	Home \| Databases \| WorldLII \| Search \| Feedback Privacy Law Resources

Home | Databases | WorldLII | Search | Feedback

Privacy Law Resources

You are here: WorldLII >> Databases >> Privacy Law Resources >> 2001 >> [2001] PrivLRes 4

Raiche, Holly --- "Telecommunication Privacy - The Interaction of the Privacy and Telecommunication regulatory systems" [2001] PrivLRes 4; [2001] CyberLRes 10 (14 March 2001)

	[Home] [Databases] [Search] [Feedback] [Help]

You are here: WorldLII >> WorldLII Databases >> PrivLRes >> 2001 >> [2001] PrivLRes 4

[Global Search] [PrivLRes Search] [Help]

'Telecommunication Privacy - The Interaction of the Privacy and Telecommunication regulatory systems' ([2001] CyberLRes 10) - [2001] PrivLRes 4

Raiche (2001)

TELECOMMUNICATIONS PRIVACY - THE INTERACTION OF THE PRIVACY AND TELECOMMUNICATIONS REGULATORY SYSTEMS

by
HOLLY RAICHE

Presented at
The New Australian Privacy Landscape
Continuing Legal Education Seminar
Wednesday 14 March 2001

The three Issues which I will address in this paper are:

Privacy Protection under telecommunications legislation
Privacy protection under the recently amended Privacy Act
Whether and/or how the two sets of privacy protections fit - or not.

1. PERSONAL INFORMATION WHICH IS PROTECTED UNDER TELECOMMUNICATIONS LEGISLATION

Content -

Telecommunications content issues which raise privacy concerns are generally considered to concern the protection of conversations between individuals. Increasingly, however, content issues also include data communication such as emails and whether the inter-personal exchange of data is covered by telecommunications legislation

Carriage -

Telecommunications carriage is also a privacy issue because carriers and carriage service providers necessarily collect personal information about individuals. That information includes:

personal details held by carriers/carriage service providers - name/service address/telephone and other numbers, etc
calling information - the calling and called number called, the time, duration etc

Both sorts of personal information must be passed between service providers in a competitive telecommunications environment. Indeed, under Part 13 of the Telecommunications Act 1997, there is a specific exemption from the prohibitions for exchange of information between carriers and carriage service providers for a purpose connected with the carrier/CSP carrying on business as a carrier or CSP.^[1]

1.1 Privacy Regulation of Content: Interception Legislation

The protection of content is covered by two different pieces of telecommunications legislation:

Telecommunications (Interception) Act 1979 and related state legislation on listening devices
Part 13. Telecommunications Act 1997,

The Telecommunications (Interception) Act 1979 and related state legislation on listening devices provides the prohibition on listening to or recording of a communication passing over a telecommunications system without the knowledge of the person making the communication.^[2] There are, however, some significant gaps in that protection.

Those gaps include

whether the prohibition against interception without the knowledge of the person making the communication covers only third parties to the conversation or also requires that both parties to the communication know that listening to or recording of the conversation is taking place;^[3] and
what is meant by a communication passing over a telecommunications system ^[4]

There is open question as to whether the National Privacy Principles^[5] can also be used to protect the privacy of inter-personal communications passing over a telecommunications system. For example, would the listening to or recording of personal communications be protected by the Collection Principle.^[6]

For the purposes of this paper, however, I will concentrate on the protections provided under the Telecommunications Act 1997 for both content and carriage issues.

1.2 Part 13, Telecommunications Act 1997

The primary prohibition on the disclosure of both content and carriage information is contained in Part 13 of the Telecommunications Act 1997.

Specifically, section 276 prohibits:

the use or disclosure of the information (which includes the contents or substance of a communication that has been carried; and the personal particulars of any person)
by a Carrier/CSP, their employees, former employees, contractors
of information which came into the person s knowledge or possession in their capacity as a carrier/CSP etc

Exemptions to the prohibition include use or disclosure of information for law enforcement purposes, the protection of public revenue, assistance to the regulators, emergency services purposes, provision of information to the IPND or the business needs of that or other carriers of carriage service providers,^[7]

Disclosures under Part 13 are, however, monitored by the Privacy Commissioner, who may report to the Minister on such disclosures.^[8] and a breach of Part 13 would be a criminal offence and would attract criminal sanctions.

1.3 Telecommunications Privacy Codes and Supporting Regulatory Structures

Apart from provisions of the Telecommunications Act itself, there are additional privacy protections under industry codes developed under the Act and the surrounding telecommunications regulatory structure.

Part 6 of the Telecommunications Act 1997 provides for industry to develop codes of practice. The industry codes to date have been developed by the telecommunications industry body, the Australian Communications Industry Forum (ACIF).

ACIF

ACIF is a telecommunications industry forum established and funded by the industry that develops Codes and Standards on a variety of telecommunications issues including customer equipment, cabling, radiocommunications, network, and inter industry operational issues.

ACIF Codes Dealing with privacy issues include:

Protection of Personal Information of Customers of Telecommunications Providers (called the Customer Personal Information, or CPI Code)
Calling Number Display
Integrated Public Number Database
Other network and operational codes

The main provisions of the CPI Code are based on the National Privacy Principles, as included in the recent amendments to the Privacy Act, and the CPI Code applies to all telecommunications carriers and carriage service providers.^[9]

Enforcement of ACIF Codes is, at an individual complaints level, through the Telecommunications Industry Ombudsman (TIO), with the regulator, the Australian Communications Authority (ACA), also having powers in relation to the enforcement of industry codes.

Telecommunications Industry Ombudsman (TIO)

The TIO is established under Part 6 of the Telecommunications (Consumer Protection and Service Standards) Act 1999. All eligible carriage service providers (which supply a standard telephone service, a mobile service or a service that enables end users to access the internet) must join and comply with the TIO scheme.^[10] The TIO has general jurisdiction to handle complaints, including complaints about privacy under provisions of the Constitution of the TIO^[11].

If industry Codes are registered by the ACA, the TIO treats the Code provisions as industry standards against which the behaviour of the industry member is measured, and reports on all Code breaches to both ACIF and the ACA

Under the TIO corporate documentation, the TIO can, after investigating a complaint, make binding decisions on all TIO members for payment of up to $10,000, and/or orders for the carrier or carriage service provider to do or refrain from doing an act.^[12]

The Australian Communications Authority (ACA)

The ACA has the power to register codes covering sections of the industry engaged in telecommunications activities.^[13] Once a Code is registered, the ACA can enforce Code provisions against all those subject to the Code, whether or not they have signed the Code.

ACA enforcement can be either through Formal Warnings or Directions for compliance with Codes, and ACA Directions can be enforced through court proceedings.^[14]

If the ACA is satisfied that a registered Code is deficient (ie, does not provide appropriate community safeguards or is not otherwise operating to regulate adequately participants in the relevant section (s) of the industry) it can determine an industry standard on the matter.^[15] Once the ACA has determined an industry standard, compliance with that standard is required under the Act and a breach can be brought before the Federal Court.^[16]

The ACA is also required to report to the Minister and publish annual reports on carrier and carriage service provider compliance with codes and standards.^[17]

2. PRIVACY AMENDMENT (PRIVATE SECTOR) AMENDMENT ACT 2000: RELEVANT PROVISIONS

2.1 Privacy Prohibition - With/Without Approved Code

The amended Privacy Act will apply to private sector organisations (with some exceptions) and will ensure the National Privacy Principles - contained in Schedule 3 of the Act- apply to telecommunications through the new prohibitions under Section 16A of the Act.

The new amendments require that organisations do not do an act or engage in a practice that breaches an approved privacy Code that binds the organisation.^[18] To the extent that an organisation is not bound by an approved code, an organisation will be required not to do an act or engage in a practice that breaches the National Privacy Principles.^[19]

Given the requirement that an approved code either incorporates all the National Privacy Principles or sets out obligations which are at least the equivalent of the National Privacy Principles, the effect is that the private sector will be bound by the National Privacy Principles, or their equivalent.

2.2 What is a privacy code: -

The first requirement for a Code to be an approved code is that it be a privacy code. Under the Act, a privacy code is defined as a written code regulating acts and practices that affect privacy.^[20] In the telecommunications arena, that definition would cover a range of ACIF codes, including the Calling Number Display and Integrated Public Number Database Codes, codes on the Handling of Life Threatening or Unwelcome Calls as well as other operations and network codes

2.3 What is An Approved Code

Under the Act, the Privacy Commissioner must be satisfied about a range of matters before approving a Code. (see Appendix A)

The most important requirement is clearly that the Code either incorporates all of the National Privacy Principles or at least their equivalent.

If the Code contains a complaints handling mechanism, there are additional criteria which must be satisfied including:

meeting set standards for a complaints mechanism
provision for an independent adjudicator, and the powers he or she can exercise
obligations on the organisations bound by the Code to comply with an adjudicator s orders (including redress for loss or damage suffered by the complainant
quite specific reporting requirements on the adjudicator^[21]

2.4 Consequences of approval of a Code by the Privacy Commissioner:

If there is a complaints mechanism in the Code, then the complaint about an interference with privacy^[22] is handled under the complaints mechanism provided by the Code rather than by the Privacy Commissioner and the Commissioner cannot handle that complaint.^[23]) Otherwise, the Privacy Commissioner may handle the complaint, whether or not the organisation the subject of the complaint is bound by a code which is not an approved code.

There is also provision for the Privacy Commissioner to handle complaints if they are referred to the Commissioner by the independent adjudicator.^[24]

3. INTERACTION OF TELECOMMUNICATIONS LEGISLATION AND THE PRIVACY LEGISLATION

3.1 Part 13 of the Telecommunications Act 1997 and the Privacy Act 1988

Coverage of the National Privacy Principles in the Privacy legislation is broader than Part 13 of the Telecommunications Act. The privacy legislation goes beyond the use and disclosure provisions of Part 13, to other privacy issues covered by the NPPs such as data quality and security, access, anonymity, etc. The Privacy legislation will also provide an accessible complaints mechanism (the Privacy Commissioner s office) for the public which is not now available under Part 13, as a breach of the Telecommunications Act is a criminal offence.

3.2. Interaction of Telecommunications Codes and the Privacy Legislation

Under the privacy legislation, to be an approved code, the Code must either incorporate the NPPs or provide equivalent obligations to the Principles. Therefore, only the CPI Code could be considered for approval.

In one sense, that is not an issue. The CPI Code will be enforceable against all carriers and carriage service providers and therefore any interference with an individual s privacy will be determined in accordance with the NPPs. If therefore the CPI Code becomes an approved Code, while an individual will not be able to have their complaint handled by the Privacy Commissioner, their complaint will be dealt with in accordance with the NPPs and by an adjudicator with similar powers to those of the Commissioner.

However, some of what would be considered telecommunications privacy codes (eg, the CND Code or the IPND Code) have far more detailed provisions for privacy protection in the context of the issues the Codes are dealing with. Yet because those codes cannot be privacy codes, an individual will still be able to take their complaint about breaches of those codes either to the industry regulatory structures or to the privacy commissioner.

3.3 Options for the Telecommunications Industry

Seek Approval of the CPI Code and Surrounding regulatory structure

Consequence of Approval of CPI Code: All complaints on a breach of the CPI code would be handled only through the current regulatory structure unless the adjudicator, under the approved complaints scheme, has referred the complaint to the Privacy Commissioner and the Commissioner has consented to handle the complaint. For all other alleged interferences with privacy a complainant could use the current telecommunications regulatory structure or complain directly to the Privacy Commissioner. The issue is the handling of interferences with privacy that fall outside of the NPPs.

Approval of the CPI Code without surrounding structure (ie, not submitted as containing a complaints mechanism

Consequence: Complaints for interferences with privacy (ie, a can be handled under the current regulatory structure or the complainant can go to the Privacy Commissioner s office, as would be the case for all Codes which raise privacy issues but are not approved codes.

CPI Code not submitted for approval

Consequence: Complaints can be handled under the current telecommunications regulatory structure or the complainant can go to the Privacy Commissioner s office

3.4 Submission for Approval Or Not

Only the CPI Code could be submitted for approval. The issue would be whether only the CPI Code is submitted - or the surrounding regulatory framework is submitted as the relevant complaints mechanism
If the CPI Code and framework were to be approved, issues arising from it would only be handled by the industry framework ; interferences with privacy falling outside of the NPPs, as contained in the CPI code could still be handled by the Privacy Commissioner.
If the Code were to be approved WITHOUT surrounding regulatory structure, complainants could continue with the current regulatory structure - or go directly to the Privacy Commissioner for all privacy issues
Since the CPI Code has been registered with the ACA, another issue is what would happen to that registration. The Privacy amendments have also amended the Telecommunications Act, allowing the ACA to deregister an industry Code.^[25] If the Code is deregistered, the enforcement powers of the ACA would lapse. The ACA s powers to give formal warnings and directions or issue standards are dependent on a Code being registered. So while the TIO could still enforce individual findings, the back up powers of the ACA would lapse.

^[1] Section 291, Telecommunications Act 1997.
^[2] Sections 6 and 7 Telecommunications (Interception) Act 1979.
^[3] See, for example, Duncan v The Queen (1991) 5 WAR 249, T. v Medical Board of South Australia (1992) 58 SASR 382, Carbone and anor v National Crime Authority (1994) 52 FCR 516 and Green v R (1995) 135 ALR 181 for differing views on this issue.
^[4] See Miller v Miller [1978] HCA 44; (1978) 141 CLR 269.
^[5] Contained in Schedule 3, Privacy Act 1988.
^[6] Clause 1, Schedule 3, Privacy Act 1988.
^[7] Sections 277-297 Telecommunications Act 1997.
^[8] Section 309. Telecommunications Act 1997.
^[9] All published ACIF codes are available on the ACIF website www.acif.org.au. The CPI Code is ACIF C523:1999, the CND Code is ACIF C522:2000, and the IPND Code is ACIF C555:2000.
^[10]Sections 128 and 132 Telecommunications (Consumer Protection and Service Standards) Act 1999.
^[11] Clause 4.1, Constitution, Telecommunications Industry Ombudsman.
^[12] Clause 6, Constitution, Telecommunications Industry Ombudsman.
^[13] Section 117 Telecommunications Act 1997.
^[14] Sections 121-122 and 570 Telecommunications Act 1997.
^[15] Section 125 Telecommunications Act 1997.
^[16] Section 128 Telecommunications Act 1997.
^[17] Section 105 Telecommunications Act 1997.
^[18] Section 16A(1) Privacy Act 1988.
^[19] Section 16A(2) Privacy Act 1988.
^[20] Section 6(1) Privacy Act 1988.
^[21] For a complete list of the matters about which the Privacy Commissioner must be satisfied under section 18BB, Privacy Act 1988, see Appendix A.
^[22] Interference with privacy is defined in Section 13A of the Privacy Act 1988 to mean, generally, an act or practices in relation to personal information that relates to the individual which either breaches the NPPs or an approved code which binds the organisation.
^[23] Section 36(1a) Privacy Act 1988.
^[24] Section 36(1B) Privacy Act 1988.
^[25] A new section 122A Telecommunications Act 1997.

WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.worldlii.org/int/other/PrivLRes/2001/4.html