17.08.2010
72.70 Sections 287 and 300 of the Telecommunications Act provide that a primary or secondary use or disclosure of information is permitted if the information or document relates to the affairs or personal particulars (including any unlisted telephone number or any address) of another person, and the first person believes on reasonable grounds that the use or disclosure is reasonably necessary to prevent or lessen a serious and imminent threat to the life or health of a person. Unlike NPP 2, the provisions do not permit use or disclosure where it is necessary to lessen or prevent a serious threat to ‘public health or public safety’. ACMA has reported that 3,980 disclosures were made under this exception in 2006–07,[61] compared to 4,085 disclosures in 2005–06.[62]
72.71 The guidance notes to the deregistered Australian Communications Industry Forum (ACIF) Industry Code—Protection of Personal Information of Customers of Telecommunications Providers stated that this provision is aimed at emergency situations.
A threat to life or health would be interpreted to include threats to safety—bush fires, industrial accidents etc. Health would include mental as well as physical health, although appeals to the threat of stress or anxiety would not generally be sufficient. The rules require the threat is serious and imminent.[63]
72.72 In DP 72, the ALRC proposed that ss 287 and 300 of the Telecommunications Act should be amended to provide that a use or disclosure by a person of information or a document is permitted if the information or document relates to the affairs or personal particulars (including any unlisted telephone number or any address) of another person; and the person reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to: a person’s life, health or safety; or public health or public safety.[64]
Submissions and consultations
72.73 A number of stakeholders supported the proposal.[65] The Australian Privacy Foundation submitted that it supported the proposal provided that the provision retains the ‘imminent’ qualifier. The Foundation submitted that, without this qualifier, the part of the exception relating to ‘public health or safety’ could be abused too readily.[66]
72.74 The DBCDE supported the proposal. The Department noted, however, that the proposal to extend the exception to ‘public health and safety’ could raise issues in relation to the use and disclosure of IPND information for the dissemination of mass outbound warning messages to the population, including on a commercial basis. The DBCDE noted that it had been working closely with Emergency Management Australia to determine if there is a case for a national telephone-based warning system and examining the feasibility of access to the IPND for this purpose. The Department also noted that the proposal did not limit the kinds of organisations to whom the IPND Manager could disclose information. It submitted that the proposal could increase the range of organisations outside the telecommunications industry accessing IPND information.[67]
72.75 A number of stakeholders did not support the proposal. The OPC submitted that the proposal diminishes privacy protection.[68] The OPC also noted that there are a number of exceptions in Part 13 which facilitate the use and disclosure of personal information in an emergency where the threat may be serious but not imminent, for example, s 289.[69]
ALRC’s view
72.76 In Chapter 25, the ALRC considers a similar exception under the ‘Use and Disclosure’ principle. In that chapter the ALRC expresses the view that the requirement that a threat be ‘imminent’ as well as ‘serious’ is inappropriate. In the ALRC’s view, any analysis of whether a threat is ‘serious’ must involve consideration of the gravity of the potential outcome as well as the relative likelihood. The ALRC therefore recommends amending the exception to provide that it applies where the relevant threat is serious, but not necessarily imminent.
72.77 Similar wording should be used in the exception under Part 13. This would allow telecommunications service providers to take preventative action to stop a threat from developing to a point where the danger, which one is seeking to avoid, is likely to eventuate. At this point it is often too late to take meaningful preventative action. Further, this formulation strikes an appropriate balance between respecting the privacy rights of an individual and the public interest in averting serious threats to a person’s life, health or safety.
72.78 The ALRC does not recommend that ss 287 and 300 should relate to ‘public health and safety’. The ALRC notes the concerns expressed by the DBCDE that such an amendment may permit access to IPND information for the purpose of providing services that enable the dissemination of mass outbound warning messages to the public. Later in this chapter, the ALRC concludes that it is unclear when a telecommunications services provider may use or disclose information held on the IPND. In the ALRC’s view, the Australian Government should consider extending ss 287 and 300 to apply to ‘public health and safety’ only when permitted uses or disclosures of information held on the IPND are clarified.
Recommendation 72-7 Sections 287 and 300 of the Telecommunications Act 1997 (Cth) should be amended to provide that a use or disclosure by a ‘person’, as defined under the Act, of information or a document is permitted if:
(a) the information or document relates to the affairs or personal particulars (including any unlisted telephone number or any address) of another person; and
(b) the person reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to a person’s life, health or safety.
[61] Australian Communications and Media Authority, Annual Report 2006–07 (2007), App 12.
[62] Australian Communications and Media Authority, ACMA Communications Report 2005–06 (2006), 145. In 2004–05, there were 885,466 disclosures—an increase of 26% from the previous financial year: Australian Communications and Media Authority, Telecommunications Performance Report 2004–05 (2005), 186.
[63]Australian Communications Industry Forum, Industry Code—Protection of Personal Information of Customers of Telecommunications Providers, ACIF C523 (1999), 23. Rules 6.1(d) and 7.1(c) of the Australian Communications Industry Forum, Industry Code—Protection of Personal Information of Customers of Telecommunications Providers, ACIF C523 (1999) provided for a similar exception.
[64]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 63–3.
[65]Cancer Council Australia and Clinical Oncological Society of Australia, Submission PR 544, 23 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Communications and Media Authority, Submission PR 522, 21 December 2007.
[66]Australian Privacy Foundation, Submission PR 553, 2 January 2008. See also I Graham, Submission PR 427, 9 December 2007.
[67]Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007.
[68]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007. See also Optus, Submission PR 532, 21 December 2007.
[69]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007. See also Optus, Submission PR 532, 21 December 2007.