1 December 2017

Our reference: D2017/009492

The Manager
Unsolicited Communications Strategic Projects
Australian Communications and Media Authority
PO Box 13112
Law Courts
Melbourne, Victoria 8010

Potential for industry self-regulation of the Integrated Public Number Database, the Do Not Call Register and commercial electronic messages

Thank you for the opportunity to provide comments on the Australian Communications and Media Authority’s (ACMA) consultation paper, which considers the potential for industry to self-regulate functions relating to:

  • the Integrated Public Number Database (IPND)
  • the Do Not Call Register (DNCR) and responsibilities in relation to the Do Not Call Register Act 2006 (Cth) (the DNCR Act) and related industry standards
  • commercial electronic messages under the Spam Act 2003 (Cth) (Spam Act).

I acknowledge that changes to the existing regulatory framework, including self-regulating aspects of the ACMA’s current functions, have the potential to be an efficient response to the rapidly evolving communications environment. However, any proposed change to the current regulatory framework of the IPND, DNCR or commercial electronic messages will need a strong foundation in privacy. Ensuring robust privacy protections and governance mechanisms are not unreasonably impacted will be essential in engendering public trust and building a social licence for such changes.

I suggest that the ACMA, in considering any changes to the current regulatory framework for the IPND, DNCR and the Spam Act, take the following matters into account:

  • existing protections for personal information in the IPND, and whether these protections would be impacted by proposed changes to the regulatory framework, and be enforceable to an equivalent standard
  • the interaction between the direct marketing provisions in Australian Privacy Principle 7 (APP 7) in the Privacy Act 1988 (Cth) (Privacy Act) and any changes to the DNCR Act and the Spam Act regulatory framework.

I have provided fuller comments on these points below. If changes to the existing regulatory framework are to be made, I recommend that a privacy impact assessment (PIA) be undertaken at an early stage, to identify and mitigate any impacts on the privacy of individuals.

About the Office of the Australian Information Commissioner and the Privacy Act

The Australian Parliament established the OAIC in 2010 to bring together three functions:

  • freedom of information functions, including access to information held by the Australian Government in accordance with the Freedom of Information Act 1982 (Cth)
  • privacy functions (regulating the handling of personal information under the Privacy Act, and other Acts)
  • information management functions.

The integration of these three interrelated functions into one agency has made the OAIC well placed to help agencies promote the right to privacy and achieve broader information policy goals.

The Privacy Act contains 13 Australian Privacy Principles (APPs) that outline how regulated entities must handle, use and manage personal information. These apply to most Australian and Norfolk Island Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses.

The Integrated Public Number Database

The IPND is a centralised database, containing information about all public telephone numbers and associated customer details in Australia, which may be used or disclosed for a number of critical and non-critical purposes. It includes a range of data, some of which may be personal information under s 6(1) of the Privacy Act, such as customer name, service address, phone number, whether the service is fixed or mobile and whether the service is listed or unlisted.[1]

The high value of customer data in the IPND is reflected in the level of regulatory protection prohibiting its use or disclosure, except in specified circumstances, under Part 13 of the Telecommunications Act 1997 (Cth) (Telecommunications Act). Other privacy protections provided for under the IPND’s regulatory framework include:

  • an accuracy requirement under the IPND Code,[2] which is enforceable by the ACMA under Part 6 of the Telecommunications Act
  • a requirement for a person applying for IPND access for the purposes of publishing a public number directory or research to conduct a privacy impact assessment (PIA)[3]
  • a requirement that research entities granted access to IPND data under the IPND Scheme are either subject to the Privacy Act or, if they meet the small business exemption, that they choose to be treated as an organisation under the Privacy Act, using a mechanism under s 6EA of the Privacy Act[4]
  • a prohibition on research entities combining other information or data with IPND data unless they obtain the express consent of the customer[5]
  • a prohibition on research entities re-identifying IPND data where names and addresses are not provided.[6]

I understand from the consultation paper that the ACMA is exploring a range of options for greater industry involvement in the IPND. These include the IPND Manager or a telecommunications industry body taking on responsibility for the whole or part of the IPND Scheme (subject to specified conditions and oversight), or the IPND Manager or industry bodies taking on other ACMA responsibilities (for example, certain compliance activities, with the ACMA retaining its enforcement powers).[7]

If these changes are to be made, consideration will need to be given to whether self-regulatory options strike the right balance between efficient regulation and an appropriate level of personal information protection, particularly given the high value of IPND data. My Office would be pleased to work with the ACMA as these options are explored further, to ensure that any changes to the regulatory framework are aligned with the existing protections set out in the Privacy Act and reflect community expectations of privacy.

The Do Not Call Register and the Spam Act

The DNCR Act and the Spam Act provide consumers with a means of giving or withdrawing consent for their personal information to be used by different entities for the purpose of direct marketing.[8] Under the Privacy Act, consent and transparency underpin several APPs by enabling the individual to control how their personal information is handled, at the same time as promoting organisational accountability. As mentioned in the consultation paper, both the DNCR Act and the Spam Act were developed in response to community concerns about unauthorised uses of personal information for telemarketing and commercial electronic messages.[9]

The consultation paper asked about how community expectations have changed since the DNCR Act and the Spam Act were first introduced. Over the past 16 years, my Office has conducted the Australian Community Attitudes to Privacy Survey (ACAPS),[10] which has provided us with a clear indication of the community’s expectations around personal information management. Of relevance to the DNCR Act and the Spam Act, the 2017 ACAPS found that:

  • only 1% of respondents do not mind receiving unsolicited marketing information from organisations they have not dealt with[11]
  • 43% worry about where the organisation obtained their personal information from[12]
  • 42% find unsolicited marketing information annoying[13]
  • only 24% trust market and social researchers to look after their personal information,[14] and
  • one in three people were reluctant to provide their contact information to businesses and government.[15]

When compared with the 2007 ACAPS results,[16] it is clear that not only do the privacy concerns from ten years ago still exist, but in some respects the community is now demanding an even higher level of protection. For example, only 27% of respondents in 2007 found unsolicited marketing information annoying[17] and market research organisations experienced a higher level of trust at 35%.[18]

The OAIC’s experience regulating direct marketing activities under APP 7 provides further evidence of these concerns. In 2016–17:

  • the OAIC received 299 phone enquiries relating to APP 7[19]
  • the OAIC’s Privacy business resource 19: Direct Marketing was in the top six pages viewed on the OAIC’s website[20]
  • the OAIC received 108 privacy complaints about direct marketing.[21]

These statistics, in conjunction with the OAIC’s ACAPS results, suggest that the public interest concerns that gave rise to the DNCR Act and the Spam Act are still strongly felt within the Australian community. In assessing whether it would be appropriate for industry to self-regulate elements of these functions, it is important to consider how options would be aligned with the community’s expectations of privacy.

Currently, APP 7.1 provides that organisations (including businesses and not-for-profit organisations with an annual turnover of more than $3 million, and some small businesses) that hold personal information may only use or disclose personal information for the purpose of direct marketing in certain circumstances and where certain conditions are met. For example, where an organisation is permitted to use or disclose personal information for the purpose of direct marketing, it must always provide the individual with a simple means to opt out of receiving direct marketing communications, and comply with any request to opt out. For ‘sensitive information’ such as health information, an organisation may only use or disclose this type of information for the purpose of direct marketing if the individual has consented to the use or disclosure for that purpose.[22]

However, APP 7 does not apply to the extent that the DNCR Act, the Spam Act or any other Act prescribed by the regulations[23] applies (APP 7.8). The intention was for APP 7 to be displaced where another Act specifically provides for a particular type of direct marketing, or for direct marketing using a specific technology.[24] For more information about the interaction of APP 7, the DNCR Act and the Spam Act, please see the OAIC’s Privacy business resource 19: Direct Marketing[25] or Chapter 7 of the APP Guidelines.[26]

It is important that the ACMA considers how changes to the existing regulatory frameworks will impact on the operation of APP 7, the Privacy Act and the OAIC’s regulatory role. If the DNCR Act or the Spam Act no longer applied to certain uses or disclosures of personal information for direct marketing purposes, APP 7 may extend to the direct marketing activities previously covered by those provisions. While it is not clear whether this is an intended outcome, it would have some foreseeable benefits. For example, it would ensure that consistent and robust privacy protections continue to apply to organisations’ direct marketing practices, and that the existing complaint and redress mechanisms under the Privacy Act are available to individuals concerned about the mishandling of their personal information.

Should APP 7 be extended to encompass all direct marketing activities, this would also be aligned with the regulatory landscape in the European Union (EU), where personal information handling for this purpose is addressed under privacy frameworks. I note that the consultation paper refers to the EU’s General Data Protection Regulation (GDPR), which will strengthen data privacy and consent laws when it comes into force on 25 May 2018.[27] Under the GDPR, personal information handling for the purpose of direct marketing must occur with consent or be necessary for the purposes of the ‘legitimate interests’ pursued by the controller.[28] There are comparable provisions in APP 7 that allow for the use or disclosure of personal information for direct marketing purposes where the individual would ‘reasonably expect’ this to occur or the entity has obtained consent. My Office would be pleased to discuss these issues with the ACMA further.

Broader reforms

As noted in the consultation paper, the ACMA is considering a broader range of reforms, such as combining information in the IPND and the DNCR, which could have the effect of mitigating data accuracy and integrity issues.[29] I understand that such a reform may have benefits in terms of data accuracy, and so would be broadly aligned with the objectives of APP 10.

APP 10 requires an APP entity that collects personal information to take reasonable steps to ensure that the information is accurate, up to date and complete, and that any personal information that it uses or discloses is accurate, up to date, complete and relevant. However, any broader reforms of the IPND with the DNCR should be based on careful design following a comprehensive assessment of any associated privacy impacts.

Privacy impact assessment

Where a policy or regulatory change may have an impact on the privacy of individuals, I recommend that a PIA be conducted at the earliest opportunity, and preferably in the policy design stage. A PIA is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact. This process will help to identify any impacts on the privacy of individuals, and allow for privacy safeguards to be built into the preferred regulatory model.

Conducting a PIA at an early stage is the best way for the ACMA to ensure that appropriate privacy safeguards are included in new regulatory proposals. For more information on conducting a PIA, see the OAIC’s Guide to undertaking privacy impact assessments.[30]

Further, I note that the OAIC’s Privacy (Australian Government Agencies — Governance) APP Code 2017,[31] which will apply from July 2018, will require agencies to undertake a written PIA for all high risk projects.

Next steps

Privacy protections relating to the IPND, the DNCR and activities covered by the Spam Act are currently spread across a number of instruments. It is imperative that robust privacy safeguards are retained to protect personal information currently covered by these schemes, in a way that reflects both the value of personal information and the community’s expectations around its management. Any option for changes to the existing regulatory framework should take these issues into account and should be consistent with individuals’ expectations of privacy. I would welcome the opportunity for ongoing engagement with the ACMA as any proposed reforms are progressed.

If you wish to discuss any of these matters further, please contact Sophie Higgins, Director, Regulation & Strategy, on [contact details removed].

Yours sincerely

Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner

Footnotes

[1] Carrier Licence Conditions (Telstra Corporation Limited) Declaration 1997, clause 10.

[2] IPND Code, paragraph 4.2.11.

[3] Telecommunications Integrated Public Number Database Scheme 2017, ss 3.2(3)(b) and 4.2(4)(b).

[4] Telecommunications Integrated Public Number Database Scheme 2017, s 4.5(5).

[5] Telecommunications Integrated Public Number Database Scheme 2017, s 4.5(7)(b).

[6] Telecommunications (Integrated Public Number Database Scheme—Conditions for Authorisations) Determination 2017, s 12(2).

[7] Consultation paper, p 7.

[8] Do Not Call Register Act 2006 (Cth), s 11(2), schedule 2; Spam Act 2003 (Cth), s 18, schedule 2.

[9] Consultation paper, pp 10, 14.

[10] <https://www.oaic.gov.au/engage-with-us/community-attitudes/australian-community-attitudes-to-privacy-survey-2017>

[11] Australian Community Attitudes to Privacy Survey 2017, p 9.

[12] Australian Community Attitudes to Privacy Survey 2017, p 9.

[13] Australian Community Attitudes to Privacy Survey 2017, p 9.

[14] Australian Community Attitudes to Privacy Survey 2017, p 8.

[15] Australian Community Attitudes to Privacy Survey 2017, p 5.

[16] <https://www.oaic.gov.au/engage-with-us/community-attitudes/community-attitudes-to-privacy-2007>

[17] Australian Community Attitudes to Privacy Survey 2007, p 29.

[18] Australian Community Attitudes to Privacy Survey 2007, p 20.

[19] OAIC Annual Report 2016–17, p 58.

[20] OAIC Annual Report 2016–17, p 83.

[21] OAIC Annual Report 2016–17, p 158.

[22] ‘Sensitive information’ is defined in s 6(1) of the Privacy Act.

[23] The current Privacy Regulation 2013 does not prescribe any additional Acts.

[24] Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, p 82.

[25] <https://www.oaic.gov.au/individuals/privacy-fact-sheets/general/privacy-fact-sheet-17-australian-privacy-principles>

[26] <https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-7-app-7-direct-marketing>

[27] Consultation paper, p 12.

[28] GDPR, Article 6.

[29] Consultation paper, p 17.

[30] <https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-undertaking-privacy-impact-assessments> and the OAIC’s e-learning course <https://www.oaic.gov.au/elearning/pia/welcome.html>

[31] <https://www.oaic.gov.au/privacy-law/privacy-registers/privacy-codes/privacy-australian-government-agencies-governance-app-code-2017>