Integrated public number database

72.166 Currently, Telstra’s carrier licence requires it to provide and maintain an IPND.[151] The IPND, which was established in 1998, is a database of all listed and unlisted telephone numbers and associated customer data—namely, the name and address of the customer, the customer’s service location, the name of the carriage service provider, and whether the telephone is to be used for government, business, charitable or private purposes.[152]

72.167 Telstra reported that the IPND contained 45,999,620 connected records at 30 June 2006, an increase of 2,413,787 records (or 9.5%) over the previous 12 month period. At 30 June 2006, 31 carriers and carriage service providers were listed as data providers to the IPND, compared with 24 in the previous 12 month period.[153]

Regulation of the IPND

72.168 Section 472(1) of the Telecommunications Act allows the Minister (currently the Minister for Broadband, Communications and the Digital Economy)[154] to determine that a person other than Telstra should provide and maintain an IPND. Any such determination has no effect while Telstra’s carrier licence requires it to provide and maintain an IPND.[155] To date, no such determination has been made.

72.169 The Telecommunications Act requires carriage service providers to provide Telstra with as much information as is reasonably required to provide and maintain the IPND.[156] Accordingly, disclosure of telecommunications information for inclusion in the IPND is not an offence under Part 13 of the Act because it is ‘required or authorised by or under law’.[157]

72.170 The use and disclosure of information in the IPND is subject to Part 13 of the Telecommunications Act.[158] Section 285 of the Act allows use or disclosure of IPND information about the affairs or personal particulars of a person for purposes connected with the: provision of directory assistance services by or on behalf of a carriage service provider; publication or maintenance of a directory of public numbers; or the making of a call to an emergency service number.

72.171 Where the Privacy Act applies to a person who discloses or uses IPND information, the disclosure or use of such information will not breach the Privacy Act so long as the disclosure or use occurs in accordance with Part 13 of the Telecommunications Act. That is, the disclosure or use will be authorised by law for the purposes of the Privacy Act.[159]

72.172 Telstra’s carrier licence also limits the purposes for which information in the IPND can be used and disclosed.[160] It can be disclosed only to a carriage service provider to enable the provider to: provide directory assistance, operator assistance or operator services; produce a public number directory; provide location dependent carriage services; or assist emergency call services and enforcement agencies.[161]

72.173 In November 2003, the ACA announced its intention to develop an industry standard to articulate clearly the use that may be made of information provided by customers to telecommunications providers. It stated that an industry standard was required because investigations had revealed that information in the IPND was being used for purposes other than those envisaged by Part 13 of the Telecommunications Act. These purposes included ‘database enhancement’, ‘data cleansing’, ‘data verification’, and ‘list management’.[162]

72.174 In March 2004, the ACA released a discussion paper on regulating the use of IPND data.[163] In May 2005, it released a draft industry standard on the use of IPND data (IPND Draft Standard).[164] Had the IPND Draft Standard been implemented, it would have regulated further the use of IPND data; ensured that customers were aware of the purposes of the collection of IPND data and the purposes for which the information may be disclosed; and enabled customers to choose whether to include their data in a public number directory.

72.175 In December 2006, however, the Australian Parliament passed the Telecommunications Amendment (Integrated Public Number Database) Act 2006 (Cth)(IPND Act). The IPND Act introduced a definition of ‘public number directory’ into the Telecommunications Act in order to prevent IPND data being used directly for unauthorised purposes, such as the development of reverse search directories, and the production of databases which are used for purposes such as marketing, data cleansing, debt collection, identity verification and credit checking.[165]

72.176 The IPND Act also introduced a new exception to the offence provisions under the Telecommunications Act that allows IPND information to be disclosed for specified research purposes that are in the public interest. ACMA has promulgated a Telecommunications (Integrated Public Number Database—Permitted Research Purposes) Instrument 2007 (No 1) that sets out the kinds of research that will be considered to be in the public interest. The public interest research exception is discussed further below.

72.177 Under former arrangements, Telstra, as the IPND Manager, was responsible for deciding applications for access to the IPND for all users. The IPND Act amended the Telecommunications Act to provide that IPND data users are required to apply to ACMA for an authorisation to access the IPND. Telstra is permitted to disclose IPND data only to persons holding such an authorisation.

72.178 The IPND Act also requires ACMA to establish a scheme for granting authorisations permitting persons to use and disclose IPND information.[166] The Act requires ACMA to consult with the Privacy Commissioner and Attorney-General’s Department on development of the scheme.[167] Criminal sanctions apply for unauthorised secondary disclosure and use of IPND data by public number directory publishers, and for breaches of the conditions of authorisation issued under the IPND scheme.[168] ACMA has established an IPND Scheme under the Telecommunications Integrated Public Number Database Scheme 2007 and a number of other instruments.[169]

72.179 Information held on the IPND also is regulated under the Integrated Public Number Database Industry Code of Practice. Communications Alliance developed this code to reflect better the arrangements outlined in legislation and subordinate instruments, including the IPND Scheme.[170]

Should the IPND be regulated under the Privacy Act?

72.180 In DP 72, the ALRC considered whether the IPND should be regulated under the Privacy Act rather than the Telecommunications Act. The ALRC expressed the preliminary view that the current legislative regime relating to the IPND under the Telecommunications Act provides adequate protection of information held under the IPND.[171]

Submissions and consultations

72.181 DCITA submitted that, if only the NPPs were relied upon to govern use and disclosure of IPND information, this would prevent the use and disclosure of IPND information for purposes that are currently permitted under the Telecommunications Act. These purposes, it argued, continue to be important for the effective operation of the telecommunications industry, and for public safety.[172]

72.182 DCITA also noted that NPP 2 provides that personal information can be used or disclosed for the secondary purpose of direct marketing if certain criteria are met. It submitted that currently IPND information is not permitted to be used for direct marketing purposes and that this prohibition should remain.[173]

72.183 Optus submitted, however, that telecommunications privacy regulation should be moved to the Privacy Act, including provisions regulating the IPND. In Optus’s view, the additional use and disclosure of IPND information could be accommodated in the Privacy Act. It stated that provisions regarding the IPND Manager and requiring carriage service providers to provide data to the IPND should be retained in the Telecommunications Act.

72.184 Optus strongly disagreed with DCITA’s view that IPND information should not be available for direct marketing purposes. Optus submitted that the current provisions of the Telecommunications Act and the Privacy Act permit non-IPND directory producers such as Telstra to direct market to the listed customers of all other telecommunications providers. Optus argued that this provides Telstra with a significant competitive advantage. It submitted that restrictions regarding the use or disclosure of telephone directory information should be removed.[174]

ALRC’s view

72.185 The privacy aspects of the IPND should continue to be regulated under Part 13 of the Telecommunications Act. The IPND is an up-to-date, comprehensive database containing the details of all listed and unlisted telecommunications subscribers. The special nature of the IPND means that a high standard of protection should apply.

72.186 Further, personal information held on the IPND is required to be collected by law, but disclosed and used for purposes not always related to the purpose for which the information was collected. The Australian community is entitled to expect a high level of control over access to that information, and the purposes for which it may be accessed, used and disclosed. The current legislative regime relating to the IPND under the Telecommunications Act is appropriate for the protection of information held under the IPND.

Clarifying the provisions that regulate the IPND

72.187 It is unclear to what extent provisions other than s 285 of the Telecommunications Act regulate the use or disclosure of information held on the IPND. For example, it is not clear whether all the exceptions under Part 13 apply to IPND information, and how those exceptions interact with Telstra’s licence conditions and the Telecommunications (Interception and Access) Act.

72.188 Section 285 is the only provision in Part 13 that refers to the IPND. The DBCDE submitted, however, that s 285 is not the only section in Part 13 that permits access to IPND information.[175] The ALRC has given consideration to the scope of all the exceptions under Part 13 and how they affect the protection of information held in the IPND. None of its recommendations to amend the exemptions under Part 13 would lower the level of protection currently afforded to IPND information.

72.189 It is not clear whether all of the exceptions under Part 13 should apply to the use and disclosure of information contained in the IPND. In particular, the ALRC is concerned that s 289(1)(b)(i) would allow the use and disclosure of IPND information for a broad range of purposes. This should be the subject of further consideration by the Australian Government.

72.190 How the exceptions under Part 13 interact with Telstra’s carrier licence also is unclear. Telstra’s carrier licence provides that it must establish and maintain the IPND to provide information for a range of purposes, including purposes connected with ‘providing location dependent carriage services’.[176] It is unclear whether this condition is consistent with Part 13. The exception under s 291 permits the disclosure of information or a document that relates to the location of a mobile telephone handset or other mobile communications device if a person consents to that disclosure. None of the exceptions under Part 13, however, state that information held on the IPND can be disclosed for this purpose.

72.191 Two stakeholders submitted that s 285 should be amended to clarify that IPND information may be used for the provision of location-dependent carriage services.[177] Another stakeholder was strongly opposed to any proposal to permit additional uses or disclosures of information for such purposes.[178]The Australian Government is currently considering this issue.[179]

72.192 As noted above, the Telecommunications (Interception and Access) Amendment Act deleted the law enforcement and protection of public revenue provisions from Part 13 of the Telecommunications Act and introduced a new Chapter 4 into the Telecommunications (Interception and Access) Act. Chapter 4 regulates the use and disclosure of ‘telecommunications data’ for the purpose of assisting the Australian Security Intelligence Organisation (ASIO) and other law enforcement and intelligence agencies. The Act does not set out a definition of ‘telecommunications data’. It is unclear therefore whether these provisions regulate the use and disclosure of information held on the IPND.

72.193 Part 13 should be amended to clarify when a use or disclosure of information or a document held on the IPND is permitted. This amendment should set out which provisions under Part 13 regulate the use and disclosure of IPND information, and how they interact with Telstra’s licence conditions and the Telecommunications (Interception and Access) Act.

Recommendation 72-11 The Telecommunications Act 1997 (Cth) should be amended to clarify when a use or disclosure of information or a document held on the integrated public number database is permitted.

Enforcement agency

72.194 The Carrier Licence Conditions (Telstra Corporation Limited) Declaration 1997 (Cth) provides that Telstra must establish and maintain an IPND[180] to provide information for purposes connected with a number of activities, including ‘assisting enforcement agencies’.[181] The Declaration provides that the definition of ‘enforcement agency’ has the same meaning given by s 282 of the Telecommunications Act.[182]

72.195 Section 282 was recently repealed by the Telecommunications (Interception and Access) Amendment Act 2007.[183] The section defined ‘enforcement agency’ as a:

  • criminal law enforcement agency (including the Australian Federal Police; a police force or service of a state or a territory; the Australian Commission for Law Enforcement Integrity; the Australian Crime Commission; the NSW Crime Commission; the Independent Commission Against Corruption of NSW; the Crime and Misconduct Commission of Queensland; and a prescribed authority established by or under a law of the Commonwealth, a state or territory);

  • civil penalty enforcement agency (an agency responsible for administering a law imposing a pecuniary penalty); or

  • public revenue agency (an agency responsible for the administration of a law relating to the protection of the public revenue, including the Australian Taxation Office).

72.196 Section 282 was replaced by Chapter 4 of the Telecommunications (Interception and Access) Act. The Telecommunications (Interception and Access) Act regulates interception and access by ASIO and enforcement agencies. ‘Enforcement agency’ is defined in the Telecommunications (Interception and Access) Act in almost identical terms to s 282 of the Telecommunications Act. The only difference is that the definition in the Telecommunications (Interception and Access) Act includes a number of agencies in state anti-corruption agencies that were not established at the time that s 282 was first enacted.

72.197 All the agencies included in the definition of ‘enforcement agency’ under the Telecommunications (Interception and Access) Act should be permitted to access information held on the IPND. Each of these agencies is subject to oversight by the Inspector-General of Intelligence and Security, the Commonwealth Ombudsman or state and territory equivalents. Such an amendment would ensure consistency between the Carrier Licence Conditions (Telstra Corporation Limited) Declaration and the Telecommunications (Interception and Access) Act. The ALRC therefore recommends that the Carrier Licence Conditions (Telstra Corporation Limited) Declaration should be amended to provide that ‘enforcement agency’ has the same meaning as that provided for in the Telecommunications (Interception and Access) Act.

Recommendation 72-12 Clause 3 of the Carrier Licence Conditions (Telstra Corporation Limited) Declaration 1997 (Cth) should be amended to provide that ‘enforcement agency’ has the same meaning as that provided for in the Telecommunications (Interception and Access) Act 1979 (Cth).

Emergency service numbers

72.198 Section 285 currently restricts the permitted use and disclosure of IPND information for the purpose of emergency call services to listed numbers. Optus submitted that s 285 should be revised to clarify that both unlisted and listed numbers can be used and disclosed for matters raised by a call to an emergency service number.[184]

72.199 Most individuals would reasonably expect the disclosure of an unlisted number in an emergency call situation. The ALRC recommends therefore that, in the interest of the health and safety of individuals, the Telecommunications Act should permit the disclosure of an unlisted number contained in the IPND if the disclosure is made to another person for purposes connected with dealing with the matter or matters raised by a call to an emergency service number.

Recommendation 72-13 Section 285 of the Telecommunications Act 1997 (Cth) should be amended to provide that a disclosure of an unlisted number is permitted if the disclosure is made to another person for purposes connected with dealing with the matter or matters raised by a call to an emergency service number.

Research exception

72.200 Sections 285(1A)(c)(iv) and 285(1A)(d) of the Telecommunications Act provide an exception to the prohibition on use and disclosure of information contained in the IPND. If the disclosure is made to another person for purposes connected with the conduct of research of a kind specified in an instrument under s 285(3), and the other person has been authorised by ACMA to use and disclose the information, such access is permitted. Section 285(3) provides that the Minister may, by legislative instrument, specify the types of research that are in the public interest.

72.201 On 4 May 2007, the Minister for Communications, Information Technology, and the Arts issued the Telecommunications (Integrated Public Number Database—Permitted Research Purposes) Instrument 2007 (No 1) (Cth). The Instrument provides that permitted research for the purposes of s 285(1A)(c)(iv) includes:

  • research, or the compilation or analysis of statistics, relevant to public health, including epidemiological research, where the research is not conducted primarily for a commercial purpose;

  • research regarding an electoral matter conducted by a registered political party, a political representative, a candidate in an election for a parliament or a local government authority or a person on behalf of such a party, representative or candidate, where the research is not conducted primarily for a commercial purpose; and

  • research conducted by or on behalf of the Commonwealth, a Commonwealth authority or a prescribed agency which will contribute to the development of public policy, where the research is not conducted for a primarily commercial purpose.[185]

72.202 The OPC submitted that the research exception may be interpreted too broadly. The OPC suggested that particular terms should be defined in the Act itself. Such terms include: what constitutes research in the public interest; and, in terms of medical research, what would be considered ‘non-commercial use’.[186]

72.203 A key concept in each of these categories is that the research ‘is not conducted for a primarily commercial purpose’. This is in contrast to the National Health and Medical Research Council guidelines made under ss 95 and 95A of the Privacy Act.[187] These guidelines provide that where research may breach the IPPs or NPPs, the research must be approved by a Human Research Ethics Committee (HREC). Before approving a particular research proposal under the guidelines, an HREC is required to consider whether the public interest in the research substantially outweighs the public interest in the protection of privacy.[188]

72.204 In DP 72, the ALRC proposed that the test under the ss 95 and 95A guidelines be amended to provide that, before approving an activity, an HREC must be satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the proposed UPPs. The ALRC also expressed the preliminary view that this was the appropriate test in relation to the use and disclosure of information contained in the IPND for the purpose of research in the public interest.

72.205 The ALRC therefore proposed that the Australian Government should amend the Telecommunications (Integrated Public Number Database—Permitted Research Purposes) Instrument to provide that the test of research in the public interest is met when the public interest in the relevant research outweighs the public interest in maintaining the level of protection provided by the Telecommunications Act to the information in the IPND.[189]

Submissions and consultations

72.206 The DBCDE submitted that it would not be appropriate to amend the Telecommunications (Integrated Public Number Database-Permitted Research Purposes) Instrument, as the Minister is required to decide whether the research is in the public interest.[190]

72.207 Other stakeholders provided qualified support for the proposal. The OPC supported the ALRC’s proposal but submitted that, given that individuals have no choice as to whether their personal information is included in the IPND, any research proposal that lessens privacy should demonstrate that the public interest in the research proposal ‘substantially’ outweighs the public interest in maintaining the level of protection afforded in the IPND.[191]

72.208 The Australian Privacy Foundation supported the proposal, provided an appropriate ethics committee is either identified or established to make independent assessments of the balance of interests. The Foundation also noted that the ALRC does not address the weakness of the definition of research in the IPND scheme, which includes such activities as political canvassing which, it argued, should not be able to take advantage of the exception.[192]

ALRC’s view

72.209 The Australian Government should amend s 285(3) of the Telecommunications Act to provide that before the Minister specifies types of research for the purpose of the use or disclosure of information or a document contained in the IPND, the Minister must be satisfied that the public interest in the relevant research outweighs the public interest in maintaining the level of protection provided by the Telecommunications Act to the information in the IPND.[193]

72.210 The appropriate test is whether the public interest in the relevant research outweighs the public interest in maintaining the protection of the personal information held on the IPND. Consideration of whether a research project is for a commercial purpose is not the appropriate test. It will not always be clear when research primarily is conducted for a commercial purpose. Further, research that is clearly in the public interest may also have a commercial purpose.

72.211 The ALRC notes that all research conducted pursuant to the recommended research exception under the Privacy Act must be reviewed by an HREC which must apply the public interest test. The ALRC does not recommend the establishment of an ethics committee to make independent assessments of the balance of interests, however, the DBCDE may want to consider this mechanism when next reviewing the Telecommunications (Integrated Public Number Database-Permitted Research Purposes) Instrument.

72.212 The ALRC is concerned about the use of IPND information for research regarding an electoral matter conducted by a registered political party, a political representative, a candidate in an election for a parliament or a local government authority. Those who exercise or seek power in government should adhere to the principles and practices that are required of the wider community.[194]

72.213 The ALRC is particularly concerned that this provision would allow the use of IPND information for a range of activities, including political canvassing. The DBCDE should monitor the use of IPND information for research regarding electoral matters, and should consider whether IPND information should continue to be used for this purpose when next reviewing the Telecommunications (Integrated Public Number Database-Permitted Research Purposes) Instrument.

Recommendation 72-14 The Australian Government should amend s 285(3) of the Telecommunications Act 1997 (Cth) to provide that before the Minister specifies a kind of research for the purpose of the use or disclosure of information or a document contained in the Integrated Public Number Database, the Minister must be satisfied that the public interest in the relevant research outweighs the public interest in maintaining the level of protection provided by the Telecommunications Act to the information in the Integrated Public Number Database.

Notifying the Privacy Commissioner of a breach

72.214 The Telecommunications (Integrated Public Number Database Scheme—Conditions for Authorisations) Determination 2007 (No 1) sets out the conditions upon which ACMA may grant authorisations for access to information contained in the IPND under the IPND scheme.

72.215 Clause 6 of the Determination provides that an authorisation under the IPND scheme is subject to a condition requiring the holder of the authorisation, as soon as practicable after the holder becomes aware of a substantive or systemic breach of security that could reasonably be regarded as having an adverse impact on the integrity and confidentiality of the protected information, to notify ACMA and the IPND Manager, and to take reasonable steps to minimise the effects of the breach. This obligation is reflected in the Integrated Public Number Database Industry Code of Practice—a code developed by Communications Alliance and registered with ACMA.[195]

72.216 In DP 72, the ALRC proposed that the Telecommunications (Integrated Public Number Database Scheme—Conditions for Authorisations) Determination should be amended to provide that an authorisation under the IPND scheme is subject to a condition requiring the holder of the authorisation to notify the OPC, as soon as practicable after becoming aware:

  • of a substantive or systemic breach of security that reasonably could be regarded as having an adverse impact on the integrity and confidentiality of the protected information; and

  • that a person to whom the holder has disclosed protected information has contravened any legal restrictions governing the person’s ability to use or disclose protected information.[196]

Submissions and consultations

72.217 A number of stakeholders supported the proposal.[197] For example, the DBCDE expressed support for the proposal on the basis that a substantive or systemic breach of security that impacts on the integrity and confidentiality of personal information could potentially be a breach of the Privacy Act as well as the Telecommunications Act.[198] Optus did not support the proposal because the Integrated Public Number Database Industry Code of Practice already contains procedures to be followed by an IPND data user.[199]

ALRC’s view

72.218 The holder of an authorisation should be required to notify the OPC as soon as practicable after the holder becomes aware of a substantive or systemic breach of security that reasonably could be regarded as having an adverse impact on the integrity and confidentiality of the protected information. It is important that the OPC be given an opportunity to investigate whether a breach of security has also resulted in an interference with an individual’s privacy. This requirement is consistent with the ALRC’s recommendation relating to data breach notification.[200]

72.219 The Telecommunications (Integrated Public Number Database Scheme—Conditions for Authorisations) Determination andthe Integrated Public Number Database Industry Code of Practice require the user of IPND information to inform the IPND Manager of a breach. In the ALRC’s view, because the holder of an authorisation may use personal information held on the IPND for purposes that are not related to the purpose of collection, it is appropriate that they are under an additional obligation to notify the OPC of a suspected breach of security or contravention of a legal restriction.

Recommendation 72-15 The Telecommunications (Integrated Public Number Database Scheme—Conditions for Authorisations) Determination 2007 (No 1) should be amended to provide that an authorisation under the integrated public number database scheme is subject to a condition requiring the holder of the authorisation to notify the Privacy Commissioner, as soon as practicable after becoming aware:

(a) of a substantive or systemic breach of security that reasonably could be regarded as having an adverse impact on the integrity and confidentiality of protected information; and

(b) that a person to whom the holder has disclosed protected information has contravened any legal restrictions governing the person’s ability to use or disclose protected information.

[151]Carrier Licence Conditions (Telstra Corporation Limited) Declaration 1997.

[152] Ibid, cl 10(4).

[153]Australian Communications and Media Authority, ACMA Communications Report 2005–06 (2006), 147. At 30 June 2005, 24 carriage service providers provided data to the IPND and the IPND contained approximately 43.6 million records: Australian Communications and Media Authority, Telecommunications Performance Report 2004–05 (2005), 184.

[154] Commonwealth of Australia, Administrative Arrangements Order, 25 January 2008, sch, pt 3.

[155]Telecommunications Act 1997 (Cth) s 472(5).

[156] Ibid s 101, sch 2, pt 4.

[157] Ibid s 280.

[158]Carrier Licence Conditions (Telstra Corporation Limited) Declaration 1997, cl 10(9)(b).

[159]Telecommunications Act 1997 (Cth) s 303B.

[160]Carrier Licence Conditions (Telstra Corporation Limited) Declaration 1997, cl 10(7).

[161] Ibid, cl 10(1).

[162] Australian Communications Authority, Who’s Got Your Number? Regulating the Use of Telecommunications Customer Information, Discussion Paper (2004), 11.

[163] Ibid.

[164] Australian Communications Authority, Draft Telecommunications (Use of Integrated Public Number Database) Standard (2005).

[165]Telecommunications Act 1997 (Cth) s 285(2).

[166]Ibid s 295A.

[167]Ibid s 295M.

[168] Ibid pt 13 div 3A.

[169] Including the Telecommunications (Integrated Public Number Database—Permitted Research Purposes) Instrument 2007 (No 1) and the Telecommunications (Integrated Public Number Database Scheme—Conditions for Authorisations) Determination 2007 (No 1). These instruments are discussed further below.

[170] Australian Communications Industry Forum, Industry Code—Integrated Public Number Database (IPND) Industry Code, ACIF C555 (2008), [10.7].

[171] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [63.112]–[63.116].

[172] Australian Government Department of Communications‚ Information Technology and the Arts, Submission PR 264, 22 March 2007.

[173] Ibid.

[174]Optus, Submission PR 532, 21 December 2007.

[175]Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007.

[176]Carrier Licence Conditions (Telstra Corporation Limited) Declaration 1997 cl 10(1)(d).

[177]Optus, Submission PR 532, 21 December 2007; Communications Alliance Ltd, Submission PR 439, 10 December 2007.

[178]I Graham, Submission PR 427, 9 December 2007.

[179] Australian Government Department of Communications, Information Technology and the Arts, Use of IPND Information to Provide Location Dependent Carriage Services—Discussion Paper (2007).

[180] The integrated public number database is discussed in Ch 72.

[181]Carrier Licence Conditions (Telstra Corporation Limited) Declaration 1997 (Cth) cl 10.

[182]Ibid cl 3.

[183] The section provided that the use or disclosure by a person of information is not prohibited if the use or disclosure is reasonably necessary for certain law enforcement purposes, including the enforcement of the criminal law, the enforcement of a law imposing a pecuniary penalty or the protection of public revenue: Telecommunications Act 1997 (Cth) s 282(1), (2).

[184]Optus, Submission PR 532, 21 December 2007.

[185] Telecommunications (Integrated Public Number Database—Permitted Research Purposes) Instrument 2007 (No 1) (Cth). A ‘prescribed FMA agency’ is a body, organisation or group mentioned in the Financial Management and Accountability Regulations 1997 (Cth) sch 1.

[186] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[187] National Health and Medical Research Council, Guidelines under Section 95 of the Privacy Act 1988 (2000); National Health and Medical Research Council, Guidelines Approved under Section 95A of the Privacy Act 1988 (2001).

[188] National Health and Medical Research Council, Guidelines under Section 95 of the Privacy Act 1988 (2000), guideline 3.2; National Health and Medical Research Council, Guidelines Approved under Section 95A of the Privacy Act 1988 (2001), guideline D.4.

[189] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 63–7.

[190]Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007.

[191]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[192]Australian Privacy Foundation, Submission PR 553, 2 January 2008. See also I Graham, Submission PR 427, 9 December 2007.

[193] The public interest test is discussed in detail in Ch 65.

[194] See Ch 41.

[195] Australian Communications Industry Forum, Industry Code—Integrated Public Number Database (IPND) Industry Code, ACIF C555 (2008), [10.7].

[196]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 63–8.

[197] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; I Graham, Submission PR 427, 9 December 2007.

[198]Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007.

[199] Optus, Submission PR 532, 21 December 2007.

[200] In Ch 51, the ALRC recommends that the Privacy Act should be amended to include a new Part on data breach notification, which will provide that an agency or organisation is required to notify the Privacy Commissioner and affected individuals when specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person and the agency, organisation or Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual.