Submission to the Communications Alliance — Draft Copyright Notice Scheme Industry Code (DR C635:2015)

23 March 2015

Elizabeth Harland
Commercial Manager
Communications Alliance Ltd

By email: info@commsalliance.com.au

Dear Ms Harland

Submission to the Communications Alliance — Draft Copyright Notice Scheme Industry Code (DR C635:2015)

Thank you for the opportunity to comment on the draft Copyright Notice Scheme Industry Code (DR C635:2015) (the draft Code).

I note that the draft Code will be registered by the Australian Communications and Media Authority (ACMA), under Part 6 of the Telecommunications Act 1997 (Cth) (Telecommunications Act). Under Part 6 of the Telecommunications Act, where a code deals with matters such as the protection of personal information, the ACMA must be satisfied of various matters before it can register the code, including, relevantly, that the Information Commissioner has been consulted by the body or association about the development of the code before a copy of the code is given to the ACMA (s 117(1)(j)).

The Privacy Act 1988 (Cth) (Privacy Act) confers a range of functions on the Australian Information Commissioner which are also conferred on the Privacy Commissioner by operation of the Australian Information Commissioner Act 2010 (Cth).[1]

The Privacy Act regulates the way that Australian Government agencies and many private sector organisations handle personal information. The Office of the Australian Information Commissioner (OAIC) is the independent statutory agency that regulates compliance with the Privacy Act. Entities covered by the Privacy Act must comply with the 13 Australian Privacy Principles (APPs), which cover the collection, use, disclosure and storage of personal information, and allow individuals to access their personal information and have it corrected if it is incorrect. Entities are also required to have a clearly expressed and up-to-date APP privacy policy about how the entity manages personal information.

The Privacy Act covers many private sector businesses in Australia, but there are exemptions. In particular, a business with an annual turnover of $3 million or less is considered a small business operator and is exempt from the Privacy Act unless they handle certain kinds of information.[2]

Privacy Impact Assessment

In considering the draft Code, I have had regard to the Privacy Impact Assessment (PIA) that Communications Alliance prepared in relation to this project.

I note that Communications Alliance has been working to a challenging timeframe to complete the Code and submit it to the ACMA for registration by 8 April 2015. I welcome Communications Alliance’s decision to prepare the PIA within this timeframe.

I encourage Communications Alliance to publish the finalised PIA, in order to promote transparency and inform stakeholders and the public about how ISPs are expected to manage their obligations to protect individuals’ privacy.

Draft Code

I note Communications Alliance’s advice that the draft Code protects customer personal information by ensuring the information is not disclosed by Internet Service Providers (ISPs) to anyone other than Account Holders themselves, unless:

  • An Account Holder challenges an Education, Warning or Final Notice, and the Adjudication Panel requires their personal information to assess the challenge (noting that this information is not disclosed to the Copyright Information Panel (CIP)).

  • A Rights Holder is authorised to collect this information, either by Court Order or with the express consent of the Account Holder.

I appreciate Communications Alliance’s advice that it drafted the draft Code with privacy at front of mind. I have provided a number of recommendations to assist Communications Alliance to enhance the privacy protections in the Code.

Privacy Act coverage

As noted above, the Privacy Act may not apply to some businesses with an annual turnover of $3 million or less. As such, there may be ISPs that are not covered by the Privacy Act. I acknowledge that the obligations on ISPs in the draft Code, in relation to their personal information handling practices, have been drafted in a manner aimed at addressing privacy risks, and achieving consistency with the APPs, as outlined on pages 6-7 of the PIA.

The draft Code and analysis in the PIA appear to assume that all ISPs will be covered by the Privacy Act. For example, clause 3.7.2 of the draft Code outlines the expectation that all ISPs will include a reference to their privacy policy in the covering email to an Account Holder. Further, the PIA notes that the ISPs will have existing obligations in relation to security (APP 11), access (APP 12) and correction (APP 13).

Given the possible serious consequences for individuals under the draft Code, it is important that individuals are adequately informed about the entity’s information handling practices, that ISPs hold information about individuals securely and that individuals are able to ensure that the information ISPs hold about them is correct.

If some ISPs are not covered by the Privacy Act, one way to achieve this is for the draft Code to require those ISPs to opt in to the Privacy Act by registering their interest in writing under section 6EA of the Privacy Act.

Notification of personal information disclosures associated with challenged notices

Clause 3.10.8 of the Code states that an ISP must provide the Adjudication Panel with any information it reasonably requests from the ISP, to enable the Adjudication Panel to determine whether the correct processes had been followed.

The draft Code is not clear about whether an ISP is likely to be requested to provide the Adjudication Panel with an Account Holder’s personal information as part of this process. I note that any information provided by an ISP about an Account Holder, where that Account Holder is identified or reasonably identifiable, constitutes personal information. The draft Code should therefore direct ISPs to notify Account Holders that their personal information may be disclosed to the Adjudication Panel when it assesses a challenged notice.

This notification could be included in the Education, Warning or Final Notice document, or added to the Copyright Information Website, which is referred to in these notices.

Explanation of proposed retention period

Section 3.11 of the draft Code requires ISPs to retain, for a minimum of 24 months:

  • Infringement Reports
  • Education, Warning and Final Notices, and
  • any acknowledgement received from the Account Holder.

To the extent permitted by law and not contrary to any court order, the draft Code allows an ISP to de-identify or destroy Infringement Reports, Education, Warning or Final Notices, and any records relating to these documents after 24 months from the date of the relevant document.

As you may be aware, APP 11.2 requires ISPs to destroy or de-identify personal information when they no longer need it for any purpose authorised by the APPs, unless the ISP is required to retain the information under an Australian law or a court/tribunal order. This would include, relevantly, a requirement such as that in clause 3.11 of the draft Code.

It is not clear to us from the draft Code why ISPs are required to maintain that information for a minimum period of 24 months. We suggest Communications Alliance consider the purpose for which the information needs to be retained, and ensure that the time period for which it is required to be retained is reasonable, necessary and proportionate, having regard to that purpose, and the impact on the privacy of individuals.

ISPs should also be mindful of their APP 11.2 obligations when determining whether they should retain personal information past the 24 month period specified in the draft Code.

Review of proposed Acknowledgement measures outlined in the Code

Communications Alliance should ensure the Acknowledgement options provided in clause 3.9.2 of the draft Code are not privacy invasive. For example, the PIA notes that Communications Alliance should consider whether the use of methods such as pop-up notices may increase the risk of the Account Holder’s personal information being disclosed to someone other than the Account Holder if others are using the Account Holder’s service. Communications Alliance should consider whether the other, non-privacy invasive Acknowledgement options outlined in the draft Code are sufficient to achieve its intended purpose, and if so, remove the options that create potential privacy issues.

Adjudication Panel

I note that clause 3.10.13 requires the Adjudication Panel to protect personal information of Account Holders in accordance with the APPs.

For certainty and clarity, I recommend that that clause be replaced by a clause in the draft Code that requires the Adjudication Panel to opt-in to the Privacy Act by registering their interest in writing under section 6EA of the Privacy Act. This ensures that the Adjudication Panel will be required to comply with the APPs, that individuals can complain to the OAIC about a breach of the APPs by the Adjudication Panel, and that the OAIC can take regulatory action if the Adjudication Panel breaches the APPs. As currently drafted, it is not clear that there is any redress for individuals if the Adjudication Panel does not comply with the APPs.

Copyright Information Panel

I understand that it is not intended that the Copyright Information Panel (CIP) handle the personal information of Account Holders. However, it is foreseeable that an Account Holder that seeks advice and educational materials from the CIP may provide personal information in the process of doing so. I recommend that the draft Code include a clause that requires the Copyright Information Panel to opt-in to the Privacy Act by registering their interest in writing under section 6EA of the Privacy Act, similar to the clause recommended above in relation to the Adjudication Panel.

The CIP should also provide Account Holders with educational information about their privacy rights. This could be included on the Copyright Information Website.

Evaluation process

I support the PIA’s recommendation that the privacy impacts of the draft Code are included as one of the items to be considered during the mandatory evaluation process set out in clause 4.3 of the draft Code. I suggest that this is specifically included in the list of items for consideration in clause 4.3.5.

Yours sincerely

[signed]

Timothy Pilgrim
Australian Privacy Commissioner

23 March 2015

Footnotes

[1] See s 12 of the Australian Information Commissioner Act 2010.

[2] See s 6D of the Privacy Act.
