Required or authorised by or under law

72.27 Sections 280(1)(b) and 297 of the Telecommunications Act provide that a primary or secondary use or disclosure of information or document is permitted if the use or disclosure is required or authorised by or under law. NPP 2, and the ‘Use and Disclosure’ principle in the model UPPs, provide for a similar exception.[31] ACMA has reported that 21,541 disclosures were made under s 280 in 2006–07,[32] compared to 13,634 in 2005–06.[33]

72.28 It is unclear whether ss 280(1)(b) and 297 would allow a telecommunications service provider to rely on the exceptions under NPP 2 to disclose information (for example, for direct marketing) in addition to those exceptions under Part 13 of the Telecommunications Act.[34] While Note 2 to NPP 2 states that the exceptions to NPP 2 do not ‘require’ an organisation to disclose personal information, it could be argued that the exceptions ‘authorise’ the use and disclosure of personal information. Some stakeholders argue, however, that the exceptions to NPP 2 are not general authorisations to disclose.[35]

72.29 It is arguable that when Part 13 of the Telecommunications Act was enacted Parliament turned its mind to the use and disclosure of information and documents obtained during the supply of telecommunications services, and that it would be contrary to the intention of Parliament to weaken the protection offered by Part 13 to allow the uses and disclosures permitted under NPP 2.

72.30 While s 303B of the Telecommunications Act provides that a use or disclosure permitted under that Act is a use or disclosure that is authorised by law for the purposes of the Privacy Act,[36] neither the Privacy Act nor the Telecommunications Act provide that the uses and disclosures permitted under NPP 2 are authorised for the purposes of s 280 of the Telecommunications Act.

72.31 Section 303B was introduced by the Privacy Amendment (Private Sector) Act 2000 (Cth). The Revised Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000 states that the provision:

will make it clear that a disclosure or use of information by a person permitted under Divisions 3 and 4 [of Part 13 of the Telecommunications Act] is a disclosure or use authorised by law for the purposes of the Privacy Act 1988 or an approved privacy code.

72.32 The Explanatory Memorandum does not address whether a use or disclosure permitted by exceptions under NPP 2 is authorised by law for the purposes of Part 13 of the Telecommunications Act.[37] One view is that, had the Parliament intended the exceptions under NPP 2 to apply to information or documents protected under Part 13, it would have addressed this issue in the legislation, or at least in the Explanatory Memorandum.

72.33 Further, it is a principle of statutory interpretation that provisions of general application give way to specific provisions when in conflict.

When the legislature has given its attention to a separate subject and made provisions for it, the presumption is that a subsequent general enactment is not intended to interfere with the special provision unless it manifests that intention very clearly. Each enactment must be construed in that respect according to its own subject matter and its own terms.[38]

72.34 It could be argued that the subsequent enactment of the general provisions of NPP 2 in the Privacy Act do not apply in addition to the exception under Part 13 because the Act does not state that intention ‘very clearly’.

72.35 In DP 72, the ALRC proposed that ss 280(1)(b) and 297 of the Telecommunications Act 1997 (Cth) should be amended to clarify that the exception does not authorise a use or disclosure that would be permitted by the proposed ‘Use and Disclosure’ principle under the Privacy Act, if that use or disclosure would not be otherwise permitted under Part 13 of the Telecommunications Act.[39]

Submissions and consultations

72.36 A number of stakeholders supported the proposal.[40] For example, the DBCDE submitted that the proposal has merit on policy grounds—that one Act should not permit what the other is clearly intending to prevent—and would clarify the interaction between the two Acts.[41]

72.37 The Australian Privacy Foundation also supported the proposal but submitted that ss 280(1)(b) and 297 should be amended to permit a use or disclosure if it is required or ‘specifically authorised’ by or under a law.[42] One stakeholder supported the proposal, and noted that s 280(1)(a) also should be amended to refer to uses or disclosures that are required or authorised by the Telecommunications (Interception and Access) Act 1979 (Cth).[43]

72.38 Other stakeholders strongly opposed the proposal. Optus submitted that the outcome of such a proposal would be to prevent the telecommunications industry from using the personal information of its customers for the secondary purpose of direct marketing, as provided for under NPP 2.1.

This would be a perverse outcome, resulting in an entire industry being barred from using information that is permissible under the Privacy Act currently and accessible to all other Australian industries.[44]

72.39 Telstra submitted that the ALRC’s interpretation of the exception in DP 72 was incorrect. In Telstra’s view, a use or disclosure under the NPPs is clearly a use or disclosure that is authorised by law. Telstra submitted that the Privacy Act should not be treated any differently from other legislation which authorises or compels disclosure of information. Telstra submitted that to do otherwise would create significant confusion and major compliance problems for members of the telecommunications industry.[45]

ALRC’s view

72.40 Sections 280(1)(b) and 297 of the Telecommunications Act should be amended to clarify that the exception does not authorise a use or disclosure that would be permitted by the ‘Use and Disclosure’ principle in the Privacy Act if that use or disclosure would not be otherwise permitted under Part 13 of the Telecommunications Act. The Privacy Act should not permit uses and disclosures that the Telecommunications Act is clearly intended to prevent. Further, such an amendment would clarify the interaction between the two Acts.

72.41 Rather than confusing telecommunications service providers, such an amendment would clarify that the permitted uses and disclosures of information or documents obtained during the supply of telecommunications services are contained in the Telecommunications Act. This is preferable to the current situation where there is confusion about whether the use and disclosure of this information is regulated by two sets of inconsistent exceptions under two Acts.

72.42 The ALRC acknowledges, however, that this is a significant amendment and may not reflect current practice by telecommunications service providers. As noted in Chapter 71, there have been significant developments in the telecommunications industry since the enactment of the Telecommunications Act. Telecommunications service providers may need to use and disclose information and documents for purposes that were not anticipated when Part 13 was enacted.

72.43 The ALRC has undertaken an analysis of the exceptions under Part 13 of the Telecommunications Act and the Privacy Act, and identified that the exceptions under NPP 2 permit the use and disclosure of personal information in circumstances that are not currently permitted under Part 13. It is appropriate that telecommunications service providers can use and disclose information, other than information obtained during the supply of telecommunications services, in accordance with these exceptions.

72.44 The ALRC has concluded, however, that only some of the exceptions under NPP 2 should be available to telecommunications service providers in relation to information obtained during the supply of telecommunications services. These exceptions are discussed below.

72.45 The ALRC considered whether the Telecommunications Act should be amended to allow telecommunications service providers to access these exceptions under the Privacy Act or whether they should be transferred to the Telecommunications Act. The ALRC has concluded that, in the interest of clarity, all the exceptions to the offence provisions in Part 13 should be grouped together in the Telecommunications Act.

Recommendation 72-1 Sections 280(1)(b) and 297 of the Telecommunications Act 1997 (Cth) should be amended to clarify that the exception does not authorise a use or disclosure that would be permitted by the Privacy Act if that use or disclosure would not be otherwise permitted under Part 13 of the Telecommunications Act.

Unlawful activities

72.46 NPP 2.1(f) provides that an organisation may use or disclose personal information about an individual if the organisation has reason to suspect that ‘unlawful activity’ has been, is being, or may be engaged in, and the use or disclosure is a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities. Suspected unlawful activity would usually relate to the organisation’s operations.[46] For example, an organisation might use or disclose personal information under this exception when investigating fraudulent activity of an employee or a customer. No such exception exists in Part 13 of the Telecommunications Act.

72.47 The ALRC’s recommendation to amend ss 280(1)(b) and 297 of the Telecommunications Act would prevent a telecommunications service provider from using or disclosing information or documents obtained during the supply of telecommunications services for the purpose of investigating and reporting on unlawful activities under NPP 2.1(f). Telecommunications service providers would still be able to use and disclose ‘personal information’ other than information obtained during the supply of telecommunications services in accordance with NPP 2.1(f).

72.48 Telecommunications service providers are no different from other organisations regulated under the Privacy Act in that they need to be able to investigate, and report on,[47] suspected wrongdoing. The ALRC has concluded, therefore, that a telecommunications service provider should be able to use or disclose information or a document regulated by Part 13[48] if it suspects unlawful activity, and the use or disclosure is necessary for the investigation of the matter or in reporting its concerns to relevant persons or authorities.

Recommendation 72-2 The Telecommunications Act 1997 (Cth) should be amended to provide that a use or disclosure of information or a document is permitted if a person has reason to suspect that unlawful activity has been, is being, or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities.

Direct marketing

72.49 The ALRC’s recommendation to amend ss 280(1)(b) and 297 of the Telecommunications Act would limit a telecommunications service provider’s ability to use information or a document obtained during the supply of telecommunications services for direct marketing.[49]

72.50 The recommendation would not prevent completely the use of information for direct marketing. Telecommunications service providers would be able to use and disclose ‘personal information’, other than information or a document obtained during the supply of telecommunications services, for direct marketing on the same basis as under the ‘Direct Marketing’ principle in the model UPPs.[50] For example, a telecommunications service provider could purchase a customer list for the purpose of direct marketing. The use and disclosure of this information would be regulated under the Privacy Act.

72.51 Further, s 289(1)(b)(ii) of the Telecommunications Act would allow a telecommunications service provider to use and disclose the affairs or personal particulars of a person for the purpose of direct marketing if the person consented to the information being used or disclosed for that purpose.[51]

72.52 The telecommunications industry has undergone significant changes since the enactment of Part 13, including the privatisation of Telstra, business diversification, specialisation and the entry of new niche industry participants.[52] The ALRC acknowledges that in this increasingly competitive industry, telecommunications service providers need to use and disclose personal information for the purpose of direct marketing.

72.53 In Chapter 26, the ALRC recommends a ‘Direct Marketing’ principle (UPP 6). UPP 6.1 provides that an organisation may use or disclose personal information about an individual who is an existing customer aged 15 years or over for the purpose of direct marketing in certain circumstances—that is, where the:

  • individual would reasonably expect the organisation to use or disclose the information for the purpose of direct marketing; and

  • organisation provides a simple and functional means by which the individual may advise the organisation that he or she does not wish to receive any further direct marketing communications.

72.54 The ALRC has concluded that, subject to one limitation, a telecommunications service provider should be able to use and disclose an existing customer’s ‘personal information’, including information obtained during the supply of telecommunications services, for the purpose of direct marketing on the same basis as recommended under the ‘Direct Marketing’ principle. The limitation is that the following information should not be used for the purpose of direct marketing without an existing customer’s consent:

  • information or a document relating to the contents of a communication carried, or being carried, by a carrier or carriage service provider; and

  • information or a document relating to the carriage services supplied or intended to be supplied by a carrier or carriage service provider.

72.55 As noted in Chapter 71, this information would include the telephone numbers of the parties involved, the time of a call and its duration, the Internet Protocol (IP) address used for a session, and the start and finish time of each session. The ALRC is concerned that a telecommunications service provider could use this information to monitor when, how and with whom an individual communicates, and what websites they access, for the purpose of sending direct marketing communications to that individual. This information only should be used or disclosed for the purpose of direct marketing with the consent of the individual.[53] For example, existing customers of a telecommunications service provider may want to receive direct marketing communications based on information relating to their use of a telecommunication service.

Recommendation 72-3 The Telecommunications Act 1997 (Cth) should be amended to provide that a telecommunications service provider may use or disclose ‘personal information’ as defined in the Privacy Act about an individual who is an existing customer aged 15 or over for the purpose of direct marketing only where the:

(a) individual would reasonably expect the organisation to use or disclose the information for the purpose of direct marketing;

(b) organisation provides a simple and functional means by which the individual may advise the organisation that he or she does not wish to receive any further direct marketing communications; and

(c) the information does not relate to the contents of a communication carried, or being carried, by a telecommunications service provider; or carriage services supplied or intended to be supplied by a telecommunications service provider.

72.56 Under UPP 6.2 an organisation may use or disclose personal information about an individual who is not an existing customer or is under 15 years of age for the purpose of direct marketing in a number of circumstances.

72.57 A telecommunications service provider should not be able to use information obtained during the supply of a telecommunications services about an individual who is not an existing customer. Information relating to the parties to a communication will often pass over a number of telecommunications service providers’ networks. It is inappropriate in these circumstances for a telecommunications service provider to use information relating to an individual who is not an existing customer for the purpose of direct marketing. In the interest of consistency with the ‘Direct Marketing’ principle, a telecommunications service provider, however, should be able to use and disclose the personal information of an existing customer who is under 15 years in accordance with UPP 6.2.

Recommendation 72-4 The Telecommunications Act 1997 (Cth) should be amended to provide that a telecommunications service provider may use or disclose ‘personal information’ as defined in the Privacy Act about an individual who is an existing customer and is under 15 years of age for the purpose of direct marketing only in the following circumstances:

(a) either the:

(i) individual has consented; or

(ii) information is not sensitive information and it is impracticable for the organisation to seek the individual’s consent before that particular use or disclosure; and

(b) the information does not relate to the contents of a communication carried, or being carried, by a telecommunications service provider; or carriage services supplied or intended to be supplied by a telecommunications service provider;

(c) in each direct marketing communication, the organisation draws to the individual’s attention, or prominently displays a notice advising the individual, that he or she may express a wish not to receive any further direct marketing communications;

(d) the organisation provides a simple and functional means by which the individual may advise the organisation that he or she does not wish to receive any further direct marketing communications; and

(e) if requested by the individual, the organisation must, where reasonable and practicable, advise the individual of the source from which it acquired the individual’s personal information.

72.58 UPP 6.3 provides that in the event that an individual makes a request of an organisation not to receive any further direct marketing communications, the organisation must comply with this requirement within a reasonable period of time and not charge the individual for giving effect to the request. This requirement also should apply in the telecommunications context.[54]

Recommendation 72-5 The Telecommunications Act 1997 (Cth) should be amended to provide that in the event that an individual makes a request of an organisation not to receive any further direct marketing communications, the organisation must:

(a) comply with this requirement within a reasonable period of time; and

(b) not charge the individual for giving effect to the request.

Health information

72.59 The ALRC’s recommendation to amend ss 280(1)(b) and 297 of the Telecommunications Act also would exclude telecommunications service providers from using information obtained during the supply of telecommunications services for the purpose of health research as permitted under NPP 2.1(d). This exception relates to the use and disclosure of health information where it is necessary for research, or the compilation or analysis of statistics relevant to public health or public safety. Telecommunications service providers do not conduct research or compile or analyse statistics relevant to public health or public safety. In the ALRC’s view, this exception is unnecessary in the context of the provision of telecommunications services.

72.60 The ALRC acknowledges, however, that telecommunications service providers collect health information. For example, some telecommunications service providers collect health information for the provision of services to priority assistance customers. The collection of this information would be regulated under the Privacy Act. The use and disclosure of this information for the provision of services to priority assistance customers would not be permitted, however, under NPP 2.1(d). It may be permitted under a number of other exceptions under Part 13, including the exception under s 287, relating to a threat to person’s life or health, and s 289, where an individual has consented to that use or disclosure or would reasonably expect that use or disclosure.

Law enforcement

72.61 The ALRC’s recommendation to amend ss 280(1)(b) and 297 of the Telecommunications Act would prevent telecommunications service providers from disclosing personal information obtained during the supply of a telecommunications service to an ‘enforcement body’, as provided for by NPP 2.1(h) and the ‘Use and Disclosure’ principle in the model UPPs.

72.62 For the reasons discussed in detail below, this is appropriate. Information obtained during the supply of a telecommunications service should be subject to more stringent rules than those provided for in NPP 2.1(h) and the ‘Use and Disclosure’ principle in the model UPPs. The ALRC is concerned that information obtained during the supply of telecommunications services could allow law enforcement bodies to monitor and track an individual based on when, how and with whom that individual communicates; the websites they access; and the location of their mobile phone. Further, the Australian Government has amended the Telecommunications (Interception and Access) Act to deal with the disclosure of this information for law enforcement purposes.[55]

72.63 NPP 2.1(h) permits the use or disclosure of personal information for a number of law enforcement purposes by or on behalf of an enforcement body. These purposes include the prevention, detection, investigation or punishment of criminal offences; the enforcement of laws relating to the confiscation of the proceeds of crime; and the protection of the public revenue.

72.64 Most of the uses and disclosures permitted under NPP 2.1(h) would be permitted under the Telecommunications (Interception and Access) Amendment Act.[56] For example, s 177 of the Telecommunications (Interception and Access) Amendment Act provides that a telecommunications service provider may disclose voluntarily information or a document obtained during the supply of telecommunications services to an enforcement agency if the disclosure is reasonably necessary for the enforcement of the criminal law or a law imposing a pecuniary penalty or the protection of public revenue.[57]

72.65 It is questionable, however, whether the Telecommunications (Interception and Access) Amendment Act would permit a disclosure for the purpose of the prevention, detection, investigation or remedying of ‘seriously improper conduct’, as provided for under NPP 2.1(h)(iv) and the ‘Use and Disclosure’ principle in the model UPPs.[58] The prevention, detection, investigation or remedying of ‘seriously improper conduct’ generally refers to:

serious breaches of professional standards of conduct regarding the exercise of duties, powers, authorities or responsibilities and which warrant enforcement action by a professional association or other body, eg bringing a profession into disrepute, sexual relations with a patient, corruption and perverting the course of justice.[59]

72.66 This exception is not appropriate in the context of information obtained during the supply of a telecommunications service. The ALRC is concerned that NPP 2.1(h)(iv) is too broad, and would permit disclosure of information to a range of bodies, such as professional associations, that are not subject to the same use and disclosure, retention, and destruction and reporting requirements as enforcement agencies under the Telecommunications (Interception and Access) Act.

72.67 NPP 2.1(h)(v) permits disclosure of personal information for the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal. Section 280 of the Telecommunications Act would permit the use and disclosure of information obtained during the supply of a telecommunications service for the implementation of an order of a court or tribunal.[60]

72.68 It is unlikely, however, that the Telecommunications (Interception and Access) Act would permit the disclosure of information obtained during the supply of a telecommunications service for proceedings, or a court or tribunal orders, when those proceedings or orders do not relate to the criminal law or a law imposing a pecuniary penalty or the protection of public revenue. This is appropriate in the context of information obtained during the supply of telecommunications service. As outlined in Chapter 71, this information is highly sensitive and should be subject to more stringent protection than that provided under the Privacy Act.

72.69 Individuals and telecommunications service providers may not be aware that the Telecommunications (Interception and Access) Act provides for the use and disclosure of ‘telecommunications data’ in a range of circumstances not covered by Part 13. These uses and disclosures would be ‘authorised’ for the purposes of s 280 of the Telecommunications Act. In the interest of clarity, a note should be inserted after s 280 of the Telecommunications Act 1997 (Cth), cross-referencing to Chapter 4 (Access to telecommunications data) of the Telecommunications (Interception and Access) Act.

Recommendation 72-6 A note should be inserted after s 280 of the Telecommunications Act 1997 (Cth) cross-referencing to Chapter 4 (Access to telecommunications data) of the Telecommunications (Interception and Access) Act 1979 (Cth).

[31] Rule 6.1(c)(f) of the Australian Communications Industry Forum, Industry Code—Protection of Personal Information of Customers of Telecommunications Providers, ACIF C523 (1999) provided an identical exception. The scope of the ‘required or authorised by or under law’ exception in the context of the Privacy Act 1988 (Cth) is discussed in Ch 16.

[32] Australian Communications and Media Authority, Annual Report 2006–07 (2007), Appendix 12.

[33]Australian Communications and Media Authority, ACMA Communications Report 2005–06 (2006), 145.

[34]Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[35]Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[36]Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [427].

[37] The Explanatory Memorandum does, however, outline the exception under s 280 in the section about the relationship with the Privacy Act: Ibid, [426].

[38] Barker v Edger [1898] AC 748, 754; accepted by the High Court of Australia in Bank Officials’ Association (South Australian Branch) v Savings Bank of South Australia (1923) 32 CLR 276. See D Gifford, Statutory Interpretation (1990), 109.

[39]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 63–2.

[40]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; I Graham, Submission PR 427, 9 December 2007.

[41]Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007.

[42]Australian Privacy Foundation, Submission PR 553, 2 January 2008. See also I Graham, Submission PR 427, 9 December 2007.

[43]I Graham, Submission PR 427, 9 December 2007.

[44]Optus, Submission PR 532, 21 December 2007.

[45]Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[46] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001).

[47] Employees of telecommunications service providers are permitted to disclose this information voluntarily to intelligence and enforcement agencies under the Telecommunications (Interception and Access) Act 1979 (Cth). See discussion in Ch 73.

[48] This includes information or documents relating to the content or substance of communications, not the actual content or substance of a communication. The content and substance of communications is regulated under the Telecommunications (Interception and Access) Act.

[49] Rec 72–1.

[50] See Ch 26.

[51] See discussion of Telecommunications Act 1997 (Cth) s 289(1)(b)(ii) below.

[52] These developments are discussed in Australian Communications and Media Authority, ACMA Communications Report 2005–06 (2006), 22.

[53] As noted above, s 289(1)(b)(ii) of the Telecommunications Act would allow a telecommunications service provider to use and disclose information for the purpose of direct marketing with consent.

[54] See discussion of this requirement in Ch 26.

[55] As noted in Ch 73, the Telecommunications (Interception and Access) Amendment Act 2007 (Cth) deleted the law enforcement and protection of public revenue provisions from the Telecommunications Act and introduced a new Chapter 4 into the Telecommunications (Interception and Access) Act 1979 (Cth). Ch 73 discusses these provisions in detail.

[56] The definition of ‘enforcement body’ under the Privacy Act and the definition of ‘enforcement agency’ under the Telecommunications (Interception and Access) Amendment Act are broadly similar.

[57] This provision is discussed in Ch 73.

[58] See Ch 25.

[59]J Douglas-Stewart, Annotated National Privacy Principles (3rd ed, 2007), [2–1695].

[60] See Ch 16.