					            PRIVACY ACT 1988
                PART VI

     PUBLIC INTEREST DETERMINATION NO. 6

                           (PID 6)



                      In respect of:



Application No         :   6 (dated 10 December 1990)


Applicant              :   Australian
                           Telecommunications
                           Corporation (Telecom)


Nature of the Application :   Disclosure of modified
                        electronic white pages to law
                        enforcement agencies for law
                        enforcement purposes.


Information Privacy Principle Concerned :   Information Privacy Principles 2 and 11


Issued      :   27 September 1991


Effective   :   27 September 1991
                                      DETERMINATION



Applicant                              : Australian Telecommunications Corporation

Application Number                     : 6


1.     The application as it relates to the requirements of Information Privacy Principle 11.1 is
       unnecessary.

2.     The application as it relates to non-compliance with the requirements of Information Privacy
       Principle 11.2 is dismissed.

3.     The application as it relates to non-compliance with the requirements of Information Privacy
       Principle 2 is dismissed.




Dated 27 September 1991



KEVIN O'CONNOR
Privacy Commissioner
                                  REASONS FOR DETERMINATION

                                                      CONTENTS

1.    Nature of Application

2.    Number-to-Name Disclosure Practice
      *    Past Practice
      *    Recent Legislation
      *    Electronic White Pages
      *    Modified EWP: Arrangements with Users
      *    Current Users

3.    Notice of Application

4.    The Privacy Issues

5.    Significance of Application

6.    Draft Determination

7.    Statutory Conference

8.    Applicability of Information Privacy Principle 11 to Use of Modified Electronic
      White Pages
      (1)    Position of Personal Information which is coincidentally publicly available
      (2)    Position of Personal Information provided by modified EWP

9.    Compliance with IPP 11.1

10.   Commissioner's Statutory Discretion

11.   Compliance with IPP 11.2

12.   Compliance with IPP 2

13.   Summary of Conclusions
                      REASONS FOR THE DECISION

1.      Nature of Application

This application (dated 10 December 1990 - Attachment A) is made by the Australian
Telecommunications Corporation (Telecom) and relates to practices involving the provision of the
names (and other particulars) of customers to law enforcement agencies where those agencies only
have the customers' numbers. This practice has traditionally been known as "number-to-name"
access.


The application is made under Part VI of the Privacy Act, which requires agencies which propose to
engage in a practice that infringes an Information Privacy Principle to obtain permission to do that,
by way of a public interest determination issued by the Privacy Commissioner. Any determination to
that effect is subject to disallowance.


Telecom is an agency within the meaning of the Act (s.6) and its activities in respect of personal
information are ordinarily subject to the Act. An exclusion applies in connection with any of its
competitive activities (see s.7 (1)(c), referring in turn to Part II of schedule 2 of the Freedom of
Information Act 1982).


Telecom's application has three parts:


(1)     to be permitted to disclose customer information on a number-to-name basis to approved
        law enforcement agencies without having to satisfy itself that any such disclosure is
        reasonably necessary for the enforcement of criminal law: see IPP 11.1.


(2)     to be permitted not to record such disclosure: see IPP 11.2.


(3)     to be permitted not to comply with the notice-to-customers requirements: see IPP 2.


As to (1), Telecom considers that it needs a waiver because it proposes to provide automated
access to its modified electronic white pages database and not exercise any independent judgement
or discretion in relation to the validity of the request.


As to (2), Telecom does not propose to log any such accesses but, by way of agreement, would
require approved law enforcement agencies to maintain logs of their accesses to the modified
electronic white pages database.


As to (3), Telecom does not wish to give any notice to customers of its disclosure of
number-to-name information, other than by way of general advice in the telephone directory.


IPP 11.1 provides that an agency may not disclose personal information contained in a record in its
possession (other than to the individual concerned) unless one of five exceptions is satisfied. The
main exception relevant to the first part of Telecom's application is (e), which allows disclosure
where it is "reasonably necessary for the enforcement of the criminal law."


IPP 11.2 provides that where an agency discloses information because it is reasonably necessary for
the enforcement of the criminal law, it must make a note of the disclosure.


IPP 2 requires agencies to give individuals notice of usual disclosure practices.

2.      Number-to-Name Disclosure Practice

*        Past Practice
For many years Telecom has provided law enforcement agencies with "number-to-name"
information on a case by case basis. Under this arrangement a law enforcement agency would
contact the Protective Services Unit in Telecom and ask for the customer particulars held against a
number of interest. The provision of this information was subject to detailed administrative
guidelines (Security and Investigation Policy Guidelines, Division G, section 2 dealing with Release
of Customer Information). The normal procedure was that the agency required a written request
signed by a commissioned officer of the rank of inspector or above and a certification from the
requesting law enforcement agency. The certification was expected to address the nature of the
legal authority under which the request was made in each case. A response was normally provided
in writing, if an officer of the agency (with a relevant delegation) was satisfied as to its propriety.
Emergency requests could be dealt with orally, but had to be confirmed in writing by close of
business on the next day. Eight conditions have been attached to the practice, one of which
specifically addressed customer privacy:
         "(iv) the information is to be [provided] subject to security arrangements that are in
         keeping with preservation of the 'need to know' principle and respect of the
         privacy of Telecom customers."


The practice was accompanied by a detailed log of disclosure. The logging requirement was as
follows:
           "Appropriate records are to be kept in each Telecom Protective Services Regional
           or Sub-Regional Office of all requests made, the information given out and the
           identity of the Telecom Protective Services officer who handled the request. Such
           record to be kept for six years and then destroyed by secure means in the same
           way as disposable sensitive business records."


The agency has advised that there are approximately 100,000 requests actioned per year. No
information is available as to distribution of these requests. In a twelve month period the agency
estimated that the provision of this service costs $200,000 (gross).


*        Recent Legislation
Prior to 1989 this practice did not have any clear legislative basis. Since September 1989 such case
by case disclosures have been authorised by section 97 of the Australian Telecommunications Act
1989 and Regulations made under that Act.
"s.97

(1)        Subject to subsection (2), it is the duty of a person who is an employee of Telecom not to
           disclose any fact or document that:

           (a)    relates to:

                  (i)     the contents or substance of a communication that has been carried by
                          Telecom or a communication in the course of telecommunications carriage;

                  (ii)    telecommunications services supplied, or intended to be supplied, to another
                          person by Telecom; or

                  (iii)   the affairs or personal particular (including any unlisted telephone number or
                          any address) of another person; and

           (b)    comes to the person's knowledge, or into the person's possession, because the
                  person is an employee of Telecom.

(2)        Subsection (1) does not apply in relation to a disclosure by a person:

           (a)    in the performance of the person's duties as an employee of Telecom;

           (b)    as a witness summonsed to give evidence, or to produce documents, in a court of
                  law;

           (c)    under the requirements of a law of the Commonwealth;
                  or

           (d)    in prescribed circumstances."



The "prescribed circumstances" referred to in Section 97(2)(d) are defined as follows in Regulation
3 of the Australian Telecommunications Corporation Regulations:

"Disclosure of facts or documents

3.      For the purposes of subsection 97(2) of the Act, the following circumstances are
        prescribed:

        (a)     where the disclosure of the fact or document is:

                (i)      to a person authorised under subsection 12(1) of the Telecommunications
                         (Interception) Act 1979; and

                (ii)     for the purposes of the issuing of, or in connection with information obtained
                         under, a warrant under Part III of that Act; or

        (b)     where:

                (i)      the fact or document disclosed comes to the employee's knowledge, or into
                         the employee's possession, because of a call to the emergency number 000;
                         and

                (ii)     disclosure is to a member of the police force or ambulance or fire service to
                         which the call was connected; or

        (c)     where the fact or document relates to the affairs or personal particulars (including
                any unlisted telephone number or any address) of a person and:

                (i)      the person is reasonably likely to be aware that information of that kind is
                         usually disclosed in the circumstances; or

                (ii)     the person has consented to the disclosure in the circumstances; or

                (iii)    the employee believes on reasonable grounds that disclosure is necessary to
                         prevent or lessen a serious and imminent threat to the life or health of a
                         person; or

        (d)     where the disclosure is authorised by or under a law of the Commonwealth, or
                required or authorised by or under a law of a State or Territory; or

        (e)     where the disclosure is reasonably necessary for the enforcement of the criminal law
                or of a law imposing a pecuniary penalty, or for the protection of the public
                revenue."

These provisions were intended, it seems, to provide a clear legal basis for existing practices. The
traditional practice in relation to "number-to-name" information, as explained, involved case-by-case
disclosure with a specific decision to disclose being taken, according to the guidelines, in response to
each request. Regulation 3 paragraphs (a), (b), (c) reflect this view; while paragraphs (d) and (e)
re-state the last two exceptions in Information Privacy Principle 11 of the Privacy Act. (I should
note that para (d) may be unconstitutional in so far as it purports to permit a federal agency to
disclose information under the authority of a State law.)


*        Electronic White Pages
The agency, over recent years, has developed a directory product called "electronic white pages"
(EWP). This product is continuously updated and allows users to separately search all Telecom
white pages directories throughout Australia. EWP does not allow access to silent number
information. EWP can be purchased for a fee and access can be obtained on a computerised
dial-up, on line basis to Telecom's public directory information. Inquiries are made within a
particular directory area by customer name and in response that user is provided with the usual
public directory particulars of address and telephone number.


*        Modified EWP Facility
The same basic technology that makes EWP possible can also allow a user to search by means
other than the name of the customer, for example, by telephone number. The latest edition of
Telecom's Policy guidelines addresses access to the modified electronic white pages (this facility is
explained more fully below) as follows:

        "2.     Electronic White Pages - Provision of access to Electronic White Pages
                (Number-to-Name) is subject to:

                a.      Demonstration by the agency that it has legislative responsibilities and/or
                        provisions that meet the requirements of the above legislation;

                b.      A written undertaking that:

                        i.        the information will be used only in circumstances defined in
                                  Regulation 3 that are consistent with the agency's legislative
                                  responsibilities or provisions;

                        ii.       access to the Number-to-Name facility will be controlled on a strict
                                  "need to know" basis;

                        iii.      terminal/s and information will be subject to security arrangements
                                  that are in keeping with the preservation of the "need to know"
                                  principle and respect for the privacy of Telecom customers; and

                        iv.       the agency accepts that Telecom may suspend its access to the
                                  Number-to-Name facility should the agency fail to comply with any
                                  one of the above conditions;"


The "need-to-know" standard, one commonly used in official circles, is vague; and is clearly lower
than the threshold set by Information Privacy Principle 11.


*       Modified EWP: Arrangements with Users
During 1989 Telecom, for cost effectiveness and efficiency reasons, made the EWP facility available
on a "number-to-name" basis to law enforcement agencies. This facility is commonly referred to as
"modified EWP". Organisations using this facility can interrogate the Telecom database using their
own terminal for access. Either number or name may be entered, with the name, address and
number being displayed if it is found in the particular directory being searched. Access to the
modified EWP database is controlled by two levels of security: a "user password" and an encrypted
"security password". There is no formal request made which is reviewed by Telecom. As a
consequence the form of disclosure is not subject to the main condition which previously applied.


In effect Telecom is now wishing to allow automated provision of customer information to approved
law enforcement agencies. It no longer wishes to act as a gate-keeper.


The present application was brought forward following concern that the provision of automated
access may infringe the Privacy Act, in particular Information Privacy Principles 2 and 11.


The object of the application is to clarify the status of this practice and to seek approval for the
practice.


*      Current Users
Organisations already provided with this new facility are:
*      Australian Bureau of Criminal Intelligence, Canberra
*      NSW Crime Commission, Sydney
*      National Crime Authority, Sydney
*      Australian Federal Police, Canberra
*      Victorian Police Special Projects, Melbourne
*      Northern Territory Police Force, Winnellie, NT
*      Independent Commission Against Corruption, Sydney
*      Queensland Criminal Justice Commission, Brisbane
*      Australian Taxation Office (South Sydney Audit)
*      the Australian Security Intelligence Organisation



New requests for the modified EWP were to be no longer actioned pending the outcome of this
determination.


Each of the above organisations only has one EWP terminal located at the nominated site with
access to modified EWP.

3.      Notice of Application

In accordance with section 74 of the Act, I published, on 9 January 1991, a notice in two leading
newspapers advising of the application and seeking expressions of interest or submissions from
interested parties - see Attachment B. In addition, invitations for submissions were mailed to a cross
section of potentially interested organisations.


I received, in response to the mailout and notice, fifteen submissions, seven expressions of interest
and nine acknowledgments: see Attachment C.


The Australian Taxation Office has also written to me requesting that their access to modified EWP
be maintained. However, the Taxation Office is not included within the scope of Telecom's
application which is confined to law enforcement agencies as defined in Part VIIC of the Crimes Act
1914.


The Victorian Police submitted that the question of providing additional records to law enforcement
agencies should also be addressed by the determination. These records are silent numbers, mobile
telephone numbers and Calling Line Information. The matters raised fall outside the scope of
Telecom's application. They cannot be addressed by this public interest determination.

4.      The Privacy Issues

The modified EWP facility which permits "number-to-name" access is substantially different to the
"White Pages". It has an additional function which allows it to be interrogated by number.
Telecom's policy is to retain control of this database and not to make it available to the public.


Telecom's concern in this regard is understandable. Customer privacy would be reduced if it made
available generally automated "number-to-name" facilities. People with no legitimate social need for
that information could find out personal particulars beyond that which a person may wish to reveal.




In advertising it is common for people to give a telephone number to solicit interest, and to give out
their personal particulars only when they have screened an inquiry. In the worst-case situation,
thieves could identify the location of expensive goods, cars, furniture and the like advertised for
private sale. People living on their own who advertise, for example, for a flat-mate may also feel
vulnerable if "number-to-name" search facilities become widely available. If the modified EWP were
to be made generally available there may be increased community pressure for silent-number listings,
leading to a new cost for the agency to absorb.


Automated access to the modified EWP database raises the possibility of bulk disclosure of
potentially sensitive information regarding the majority of households in Australia to law enforcement
agencies. Telecom itself has recognised the sensitive nature of the modified EWP facility by the fact
that the present application is restricted to law enforcement agencies only. This reflects the concern
that privacy intrusive uses can be made of the facility. There are a number of situations where
individuals may consent to their telephone number being disclosed but not their address.


An additional privacy concern is the probability that there will be an increase in the overall volume of
searches made on the modified EWP once access to it is made available directly to law enforcement
agencies.


Further, there is the issue of whether the increase in access to the modified EWP facility leads to the
possibility of an increase in unauthorised access, use, modification and disclosure. A number of
disturbing allegations are presently before criminal courts and official inquiries regarding the improper
disclosure of personal information initially obtained for official purposes.


I consider that Telecom's current policy of seeking to limit the availability of the modified EWP
serves the reasonable privacy interests of individuals.


(In making these comments I am aware that there is a commercial product generally available
("Australia on Disc") which has the "number-to-name" search feature. Its price and the relative lack
of up-to-dateness of its data appear to be limiting its use.)

5.      Significance of Application

This application is significant both operationally and legally.


There is a widespread desire among Australian law enforcement agencies to be allowed to have
automated number-to-name access to customer data held by Telecom. Telecom itself would prefer
to move to this system; and not continue, as it has done in the past, the practice of dealing with
applications for number-to-name access on a manual, case-by-case basis. As indicated earlier,
number-to-name requests are lodged in great volume with Telecom. It estimates that it handles
100,000 enquiries per year.


Legally, the application is significant because it raises a number of questions of interpretation relating
to IPP 11.1, and in particular exception (e).


These questions include:


*       Is customer information held in the modified electronic white pages database subject in any
        way to the protections of the use and disclosure provisions of the Act?


*       If it is in general terms subject to the protection of the Act, is it necessary for Telecom to
        obtain waiver from compliance with IPP 11 or is its proposed practice one that it is able to
        undertake without infringing exception (e)?


*       In that regard, can automated disclosure by an agency of personal information in its
        possession be undertaken lawfully under exception (e) if procedures exist to ensure that a
        particular disclosure can be shown to have been "reasonably necessary for the enforcement
        of the criminal law", in the event of complaint or audit?

6.      Draft Determination

A draft determination (Attachment D) was issued by me on 2 May 1991. It allowed the application,
but required that disclosure for law enforcement purposes be made subject to a number of
conditions. The most significant aspect of the determination from the point of view of law
enforcement agencies was that it considered that Telecom must obtain a waiver because IPP 11.1
(e) could not be satisfied by it in a situation where it gave automated access. Others who
commented on the draft determination questioned whether the application, in so far as it related to
IPP 11, was necessary at all, arguing that the modified EWP database was not a "record" subject to
IPP 11.

7.      Statutory Conference




Numerous expressions of interest in the draft determination were received and, as contemplated by
the Act, I convened a statutory conference to consider it. The statutory conference was held on 29
May 1991, and attended by representatives of several Commonwealth departments, numerous
Federal, State and Territory law enforcement agencies as well as representatives of privacy and civil
liberties groups.


A transcript (78 pages) of the statutory conference is available.


At the conference Mr N Reaburn, Deputy Secretary, Commonwealth Attorney-General's
Department, raised a number of legal objections to the application by Telecom, arguing that it was
unnecessary as the practice in issue was either not governed at all by the Act or if governed by the
Act permitted by it without the need for a determination. I will now deal with these submissions.

8.      Applicability of Information Privacy Principle 11 to Use of Modified
        Electronic White Pages

The Commonwealth Attorney-General's Department submitted:


(i)     that personal information held by federal agencies which replicated information which is
        publicly available in some form is not protected by the Act.


(ii)    If (i) is not accepted, that the modified electronic white pages database from which
        number-to-name information is given by Telecom is not a "record" within the meaning of the
        Privacy Act because it falls within one of the exclusions from the meaning of record, that of
        a "generally available publication".


(1)     Position of Personal Information which is coincidentally publicly available


As I indicated at the conference, I regard the first proposition as extraordinary. What is being
suggested is that personal particulars lodged by an individual with a Commonwealth agency are
deprived of the protection of the Act if it can be shown that those particulars are available
somewhere else in the community in a publicly available source. So, for example, if a social security
client lodges address details with that department and those address details are the same as those
contained say in a phone directory or the electoral roll, the address loses the protection of the Act.
Consequently, a social security officer could give out the address to anyone he or she cared to
without infringing the Privacy Act.




Personal information held in "generally available publications" does not have the protection of the use
and disclosure provisions of the Privacy Act because the protections attach to "records" and
"records" are defined so as to exclude "generally available publications". (See generally opening
words of IPP 11, and definitions of "record" in s.6.)


The argument of the Attorney-General's Department appeared to be that the concept of a "generally
available publication" embraces any personal information held in an agency that coincidentally
happens to be publicly available even if the agency did not derive it from the public source. I can
find no foundation for this argument in the terms of the Privacy Act; nor in any of the explanatory
notes underlying the Act, which notes were substantially drafted by the Attorney-General's
Department.


If the proposition advanced were to be upheld the Privacy Act would become unworkable, as no
clear guidance could be given to agencies as to when the identification particulars they hold are
covered by the Act or not covered by the Act, since it would never be known with certainty
whether the identification items appeared somewhere in a public record (e.g. land titles records,
electoral rolls etc). Virtually every adult's name appears in a public record somewhere. If this
submission were correct, the names of virtually all adult Australians would not have the protection of
the Privacy Act, nor in most instances would individuals' addresses. Lists of clients of federal
government agencies could be given out, without redress under the Privacy Act.


(2)     Position of Personal Information provided by modified EWP


This aspect of the application raised a number of important issues relating to the application of the
Privacy Act to complex computerised systems.


The fields of data - name, address, telephone number - are central to the operations of Telecom.
Different ways of interrogating and reporting these data items are built into Telecom's computer
system. In the case of the Electronic White Pages, that database is capable of outputting its data
items in two ways:
         *      Name-Address-Number, with name as the access key, or
         *      Number-Name-Address, with number or name as the access key.


As noted earlier, Telecom has historically recognised that the same data items can give rise to
reports of quite differing levels of sensitivity. As a result its policy is one of general availability in
relation to one kind of report produced by the EWP database (the report that mirrors that found in
the paper phone directories); and one of restricted availability to the kind of report produced by the
modified EWP facility.


The Attorney-General's Department advanced a series of arguments to the effect that Information
Privacy Principle 11 did not apply to number-to-name reports. The arguments go to the interaction
in the Act between the definitions of "personal information", "record" and "generally available
publication". The interaction of these definitions is important because Information Privacy Principles
4 to 11 contained in the Privacy Act only apply to agency activities as they affect a "record"
containing personal information.


The Act includes within its definition of a "record" (s.6) the following - a "document", a "database
(however kept)" and a "photograph". So on the face of it the EWP database is a record within the
meaning of the Act.


But the definition of record then goes on to exclude from its scope a "generally available
publication". It was contended that the EWP database was a generally available publication and
accordingly that its use in a modified way so that data within it could be obtained in a manner not
generally permitted is unaffected by the Act. If this argument is correct then IPP 11 does not need
to be complied with.


This argument fails to take account of the complexities of modern database administration. It also
fails to take account of the range of meanings that tends to be attached to the term "database". For
example, in a letter of information to me dated 23 June 1991, Telecom described its computerised
data-management system as having five databases. These were its main customer record database
(includes full details on all numbers connected to the public switched telephone equipment details);
the main directory database; the directory assistance database (used by directory assistance staff);
the EWP; and the modified EWP. However in describing the modified EWP Telecom refers to it as
using the same database as the EWP with the variant that in the case of silent line information the
message is displayed "This number is not for publication". Some, I suggest, would contend that all
of these arrangements involve particular operational applications within the context of one database.




Meaning of "Database"
"Database" is not defined in the Act. The Macquarie Dictionary definition is:
       "1.     A large volume of information stored in a computer and organised in categories to
                facilitate retrieval.
        2.      Any large collection of information or reference material."


Another definition in a standard computing text is as follows:
         "A database is a collection of stored operational data used by the applications systems of
         some particular enterprise." (C J Date, An Introduction to Database Systems 1981, 3rd
         ed.)
The same text also acknowledges that the associations or relationships between data entities (items)
are just as much part of the operational data (and therefore of the database) as are the entities
themselves.


A database is usually organised as a collection of fields of information. It can have both generally
available and selectively available characteristics. A material factor is the way in which it is made
available. This can comprise both technical capabilities (e.g.: access and search limitations) and
procedural/contractual limitations.


If the view were to be taken that the entire Telecom customer record system comprised one
database then it becomes clear that the database may be so organised as to have elements which are
publicly available and elements which have varying levels of restricted availability. So in the case of
the Telecom arrangements referred to, only directory assistance staff normally have access to the
"database" of that name whereas most staff in the billing and technical areas would have access to
the main customer record system. In the case of the EWP system there are two levels of access
operating - one general and unrestricted where the use is on a name-basis and the other highly
restricted where the use is on a number basis. These complexities in operation are typical of modern
database systems.


In my view whether the entire Telecom system is more properly seen as one database of customer
information having many operational segments or as a series of databases one of which is the EWP,
it is possible for the system to be so organised that its data when reported in one format is available
on an unrestricted basis and when reported or organised in another format has restricted availability.


Relationship between Databases and Records
Equally I consider that while an entire database can be a record within the meaning of the Act it is
also possible for a database to be open to different "views", or to make or produce reports, all of
which are "records" individually subject to the Act. It is also possible for a database which is
generally viewed as a publicly available one to have operational features which restrict the availability
of its data when that data is sought to be organised or reported in certain ways.


A good current illustration of this situation is found in Australian Electoral Law. Sections 91, 91A
and 91B of the Commonwealth Electoral Act 1918 specifically limit the availability and use of the
Habitation Indexes (street order rolls) even though they contain the same data drawn from the same
overall database as the alphabetic rolls which are available on demand and for public reference.


These technical features of databases would I believe have been well understood when the Privacy
Act was passed in 1988. I believe that the explicit reference to database in the definition of record
was designed to ensure that these complex systems were brought under the regime of the legislation.
The exclusion that then appears, relating to generally available publications, comes into play in
respect of a database in circumstances where there are agency policies which allow for public use or
access. It is quite possible, as I have explained, for an agency to allow its data to be configured by
its database in a way which allows that configuration to be generally available while preventing the
same data to be configured in some other way. Each of the configurations involves the making and
producing of a record - one of which is excluded from the application of Information Privacy
Principles 4-11 as a generally available publication, while the other remains subject to all the
Principles.



Conclusion
Accordingly, I consider that when the EWP system is used to produce a record on a number-to-
name basis that activity is subject to the Act. What is occurring is that a record with restricted
availability is being generated; a feature of the database is being employed which seeks to restrict
the availability of the personal information stored by the database. When a database is being
operated so as to generate information about individuals on a restricted basis (i.e. non-public) its
operations are subject to the Act.



9.      Compliance with IPP 11.1

The principle which governs this matter is Information Privacy Principle 11, which states:

        "1. A record-keeper who has possession or control of a record that contains personal
        information shall not disclose the information to a person, body or agency (other than the
        individual concerned) unless:

        (a)     the individual concerned is reasonably likely to have been aware, or made aware
                under Principle 2, that information of that kind is usually passed to that person, body
                or agency;

        (b)     the individual concerned has consented to the disclosure;

        (c)     the record-keeper believes on reasonable grounds that the disclosure is necessary to
                prevent or lessen a serious and imminent threat to the life or health of the individual
                concerned or of another person;

        (d)     the disclosure is required or authorised by or under law; or

        (e)     the disclosure is reasonably necessary for the enforcement of the criminal law or of a
                law imposing a pecuniary penalty, or for the protection of the public revenue."


Of the above exceptions (a) cannot apply as Telecom has not at any material time given customers
notice of the existence of this disclosure practice. Exceptions (b) and (c) are not relevant to this
application.


The two exceptions which were suggested as permitting the practice of number-to-name disclosure
were exceptions (d) and (e).


Exception (d)


Here the argument is that the disclosure is authorised by a regulation recently made under the
Australian Telecommunications Act 1989, referred to in part 2 of these reasons.


It seems to me that this regulation is unhelpful in deciding whether number-to-name searching of the
modified EWP database is a lawful disclosure for the purposes of exception (d). The text simply
mirrors the language of the Information Privacy Principles. In the case of exception (d) reg. 3 does
not take the matter any further. It simply says that the disclosure must be "authorised under a law of
the Commonwealth": see para. (c) of reg. 3, mirroring exceptions (a) (b) and (c) of IPP 11.1 and
para. (d) mirroring substantially exception (d) and para. (e) mirroring exactly (e). No law specifying
that this disclosure practice is permitted has been drawn to my attention. Further I note that the number-
to-name disclosure practice has existed in Telecom for many years and could readily have been
identified in the regulation as a permissible practice had it been intended that the regulation should
have that effect.


Exception (e)


Much of the discussion at the statutory conference centred on this exception to Information Privacy
Principle 11.1.


Telecom's past practice, as I have noted earlier, in handling number-to-name inquiries involved
requiring an application to be submitted and for it to be assessed by an officer as to its justification.
If Telecom considered the application justified on law enforcement grounds, the information was
provided. Provided the criteria applied were at least as strong as those provided for in exception
(e), (i.e. they met the requirement of "reasonable necessity") this practice, if continued, would in my
view comply with exception (e), and no public interest determination is required. While it appears
that in the past the criteria were not as strong, my understanding from discussions with Telecom over
this matter and from its submission at the conference, is that it would propose to offer the facility in
future on terms that require satisfaction of the "reasonable necessity" test in exception (e).


The complication in the present case is that Telecom no longer wishes to be actively involved in the
number-to-name searching process. It in effect wishes to license certain users to access its
database, with the users being responsible for ensuring that the justification is in accord with
exception (e).


The question which arises is whether exception (e) permits a record-keeper to disclose information
without it exercising any judgment as to the lawfulness of that event for the purposes of the Privacy
Act.


The Attorney-General's Department, and others, have argued that the types of disclosure permitted
by Information Privacy Principle 11 only in one case clearly require a record-keeper to make a
specific judgment on the merits of a request. That arises in the case of exception (c) which limits the
relevant disclosure to circumstances where "the record-keeper believes on reasonable grounds"
that it is "necessary" (emphasis added). In contrast, it is said, exception (e) permits disclosure where
it is "reasonably necessary" to assist the social interests mentioned in the exception, without imposing
an obligation on the record-keeper to form a belief as to whether reasonable grounds exist.
Accordingly, it is argued, that it is possible for a situation to exist where the record-keeper has no
active involvement in the access/disclosure transaction. It is sufficient, it is argued, that the
access/disclosure transaction can be shown to be "reasonably necessary".


This discussion has considerable significance in relation to the general operation of exception (e) in
Commonwealth administration. If the arguments that I have outlined are valid, it would mean that it
would be possible for agencies to allow on-line links to their databases with those using the facility in
effect bearing responsibility for ensuring that any accesses that take place are "reasonably necessary"
to the protection of the social interests listed in exception (e).


On the other hand, it was argued by me in my draft determination and by a number of public interest
groups at the conference that exception (e) should be interpreted so as to impose a requirement on
the record-keeper that it satisfy itself that the disclosure is "reasonably necessary" to the protection
of the social interests listed there. It is argued that "reasonably" is a word which connotes an
obligation on the part of the record-keeper to form a view as to the need or otherwise for the
disclosure. This view, it is argued, is also supported by IPP 11.2 which imposes on record-keepers
who make disclosures on the basis of the criteria contained in exception (e) an obligation to include in the
relevant record a note of the disclosure. It is argued that this requirement is consistent with the view that the
record-keeper should make a specific decision in relation to each request for disclosure.


While I do not regard the matter as free from doubt, after considering the arguments made at the
conference I have resiled from my earlier views and concluded that a disclosure can occur lawfully
under exception (e) without there being an active exercise of discretion by the record-keeper. But
the record-keeper remains obliged to demonstrate (if, for example, an individual complains to me
over a specific disclosure) that each access it permits was "reasonably necessary" to the protection
of the social interests enumerated in exception (e).


In reaching this view I have largely been influenced by the variation in language between exception
(c) and exception (e). Clearly exception (c) imposes an active decision-making obligation on the
record-keeper. It is not one that it can give up to a third party.


But exceptions (d) and (e) both attach the conditions which they specify for lawfulness to "the
disclosure". It seems to me, therefore, that a disclosure could satisfy the standard imposed by
exception (e) even though the record-keeper had not satisfied itself directly that that standard has
been observed.


There are also, I think, some policy arguments which support this view. Circumstances can be
envisaged where it would not be conducive to the protection of the social interests enumerated in
exception (e) (e.g. enforcement of the criminal law) for the record-keeper to be apprised in any
detail of the reasons for the inquiry, or for the record-keeper not to wish to be so apprised. There
may on occasions be circumstances of urgency which preclude any possibility of practical judgment
by the record-keeper. (Though this argument is weakened by the fact that exception (c) which
deals with a paradigm situation of urgency ("a serious and imminent threat to the life or health of the
individual concerned") does clearly impose an active decision-making obligation on the record-keeper.)


If a record-keeper does choose to establish an access system which permits disclosures under
exception (e) without active intervention on its part, then it remains liable for any abuse or misuse
of the access facility. If an individual complains that a particular disclosure was not "reasonably
necessary" the record-keeper, as the respondent, must be able to satisfy the Privacy Commissioner
that it was "reasonably necessary" in order to avoid liability. A similar position would apply in the
event that an audit of an automated-access system is undertaken.


Conclusion
Accordingly an application for waiver from Information Privacy Principle 11.1 is unnecessary.
However, as I have previously noted, any access arrangements provided under IPP 11.1(e) would
have to be constructed so it can be demonstrated that each access meets the requirements of
exception (e) as to reasonable necessity.



10.     Commissioner's Statutory Discretion

So it is only in relation to Telecom's remaining applications that I am called upon to exercise my
statutory discretion under s.72 of the Act.
Section 72 provides:
          "Where the Commissioner is satisfied that:

        (a)     an act or practice of an agency breaches, or may breach an Information Privacy
                Principle; and

        (b)     the public interest in the agency doing the act, or engaging in the practice, outweighs
                to a substantial degree, the public interest in adhering to the Information Privacy
                Principle;

        the Commissioner may make a written determination to that effect..."


The effect of such a determination is that the agency avoids breaching the Act.

11.     Compliance with IPP 11.2

Telecom indicated that if automated-access to the modified EWP database was permissible, it
sought a public interest determination to relieve it from the obligation imposed by IPP 11.2.




IPP 11.2 imposes a disclosure-logging requirement in the following terms:

        2.      Where personal information is disclosed for the purposes of enforcement of the
                criminal law or of a law imposing a pecuniary penalty, or for the purpose of
                protection of the public revenue, the record-keeper shall include in the record
                containing the information a note of the disclosure.



Telecom said that it could log the volume of inquiries made on the database by each user, but that
its technology did not enable it to place a "note of disclosure" as required by IPP 11.2 against each
individual whose name was searched. These concerns essentially relate to cost and administrative
convenience.


Apart from these administrative concerns, Telecom also said that it saw some dangers in making a
note of disclosure against a particular individual, because if an individual became aware of the fact
this might tip the individual off in relation to police interest. This argument is not in my view
meritorious. The objection is one that could be made in relation to the logging of any disclosure to
police sources. It was clearly rejected by Parliament when it included IPP 11.2. While there may
be some extreme circumstances where IPP 11.2 could be waived or varied for the protection of
investigations it was clearly, in my view, Parliament's intention to impose a logging requirement on
the key administrative agencies of the Commonwealth in regard to those disclosures of personal
information which are made to police. If an FOI application was made for access to such a record
there is a wide law enforcement exemption available to be invoked by Telecom.


The administrative convenience argument is not in my view a strong one. Historically Telecom
vetted applications and, consequently, had an exact and detailed administrative record of what
occurred and why. My earlier conclusion rids Telecom of its responsibilities to vet; now it is seeking
to rid itself of the other responsibility it exercised in the past and has been required to exercise by
law since 1989 (to log). Given that in future there is intended to be no case-by-case vetting as in the
past, it becomes even more critical to the protection of individual privacy that the safeguard
contained in IPP 11.2 be maintained.


Allowing Federal agencies to release personal information protected by the Privacy Act on an
automated basis (provided otherwise the release accords with IPP 11.1 (e)) carries great dangers to
the privacy rights of all Australians. Where an agency is not called on to consider actively why
particular information should be released, the following significant constraints against possible abuse
of privacy are lost:




(i)     any actual knowledge that an agency may have regarding the client or individual's
        circumstances cannot be brought into consideration before the data is released.


(ii)    ordinarily the requesting/accessing organisation will have little or no knowledge of any
        personal circumstances that indicate against taking that data.


(iii)   the requesting/accessing organisation will not be affected by the salutary constraint of having
        to justify its request and expose its actions to another body with less of a stake in the matter.


Moreover if Telecom does not remain responsible for logging, the Privacy Commissioner would
have no specific evidence as to whether a particular disclosure had occurred, in the event that an
individual complained to him about a breach of IPP 11.1(e). The recipient organisation may well
deny that it got the personal information from Telecom by means of an IPP 11.1 (e) access. There
would be no way of testing the truth of that denial.


It was suggested on this point at the statutory conference that accessing agencies would invariably
for operational reasons keep logs; and that they could be inspected in their hands by the Privacy
Commissioner if he had a right to inspect them under contractual arrangements (or memorandums
of understanding) between Telecom and accessing agencies.


I do not regard this as a satisfactory suggestion. Logs would be scattered all over the country. The
logs would, most likely in light of a number of comments at the conference, be organised in a way
that reflected the operational practices of the particular police force or law enforcement agency.
Some of those agencies may resist intervention by the Privacy Commissioner. Most of those using
the system are not subject to his authority; leaving the Privacy Commissioner in a position where
Telecom has to be prevailed upon to sort out the problem. This would demean the Privacy
Commissioner's office in the eyes of complainants and the community.


Conclusion
Accordingly, I dismiss the application as it relates to giving Telecom a waiver from the obligation
imposed by IPP 11.2.


Telecom is required to ensure that it makes a note of each disclosure from its modified EWP
database made under the authority of IPP 11.1(e). The note should include a record of the date of
the disclosure and the identity of the accessing organisation, including the password or other key
used. Any cost of logging could be recovered by Telecom from users: it charged a fee for access
under its old manual system. That practice could be maintained; and would act as some
discouragement to overly permissive use.



12.     Compliance with IPP 2

Finally, Telecom applied to be relieved of its obligations under IPP 2, in particular IPP 2 (e). This
IPP applies to agencies regardless of whether the personal information being collected is for
inclusion in a "record" or for inclusion in a "generally available publication".


IPP 2 requires agencies which collect personal information to ensure that they take:
        "such steps (if any) as are, in the circumstances, reasonable to ensure that, before the
        information is collected or, if that is not practicable, as soon as practicable after the
        information is collected, the individual concerned is generally aware of:

        (e)      any person to whom, or any body or agency to which, it is the collector's usual
                 practice to disclose information of the kind collected, and (if known by the collector)
                 any person to whom, or any body or agency to which, it is the usual practice of that
                 first-mentioned person, body or agency to pass on that information."


It should be noted that the obligation imposed on agencies by IPP 2 applies "only in relation to
information collected after the commencement of the Act" (i.e. 1 January 1989): s.15 (1) of the Act.
Consequently Telecom is not bound to give customers whose information was collected prior to 1
January 1989 (and who have not been the subject of any new collection since that date) any notice
under IPP 2.


The material placed before me in making this determination indicates that Telecom has over many
years had a number of "usual practices" involving disclosure of customer information to police and
emergency organisations. In the past the existence of these practices has not been made known to
customers.


Number-to-name disclosures on a specific-application basis have continued to be made since
January 1989; while automated disclosure to selected law enforcement agencies was introduced in
1989. It is arguable that automated modified-EWP number-to-name disclosure is not yet a "usual
practice", so that Telecom's failure to advise customers of this activity may not be a breach of IPP 2.
Nevertheless the old practice of manual provision of number-to-name information on the basis of a
specific application was clearly a "usual practice"; but its existence has never been routinely
disclosed to customers.




A key theme of information privacy laws, and of the international O.E.C.D. Guidelines on which
Australia's Privacy Act is based, is that of "openness" as to the existence of practices. IPP 2 reflects
that theme, and seeks to give it specific expression.


Telecom seeks a waiver from the requirement of IPP 2 to notify customers - "before the information
is collected, or if that is not practicable, as soon as practicable after the information is collected".
Telecom is prepared to put a general notice in the telephone directory referring to the existence of
the practice.


To grant Telecom's application would I believe seriously weaken the force of IPP 2 in
Commonwealth administration. As a basic matter of fairness, people who supply information to
organisations are entitled to know of any uses that are likely to be made of the information which do
not conform to their reasonable expectations. While a telephone customer might reasonably expect
that their particulars would be stored in a range of ways within Telecom to enable it to carry out its
service function, the customer would not expect information to be given to bodies as diverse as
State crime commissions, government departments and State police forces. While such a disclosure
practice may be in the public interest, there is also a public interest (endorsed by Parliament in IPP
2) in knowing that it occurs.


Telecom's main reason for not wishing to tell customers at the time of application for the service that
it has disclosure practices of the kind under consideration appears to be that it is concerned that
there may be a proliferation of silent-line listings. An increase in silent-line listings would increase its
costs; and, I note, diminish the commercial value of the public directory e.g. for telemarketing
companies. There may also be some negative public reactions once these activities become known.
These are not in my view meritorious reasons for withholding notification.


A simple and informative notice could be incorporated into information given to new customers.
This would not involve a significant administrative burden. Telecom routinely provides customer
information pamphlets with its bills. A pamphlet referring to a customer's privacy rights - and the
exceptions to those rights - would be a useful practice. I understand that an overall customer
information strategy related to privacy issues is under development by Telecom. A well-presented
explanation would be likely to satisfy many customers.


The Act requires me only to grant a public interest determination where the public interest in allowing
a practice (here to waive strict compliance with the notice requirements of IPP 2) "outweighs to a
substantial degree" the public interest in adhering to the IPP. Telecom has failed to satisfy me in that
regard.


Consequently, Telecom should immediately commence to inform new customers of the existence of
the modified EWP disclosure practice, if it proposes to continue with that practice. Customers
should be informed of the bodies and organisations to which their data may be given. An
appropriate mechanism might be an information leaflet distributed to new customers.


As to existing customers, it is possibly arguable whether to date automated use of modified EWP
disclosure has been a "usual practice". As a result of this determination, it appears likely that it will
become a usual practice. Without deciding the point as to the position in the past, I would
recommend that steps be taken to notify all customers of future practice, in conformity with the spirit
of the Act. In that regard a notice given with billing information would be acceptable.


A prominent and clear notice of this practice should also be included in telephone directories.


Conclusion
The application for a limited waiver from the obligation imposed by IPP 2 is dismissed.




13.   Summary of Conclusions

(1)   Telecom is an agency governed by the Privacy Act in respect of the practices the subject of
      this application.


(2)   The modified EWP database (and each of its listings) constitute records within the meaning
      of the Privacy Act.


(3)   Information Privacy Principle 11 applies to disclosure of personal information contained in
      records produced by the modified EWP system.


(4)   Disclosure pursuant to exception (e) of IPP 11.1 may occur on an automated basis,
      provided always that the disclosure is "reasonably necessary" for the protection of the social
      interests enumerated in that exception.


(5)   Consequently, the proposed practices requiring consideration under s.72 are the proposals
      that Telecom dispense with logging (IPP 11.2) and dispense substantially with the notice of
      this practice (IPP 2).


(6)   The application seeking waiver from the requirements of IPP 11.2 and IPP 2 is dismissed.




                           LIST OF ATTACHMENTS




               A:       Application




               B:       Notice of Application




               C:       Responses to Notice




               D:       Draft Determination




Note:   These attachments are not being distributed routinely, but are held with the original
        determination and are available on request from:

                         Privacy Branch
                         Human Rights and Equal Opportunity Commission
                         GPO Box 5218
                         SYDNEY NSW 2001

                         Phone: (02) 229 7600





				