Draft Telecommunications Integrated Public Number Database Scheme 2017 — submission to ACMA

Date: 1 February 2017

Our reference: D2017/001027

Mr Peter Sutton
Manager, National and Community Interests
Australian Communications and Media Authority
PO Box 13112
Law Courts
Melbourne VIC 8010

Via email: Peter.Sutton@acma.gov.au

Dear Mr Sutton

Consultation on the draft Telecommunications Integrated Public Number Database Scheme 2017

Thank you for opportunity to review and comment on the draft Telecommunications Integrated Public Number Database Scheme 2017 (the proposed Scheme) and Consultation Paper, Remaking the Telecommunications Integrated Public Number Database Scheme 2017 (the Consultation Paper).

I understand that the key proposed changes to the Scheme are:

  • enabling the ACMA to grant a research authorisation to give a researcher ongoing access to customer data in the Integrated Public Number Database (IPND) for research purposes (subject to certain conditions and requirements); and
  • enabling the ACMA to authorise a research representative body to disclose certain IPND data to its members to conduct permitted research (subject to certain conditions and requirements).

Where proposed policy changes, such as those outlined above, have the effect of limiting existing privacy protections, I generally recommend that careful consideration be given to whether these are reasonable, necessary and proportionate having regard to the overall public policy objectives of the proposal. Additionally, those changes should be accompanied by an appropriate level of privacy safeguards and accountability.

I note that the proposed Scheme includes some privacy safeguards, such as requiring research entities seeking IPND access to complete a privacy impact assessment (PIA) as part of their application to the ACMA.[1] However, in my view, the proposed Scheme could include some additional privacy safeguards, such as building in stronger privacy governance mechanisms and by ensuring that the ACMA conducts a PIA in relation to the proposed changes to the Scheme.

To that end, and by reference to the headings in the Consultation Paper, I have below, expanded on these suggestions as well as making further suggestions to enhance the privacy safeguards and protections in the proposed Scheme. This may help to ensure the new arrangements are consistent with community expectations about the level of privacy protection for customer data in the IPND.

Proposed arrangements for implementing recommendation 5 of the IPND Review Report to allow the granting of ongoing authorisations for the purposes of conducting permitted research (Part 4 of the proposed Scheme)

The high value of customer data in the IPND is reflected in the level of regulatory protection provided to the information under Part 13 of the Telecommunications Act 1997. This includes that secondary uses of IPND customer data are prohibited except in limited circumstances, including for research purposes prescribed by Ministerial instruments [2] that support the current IPND Scheme.[3] Given the volume and value of the personal information included in the IPND it is important that appropriate privacy safeguards be included in the proposed Scheme to reflect community expectations about privacy protection.

ACMA to regularly review access

The Department of Communications and the Arts IPND Review Report recommended that ‘the ACMA should be enabled to approve ongoing or periodic access for an applicant, provided that the ACMA regularly reviews access and that a privacy impact assessment is completed’.[4] I understand that this recommendation was intended to improve the effectiveness and utility of the IPND.

Consistent with the above recommendation, the ACMA’s Consultation Paper states that ‘it is likely that any authorisation granted on an ongoing basis would be conditional on the research entity providing the ACMA with an annual report on the research entity’s use of IPND data. This would provide an annual review mechanism’.[5] However, despite this statement and the above recommendation, I understand that the proposed Scheme currently does not include a review mechanism to be undertaken by the ACMA.

Effective privacy governance requires ongoing reporting, audit and review of privacy controls. To ensure that regular reviews are conducted of ongoing authorisations to access IPND data, I recommend that a review mechanism that specifies a timeframe for reviews is included in the proposed Scheme. Such a mechanism may include a requirement for the ACMA to review how the research entity is meeting its privacy obligations to protect IPND customer data.

When conducting reviews of ongoing authorisations, the ACMA may wish to consider the following matters:

  • Does the research entity still require access to the IPND information?
  • Can the research entity access the information elsewhere, or is the IPND still the only source of the information?
  • Does the public interest in the research entity accessing this information still outweigh the public benefit in protecting individuals’ privacy?
  • Has the research entity evaluated its practices, procedures and systems to ensure it continues to meet its privacy obligations?

Transparency of ACMA decisions

I would suggest that the ACMA consider how it can enhance the transparency of its decisions to authorise ongoing access to IPND customer data for research purposes, including publishing information about applications and decisions, as recommended in the IPND Review Report.[6]

Privacy impact assessments

I support the requirement in the proposed Scheme that an application for access to IPND information must be accompanied by a PIA.[7] This requirement mirrors existing arrangements for applications on a project by project basis.[8] I welcome reference in the Consultation Paper to the OAIC’s Guide to undertaking privacy impact assessments and recommend that the ACMA ensure that their PIA template is consistent with this Guide.[9]

Extending Privacy Act obligations to all researchers

To ensure that all research entities that access, use and disclose IPND customer data are obliged to protect personal information in accordance with the Australian Privacy Principles (APPs), I recommend inserting an appropriate mechanism in the proposed Scheme to address potential regulatory gaps for research entities that may not meet the definition of an ‘APP entity’ under the Privacy Act 1988 (Cth) (the Privacy Act). For example, we understand some researchers may fall within the small business exemption of the Privacy Act.[10] In this respect, consideration could be given to requiring those researchers who may fall under the small business exemption to opt in to coverage under section 6EA of the Privacy Act.

Proposed arrangements for facilitating greater research industry management of access to the IPND

The proposed Scheme enables the ACMA to authorise a research representative body to disclose certain IPND data fields to its members for permitted research purposes, provided certain requirements are met (the industry model).[11] I understand that the data fields that may be disclosed by research representative bodies to their members are:

  • the listed number of the customer or business;
  • the postcode, and
  • the State or Territory included in the directory address of the customer or business.[12]

While I appreciate that the data fields that may be disclosed in the industry model are limited, this does not, in itself, address the privacy risks of the proposed industry model (for example, see my comments on de-identification below and my comments on potential regulatory gaps above).

The proposed Scheme requires there to be adequate and legally enforceable arrangements in place between the research representative body and its member under the industry model.[13] To ensure the efficacy of this safeguard, I suggest addressing the potential regulatory gap in the Scheme outlined above, by requiring all research entities to comply with the APPs.

Whether limiting access to de-identified (anonymised) IPND customer data should apply not only to researchers that obtain IPND data from a research body, but also to researchers that apply directly to ACMA, outside the industry model

As a general principle, access to customer data should only be authorised if each data field is reasonably necessary for the purposes of the proposed research. I support the ACMA’s approach that researchers should only be able to access the data they require for the purposes specified in their application.

I note that the Consultation Paper describes the proposed industry model as the disclosure of ‘de-identified information’ to members for research purposes (although this term is not used in the proposed provisions of the Scheme). ‘Personal information’ is ‘de-identified’ for the purposes of the Privacy Act if the information has been altered or protected in some way, with the result that it is no longer about any identifiable or reasonably identifiable individuals. As the IPND data may not be ‘de-identified’, particularly given the availability of other data sets that could be used to cross-reference IPND information to reveal the identity of individuals, I suggest that the ACMA reconsider the use of the term in this context.

Other safeguards

Access controls

As regards the provisions of the proposed Scheme that require a research entity to ensure that ‘only its personnel’ have access to the customer data,[14] I suggest that these should be narrowed to align with the ‘need to know’ access controls in the current Scheme that limit access to personnel involved in the conduct of the research.[15]

Consent

The express consent model, which must be applied if a researcher contacts a customer using customer data, could be improved by inserting a requirement, at the beginning of section 4.5(7), that the caller must tell the customer that participation in the research is voluntary. This would improve the transparency of the call and ensure that individuals are aware from the outset that their participation in the research is voluntary before giving consent.

Privacy complaints

Given the volume of personal information included in the proposed Scheme, as well as the privacy risks referred to above, I recommend that the proposed Scheme include a mechanism for referral of privacy complaints by individuals regarding the use of IPND data for research purposes to the OAIC.

If you would like to discuss any of the comments above or have any questions, please contact Sophie Higgins on [contact details removed].

Yours sincerely

Timothy Pilgrim
Australian Information Commissioner
Australian Privacy Commissioner

February 2017

Footnotes

[1] Section 4.2(4)(b) of the proposed Scheme

[2] Including the Telecommunications (Integrated Public Number Database – Permitted Research Purposes) Instrument 2007 – available at https://www.legislation.gov.au/Details/F2007L01309

[3]Telecommunications Integrated Public Number Database Scheme 2007

[4] Department of Communications and the Arts, IPND Review Report, April 2015, Recommendation 5 – available at https://www.communications.gov.au/publications/integrated-public-number-database-review-report

[5] ACMA, Remaking the Telecommunications Integrated Public Number Database Scheme 2007: Consultation on the draft IPND Scheme 2017, page 1

[6] Department of Communications and the Arts, IPND Review Report, April 2015, Recommendation 7

[7] Section 4.2(4)(b) of the proposed Scheme

[8] Section 4.2(4)(b) of the Telecommunications Integrated Public Number Database Scheme 2007

[9] See the OAIC Guide to undertaking privacy impact assessments for more information – available at www.oaic.gov.au/agencies-and-organisations/guides/guide-to-undertaking-privacy-impact-assessments

[10] See s6C and s6D of the Privacy Act

[11] Part 4: Authorisation to use and disclose customer data – research entities in the proposed Scheme

[12] Section 4.5(4)(a) of the proposed Scheme

[13] Section 4.5(4)(b) of the proposed Scheme

[14] Section 4.5(5)(c), 4.5(6)(b) in proposed Scheme

[15] Section 4.6(3)(c) in the current Scheme

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au