|Executive summary | Chapter 1 | Chapter 2 |Chapter 3 |Chapter 4 |Chapter 5 |Chapter 6 |Chapter 7 |Chapter 8 |Chapter 9 |Chapter 10 |Chapter 11 |Chapter 12 |Chapter 13|
1. Personal information handled in the telecommunications sector is regulated by a number of legislative instruments and regulatory bodies. These interrelationships need not be problematic in themselves, and indeed, they can enhance privacy protections in the sector where they operate consistently. Nevertheless, there are aspects of privacy regulation in the telecommunications sector which can benefit from review and improvement. The Office's response to Chapter 10 draws particular attention to the following issues:
2. The adequacy and effectiveness of the Telecommunications Act 1997 (Cth) (Telecommunications Act) in protecting personal information will be discussed across a number of areas. Firstly, and most significantly, the Office's response examines Part 13 of the Telecommunications Act, which regulates use and disclosure of personal information obtained when supplying telecommunications services, and requires the recording of certain disclosures. The role of the Telecommunications Industry Ombudsman is also briefly discussed. Secondly, Part 6 of the Telecommunications Act, on industry codes, is examined. Thirdly, the response examines protection of personal information under the Integrated Public Number Database (IPND).
3. As the Office understands it, Part 13 of the Telecommunications Act (Part 13) imposes obligations on 'eligible persons', 'number-database operators' and 'eligible number-database persons'494 to protect information or documents, that relate to persons, from use or disclosure except in specified circumstances. These obligations are enforceable by way of criminal penalties for improper use or disclosure. However, the Office understands that there have been no referrals by ACMA, or prosecutions for breaches of the prohibitions under Part 13 since the Telecommunications Act was enacted.
4. In the Office's view, Part 13 appears to be directed more towards deterrence and punishment than individual remedy. For example, the Office understands that an individual cannot instigate a prosecution for breaches of prohibited uses or disclosures. In addition, where a prosecution is successful, it is understood that the penalty is remitted to the Commonwealth as consolidated revenue. The individual concerned must consider other avenues for a remedy. The Office understands that the jurisdiction of the Telecommunications Industry Ombudsman (discussed below in response to question 10-3495) does not extend to complaints about alleged breaches of the use or disclosure prohibitions or exceptions in Part 13. However, the same facts may give rise to a breach of the NPPs.
5. Unlike Part 13 of the Telecommunications Act, the NPPs do not impose criminal penalties where a breach is found. However, the Privacy Act provides for complaint-handling by the Commissioner, which includes conciliation between the parties and the power to make a determination for loss or damage suffered (under s 52 of the Act). The Privacy Act does not place a monetary limit on the quantum of damages under a settlement or determination. Generally speaking, the NPPs only apply to those telecommunications organisations with an annual turnover of more than $3 million.496
6. The NPPs regulate personal information held in a record.497 This is narrower than Part 13 of the Telecommunications Act, which regulates information or documents. Whether or not the personal information is held in a record, the Office's main concern with the Telecommunications Act relates to the number and extent of the exceptions under Part 13, which allow disclosure of personal information (discussed below).
7. Division 3 of Part 13 provides exceptions which permit the use and disclosure of personal information in specific circumstances. A use or disclosure that is permitted under the Telecommunications Act will not be a breach of the Privacy Act.498
8. The Office is concerned that a number of exceptions in Part 13 permit uses and disclosures of personal information for a broader range of purposes than the NPPs. This can result in diminished protections for personal information in the telecommunications sector.
9. For example, s 291 allows uses and disclosures of personal information of individuals for 'businesses purposes' of other carriers or service providers. There is no equivalent provision in the NPPs or in the credit reporting provisions in Part IIIA of the Privacy Act. In addition, disclosures under s 291 are exempt from record-keeping requirements that apply to most exceptions, as noted below499.
10. Other exceptions under Part 13 (sections 289 and 290) appear to permit additional uses and disclosures in relation to consumer credit. This area is already covered by the Privacy Act's credit reporting provisions (Part IIIA), and the NPPs where applicable. Unlike the NPPs, Part IIIA is highly prescriptive in nature and provide for criminal penalties in the event of a breach. The level of protection provided under Part IIIA reflects the significant consequences for individuals if their consumer credit information is misused.
11. The website of the Australian Communications and Media Authority (ACMA) provides an explanation of sections 289 and 290. It states that:
12. In the Office's view, if applying the interpretation, sections 289 and 290 appear to create two problems.
13. First, these exceptions appear to go beyond what a credit provider is permitted to do under the credit reporting provisions in Part IIIA of the Privacy Act. However, because of s 303B of the Telecommunications Act (noted above), such uses and disclosures are taken to be authorised by law for the purposes of the Privacy Act, when undertaken by telecommunications businesses covered by Part 13.
14. Second, sections 289 and 290 appear to create more permissive conditions for use and disclosure of personal information related to consumer credit for those credit providers that operate in the telecommunications sector, compared to those that operate in other industries.
15. One way that the Telecommunications Act protects personal information and provides accountability in relation to disclosures, is by requiring the recording of certain disclosures, and the reporting of those disclosures to ACMA.501 The reporting requirements do not extend to uses of the information.
16. The Office understands that only one reason need be recorded for the disclosure. The ALRC may wish to consider whether, where there is more than one applicable reason for the disclosure, it would be appropriate for each reason be recorded.
17. Disclosures of information made under the following exceptions to Part 13 must be reported to ACMA annually:
18. The ALRC notes the Privacy Commissioner's role in monitoring compliance with these record-keeping requirements.503 Although no audits have been undertaken in recent years, as part of an enhanced audit and monitoring program over the next few years, the Office will consider monitoring the record-keeping aspects of relevant disclosures.
19. Additional exceptions mean that eligible persons and eligible number-database persons are not required to keep records of disclosures made under the following exceptions:504
20. As a result, information on the number of disclosures made under these sections is not reported to ACMA. In the Office's view, this limits the protections on personal information that Part 13 confers, and highlights the need to revisit the extent of the exceptions under Part 13.
21. Part 13 provides some explicit protections in relation to secondary uses and disclosures. Division 4 of Part 13 provides that if a document or information is disclosed to a person under certain exceptions in Division 3, then that person must not use or disclose the information for any purpose not authorised by the Division (a secondary purpose). Criminal penalties apply for a contravention.505
22. During 2005-06, there were 944,367 disclosures made under Division 3 of Part 13 of the Telecommunications Act as reported to ACMA under s 308.506 This figure represents an increase of 6.6 per cent from 2004-05 (which, as IP 31 notes, was a 26 per cent increase on the previous financial year).507 Significantly, three of the four largest numbers of disclosures reported during 2005-06 related to law enforcement:
23. The 2005 Report of the Review of the Regulation of Access to Communications (the Blunn Report) considered s 282(1) and (2) to be 'anomalous provisions'. Notably, s 282(1) was the provision most relied upon according to the above figures. The Blunn Report found that s 282(1) and (2):
provide for the disclosure or use of information or a document, including content or substance, by an 'eligible person' (apparently to anyone) without any certificate, if the disclosure or use is reasonably necessary for the enforcement of the criminal law or laws imposing a pecuniary penalty or for the protection of the public revenue.512
24. The Blunn report considered those sections 'appear inappropriate and sit oddly' with the requirement elsewhere in s 282, where a certificate must be produced by a requesting agency to warrant the disclosure: 'From a privacy point of view the provisions as presently drafted are not adequate and I recommend that they be reviewed with a view to clarifying the objective and better identifying the process to be followed.'513 The Part 13 exceptions for law enforcement disclosures are discussed further in response to question 10-2).
25. The Office is concerned that there may be inadequate protection of personal information that is handled by small business operators in the telecommunications sector. While Part 13 regulates use and disclosure across the sector, the Privacy Act's NPPs regulate other important aspects of information handling (such as collection, accuracy, security, access and correction). However, the activities of Carrier Service Providers (CSPs) and Internet Service Providers (ISPs) are not regulated by the NPPs if their annual turnover is $3 million or less. Those telecommunications companies are 'small business operators' for the purposes of the Privacy Act, and are therefore not required to comply with these important Privacy Act obligations.514
26. The Office believes that there are certain activities that should be regulated because of the nature of the activity, rather than the size of the organisation. This is already the case for the provision of health services, and trading in personal information.515 The Office believes that CSPs and ISPs fall into this category because of the amount of personal information they hold, and the potential for adverse impacts on individuals if that information is not appropriately protected. This issue is explored further in response to question 5-6 in Chapter 5.
27. The Office's Private Sector Review recommended that the Australian Government should consider enacting regulations under s 6E of the Privacy Act, to ensure that the NPPs apply to small businesses in the telecommunications sector (including CSPs, ISPs and public number directory producers).516 The Office reiterates this view if the small business exemption is retained in the Privacy Act.
28. Certain provisions in Part 6 of the Telecommunications Act (Part 6) are designed to ensure the privacy standards in the telecommunications sector uphold those of the Privacy Act. For example, industry codes and industry standards must not derogate from the provisions of the Privacy Act.517 The Office supports the retention and strengthening of such provisions as outlined below.
29. The relevant provisions in the Telecommunications Act do not clearly define the Privacy Commissioner's powers to comment on whether a Code or Standard derogates from the Privacy Act. In addition, the Telecommunications Act does not appear to directly state that the Commissioner must be satisfied with a code if it deals with privacy.
30. For example, under s 117 of the Telecommunications Act, before registering industry codes, ACMA must be satisfied (among other things), that the Privacy Commissioner has been consulted in two instances:
31. The Office acknowledges the intent of these provisions, but believes they should be strengthened. The Office suggests s 117 should specifically provide for the Privacy Commissioner to state if, in his or her opinion, the proposed code materially 'derogates' from the provisions of the Privacy Act (rather than basing this on a 'belief' of another body).
32. The Office is aware of an occasion where a proposed Code misstated the law or appeared ambiguous. At present, there is no regulatory mechanism that would enable the Privacy Commissioner to ensure that appropriate action is taken to redraft such provisions.
33. The Commissioner's powers, including the possibility of issuing binding codes, are discussed further in response to Chapter 6 in the response to question 6-20.
34. The Integrated Public Number Database (IPND) was previously regulated by Part 13 of the Telecommunications Act and ACIF Code C555:2002 (ACIF Code).519 The Office was concerned that this regulatory framework was not operating effectively or consistently across the industry. It appeared that customer information on the IPND was being used for purposes that were not intended by Part 13, and not related to the authorised publishing of Public Number Directories (PNDs) (uses such as 'data-washing' and 'reverse searching').
35. In May 2005, ACMA released a Draft Industry Standard520 (Draft Standard) which sought to tighten the definitions and controls around the IPND and PNDs. In particular, the standard expressly excluded data users from producing PNDs that would allow reverse search functionality. It also proposed different levels of user access, with Telstra to fulfil the 'gatekeeper' role in relation to granting access permissions.
36. The Office was supportive of the Draft Standard as a starting point for better regulation and control of the IPND.521 The Office understands this draft Standard has been superseded by the Telecommunications Amendment (Integrated Public Number Database) Act 2006 (the IPND Act), which was passed by Parliament on 30 November 2006 and given royal assent on 8 December 2006. The ACIF Code is being reviewed to take into account the provisions of the IPND Act.
37. In the Office's view, the key features of the IPND Act are that:
38. While generally supportive of the intent of the IPND Act, the Office's main concerns with the Act are outlined below.
39. First, the Office is concerned that the proposed exception allowing access to the IPND for research purposes may be interpreted too broadly. Where personal information is legally required to be collected and stored in a large-scale, protected database like the IPND, the Australian community is entitled to expect a very high level of control and accountability over who may access that information, and the purposes for which it may be accessed, used and disclosed.
40. Considering the potentially broad level of access permitted for Category 5 users in the IPND Act, the Office believes that particular terms should be defined in the Act itself, such as what constitutes research in the public interest, and what would be considered 'non-commercial use' in terms of medical research.
41. Second, the Office believes the IPND Act itself should prescribe the minimum controls that authorised users must implement to protect the privacy of personal information in the IPND. As the IPND Act currently stands, the Office understands these requirements will be set out under separate legislative instruments.
42. Third, the IPND Act does not address the issue of directory products which are produced from data sources other than the IPND. For example, the Office understands that under current industry practices, the entity that produces directory products like the White and Yellow Pages (currently Sensis) collects the required information directly from telecommunications companies under bilateral contractual arrangements. As this information is not drawn from the IPND, it appears that the relevant entity does not have to apply to ACMA for an authorisation, or comply with the requirements of the IPND Act (or other applicable legislation) in relation to this information.
43. In its submission to a 2006 Senate Inquiry, the Office made a number of comments on the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act).522 The Office reiterates some of those comments below.
44. Following a 2006 amendment, the TIA Act provides for access (under warrant) to 'stored communications'523 by law enforcement agencies and others (such as agencies responsible for administering a law that imposes a pecuniary penalty, or that relates to the protection of the public revenue).524 As a consequence, for the first time, agencies such as the Australian Customs Service, the Australian Tax Office, the Australian Securities and Investment Commission (and similar state and territory agencies) will be able to apply for warrants under the Interception Act.
45. In the interests of transparency and privacy protection, the Office believes the TIA Act should provide for greater accountability as to when and why public revenue agencies and others can use these significant access powers. For example, the Act could require that details of warrants be included in the Attorney-General's annual report to Parliament.
46. In the Office's view, one of the main ways of protecting privacy is to avoid the unnecessary disclosure or collection of personal information in the first place. However, the nature of stored communications may mean that a larger number of communications are accessible via a stored communications warrant than may be necessary.
47. For example, a carrier's equipment may store an individual's communications to and from a wide variety of others, possibly over several years. In these circumstances, access granted under a stored communications warrant may make many communications available to enforcement agencies that are unrelated to the purpose for which the warrant was approved.
48. In meeting the privacy objects of the TIA Act,525 it is important that communications that are not necessary for the particular investigation at hand be destroyed as soon as practicable. Section 150(1) of the TIA Act requires the destruction, 'forthwith', of information or a record obtained by accessing stored communications, where the chief officer of the relevant agency 'is satisfied that the information or record is not likely to be required for a purpose referred to in subsection 139(2)'.
49. A consequence of s 150(1) may be that, until the chief officer has considered the relevant matters, the agency may lawfully keep the information or record. Without greater specificity, the Office is concerned that in some circumstances it may be lawful for an agency to keep irrelevant information indefinitely.
50. The ALRC may wish to give further consideration to whether the TIA Act should be further amended to ensure that agencies take regular steps to review whether information they have accessed via stored communications warrants is still required for a permitted purpose, for example, by setting a regular period for review.
51. An exposure draft of the TIA Bill was produced in February 2007. The Office understands the main purpose of this Bill is to transfer the national security and law enforcement related provisions from the Telecommunications Act to the TIA Act to complete the development of a single legislative framework for national security and law enforcement agencies to access telecommunications related data.
52. The TIA Bill represents the second stage of the Government's legislative response to the recommendations of the Blunn Report.526 The impacts of the changes proposed by this Bill are currently being assessed.
53. As noted above in relation to Part 13 of the Telecommunications Act,527 the TIA Act does not deal with some important aspects of information handling that are covered by the NPPs (such as collection, accuracy, security, access and correction). This may result in a lack of adequate regulation of those aspects, for organisations that are not bound by the Privacy Act.
54. The Office made a number of recommendations in its submission to the Senate Environment, Communications, Information Technology and the Arts Committee's Inquiry into the provisions of the Do Not Call Register Bill 2006 and the Do Not Call Register (Consequential Amendments) Bill 2006.528 The Office recommended in its Private Sector Review that the Australian Government consider exploring options for establishing a national 'Do Not Contact' register. The Office subsequently made a number of submissions to the Department of Communications, Information Technology and the Arts (DCITA) towards the introduction of the Do Not Call Register (DNCR). The Office strongly supports the introduction of the DNC Register and welcomes the Australian Government taking steps to implement Recommendation 25 of the Private Sector Review.
55. Although the following recommendations were not adopted into the Do Not Call Register Act (DNCR Act), the Office reiterates these recommendations, in the belief that they would enhance the privacy protections of the Do Not Call Register (DNCR):
56. The Office considers that these recommendations align with public expectations, and reinforce the important privacy principles of notice and informed consent, allowing individuals to maintain control over how their personal information is used and disclosed.
57. In the Office's view, increasing the consistency between the Telecommunications Act and the Privacy Act, and clarifying their relationship, would help to ensure adequate privacy protection, reduce complexity for businesses, and assist consumers to understand their rights.
58. As noted in response to question 10-1 above530, the Office is concerned that the exceptions to the Part 13 offences (Division 3), allow the use and disclosure of personal information in a significantly broader range of circumstances than the Privacy Act. This appears to lower the threshold of privacy protection in the telecommunications sector.
59. Examples of Part 13 exceptions which appear more permissive than NPP 2 include allowing use or disclosure where:
60. In relation to disclosures for law enforcement purposes in the telecommunications sector, the Office believes that the current exceptions in the NPPs would generally be appropriate for allowing such disclosures, or could be adapted for those purposes if such disclosures were brought under the Privacy Act.534 The Office also approves of the requirement under s 282 of the Telecommunications Act that law enforcement agencies provide certificates for disclosures, and suggests that this requirement could be strengthened, consistent with the Blunn Report's recommendations (referred to in response to question 10-1).535 Alternatively, if telecommunications disclosures were to be regulated under the Privacy Act, the NPP 2 requirements relating to law enforcement disclosures could be strengthened accordingly.
61. The Office believes consideration should be given to removing the exceptions under Division 3 of Part 13 (while keeping the Part 13 offence provisions), and allowing NPP 2 to regulate use and disclosure under that Part. Provided that no existing privacy protections are diminished, the Office can see merit in such a change.
62. Alternatively, the ALRC may consider whether the exceptions in Part 13 should be amended to ensure that, at a minimum, the exceptions align with the protections against improper use and disclosure under NPP 2.
63. The Office's Private Sector Review also noted the possibility of amending the Telecommunications Act and the Privacy Act to ensure the highest of the two standards always operates.536
64. The Office supports the retention of the existing offences and penalties against the improper use and disclosure of personal information in Part 13 of the Telecommunications Act.537 These provisions have both educative value and a deterrent effect against improper use or disclosure in the telecommunications sector.
65. In addition, the Office submits that there is merit in retaining the following requirements under Part 13 (subject to any amendments required to promote consistency with NPP 2):
66. The Office's Private Sector Review noted concerns, expressed in several submissions to the Review, regarding a lack of clarity between the Telecommunications Act and the Privacy Act about authorised disclosures. These concerns surrounded the relationship between Part 13 of the Telecommunications Act and NPP 2, along with the credit reporting provisions of the Privacy Act (Part IIIA).540
67. For example, on one possible interpretation of s 280(1)(b) of the Telecommunications Act, a telecommunications company could rely on the exceptions under NPP 2 to disclose information (for example, for direct marketing), in addition to those under Part 13 of the Telecommunications Act.541
68. As the Office recommended in its Private Sector Review, if the exceptions to use and disclosure offences are retained under Part 13 of the Telecommunications Act, the government should consider amending both the Privacy Act and the Telecommunications Act to clarify what constitutes authorised uses and disclosures under the two Acts. The amendments should ensure that the Privacy Act cannot be used to lower the standard of privacy protection (for example, by providing exceptions for disclosure in addition to those in Part 13).542
69. Certain state law enforcement authorities may be declared as agencies for the purposes of the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act), enabling those authorities to receive intercepted material. Division 2 of Part 2-5 of the TIA Act places some restrictions on the handling and use of intercepted material by those authorities. However, noting that the Privacy Act does not bind state authorities, the Office believes the restrictions in the TIA Act fall short in ensuring adequate protection of privacy, and access to appropriate remedies where personal information is mishandled.
70. Under the civil remedy provisions in Part 2-10 of the TIA Act, an aggrieved person may bring proceedings in a court for the unlawful interception of communications. While the Office recognises the importance of retaining this provision, for many individuals the cost of bringing proceedings in a court may be prohibitive.
71. Australian Government agencies including the Australian Federal Police (except certain intelligence agencies)543 are subject to the IPPs in the Privacy Act when they collect intercepted communications for inclusion in a record from the telecommunications industry. However, in comparison, some states do not have privacy laws, or if such laws exist, law enforcement agencies in those states may be exempt.544 In such cases, an affected individual may not have recourse to a low-cost remedy, including compensation, if a recipient state agency has found to have misused the intercepted material.
72. In the Office's view, state and territory law enforcement authorities should be covered by one set of privacy principles to ensure consistency and uniformity of privacy protections, whether under the Privacy Act or complementary legislation. The Office's views on whether state and territory authorities should be exempt from the Privacy Act are discussed in response to Chapter 5, question 5-4 and 5-5.
73. Submissions to the Office's Private Sector Review suggested the relationship between the Spam Act and the Privacy Act could be clarified. In particular, both consumers and industry noted the different approach to 'opting out' between NPP 2.1(c) and the Spam Act.545
74. In its Private Sector Review, the Office indicated it would hold discussions with the Australian Communications Authority (as ACMA then was) on the possibility of issuing joint guidance on the application of the two Acts.546 Although no joint guidance has been issued to date, the Office continues to see merit in such an undertaking. This was reinforced by the 2006 review of the Spam Act by the Department for Communications, Information Technology and the Arts.547
75. The Do Not Call Register Act 2006 (Cth) is discussed above in the Office's response to question 10-1.
76. As the preceding responses to Chapter 10 indicate, the Office is aware that the regulation of personal information in the telecommunications sector is subject to a number of legislative provisions and regulatory bodies, including ACMA, the TIO and the Office itself. The Office welcomes efforts to clarify and harmonise the interaction of Part 13 of the Telecommunications Act, the TIA Act and the Privacy Act, as indicated by several recommendations in the Office's Private Sector Review.548
77. In the Office's view, the harmonisation of regulations in the telecommunications sector should:
78. The issues of interaction, inconsistency and fragmentation are discussed further in response to Chapter 7. The jurisdictional overlap between the Office and the Telecommunications Industry Ombusdman (TIO) are discussed below. The final section of this response highlights the need to ensure that privacy regulation keeps pace with emerging telecommunications technologies, such as ENUM and VoIP.
79. While both the Privacy Commissioner and the TIO may investigate complaints about privacy-related matters in the telecommunications sector, their powers to investigate and resolve privacy issues flow from different sources. The powers of the Privacy Commissioner are conferred directly by the Privacy Act, while those held by the TIO arise because the telecommunications sector is compelled to have an industry-based Ombudsman scheme to deal with complaints about carrier service providers.
80. The TIO is an industry-based alternate dispute resolution scheme. As the Office understands it, the TIO's Constitution empowers the TIO to make binding decisions and directions on its members in relation to individual complaints up to an amount of $10,000. This includes complaints about certain privacy-related matters. However, the TIO's role does not affect the Office's jurisdiction to investigate privacy complaints in the telecommunications sector.
81. According to the TIO Constitution, 'the functions of the TIO include, but are not limited to,' investigating complaints about an interference with an individual's privacy under the Information Privacy Principles549 (IPPs) and any industry-specific privacy standards.550 Although it is not explicitly stated in the TIO Constitution, the Office understands that the privacy-related matters the TIO will deal with include the IPPs, NPPs and, in some circumstances, the Privacy Act's credit reporting provisions (Part IIIA).
82. While the TIO's decisions are binding on members, the TIO does not appear to have legally-based enforcement powers such as those held by the Privacy Commissioner under s 55A of the Privacy Act. In addition, the TIO does not appear to have similar powers to the Privacy Commissioner to obtain information and documents, or to examine witnesses.551 In the Office's view, this means that the TIO's jurisdiction to deal with privacy-related matters is not equivalent to that of the Privacy Commissioner, in terms of the range of matters that can be dealt with, and the type of outcome that may be available to an individual.
83. The Office believes that there are specific strengths and weaknesses arising from the overlap between complaint-handling by the Office and the TIO. In summary:
84. If the TIO retains its role in handling NPP-related complaints in the telecommunications sector, the Office submits that introducing certain provisions into the Privacy Act may clarify and streamline the existing overlap.
85. First, such provisions could give the Privacy Commissioner discretion to decline to investigate, or close a complaint, if an industry ombudsman or similar body has already adequately dealt with the privacy aspects of the complaint, or is currently doing so. This could be similar to the decline power in s 41(1)(e) of the Privacy Act, which relates to complaints that are already the subject of an application under another Commonwealth, state or territory law.
86. Second, in order to establish better referral arrangements between the Office and recognised industry bodies, the ALRC may wish to consider the option of a combined 'decline and referral' power for the Privacy Commissioner, exercisable where an industry ombudsman (or similar body) would be a more appropriate forum to handle the complaint. This power could permit the Commissioner to decline to investigate, and (in consultation with the complainant) refer the complaint directly to the appropriate industry body with a formal request to investigate the matter.
87. These options are discussed further in relation to the Commissioner's powers, in the Office's response to question 6-13 in Chapter 6.
88. Convergent technology such as ENUM552 and VoIP553 span traditional telephony networks and emerging internet environments. This may raise privacy issues, because the two environments are distinctly different. For example, the telephone network is generally localised and subject to Australian laws, whereas the use, disclosure and other handling of personal information on the internet may lie outside the realm of Australian privacy and telecommunications law.
89. It is also unclear to the Office whether the definition in s 87 of the Telecommunications Act will always encompass the regulation of Internet Service Providers (ISPs), where ISPs provide services that are similar to those of traditional Carrier Service Providers (CSPs) (for example, where an ISP is hosting VoIP services, which are telephone call services that do not route through the regular Public Switched Telephone Network). These issues are discussed in more detail in the Office's response to question 11-1 in Chapter 11.
494 Section 271 of the Telecommunications Act 1997 (Cth) defines 'eligible person' as a person who is a carrier, a carriage service provider, an employee of a carrier, an employee of a carriage service provider, a telecommunications contractor, or an employee of a telecommunications contractor. 'Number-database operator' and 'eligible number-database person' are defined in s 272 of the Telecommunications Act.
495 Under the subheading'Telecommunications Industry Ombudsman'.
496 See the Privacy Act 1988 (Cth), ss 6C and 6D.
497 See the Privacy Act 1988 (Cth), s 16B. 'Record' is defined under s 6 of the Privacy Act.
498 Telecommunications Act 1997 (Cth), s 303B.
499 Under 10-1 'Exceptions to Part 13 where recording of disclosures is not required'.
500 ACMA website, Frequently Asked Question sheet, 'Consumer Information', available at http://www.acma.gov.au/ACMAINTER.852114:STANDARD::pc=PC_1790#20.
501 Telecommunications Act, ss 306 and 308. The relevant entities that must record and report these disclosures are carriers, carriage service providers and number-database operators.
502 That is, where the law enforcement agency has not provided a certificate to confirm the disclosure is reasonably necessary to enforce the law (the term 'certified' is used above to indicate a certificate has been provided).
503 ALRC, IP 31, at paragraph 10.9.
504 Telecommunications Act 1997 (Cth), s 306.
505 Telecommunications Act 1997 (Cth), s 303.
506 ACMA Annual Report 2005-06, "Appendix 12 -Disclosures of Information" at http://www.acma.gov.au/ACMAINTER.852114:STANDARD::pc=PC_100789 .
507 ALRC, IP 31, paragraph 496
508 Telecommunications Act 1997 (Cth), s 282(1).
509 Telecommunications Act 1997 (Cth), s 282(3).
510 Telecommunications Act 1997 (Cth), s 289.
511 Telecommunications Act 1997 (Cth), s 282(5).
512 Anthony Blunn, AO, Report of the Review of the Regulation of Access to Communications (August 2005), paragraph 1.7.3.
513 A Blunn, ibid, paragraph 1.7.6.
514 See the Privacy Act 1988 (Cth), ss 6C and 6D.
515 See the Privacy Act, s 6D (Entities that are not small business operators).
516 Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (Office's Private Sector Review), March 2005, Recommendation 9, p 63, available at http://www.privacy.gov.au/act/review/review2005.htm.
517 Telecommunications Act 1997 (Cth), s 116A.
518 Telecommunications Act 1997 (Cth), s 117(j) and (k) (square brackets are the Office's).
519 Integrated Public Number Database (IPND) Data Provider, Data User and IPND Manager Industry Code, http://www.acif.org.au/_data/page/3230/C555_2002.pdf
520 Telecommunications (Use of Integrated Public Number Database) Draft Industry Standard 2005.
521 The Office's Submission to the Australian Communications and Media Authority on the Telecommunications (Use of Integrated Public Number Database) Draft Industry Standard 2005, August 2005, is available at http://www.privacy.gov.au/publications/ipndsub.pdf.
522 Office of the Privacy Commissioner, Submission to the Senate Inquiry into the Provisions of the Telecommunications (Interception) Amendment Bill 2006, available at http://www.privacy.gov.au/publications/200603_sub_to_senate_tia_amendments_stored_communications_print.html.
523 Defined in the Telecommunications (Interception and Access) Act 1979 (Cth), s 5(1).
524 Telecommunications (Interception) Amendment Act 2006 (Cth).
525 Articulated in the Telecommunications (Interception) Act 1979 Report for the year ending 30 June 2004, at 2.2.
526 A Blunn, Report of the Review of the Regulation of Access to Communications (August 2005), discussed earlier in relation to disclosures for law enforcement purposes.
527 Under the subheading 'The gap between the Privacy Act and Part 13 in relation to small businesses'.
528 Located at http://www.privacy.gov.au/publications/subdodnotcallreg140606.html.
529 Do Not Call Register Act 2006 (Cth), s 17.
530 Under 'Exceptions to Part 13 which may lead to diminished privacy protections'.
531 Telecommunications Act 1997, s 289. This can be contrasted with NPP 2.1(a).
532 Telecommunications Act 1997, s 290.
533 Telecommunications Act 1997, s 291. See also the views of Electronic Frontiers Australia on these provisions, Submission 51 to the Office's Private Sector Review, pp 11-14, available at http://www.privacy.gov.au/act/review/revsub51.pdf
534 See, for example, NPPs 2.1(g) (use or disclosure 'required or authorised by or under law') and 2.1(h) (use or disclosure reasonably necessary for certain functions of an 'enforcement body').
535 A Blunn, Report of the Review of the Regulation of Access to Communications (August 2005), paragraph 1.7.3-6.
536 Office's Private Sector Review, p 60.
537 Telecommunications Act 1997, Division 2 and 4.
538 The Office's auditing functions are discussed in response to question 10-1 under 'Mandatory reporting of certain disclosures under Part 13'.
539 Telecommunications Act 1997, s 282(3), (4) and (5).
540 See, for example, the Office's Private Sector Review, pp 54-5.
541 Section 280 of the Telecommunications Act 1997 (Cth) states: '(1) Division 2 does not prohibit a disclosure or use of information or a document if: ... (b) in any other case [than for law enforcement] -the disclosure or use is required or authorised by or under law.'
542 Office's Private Sector Review,, p.63, recommendation 2.4.8 at http://www.privacy.gov.au/act/review/review2005.htm.
543 Privacy Act 1988 (Cth), ss 7(1)(ee), (1A) and (2).
544 For example, the Office understands that the law enforcement activities of NSW Police are not covered by privacy legislation, while their administrative functions are.
545 Office's Private Sector Review, p 58.
546 The Office's Private Sector Review, Recommendation 11, pp 62-3.
547 Department for Communications, Information Technology and the Arts, Report on the Spam Act 2003 Review (2006), Recommendation 22, pp 96-7, available at http://www.dcita.gov.au/communications_and_technology/consultation_and_submissions/spam_act_review.
548 Office's Private Sector Review. Recommendations 8-11.
549 Contained in the Privacy Act 1988 (Cth), s 14.
550 Telecommunications Industry Ombudsman Constitution, 20 May 2006, s 4.1, available at http://www.tio.com.au/LIBRARY/documents/TIO%20Constitution.pdf. On the TIO's jurisdiction, see further http://www.tio.com.au/policies/jurisdiction.htm.
551 Privacy Act 1988 (Cth), ss 44 and 52 respectively.
552 Electronic Telephone Numbers Mapping (http://www.enum.com.au/glossary.htm).
553 Voice over Internet Protocol.