17.08.2010
The type of information protected
71.14 The Privacy Act protects ‘personal information’ which is currently defined as:
information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.[19]
71.15 In Chapter 6, the ALRC recommends that the Privacy Act should define ‘personal information’ as ‘information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual’.[20] Generally, the privacy principles in the Privacy Act only apply to personal information that is held, or collected for inclusion, in a ‘record’.[21]
71.16 As noted above, Part 13 of the Telecommunications Act regulates the use or disclosure of information or a document relating to the:
contents or substance of a communication carried, or being carried, by a carrier or carriage service provider;
carriage services supplied or intended to be supplied by a carrier or carriage service provider; or
affairs or personal particulars (including any unlisted telephone number or any address) of another person.[22]
71.17 Information or a document protected under Part 13 could relate to many forms of communications, including fixed and mobile telephone services, internet browsing, email and voice over internet telephone services. For telephone-based communications, this would include subscriber information, the telephone numbers of the parties involved, the time of the call and its duration. In relation to internet-based applications, the information protected under Part 13 would include the Internet Protocol (IP) address used for the session, and the start and finish time of each session.
71.18 Information or a document will be protected by Part 13 only if it comes to a person’s knowledge, or into the person’s possession in certain circumstances. For example, s 276 provides that information or documents protected under that section will be protected if they come to a person’s knowledge, or into the person’s possession:
if the person is a current or former carrier, carriages service provider or telecommunications contractor, in connection with the person’s business as such a carrier, provider or contractor; or
if the person is an employee of a carrier, carriage service provider, telecommunications contractor, because the person is employed by the carrier or provider in connection with its business as such a carrier, provider or contractor.
71.19 A telecommunications service provider may collect information that does not come into a person’s knowledge or possession in the circumstances specified in Part 13. For example, a carriage service provider may buy a customer list for direct marketing purposes; or collect information when offering services that are not related to its business as a carriage service provider, for example, an online music business. This information will not be regulated by Part 13. If it is personal information, however, it may be regulated under the Privacy Act.
71.20 The Australian Privacy Foundation submitted that the reference to ‘the affairs or personal particulars … of another person’ in the Telecommunications Act is too narrow and that ‘personal information’, as defined in the Privacy Act, is a more appropriate term for use in the Telecommunications Act.[23]
71.21 In the ALRC’s view, however, the Telecommunications Act protects a broader range of information than ‘personal information’ in the context of information or documents that are obtained in the circumstances outlined in Part 13. Information or a document protected under Part 13 (including information or a document relating to the contents or substance of a communication carried, or being carried) would include ‘personal information’ if the information or document was:
about an individual whose identity was apparent, or could reasonably be ascertained, from the information or document; and
held, or collected for inclusion in a record.
71.22 As noted in Chapter 6, while stand-alone telephone numbers, street addresses and IP addresses may not be ‘personal information’ for the purposes of the Privacy Act, such information may become personal information in certain circumstances. Telephone numbers relate to telephones or other communications devices, IP addresses to computers, and street addresses to houses, rather than individuals, but such information may come to be associated with a particular individual as information accretes around the number or address.
71.23 The ALRC also notes that while ‘personal affairs’ is generally considered to be a narrower concept than ‘personal information’,[24] Part 13 refers only to the ‘affairs’ of another person. It is arguable that ‘affairs’ relates to a broader category of information than ‘personal affairs’. Further, Part 13 protects the information of ‘persons’ which includes organisations as well as individuals.[25] Therefore the ‘affairs’ of another person would cover types of information other than ‘personal information’, such as business affairs.
71.24 Part 13 also protects ‘personal particulars’. Section 276 of the Telecommunications Act provides that ‘personal particulars’ includes ‘any unlisted telephone number or any address’. In the ALRC’s view, ‘personal particulars’ is potentially a broad category of information, and would cover ‘personal information’ where this information was held or collected for inclusion in a record and was about an individual whose identity was apparent, or could reasonably be ascertained.
71.25 In the interest of consistency and clarity, the ALRC sees merit in Part 13 generally referring to ‘personal information’. It is the ALRC’s view, however, that the information or documents protected under Part 13 would already include ‘personal information’. Further, the ALRC has not consulted widely on this issue and is concerned that such an amendment could have unforeseen consequences.
71.26 In Chapter 72, however, the ALRC recommends the amendment of the Telecommunications Act to provide for direct marketing to existing customers of a telecommunications service provider. In the interest of consistency with the ‘Direct Marketing’ principle, this provision refers to ‘personal information’ as defined in the Privacy Act.
71.27 The ALRC also recommends the amendment of s 289(1)(b)(i) of the Telecommunications Act to protect ‘sensitive information’ as defined in the Privacy Act. Section 289(1)(b)(i) provides that the use or disclosure by a person of information or a document is permitted if the information or document relates to the affairs or personal particulars (including any unlisted telephone number or any address) of another person, and the other person is reasonably likely to have been aware or made aware that information or a document of that kind is usually disclosed, or used, as the case requires, in the circumstances concerned. In the ALRC’s view, such an amendment is appropriate to protect ‘sensitive information’ in the context of a very broad exception.
Use and disclosure of information
71.28 NPP 2 and Part 13 of the Telecommunications Act regulate the use and disclosure of personal information. An organisation that uses or discloses personal information in a way that is authorised under the Telecommunications Act will not be in breach of NPP 2. An act or practice engaged in pursuant to any of the exceptions under Part 13 is an act or practice that is ‘authorised by or under law’ for the purposes of NPP 2 and the ‘Use and Disclosure’ principle in the model Unified Privacy Principles (UPPs).[26] This is confirmed by s 303B of the Telecommunications Act, which provides that a use or disclosure permitted under that Act is a use or disclosure that is ‘authorised by law’ for the purposes of the Privacy Act.[27]
71.29 Conversely, if a participant in the telecommunications industry engages in an act or practice that does not comply with one of the exceptions under Part 13, the act or practice would not be ‘authorised by or under law’, and may breach NPP 2 and the ‘Use and Disclosure’ principle.[28] This position is supported by s 303C of the Telecommunications Act, which provides that a prosecution for an offence relating to the use or disclosure of protected information under the Telecommunications Act does not prevent civil proceedings or administrative action being taken under the Privacy Act for the same breach.[29]
71.30 There is some uncertainty whether the exceptions under Part 13 provide the only circumstances in which it is lawful for those regulated by the Telecommunications Act to use or disclose that information. In particular, it is unclear whether the ‘required or authorised by or under law’ exception in s 280 of the Telecommunications Act allows the exceptions under NPP 2 in the Privacy Act to apply to the information protected under Part 13. This issue is discussed in detail in Chapter 72.
Other aspects of information handling
71.31 The Privacy Act, and in particular the NPPs, continue to regulate many aspects of the handling of personal information by telecommunications service providers. For example, a telecommunications provider only can collect personal information that is necessary for one or more of its functions or activities, such as to enable the provision of telecommunication services to a customer and to facilitate the billing for those services.[30] In addition, a telecommunications provider must take reasonable steps to ensure that an individual is aware of certain matters at or around the time of collection, such as the types of organisations to which the provider usually discloses the information.[31]
[19]Privacy Act 1988 (Cth) s 6(1).
[20] Rec 6–1.
[21] The IPPs expressly refer to collection of personal information by agencies for inclusion in a ‘record’, storage and security of ‘records’, access to ‘records’ and so on. Section 16B provides that the Act applies to the collection of personal information by an organisation only if the information is collected for inclusion in a record or is held by the organisation in a record. The privacy principles also apply to the collection of information for inclusion in a ‘generally available publication’. The definition of ‘generally available publication’ is discussed in Ch 6.
[22]Telecommunications Act 1997 (Cth) ss 276–278.
[23]Australian Privacy Foundation, Submission PR 553, 2 January 2008.
[24] See discussion in Ch 15.
[25]Telecommunications Act 1997 (Cth) s 7.
[26] See Ch 22.
[27]Telecommunications Act 1997 (Cth) s 303B.
[28] An act or practice that is prohibited under the Telecommunications Act may appear to be permitted under one of the other exceptions to NPP 2. This does not permit the act or practice, however, as Part 13 still applies to the use or disclosure of that information.
[29]Telecommunications Act 1997 (Cth) s 303C.
[30]Privacy Act 1988 (Cth) sch 3, NPP 1.1.
[31] Ibid sch 3, NPPs 1.3, 1.5.