72.12 Sections 279 and 296 of the Telecommunications Act provide that the primary and secondary use and disclosure of information is permitted if the use or disclosure is made in the performance of that person’s duties as an employee or contractor. It has been noted that the exception is necessary for ‘the myriad of day-to-day communications between employees about connecting, disconnecting and billing customers’.
72.13 AAPT noted that the exception seems to imply that as long as someone is an employee of a supplier, and is embarking on duties associated with that employment, then they can use and disclose personal information in any way they see fit.
We are confident that this is not the intended reading of this section, and it is entirely at odds with the Privacy Act 1988 and its requirements when it comes to the use and disclosure of personal information.
The Act also leaves itself open to interpretation about what we consider are key privacy consumer protection mechanisms. This includes not allowing Sales and Marketing people to use the detail of a call to attempt to market to these customers based on these details.
72.14 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC asked whether the exception is too broadly drafted; is resulting in the inappropriate use or disclosure of personal information; and, if so, how the exception should be confined.
72.15 The ALRC outlined two options to confine the exception. The first option was to amend the exception so that it referred to certain duties of an employee or contractor, including connecting and disconnecting telecommunications services and billing. The second option was to bring the exception more closely into line with the ‘Use and Disclosure’ principle in the model Unified Privacy Principles (UPPs), under which an agency or organisation may use or disclose personal information for a purpose (the secondary purpose) other than the primary purpose of collection if both of the following apply, the:
secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection; and
individual would reasonably expect the agency or organisation to use or disclose the information for the secondary purpose.
Submissions and consultations
72.16 The Department of Broadband, Communications and the Digital Economy (DBCDE) submitted that the ALRC should examine whether the exception is resulting in the inappropriate use and disclosure of personal information before recommending that the exception be confined. Some stakeholders submitted that they were unaware of any situations where the exception has resulted in the inappropriate use or disclosure of information.
72.17 Other stakeholders submitted that the exception is too broadly drafted and should be confined. Some submitted that the exception should specify certain duties of an employee or contractor, including connecting and disconnecting telecommunications services or billing, where ‘billing’ means billing of the carriage service provider’s own customers. Optus and Telstra submitted, however, that it would be impossible to define all the different functions that cover the provision of a carriage service, and that these functions will change over time as products and technologies change.
72.18 The Office of the Privacy Commissioner (OPC) submitted that the exception should be aligned with the ‘Use and Disclosure’ principle in the model UPPs. One stakeholder submitted, however, that this would not be appropriate in the telecommunications context. She noted that telecommunications service providers do not always ‘collect’ personal information—for example, some information is automatically generated in the originating carrier’s network—and so there will not always be a primary or secondary purpose of collection. She also argued that most individuals would have little knowledge about how telecommunications networks operate so would not know what would be the primary purpose of collection.
72.19 It was also submitted that the exception should be amended to prohibit the disclosure of unlisted number information from the IPND or anywhere else, if the exception is interpreted to allow this; and to specify that the exception only applies ‘where it is reasonably necessary for the employee to disclose or use the information or document in order to perform those duties effectively’.
72.20 Other stakeholders strongly opposed any proposal to confine the exception. For example, AAPT submitted that the exception should not be confined, given the range of tasks that are required to deliver a telecommunications service. Telstra submitted that it interprets the exception so it cannot result in an employee using information for a purpose which may be within the scope of his or her employment but is otherwise unlawful.
Accordingly, in relation to personal information, any use or disclosure by an employee of such information has to comply with the NPPs. There are also other statutory and common law constraints on Telstra (eg confidentiality) which would limit the ability of employees to deal with information … It is therefore unnecessary to further confine the exception. 
72.21 The ALRC does not make any recommendation to confine the scope of the exception under ss 279 and 296 of the Telecommunications Act. Stakeholders did not provide any evidence that the exception was resulting in the inappropriate use or disclosure of personal information.
72.22 The ALRC considered confining the scope of the exception to certain duties of an employee or contractor. In the ALRC’s view, however, this option would be unworkable in a complex and changing telecommunications environment.
72.23 The ALRC also considered aligning the exception with the recommended ‘Use and Disclosure’ principle. The ALRC was concerned, however, that confining the scope of the exception in this way could have unforeseen consequences and prevent the provision of telecommunications services. Further, information protected under Part 13 will not always be ‘collected’. The proposal would therefore result in the exception relating to only some of the information currently protected under Part 13.
72.24 The ALRC also considered whether the exception should be amended to require that a use or disclosure is ‘reasonably necessary’ in order for an employee to perform their duties effectively. In the ALRC’s view, this is already an implied requirement of the exception.
72.25 The ALRC notes that one stakeholder raised the issue of whether the exception permitted the use and disclosure of unlisted numbers held on the IPND or otherwise. The ALRC did not receive any information that this exception was resulting in the inappropriate disclosure of this information. In the ALRC’s view, the use and disclosure of unlisted numbers should be considered in the review of telecommunications legislation recommended in Chapter 71. The use and disclosure of unlisted numbers and other information contained in the IPND is discussed below.
72.26 In Chapter 73, the ALRC recommends that ACMA, in consultation with relevant stakeholders, should develop and publish guidance on telecommunications privacy, including on the exceptions in Part 13. This guidance should provide examples of when a use or disclosure is made in the performance of a person’s duties as an employee of a telecommunications service provider.
 An employee of a carrier, carriage service provider, telecommunications contractor, number-database operator, number-database contractor, a person who operates an emergency call service or an emergency call contractor: Telecommunications Act 1997 (Cth) s 279(1), (3), (5).
 A telecommunications contractor, number-database contractor or an emergency call contractor: Ibid s 279(2), (4), (6).
Explanatory Memorandum, Telecommunications Bill 1996 (Cth), vol 2, 6. An eligible person or an eligible number-database person is not required to report to ACMA the number of disclosures they make under ss 279 and 296: Telecommunications Act 1997 (Cth) s 306(1).
 AAPT Ltd, Submission PR 87, 15 January 2007.
 Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Question 63–1.
 See Ch 25.
Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007.
Australian Communications and Media Authority, Submission PR 522, 21 December 2007; AAPT Ltd, Submission PR 338, 7 November 2007.
Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; I Graham, Submission PR 427, 9 December 2007.
I Graham, Submission PR 427, 9 December 2007. See also Australian Privacy Foundation, Submission PR 553, 2 January 2008.
Optus, Submission PR 532, 21 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007.
Office of the Privacy Commissioner, Submission PR 499, 20 December 2007. The DBCDE also supported this option, but noted that there may be issues with what was the ‘primary purpose of the collection’ in the telecommunications context: Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007.
I Graham, Submission PR 427, 9 December 2007.
Ibid. See also Australian Privacy Foundation, Submission PR 553, 2 January 2008. Telecommunications (Interception and Access) Act 1979 (Cth) s 7 provides a similar exception.
AAPT Ltd, Submission PR 338, 7 November 2007. See also Optus, Submission PR 532, 21 December 2007.
Telstra Corporation Limited, Submission PR 459, 11 December 2007.
 Rec 71–2. The ALRC notes that this issue was addressed in Australian Communications Authority, Who’s Got Your Number? Regulating the Use of Telecommunications Customer Information, Discussion Paper (2004). In the ALRC’s view, however, the Telecommunications Act remains unclear about when unlisted numbers may be disclosed.
 Rec 73–9.