Raiche, Holly --- "Telecommunication Privacy - The Interaction of the Privacy and Telecommunication regulatory systems" [2001] PrivLRes 4; [2001] CyberLRes 10 (14 March 2001)
TELECOMMUNICATIONS PRIVACY - THE INTERACTION OF THE PRIVACY AND TELECOMMUNICATIONS REGULATORY SYSTEMS
by
HOLLY RAICHE
Presented at
The New Australian Privacy Landscape
Continuing Legal Education Seminar
Wednesday 14 March 2001
The three issues which I will address in this paper are:
- Privacy protection under telecommunications legislation
- Privacy protection under the recently amended Privacy Act
- Whether and/or how the two sets of privacy protections fit - or not.
1. PERSONAL INFORMATION WHICH IS PROTECTED UNDER TELECOMMUNICATIONS LEGISLATION
Telecommunications content issues which raise privacy concerns are generally considered to concern the protection of conversations between individuals. Increasingly, however, content issues also include data communication such as emails and whether the inter-personal exchange of data is covered by telecommunications legislation.
Telecommunications carriage is also a privacy issue because carriers and carriage service providers necessarily collect personal information about individuals. That information includes:
- personal details held by carriers/carriage service providers - name/service address/telephone and other numbers, etc
- calling information - the calling and called number, the time, duration etc
Both sorts of personal information must be passed between service providers in a competitive telecommunications environment. Indeed, under Part 13 of the Telecommunications Act 1997, there is a specific exemption from the prohibitions for exchange of information between carriers and carriage service providers for a purpose connected with the carrier/CSP carrying on business as a carrier or CSP.[1]
1.1 Privacy Regulation of Content: Interception Legislation
The protection of content is covered by two different pieces of telecommunications legislation:
The Telecommunications (Interception) Act 1979 and related state legislation on listening devices provide the prohibition on listening to or recording of a communication passing over a telecommunications system without the knowledge of the person making the communication.[2]
There are, however, some significant gaps in that protection. Those gaps include:
- whether the prohibition against interception without the knowledge of the person making the communication covers only third parties to the conversation or also requires that both parties to the communication know that listening to or recording of the conversation is taking place;[3] and
- what is meant by a communication passing over a telecommunications system.[4]
There is an open question as to whether the National Privacy Principles[5] can also be used to protect the privacy of inter-personal communications passing over a telecommunications system. For example, would the listening to or recording of personal communications be protected by the Collection Principle?[6]
For the purposes of this paper, however, I will concentrate on the protections provided under the Telecommunications Act 1997 for both content and carriage issues.
1.2 Part 13, Telecommunications Act 1997
The primary prohibition on the disclosure of both content and carriage information is contained in Part 13 of the Telecommunications Act 1997.
Specifically, section 276 prohibits:
- the use or disclosure of the information (which includes the contents or substance of a communication that has been carried; and the personal particulars of any person)
- by a Carrier/CSP, their employees, former employees, contractors
- of information which came into the person's knowledge or possession in their capacity as a carrier/CSP etc
Exemptions to the prohibition include use or disclosure of information for law enforcement purposes, the protection of public revenue, assistance to the regulators, emergency services purposes, provision of information to the IPND or the business needs of that or other carriers or carriage service providers.[7]
Disclosures under Part 13 are, however, monitored by the Privacy Commissioner, who may report to the Minister on such disclosures,[8] and a breach of Part 13 would be a criminal offence and would attract criminal sanctions.
1.3 Telecommunications Privacy Codes and Supporting Regulatory Structures
Apart from provisions of the Telecommunications Act itself, there are additional privacy protections under industry codes developed under the Act and the surrounding telecommunications regulatory structure.
Part 6 of the Telecommunications Act 1997 provides for industry to develop codes of practice. The industry codes to date have been developed by the telecommunications industry body, the Australian Communications Industry Forum (ACIF).
ACIF is a telecommunications industry forum established and funded by the industry that develops Codes and Standards on a variety of telecommunications issues including customer equipment, cabling, radiocommunications, network, and inter industry operational issues.
ACIF Codes dealing with privacy issues include:
- Protection of Personal Information of Customers of Telecommunications Providers (called the Customer Personal Information, or CPI Code)
- Calling Number Display
- Integrated Public Number Database
- Other network and operational codes
The main provisions of the CPI Code are based on the National Privacy Principles, as included in the recent amendments to the Privacy Act, and the CPI Code applies to all telecommunications carriers and carriage service providers.[9]
Enforcement of ACIF Codes is, at an individual complaints level, through the Telecommunications Industry Ombudsman (TIO), with the regulator, the Australian Communications Authority (ACA), also having powers in relation to the enforcement of industry codes.
- Telecommunications Industry Ombudsman (TIO)
The TIO is established under Part 6 of the Telecommunications (Consumer Protection and Service Standards) Act 1999. All eligible carriage service providers (which supply a standard telephone service, a mobile service or a service that enables end users to access the internet) must join and comply with the TIO scheme.[10] The TIO has general jurisdiction to handle complaints, including complaints about privacy under provisions of the Constitution of the TIO.[11]
If industry Codes are registered by the ACA, the TIO treats the Code provisions as industry standards against which the behaviour of the industry member is measured, and reports on all Code breaches to both ACIF and the ACA.
Under the TIO corporate documentation, the TIO can, after investigating a complaint, make binding decisions on all TIO members for payment of up to $10,000, and/or orders for the carrier or carriage service provider to do or refrain from doing an act.[12]
- The Australian Communications Authority (ACA)
The ACA has the power to register codes covering sections of the industry engaged in telecommunications activities.[13] Once a Code is registered, the ACA can enforce Code provisions against all those subject to the Code, whether or not they have signed the Code.
ACA enforcement can be either through Formal Warnings or Directions for compliance with Codes, and ACA Directions can be enforced through court proceedings.[14]
If the ACA is satisfied that a registered Code is deficient (ie, does not provide appropriate community safeguards or is not otherwise operating to regulate adequately participants in the relevant section(s) of the industry) it can determine an industry standard on the matter.[15] Once the ACA has determined an industry standard, compliance with that standard is required under the Act and a breach can be brought before the Federal Court.[16]
The ACA is also required to report to the Minister and publish annual reports on carrier and carriage service provider compliance with codes and standards.[17]
2. PRIVACY AMENDMENT (PRIVATE SECTOR) AMENDMENT ACT 2000: RELEVANT PROVISIONS
2.1 Privacy Prohibition - With/Without Approved Code
The amended Privacy Act will apply to private sector organisations (with some exceptions) and will ensure the National Privacy Principles - contained in Schedule 3 of the Act - apply to telecommunications through the new prohibitions under Section 16A of the Act.
The new amendments require that organisations do not do an act or engage in a practice that breaches an approved privacy Code that binds the organisation.[18] To the extent that an organisation is not bound by an approved code, an organisation will be required not to do an act or engage in a practice that breaches the National Privacy Principles.[19]
Given the requirement that an approved code either incorporates all the National Privacy Principles or sets out obligations which are at least the equivalent of the National Privacy Principles, the effect is that the private sector will be bound by the National Privacy Principles, or their equivalent.
2.2 What is a privacy code
The first requirement for a Code to be an approved code is that it be a privacy code. Under the Act, a privacy code is defined as a written code regulating acts and practices that affect privacy.[20] In the telecommunications arena, that definition would cover a range of ACIF codes, including the Calling Number Display and Integrated Public Number Database Codes, codes on the Handling of Life Threatening or Unwelcome Calls as well as other operations and network codes.
2.3 What is An Approved Code
Under the Act, the Privacy Commissioner must be satisfied about a range of matters before approving a Code (see Appendix A).
The most important requirement is clearly that the Code either incorporates all of the National Privacy Principles or at least their equivalent.
If the Code contains a complaints handling mechanism, there are additional criteria which must be satisfied including:
- meeting set standards for a complaints mechanism
- provision for an independent adjudicator, and the powers he or she can exercise
- obligations on the organisations bound by the Code to comply with an adjudicator's orders (including redress for loss or damage suffered by the complainant)
- quite specific reporting requirements on the adjudicator[21]
2.4 Consequences of approval of a Code by the Privacy Commissioner:
If there is a complaints mechanism in the Code, then the complaint about an interference with privacy[22] is handled under the complaints mechanism provided by the Code rather than by the Privacy Commissioner and the Commissioner cannot handle that complaint.[23] Otherwise, the Privacy Commissioner may handle the complaint, whether or not the organisation the subject of the complaint is bound by a code which is not an approved code.
There is also provision for the Privacy Commissioner to handle complaints if they are referred to the Commissioner by the independent adjudicator.[24]
3. INTERACTION OF TELECOMMUNICATIONS LEGISLATION AND THE PRIVACY LEGISLATION
3.1 Part 13 of the Telecommunications Act 1997 and the Privacy Act 1988
Coverage of the National Privacy Principles in the Privacy legislation is broader than Part 13 of the Telecommunications Act. The privacy legislation goes beyond the use and disclosure provisions of Part 13, to other privacy issues covered by the NPPs such as data quality and security, access, anonymity, etc. The Privacy legislation will also provide an accessible complaints mechanism (the Privacy Commissioner's office) for the public which is not now available under Part 13, as a breach of the Telecommunications Act is a criminal offence.
3.2 Interaction of Telecommunications Codes and the Privacy Legislation
Under the privacy legislation, to be an approved code, the Code must either incorporate the NPPs or provide equivalent obligations to the Principles. Therefore, only the CPI Code could be considered for approval.
In one sense, that is not an issue. The CPI Code will be enforceable against all carriers and carriage service providers and therefore any interference with an individual's privacy will be determined in accordance with the NPPs. If therefore the CPI Code becomes an approved Code, while an individual will not be able to have their complaint handled by the Privacy Commissioner, their complaint will be dealt with in accordance with the NPPs and by an adjudicator with similar powers to those of the Commissioner.
However, some of what would be considered telecommunications privacy codes (eg, the CND Code or the IPND Code) have far more detailed provisions for privacy protection in the context of the issues the Codes are dealing with. Yet because those codes cannot be privacy codes, an individual will still be able to take their complaint about breaches of those codes either to the industry regulatory structures or to the Privacy Commissioner.
3.3 Options for the Telecommunications Industry
- Seek Approval of the CPI Code and Surrounding regulatory structure
Consequence of Approval of CPI Code: All complaints on a breach of the CPI code would be handled only through the current regulatory structure unless the adjudicator, under the approved complaints scheme, has referred the complaint to the Privacy Commissioner and the Commissioner has consented to handle the complaint. For all other alleged interferences with privacy a complainant could use the current telecommunications regulatory structure or complain directly to the Privacy Commissioner. The issue is the handling of interferences with privacy that fall outside of the NPPs.
- Approval of the CPI Code without surrounding structure (ie, not submitted as containing a complaints mechanism)
Consequence: Complaints for interferences with privacy (ie, a can be handled under the current regulatory structure or the complainant can go to the Privacy Commissioner's office, as would be the case for all Codes which raise privacy issues but are not approved codes.
- CPI Code not submitted for approval
Consequence: Complaints can be handled under the current telecommunications regulatory structure or the complainant can go to the Privacy Commissioner's office.
3.4 Submission for Approval Or Not
- Only the CPI Code could be submitted for approval. The issue would be whether only the CPI Code is submitted - or the surrounding regulatory framework is submitted as the relevant complaints mechanism.
- If the CPI Code and framework were to be approved, issues arising from it would only be handled by the industry framework; interferences with privacy falling outside of the NPPs, as contained in the CPI code, could still be handled by the Privacy Commissioner.
- If the Code were to be approved WITHOUT surrounding regulatory structure, complainants could continue with the current regulatory structure - or go directly to the Privacy Commissioner for all privacy issues.
- Since the CPI Code has been registered with the ACA, another issue is what would happen to that registration. The Privacy amendments have also amended the Telecommunications Act, allowing the ACA to deregister an industry Code.[25] If the Code is deregistered, the enforcement powers of the ACA would lapse. The ACA's powers to give formal warnings and directions or issue standards are dependent on a Code being registered. So while the TIO could still enforce individual findings, the back up powers of the ACA would lapse.
[1] Section 291, Telecommunications Act 1997.
[2] Sections 6 and 7 Telecommunications (Interception) Act 1979.
[3] See, for example, Duncan v The Queen (1991) 5 WAR 249, T. v Medical Board of South Australia (1992) 58 SASR 382, Carbone and anor v National Crime Authority (1994) 52 FCR 516 and Green v R (1995) 135 ALR 181 for differing views on this issue.
[4] See Miller v Miller [1978] HCA 44; (1978) 141 CLR 269.
[5] Contained in Schedule 3, Privacy Act 1988.
[6] Clause 1, Schedule 3, Privacy Act 1988.
[7] Sections 277-297 Telecommunications Act 1997.
[8] Section 309, Telecommunications Act 1997.
[9] All published ACIF codes are available on the ACIF website www.acif.org.au. The CPI Code is ACIF C523:1999, the CND Code is ACIF C522:2000, and the IPND Code is ACIF C555:2000.
[10] Sections 128 and 132 Telecommunications (Consumer Protection and Service Standards) Act 1999.
[11] Clause 4.1, Constitution, Telecommunications Industry Ombudsman.
[12] Clause 6, Constitution, Telecommunications Industry Ombudsman.
[13] Section 117 Telecommunications Act 1997.
[14] Sections 121-122 and 570 Telecommunications Act 1997.
[15] Section 125 Telecommunications Act 1997.
[16] Section 128 Telecommunications Act 1997.
[17] Section 105 Telecommunications Act 1997.
[18] Section 16A(1) Privacy Act 1988.
[19] Section 16A(2) Privacy Act 1988.
[20] Section 6(1) Privacy Act 1988.
[21] For a complete list of the matters about which the Privacy Commissioner must be satisfied under section 18BB, Privacy Act 1988, see Appendix A.
[22] Interference with privacy is defined in Section 13A of the Privacy Act 1988 to mean, generally, an act or practice in relation to personal information that relates to the individual which either breaches the NPPs or an approved code which binds the organisation.
[23] Section 36(1a) Privacy Act 1988.
[24] Section 36(1B) Privacy Act 1988.
[25] A new section 122A Telecommunications Act 1997.
URL: http://www.worldlii.org/int/other/PrivLRes/2001/4.html