Our reference: D2018/003773
The Manager
Network Migration Taskforce
Community Safeguards and Networks Branch
Australian Communications and Media Authority
PO Box 13112
Law Courts
Melbourne, Victoria 8010
NBN migration – complaints-handling rules
Thank you for the opportunity to comment on the Telecommunications (Consumer Complaints Handling) Industry Standard 2018 (the draft Standard) and the Telecommunications (Consumer Complaints) Record-Keeping Rules 2018 (the draft Rules). I understand that the draft Standard and the draft Rules are designed to improve how carriage service providers (CSPs) handle complaints about their services and are the initial step in a program to improve the consumer experience in moving to, and using, the National Broadband Network.
Under section 134 of the Telecommunications Act 1997, where an industry standard deals with a matter set out in section 113(3)(f) (privacy matters including the protection of personal information), the Australian Communications and Media Authority (ACMA) must consult with the Australian Information Commissioner prior to determining the standard.
Section 20 of the draft Standard sets out the types of information that a CSP must collect as part of its complaint-handling process. These include a customer’s name and contact details, a description of the complaint and issues raised, a description of the results of any investigation, and copies of correspondence. In some instances, this may involve the collection of sensitive information, [1] such as health information, and other information relating to hardship arrangements, including details about family violence.
Section 22 of the draft Standard indicates that certain CSPs to which the draft Standard applies, are not covered by the Privacy Act.[2] The requirement for these CSPs to handle and retain personal and sensitive information, may raise privacy risks (including in relation to data quality and security), that are not addressed by the confidentiality requirement in s 22 of the draft Standard. Due to the nature of information involved in telecommunications complaints, including financial, health, and details about hardship arrangements, there is a greater risk that individuals may experience harm if it is not appropriately protected. To ensure that information collected under s 20 is afforded protections commensurate with this risk and community expectations, the ACMA could consider including a requirement for CSPs to opt-in to Privacy Act coverage under in s 6EA Privacy Act. This would safeguard customers’ personal information throughout all stages of the information lifecycle, as well as ensuring that customers are notified of any data breaches that are likely to pose a risk of serious harm. The Office of the Australian Information Commissioner (OAIC) would be pleased to explore these options further with the ACMA.
I understand that the draft Rules only authorise the collection of statistical information that does not include personal information.[3] At this stage, the OAIC makes no comment on these rules, however, I would appreciate further consultation should the rules be amended to involve the handling of personal information by CSPs.
If you would like to discuss these matters further, please contact Sophie Higgins, Director, Regulation and Strategy Branch, on [contact details removed].
Yours sincerely
Angelene Falk
Acting Australian Information Commissioner
Acting Privacy Commissioner
17 April 2018
Footnotes
[1] Defined in s 6(1) of the Privacy Act.
[2] Generally, businesses with an annual turnover of $3 million or less are not required to comply with the APPs (some exceptions apply) (s 6D of the Privacy Act). More information is available in Privacy business resource 13: Application of the Australian Privacy Principles to the private sector.
[3] ‘Personal information’ is information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable (s 6(1) of the Privacy Act).