration and management - companies can have their internal customer data reorganised to increase marketing efficiency, by merging customer data from various databases (including the IPND) and profiling customers to help companies target their marketing efforts.
- Validating other sourced data - clients are able to provide files of potential customers' names, addresses and telephone numbers. The IPND data confirms the currency of the telephone numbers.
- Building and maintaining population databases - information from a variety of sources is assembled in an effort to build up a repository of information about much of the Australian population. Information available includes demographics, lifestyle, family features and household composition. IPND data is used to update customer telephone number information in such a database.
- Supplementing existing telemarketing data - businesses submit files which are returned with telephone numbers appended from the IPND, a service promoted as a tool for companies about to undertake telemarketing campaigns.
- Consumer verification services - businesses can verify and authenticate a consumer's details for the purposes of debt collection or credit assessment using the IPND.
In relation to how many people do not want their personal information distributed by and to data matching and marketing businesses without their consent, it is interesting to note that (according to FCS Online as quoted in the Institute of Mercantile Agents' November 2003 newsletter), 45% of people who change their address refuse to allow Australia Post to distribute their new address in the Australia Post National Change of Address File. The 45% who refuse have been informed by Australia Post that their new address would only be provided to organisations that already have the person's name and previous address. We expect the percentage who say they do not want their new address distributed by Australia Post would be significantly higher than 45% if more people knew that Australia Post distributes the information to data matching organisations like FCS Online who already have people's addresses because they collect same from a variety of sources without the individual's knowledge or consent. We also expect the percentage would be markedly higher in relation to provision of telephone numbers to telemarketers than mailing addresses.
Do the services the PNDPs provide (utilising customer information) offer valuable services to business and industry? Do these services benefit consumers? Do they benefit industry?
EFA considers that it is irrelevant whether PNDPs provide valuable services to business and industry. Businesses are not entitled to benefit from the use of personal information about individuals who have no real choice in relation to availability of their information. Currently, individuals who wish to enable friends and acquaintances to find their telephone number in order to contact them are unable to do so without also being, in effect, forced to make their personal information available to PNDPs who sell it to marketing, data-matching and other businesses. Until such time, if ever, as individuals have real choice about whether or not the personal information they provide for the primary purpose of obtaining a telephone service is disclosed or used for unrelated purposes, use of such information should remain restricted to existing legislatively approved purposes.
It is not known whether the PNDPs' services (other than provision, if any, of public number directory services) benefit consumers. EFA assumes that if such services are of benefit to consumers, the PNDPs' web sites would provide relevant information in that regard. However, their web sites primarily refer to alleged benefits to businesses and to the extent that any briefly assert "consumer benefits", they do not make apparent how consumers actually benefit from disclosure and use of their personal information without their consent.
Would limiting the PNDPs' access to customer information affect business practices and profitability?
EFA considers the above to be irrelevant, for the same reasons as stated in relation to the previous question. Further, as stated in the AUSTEL 1992 report "marketing considerations do not justify putting people under pressure to provide their personal information" and such considerations certainly do not justify laws or industry standards that have the effect of forcing people to allow their personal information to be used by PNDPs to make a profit.
How aware are consumers about all the possible uses of their data?
To our knowledge, prior to the issue of the ACA consultation paper, it was not possible for members of the public to even find out which businesses have access to customer information in the IPND. Therefore it was very difficult, if not impossible, for individuals to become aware of the ways the personal information they are required by law to provide to their telecommunications service provider is being disclosed and used.
On reviewing the web sites of the PNDPs named in the consultation paper, we have been surprised to find blatant admission of the use of customer information from the IPND for purposes unrelated to the production of public number directories. For example:
Pacific Micromarketing:
http://www.pacmicro.com.au/pdf/ausData/Australian_Data_Online.pdf
"What is Australiandata-online
Australia's leading consumer database marketing company, Pacific Micromarketing, has made it easier for your company to improve your customer data and enhance your customer knowledge - by offering Australia's first online facility that will handle all your needs for consumer data appending and enhancing, simply and quickly.
...
About to undertake a telemarketing campaign?
If you are about to undertake a telemarketing campaign, simply submit your file and Pacific Micromarketing will return it with telephone numbers appended from the latest version of the Integrated Public Number Database (IPND). Pacific Micromarketing receive updates from the IPND file from Telstra every night and their matching software has been tuned to deliver the highest accurate match rate available."
FCS OnLine:
http://www.fcsonline.com.au/Privacy.htm
"FCS OnLine collects personal information from its clients, from individuals from publicly available data such as the Electoral Roll, the Integrated Public Number Database and other publicly available sources.
FCS OnLine collects personal information for the purpose of assisting clients in the prevention of fraud, debt recovery and skip tracing, to confirm owner/occupier details for residential properties, verification and updating of personal information in client databases."
[It is disturbing that FCS Online incorrectly refers to the IPND as a "publicly available source".]
3. Limiting use of customer information
The consultation paper states: "Customer information could only be used for specific purposes. Customers could opt to have their information used for additional purposes."
Should the use of directory information be limited or confined to certain purposes?
Yes. Use of directory information from the IPND (or otherwise provided by telecommunications companies) should be confined and not extended beyond the existing specified approved purposes, unless the customer has given explicit and informed consent.
Should customers be given the opportunity to elect whether their information can be used for purposes (beyond appearing in a public directory) through an opt-in scheme? Should customers choose up front whether their data can be used for other purposes?
EFA notes that neither the Telecommunications Act nor the Privacy Act prevents businesses from giving individuals the opportunity to consent to allowing their personal information to be used for other purposes.
Whether or not a specific opt-in scheme should be established as part of, or in association with, the telecommunications industry regulatory framework depends on exactly how such a scheme would be established and operate. It would certainly be essential that customers "choose up front whether their data can be used for other purposes".
EFA considers there are a number of problems related to the idea of establishing and operating an opt-in scheme and these are addressed in the section titled Future Options later herein.
Should a restriction on the use of data be achieved through a new industry standard, working in conjunction with other laws such as the Privacy Act?
Yes. The industry standard should restrict use to existing approved purposes and explicitly state, for the avoidance of doubt, a prohibition on data cleansing, mailing lists and other database enhancing processes.
In addition, for the avoidance of doubt, all IPND data users who are small businesses (as defined in the Privacy Act) should be required, as a condition of access to the IPND, to opt in to coverage by the Privacy Act 1988 (as provided for in that Act). While such small business organisations may be required to comply with the Privacy Act because they handle personal information for a benefit, service or advantage, this somewhat grey aspect of the law may not be particularly well known or understood. Therefore the industry standard should contain provisions to ensure that all IPND data users are required, and know they are required, to comply with the Privacy Act.
Future Options
EFA considers the options listed under items 4, 5 and 6 of Section 5.2 of the consultation paper to be future options because we do not believe they could be satisfactorily implemented in the near future (if at all). We are of the view that the industry standard should be developed and implemented in accord with existing law as a matter of some urgency. In our view, other options would need to be further developed by the ACA following responses to the current consultation process, and then become the subject of further public consultation.
4. Allowing wider use of customer information with a consent
The consultation paper states:
"Explicit or implied consent to be given by individual consumers if their data is going to be used or disclosed for purposes other than primary purposes."
In order to determine the merits or otherwise of this idea, it is necessary to consider how a customer's consent or otherwise would be obtained, where it would be recorded, who would be responsible for any errors in the relevant record, and how third party organisations (i.e. those other than the customer's telephone service provider, e.g. marketing businesses) who wish to use a customer's personal information would be able to find out whether the customer had consented.
In the context of the consultation paper, we assume that the suggestion refers to requiring telecommunications companies to seek consent for third party businesses' purposes (unrelated to the provision of a telecommunications service) and recording a customer's consent or otherwise in the IPND.
EFA is strongly opposed to such a scheme for the following reasons:
- The use of a legislatively mandated database such as the IPND should not be extended for additional commercial purposes. This would constitute inappropriate function creep and also potentially lead to further function creep.
- The IPND is also not suitable for additional commercial purposes because it contains mandatorily provided strictly confidential information about individuals who have unlisted numbers. Additional uses of the IPND would increase the risk of exposure of private information.
- Use of the IPND would most likely result in additional hidden costs to all telecommunications customers because:
  - telecommunications service providers would expect to recover their costs in ascertaining customers' privacy choices in relation to other businesses' purposes and administering related recording systems.
  - the IPND Manager (Telstra) would expect to recover its costs in making relevant changes to the IPND to enable customers' choices to be recorded and in subsequently regulating access accordingly. We note that when a similar scheme was canvassed by AUSTEL in 1992, the resultant report stated that AOTC (subsequently Telecom/Telstra) "is reluctant to incur increased costs, especially ones that do not seem related to its core business or to bring it benefits". We expect Telstra's current view point in its capacity as legislatively mandated IPND Manager would be the same, as it is unlikely that a sufficient number of individuals would consent to use of their personal information for marketing purposes to enable Telstra as IPND Manager to profit from selling such information to PNDPs.
- Individuals should not be charged, either overtly or covertly, for the right to have control over use of their personal information by PNDPs.
- Requiring telecommunications service providers to ascertain customers' privacy choices in relation to purposes unrelated to supplying a telecommunications service would be a completely inadequate means of giving customers sufficient information to grant informed consent or refuse consent:
  - We do not believe telecommunications companies can be aware of all the purposes for which their customers' information could be used by third party businesses, nor do we consider it practical or reasonable to require them to become aware of uses unrelated to their provision of a telecommunications service.
  - Individuals are entitled to make choices in relation to each collecting business's purposes. Telecommunications companies being required to ascertain choices is most likely to result in individuals being asked to give or refuse bundled consent, that is, only having a choice in relation to a bundled group of businesses' purposes.
  - Telecommunications companies' Terms and Conditions of service are already quite complex. Requiring, in effect, customers to read additional information and make decisions concerning their privacy rights in relation to unrelated businesses would make the process of obtaining a telecommunications service more difficult and time consuming.
- In the event of use or disclosure of a customer's information contrary to their choice, it would be difficult and probably impossible for the customer or regulators to determine who was responsible. The entity responsible could be: the telecommunications company, a business like Paradigm.One, the IPND Manager, or a PNDP such as Sensis depending on how the IPND Manager established the choice recording system and made that information available. We expect that the majority of customers would assume their telecommunications company had failed to record their choice/s correctly and we consider it inappropriate for the regulatory system to unnecessarily place telecommunications companies in this situation. While this is already the case in relation to customers who have unlisted numbers, it is inappropriate to extend a system (of dubious reliability given Telstra's publication of unlisted numbers in 2002) designed for one specific choice to a broader range of choices, particularly those unrelated to provision of a telecommunications service.
Which organisation or organisations should be required to obtain a customer's consent?
Consent to disclose or use an individual's personal information should be obtained by the organisation that wishes to disclose or use the information for a particular purpose. Consent should be obtained from the individual at the time the individual's personal information is collected by the organisation.
Telecommunications service providers should not be required to ascertain whether or not their customers consent to other businesses using the customer's information, unless the telecommunications service provider intends to disclose it to other businesses.
Should telecommunications service providers be required to obtain consent only if it was intended or likely that customers' data would be disclosed to another entity (other than for legislatively prescribed purposes) or an entity outside of the jurisdiction?
No. Telecommunications service providers should be required to obtain customers' express consent prior to disclosing customers' data to any other entity.
What type of information should the organisation obtaining consent be required to provide to a customer before obtaining their consent?
The notification should include, as required by NPP 1.3:
(a) the identity of the organisation and how to contact it; and
(b) the fact that he or she is able to gain access to the information; and
(c) the purposes for which the information is collected; and
(d) the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and
(e) any law that requires the particular information to be collected; and
(f) the main consequences (if any) for the individual if all or part of the information is not provided.
It should be noted that (c) refers to purposes, and as such clearly includes both the primary purpose and secondary purposes.
In relation to (d), if a telecommunications company intends to disclose personal information to a PNDP who could use it for purposes other than existing approved purposes, then the telecommunications company should be required to name each PNDP to which it may disclose customer information, together with information about the purposes for which each particular PNDP may use the information and the types of organisations to which each particular PNDP may disclose customers' information. Provision of the information about a PNDP's use/disclosure is required by NPP 1.5 unless the PNDP itself provides such notification to the customer, as is pointed out in the Explanatory Memorandum to the Privacy Amendment (Private Sector) Act 2000 (the terms 'organisation A' and 'organisation B' have been replaced with 'telecommunications company' and 'PNDP' respectively):
"NPP 1.5 ... [I]f a telecommunications company collected information from an individual, and the telecommunications company usually discloses that type of information to a PNDP, then, at the very minimum, the telecommunications company would be required to tell the individual that it usually discloses the information to the PNDP (this is required under NPP 1.3(d)). Before the PNDP could collect the information, it would need to be satisfied that the individual was aware of the other matters listed in NPP 1.3 as they pertain to the PNDP. If the telecommunications company has given these details to the individual, then the PNDP does not have to do any notifying itself. If the telecommunications company has not notified the individual of the matters listed in NPP 1.3 as they relate to the PNDP, then the PNDP will need to notify the individual of these matters (where relevant) itself." (emphasis in original)
Unless the law requires telecommunications companies to provide customer information to a PNDP, then the telecommunications company should be required to notify customers that they are entitled to refuse to permit their personal information to be disclosed to any particular PNDP.
If a law requires a telecommunications company to collect customer information and disclose it to a particular PNDP, then the telecommunications company should be required to notify customers of the exact name of the relevant law in relation to each particular PNDP.
Would a consent requirement result in customers becoming more aware of the possible uses of their data? What other benefits might consumers derive?
The extent to which a consent requirement could, in future, result in customers becoming more aware of possible uses of their data depends on the extent to which businesses are or are not currently complying with the intent of NPP 1.3, 1.4, 1.5 and NPP 2. The principal benefit to consumers of a consent requirement is that it enables them to have control over whether or not their personal information can be disclosed or used for particular purposes.
Are there implications for business if consumers are asked to give consent?
It is irrelevant whether there are implications for 'business'. Telecommunications service providers are already required to obtain customers' consent except in relation to a very limited range of uses and disclosures authorised by the Telecommunications Act, which do not include the wishes or claimed needs of marketing or any other businesses that are not carriage service providers.
The privacy and consumer rights of telecommunications users, and the needs of the telecommunications industry in provision of telecommunications services, must take precedence over the wishes and/or claimed needs of any other businesses. Telecommunications companies should not be required to be the obtainers of consent for other businesses' purposes unless the telecommunications company intends to disclose the information to another business.
5. Allowing wider use of customer information subject to disclosure of uses
EFA is strongly opposed to this proposal for the reasons set out below.
The brief outline of the suggested approach in the consultation paper states:
"Regulate telecommunications companies who are aware that their customer data may be used to contact customers for purposes other than the provision of a telecommunications service. Telecommunications companies would be required to fully disclose to their customers the potential uses of their data at the point when information is provided by the customer to the company."
As we understand it, the above proposes that a telecommunications customer's information be allowed to be used for purposes unrelated to provision of a telecommunications service if the collecting telecommunications company has merely informed the individual of potential uses of their personal information by third parties.
EFA is strongly opposed to the above idea. It fails to provide individuals with adequate control over disclosure and use of their personal information and would be a backward step in relation to the protection of telecommunications users' privacy. We believe disclosure and/or use under such circumstances would be in breach of the National Privacy Principles and therefore, to the extent that an industry standard purported to permit use or disclosure in such circumstances, the industry standard would be invalid.
It should be noted that, in relation to the Privacy Act, the mere provision of information in accord with NPP 1.3 and/or NPP 1.5 about the purpose of collection of a customer's personal information does not of itself enable the information to be disclosed or used for secondary purposes. This matter is discussed in detail in Section 4 of Appendix 1.
The consultation paper also states:
"An additional or alternative approach could require companies who contact consumers directly using data obtained from the IPND to identify themselves and how they obtained the customer's contact details.
These measures could also advise consumers about how they can request removal of their personal details for contacting purposes. Some telecommunications providers and other organisations have already implemented this measure."
Contacting customers using data obtained from the IPND, for purposes unrelated to the provision of the associated telecommunications service, should be prohibited in the absence of a customer's prior explicit and informed consent. Merely requiring companies to inform individuals about how they can request removal of their details does not provide individuals with adequate control over use of their personal information - their personal information has already been used. Furthermore, there is no law that requires companies who have collected personal information for the primary purpose of direct marketing to comply with an individual's request to cease contacting that individual at their telephone or fax number or associated street address, nor to remove their details from the company's database/lists.
Should consumer protection mechanisms be boosted in this area?
Yes, with a view to increasing understanding of and compliance with NPP 1.3 and NPP 1.5, but not with the objective of allowing wider use of customer information subject merely to notification about uses. Wider use of customer information should not be permitted to any greater extent than existing law without the customer's explicit and informed consent to a particular use.
Should telecommunications companies be required to disclose to customers the primary and secondary uses of their information?
Telecommunications companies are already required to inform customers of the primary and secondary uses of their personal information. This is required by NPP 1.3, but it seems clear that some telecommunications companies are not adequately complying with that requirement.
Telecommunications companies should not be required to know about and inform customers about use by IPND data users, other than about the existing approved purposes, because use of IPND data should be restricted to those purposes and the restrictions should be enforced.
If so, how should a disclosure requirement be enforced? When should disclosure take place? What form should disclosure be given in?
Telecommunications companies should comply with NPP 1.3.
Disclosure, that is, notification to a customer of the purposes of collection and uses of their personal information should take place at or before the time the telecommunications company collects personal information about the customer. We believe it would always be practicable for telecommunications companies to notify their prospective customers before they collect the personal information.
The notification should preferably be made in written form, for example, provided in conjunction with the contract for service the customer is required to sign. If the customer is not required to physically sign a contract prior to provision of a service, then the telecommunications company should inform the customer of the means by which a customer can obtain, read and consider the notification prior to providing their personal information.
How would telecommunications companies be aware of or manage the purposes customers' data would or could be used for?
We do not believe telecommunications companies can be aware of all the purposes for which customers' information could be used by IPND data users unless access to the IPND is restricted to authorised users and use of customer information contained in the IPND is restricted to approved purposes and the restrictions are enforced by the ACA.
Should PNDPs only be able to use customer data for secondary purposes when consumers have agreed to their data being used in this way?
Yes. PNDPs should not be allowed to use telecommunications customer data obtained from the IPND (or directly from telecommunications companies) for any purpose other than the existing approved purposes, unless the customer has provided explicit and informed consent to other particular uses.
6. Specify additional approved purposes in the Licence Conditions
The consultation paper states:
"Clause 10 (1)(g) of the Telstra Licence Conditions could be amended to specify additional 'approved purposes' in order to, for example, allow IPND data to be used to provide database enhancement services. This could allow companies to use data for some of the purposes outlined in section 4 of this paper."
Should new prescribed purposes for the use of IPND data include database enhancement services or for use in direct marketing?
No, absolutely not. Furthermore, changing Telstra's licence conditions as suggested above appears to be inconsistent with the provisions of Part 13 of the Telecommunications Act and the Privacy Act.
A change that should be made to Telstra Licence Conditions is to specifically require Telstra to obtain customer information for the production of the White Pages from the IPND, not from telecommunications companies.
Would additional approved purposes infringe on individual privacy?
Yes.
What are the advantages and disadvantages of this approach?
This approach is completely contrary to privacy principles and existing privacy protection legislation. There would be no advantage for individuals who want control over the disclosure and use of their personal information. The approach would give them less control than they are entitled to under current legislation. The fact that either Telstra and/or some, or all, PNDPs have not been complying with existing legislation is not a legitimate reason to change the rules.
Privacy protection mechanisms for future consideration
Silent listings
The consultation paper states:
"Currently, customers who request a silent telephone number (that is, that their telephone number does not appear in both the print and online telephone directories) are charged by some telecommunications companies for this service. Some customers choose to have a silent listing because they are concerned about others accessing their personal information."
EFA considers that telecommunications companies should be legislatively prohibited from charging individuals to exercise their right not to have their personal information published. Telecommunications companies are legislatively prohibited from disclosing silent line customer information to PNDPs, and companies that charge silent line customers are apparently declining to comply with their legislative obligation unless the customer pays them to do so. Individuals should not be required to pay to exercise their legislated right to have control over disclosure and use of their personal information, and especially not when they are required by law to provide their personal information to the telecommunications provider in the first place so that it can be recorded in the IPND for law enforcement and emergency service purposes.
Do-not-contact and do-not-call lists
EFA does not consider opt-out lists to be an adequate means of protecting individuals' privacy. Individuals who choose to opt out are forced to provide personal information in order not to be called or contacted. Their personal information is then provided to data matching and marketing businesses (who may not have already had the individual's information) with an instruction not to call or contact them. However, there is no effective means of preventing those businesses from disclosing the information to other businesses, notwithstanding that it may be illegal to do so.
We consider there should be a legislative prohibition on the use of the names and personal contact details of individual customers in public number directories for the purpose of direct marketing unless the individual had expressly consented by registering with an opt-in service. The opt-in register could be established and maintained by an industry association or statutory authority. This approach would be generally consistent with the opt-in approach taken in the Spam Act 2003 (although of course relevant legislation would have to make clear that publication in a public number directory does not constitute consent by way of 'conspicuous publication').
If an opt-out register was to be established in Australia (other than ADMA's existing expensive service), in our view the register would have to be established and run by a national statutory authority, backed up by legislation obligating marketers to comply, and providing the authority with the power to fine offending companies. The authority would need to provide a service whereby businesses provided their lists/database records to the authority and the authority deleted or flagged personal information about individuals who had opted out, so that the businesses were not provided with information about individuals that the business did not already have. Registration of a desire not to be called or contacted would need to be ongoing, that is, not only apply for a defined period such as five years.
Conclusion
In summary:
- Disclosure and use of personal information about individuals should be limited to the purpose for which it was originally collected, unless the owner of the information (the data subject) has given express and informed consent.
- The definitions of 'public number directory' and 'directory assistance services' should be read within a telecommunications context and exclude the use of the IPND in any way that would allow for the mass migration or manipulation of data for marketing purposes from the scope of what is an approved purpose.
- Access to customer information in the IPND (such as name, address and telephone number) should be restricted to specified directory producers approved by the ACA.
- The industry standard should apply:
  - to all persons and organisations that come into possession of customer information for purposes related to either the IPND or the provision of public number directories and directory services. Further, the industry standard should apply not only to use of customer information but also to collection and disclosure of customer information; and
  - to all customer information provided by telecommunications companies, regardless of whether it is collected from the IPND, another source such as Sensis, or directly from a telecommunications company.
- The industry standard should prohibit telecommunications companies from disclosing customer information directly to Sensis or any other PNDP without the express and informed consent of the customer.
- The industry standard should restrict use of customer information to existing approved purposes and explicitly state, for the avoidance of doubt, a prohibition on data cleansing, mailing lists and other database enhancing processes.
- The industry standard must, at a minimum, be consistent with the letter and spirit of the National Privacy Principles and Privacy Act 1988.
- Allowing wider use of customer information without consent would be completely contrary to general privacy principles and existing privacy protection legislation. Such an approach would result in individuals having less control over disclosure and use of their personal information than they are entitled to under current legislation. The fact that either Telstra and/or some, or all, PNDPs have not been complying with existing legislation is not a legitimate reason to change the rules.
Appendix 1 - Analysis of relevance of existing privacy protection laws
According to the ACA consultation paper, the Sensis repository contains customer information obtained directly from telecommunications companies. If that is so, it appears the Sensis repository exists as a result of telecommunications companies having disclosed customers' information in breach of the Telecommunications Act 1997 and/or the Privacy Act 1988 (in instances where they did not obtain the customer's consent). Furthermore, it appears that use and disclosure by Sensis in its marketing and data matching products would in many instances (depending on whether the individual's consent had been obtained) be in breach of the Telecommunications Act 1997 and/or the Privacy Act 1988. Our interpretation and analysis of the legislation in the foregoing regard is provided below.
1. Disclosure by telecommunications companies
Telecommunications companies are prohibited from disclosing customer information by Part 13 (Protection of Communications) of the Telecommunications Act 1997 unless an exception to the prohibition applies. However, none of the exceptions appear applicable to disclosure of customer information by telecommunications companies to Sensis (a subsidiary of Telstra) or any other public number directory producer (PNDP).
1.1 Disclosure to the IPND
Telecommunications companies are required by law to provide customer information to a person or association that is "under an obligation to provide and maintain an integrated public number database". In this regard, Schedule 2 of the Telecommunications Act 1997 states:
Part 4-Integrated public number database
10 Carriage service providers must give information to Telstra
(1) This clause applies if Telstra is obliged by a condition of a carrier licence to provide and maintain an integrated public number database.
(2) If:
(a) a carriage service provider supplies a carriage service to an end-user; and
(b) the end-user has a public number;
the carriage service provider must give Telstra such information as Telstra reasonably requires in connection with Telstra's fulfilment of that obligation.
As Telstra Corporation Limited currently has that obligation (Clause 10 of Telstra's Carrier Licence Conditions), telecommunications companies are required by law to provide customer information to Telstra for the purpose of enabling Telstra to fulfil its obligation to provide and maintain an integrated public number database. Telecommunications companies can disclose information to Telstra for that purpose without breaching s276 (Primary disclosure/use offence-eligible persons) in Part 13 (Protection of Communications) because s280 of the Telecommunications Act provides an exception to the general prohibition on disclosure which permits a disclosure or use that is required or authorised by or under law.
Secondary or later disclosure and use of protected information is also regulated by the Act. Under s297 of the Act, when information "is disclosed to a person for a particular purpose as permitted by section 280 [Authorisation by or under law] or this section, the person [recipient] must not disclose or use the information or document unless the disclosure or use is required or authorised by or under law".
The recipient, i.e. Telstra/IPND Manager, is authorised by law to disclose or use customer information contained in the IPND for permitted/authorised purposes. This disclosure is required by Clause 10 of Telstra's Licence Conditions (with which Telstra is required to comply by s68 of the Act) and is also authorised by s285 when "the disclosure or use is made for purposes connected with:
(i) the provision of directory assistance services by or on behalf of a carriage service provider; or
(ii) the publication or maintenance of a directory of public numbers, where the directory does not enable a person who only knows a customer's number to readily identify the customer's name and/or address; or..."
1.2 Disclosure directly to Sensis and other PNDPs
Part 4 of the Act does not, however, require telecommunications companies to provide customer information to PNDPs such as Sensis, nor does it or any other provision in the Act appear to require telecommunications companies to provide customer information to Telstra for the purpose of producing an alphabetical public number directory (as required of Telstra by Clause 9 of its licence). Clause 10(3) of the Telstra licence permits Telstra to use data in the IPND for the purpose of publishing public number directories, so it is not necessary for Sensis to obtain information directly from telecommunications companies.
It is clear that the legislative intent is that telecommunications companies be required to provide customer information to Telstra (as the IPND operator) and that Telstra be required to make it available from the IPND for authorised purposes to PNDPs.
In the absence of telecommunications companies having a legislated obligation to provide customer information to Sensis, EFA questions how telecommunications companies could be doing so without being in breach of Part 13 of the Telecommunications Act. None of the exceptions in Part 13 appear applicable to disclosure of customer information by telecommunications companies to Sensis or any other PNDP.
While the s285 (Integrated public number database) exception allows a carriage service provider such as Telstra or another specified IPND operator to disclose information from the IPND to PNDPs for specified approved purposes, the exception is not applicable to disclosure by telecommunications companies of customer information contained in their own customer databases to PNDPs, nor to the IPND Manager. (As stated above, such information is allowed to be provided by telecommunications companies to the IPND manager under the s280 exception, due to the requirements of Part 4 of Schedule 2 of the Act and PNDPs can obtain the information from the IPND.)
The only exception that could be applicable in some, but not all, instances is the s289 (Knowledge or consent of person concerned) exception. This allows telecommunications companies to disclose or use a customer's information if the particular person (customer):
"(i) is reasonably likely to have been aware or made aware that information or a document of that kind is usually disclosed, or used, as the case requires, in the circumstances concerned; or
(ii) has consented to the disclosure, or use, as the case requires, in the circumstances concerned."
However, the s289 exception cannot be relied upon by telecommunications companies in bulk disclosure of customers' information directly to Sensis or any other PNDP because the exception relates to the knowledge of the particular person concerned and not all customers are reasonably likely to be aware of disclosure in the circumstances concerned.
It also appears that telecommunications companies do not consider they are relying on the s289 exception when disclosing a customer's information to Sensis or other PNDPs. Sections 306 and 308 of the Act require carriage service providers to make a record of a disclosure of information authorised by s289 and give an annual written report about such disclosures to the ACA setting out such information as the ACA requires. The ACA requires the number of disclosures authorised by s289 to be reported on their Section 308 Report form. If telecommunications companies were relying on s289 to disclose their customers' information to a PNDP such as Sensis, the number of instances of disclosures of a customer's information would be millions. However, the ACA's Telecommunications Performance Report 2002-03 states in Chapter 11: National Interest Issues that the total number of disclosures reported as being authorised by s289 in the 2002-03 year was only 3,517. Similarly the number reported as being authorised by s280 (Authorised by or under law) was only 3,109.
Notwithstanding that telecommunications companies apparently do not claim the s289 exception to be applicable, we make the following comments about the relevance of s289.
Generally speaking, customers would be likely to be aware that their information is used (unless they had requested otherwise) to publish the White Pages because that directory is provided to all customers. However, certainly not all customers would be aware that their telecommunications service provider discloses their personal information directly to the publisher (Sensis) or to any other PNDP that claims to publish directories that are not made available to the general public.
Although telecommunications companies may have included information about disclosure of customer information in their Standard Forms of Agreement, these documents are changed without prior notice or provision to customers and have historically been very lengthy and written in a legal document style that is not readily comprehensible. It is highly doubtful that many customers even read such documents. Where telecommunications companies have, in more recent times, made information available in shorter documents phrased in a manner closer to plain English, customers who have read same would be likely to expect that disclosure by their telecommunications service provider directly to Sensis and other PNDPs certainly does not occur.
For example, the Telstra Privacy Collection Statement states (as at 1 May 2004):
"Integrated Public Number Database
Telstra is required by law to maintain an industry-wide database of phone numbers, known as the Integrated Public Number Database (IPND). The IPND is used to publish public number directories, provide directory assistance, operate emergency call services and safeguard national security. The IPND is not used for other purposes. To satisfy its legal obligations, Telstra is required to provide your phone number (as well as other personal information such as your name, address and service location) to the IPND. All other telecommunications carriers are required to do the same." [emphasis added]
Given Telstra's statement that customer information is provided to the IPND which is used to publish public number directories and the IPND is not used for purposes other than as stated above, many Telstra customers would no doubt be surprised to know that Telstra provides their personal information to Sensis who uses it not only to publish a public number directory but also to sell it to unrelated other businesses for data matching and marketing purposes.
Furthermore, the Optus Summary of the Standard Agreement for the supply of the Optus Local Service states:
"(xiv) Optus is required by law to collect certain Personal Information about you, including your name, address, telephone service number and other public number customer details, and to provide it to the operator of the Integrated Public Number Database (IPND) for inclusion in the IPND. Information in the IPND is used to develop directories and to assist emergency service organisations. If your phone number is unlisted, your information will be marked accordingly in the IPND and its use and disclosure will be strictly controlled."
Optus customers who had read the above would expect that the publisher of the White Pages (Sensis) obtains the information from the IPND after Optus provided it to the IPND. They would not be aware of or expect disclosure by Optus to Sensis or other PNDPs.
Moreover, customers concerned about their privacy are reasonably likely to be aware of the restrictions on disclosure and use of information from the IPND (and some certainly are, and have been, aware). Such customers would be unlikely to be aware that their telecommunications service provider discloses it directly to Sensis in a way that allegedly permits Sensis to use and disclose their personal information for purposes unrelated to the provision of their telephone service. (However, in EFA's analysis such use and disclosure by Sensis is caught by the Privacy Act as discussed later herein).
Insofar as it could be argued that all customers would be "reasonably likely to have been aware" of disclosure to Sensis, as the publisher of the White Pages, we note that since 1 May 2000 there had been an ACA registered industry privacy code (C523: Protection of Personal Information of Customers of Telecommunications Providers). The code extended the privacy protections for customer information beyond those in the Act and was enforceable by the ACA. Although the code was deregistered in December 2001, at that time telecommunications companies (and Sensis) became required to comply with private sector amendments to the Privacy Act including the NPPs. We consider that the provisions of the Code and subsequently the NPPs would have given some, and quite possibly many, customers a greater expectation that their personal information would not be disclosed or used for secondary purposes without their consent. In the absence of specific notice from their telecommunications provider, such customers would be even less likely to be aware that their personal information was being disclosed directly to Sensis, let alone in a way that allegedly enables Sensis to use and disclose their personal information for purposes other than production of the White Pages.
In summary, we consider that in potentially many instances disclosure by telecommunications companies directly to Sensis would be in breach of the Telecommunications Act because none of the exceptions would be applicable to the disclosure of the customer's information. Disclosure to other PNDPs would be even more likely to be in breach.
2. Collection by Sensis and other PNDPs
2.1 Collection from the IPND
PNDPs collecting customer information from the IPND are obviously doing so for the primary purpose of s285(i) or (ii) (as quoted above) because disclosure to them by the IPND manager for any other purpose is unlawful. Furthermore, it is a breach of NPP1.2 of the Privacy Act for organisations such as PNDPs to collect personal information by unlawful means.
2.2 Collection directly from Telecommunications Companies
As discussed above, the disclosure of customer information by telecommunications companies directly to Sensis or other PNDPs appears to be unlawful in the absence of the customer's knowledge or consent because the Telecommunications Act does not require or authorise telecommunications companies to provide customer information to Telstra to enable it to comply with Clause 9 of its licence (alphabetical public number directory), only to comply with Clause 10 (integrated public number database).
However, irrespective of whether the disclosure in the first place is permitted by law, telecommunications companies who disclose customer information to Sensis are apparently doing so for the purpose of enabling Telstra to comply with Clause 9 of its carrier licence regarding publication of a public number directory. Therefore, Sensis is obviously collecting the information for the primary purpose of enabling Telstra to comply with its licence condition. (If Sensis claims to be collecting the information for some other primary purpose, then disclosure to Sensis is even less likely to be arguably lawful).
3. Use and disclosure by Sensis and other PNDPs
3.1 Secondary use and disclosure by Sensis
It appears that Sensis is a telecommunications contractor as defined in s274 of Part 13 of the Telecommunications Act and is therefore required to comply with Part 13 in relation to the protection of customer information it obtains in the performance of services for or on behalf of Telstra. We consider Sensis would, in many instances, be unable to meet the evidential burden (s295) of adducing or pointing to evidence that a particular customer of a telecommunications company was made aware (s289) that Sensis uses and discloses their personal information for purposes other than those directly related to publication of the White Pages.
Furthermore, in the absence of legislative authorisation to disclose and use customer information for secondary purposes, Sensis is required to comply with the Privacy Act.
NPP 2.1(a) prohibits disclosure or use for a secondary purpose that is not related to the primary purpose of collection. Very few purposes are related to the primary purpose of collection by Sensis of enabling Telstra to comply with its licence condition. An example of a related purpose would be printing the White Pages, which allows Sensis to disclose customer data to the printing company. However, use or disclosure of customer information by Sensis in relation to the database enhancement and marketing related products and services it sells is certainly not a purpose related to the primary purpose of collection of enabling Telstra to comply with Clause 9 of its licence. Therefore NPP 2.1(a) prohibits such use or disclosure by Sensis unless the customer has consented to the use or disclosure (NPP 2.1(b)).
3.2 Secondary use and disclosure by PNDPs
Use and disclosure of customer information by PNDPs for purposes other than the primary purpose of collection (provision of public number directories) is regulated by the Privacy Act as discussed below.
4. Privacy Act 1988
In relation to PNDPs who collect customer information directly from a telecommunications company for the purpose of providing public number directory services, we note that the case study on pages 23-25 of the consultation paper states that in the absence of more specific legislation both organisations will be subject to the NPPs. The case study states, among other things, that a telecommunications company is obligated to ensure that disclosure to a PNDP is lawful under NPP2 and contends "it is likely that this may be achieved under:
NPP 2.1(a), with public number directory services considered as a related purpose (to the telecommunications company's primary purpose of providing a telephone service to the customer). There is a need also to ensure that this disclosure is within customers' reasonable expectations, including by, giving appropriate notice (under NPP 1.3 and related steps)."
and
"If a proposed secondary purpose is not related to the primary purpose consent is required unless another exception applies. If the secondary purpose is related but individuals would not expect their data to be used or disclosed for that purpose and unless an exception applies, the consent of the individual must be obtained or the expectations of the affected individual must be raised."
We believe the above is an incorrect interpretation of the NPPs to the extent that it states or implies that merely giving notice under NPP 1.3 would ensure the disclosure is within a customer's reasonable expectations and hence enable reliance on NPP2.1(a) when disclosing or using the customer's information.
Provision of information in accord with NPP 1.3 about the purpose of collection of a customer's personal information does not of itself enable the information to be disclosed or used for secondary purposes, whether related or not.
NPP 2.1 prohibits disclosure or use for a purpose that is not related to the primary purpose of collection unless the individual has consented to the use or disclosure (or it is otherwise required or authorised by or under law). Therefore telecommunications companies that disclose their customers' personal information without consent to PNDPs for purposes unrelated to the provision of the telecommunications service would be in breach of the Privacy Act (except in the generally unlikely event that one of the limited exceptions in NPP2 applied in a particular instance).
NPP 2.1 also prohibits disclosure or use for a secondary purpose that is related to the primary purpose of collection except in limited specified circumstances. Generally the only circumstance that would permit disclosure to a PNDP is when "the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose" (NPP 2.1(a)(ii)).
As pointed out by the Office of the Federal Privacy Commissioner in May 2001:
"Expectation is more than awareness. Telling an individual in NPP 1.3 information or by some other method about the proposed secondary use or disclosure is not necessarily enough to create a reasonable expectation although it may help."
and
"In applying NPP 2.1(a) the Commissioner suggests that it may help an organisation if it considers whether a reasonable individual in the circumstances, if asked, would have agreed to the proposed use or disclosure."
(Extracts from Consultation document on the Draft National Privacy Principle Guidelines issued by the Office of the Federal Privacy Commissioner, 7 May 2001)
Providing an individual with NPP 1.3 information about secondary use or disclosure is not sufficient to enable reliance on NPP 2.1(a) because the aim of NPP 1.3 is to ensure that individuals are able to make a fully informed decision about whether or not they will provide their personal information in the first place. Moreover, with regard to customer information previously collected, if merely giving notice under NPP1.3 was interpreted as a means by which an organisation could change what an individual would reasonably expect, then the protections intended to be afforded by NPP2.1(a)(ii) would not exist. Organisations could simply tell customers they intend to start disclosing information for purposes that the customer did not expect and does not want to occur and the customer would have no control over such previously unexpected secondary disclosure and use of their personal information. This would be contrary to the intent of NPP1 and we believe in breach of NPP 2.
In our view it is made clear in the Explanatory Memorandum ("EM") to the Privacy Amendment (Private Sector) Act 2000 that an organisation cannot rely on NPP2.1(a) unless the individual's expectation existed before their personal information was collected. Giving notice of a secondary purpose later does not enable reliance on NPP2.1(a); the organisation would have to obtain the individual's consent. In this regard the EM states:
"NPP 2 sets out the general rule that personal information must only be used or disclosed for the primary purpose for which it was collected. Use and disclosure for a purpose other than the primary purpose (a secondary purpose) is only allowed in the circumstances listed in NPP 2. In establishing whether use or disclosure for a secondary purpose is permitted under this principle, it would be appropriate to refer back to the purposes identified under NPP 1.3 or 1.5. [emphasis added]
...
NPP 2.1(a) allows information to be used or disclosed for a secondary purpose where the secondary purpose is related to the primary purpose of collection (although where the information is sensitive information it must be directly related to the primary purpose of collection) and the individual would reasonably expect the organisation to use or disclose the information for that secondary purpose. To be 'related', the secondary purpose must be something that arises in the context of the primary purpose. For example, a business that collects personal information about its clients may use that information to notify its clients of its change of business address.
...
The 'reasonable expectations' test would be applied from the point of view of the person in the street, that is, an organisation should be able to use or disclose personal information in ways in which a person with no special knowledge of the industry or activity involved, would expect. For example, if a person has several different types of contact with one bank, he or she could expect the information about themselves to be shared within that bank. If the banking group also ran a health insurance business, the individual would not expect their health claims record to be matched with banking information."
It should also be noted that PNDPs have obligations under NPP 1.5 when they collect customer information from a telecommunications company. The following is an extract from the Explanatory Memorandum to the Privacy Amendment (Private Sector) Act 2000 (with the terms 'organisation A' and 'organisation B' replaced with 'telecommunications company' and 'PNDP' respectively):
"NPP 1.5 is relevant where it is not reasonable and practicable for the organisation to collect personal information directly from the individual concerned and an organisation collects personal information from a third party. In such circumstances, the organisation must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in NPP 1.3. For example, if a telecommunications company collected information from an individual, and the telecommunications company usually discloses that type of information to a PNDP, then, at the very minimum, the telecommunications company would be required to tell the individual that it usually discloses the information to the PNDP (this is required under NPP 1.3(d)). Before the PNDP could collect the information, it would need to be satisfied that the individual was aware of the other matters listed in NPP 1.3 as they pertain to the PNDP [which include the purposes for which the information is collected by the PNDP and the organisations (or the types of organisations) to which the PNDP usually discloses information of that kind]. If the telecommunications company has given these details to the individual, then the PNDP does not have to do any notifying itself. If the telecommunications company has not notified the individual of the matters listed in NPP 1.3 as they relate to the PNDP, then the PNDP will need to notify the individual of these matters (where relevant) itself." (emphasis in original)
Appendix 2 - References
Telstra Carrier Licence Conditions
Privacy Act 1988 including National Privacy Principles
Privacy Amendment (Private Sector) Act 2000, Explanatory Memorandum
Australian Communications Authority, Telecommunications Performance Report 2002-03
AUSTEL Privacy Report, 1992
Office of the Federal Privacy Commissioner, Consultation document on the Draft National Privacy Principle Guidelines, May 2001.
Office of the Federal Privacy Commissioner, Media Release: Telstra Database Mistake, 12 August 2002
"Telstra's publishing of the silent numbers of some of their customers is a serious privacy issue, particularly for those people who have requested a silent number for security reasons."
Australia Post, National Change of Address File and MovePost Terms and Conditions
Baycorp Advantage Ltd, Electronic White Pages services
FCS Online Privacy Statement, (accessed 6 May 2004)
Pacific Micromarketing, What is Australiandata-online, April 2003 (accessed 6 May 2004)
Paradigm.One Pty Ltd, Paradigm.One launch IPND bureau service, Media Release, 1 March 2004
Telstra/Sensis, Electronic White Pages® service
The Institute of Mercantile Agents, The Agent Online, November 2003