28 January 2020

Introduction

  1. The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to provide comments in relation to the draft Telecommunications (Mobile Number Pre-Porting Additional Identity Verification) Industry Standard 2020 (draft standard).
  2. The OAIC notes the Telecommunications (Industry Standard for Mobile Number Pre-Porting Additional Identity Verification) Direction made by the Minister for Communications, Cyber Safety and the Arts in October 2019 (the Determination). The Determination directs the Australian Communications and Media Authority (ACMA) to make an industry standard that requires gaining mobile carriage service providers (CSPs) to implement customer identity verification processes before accepting a port of a mobile service number, in the Government’s efforts to combat mobile porting fraud and to protect the personal information of Australians.
  3. Under section 134 of the Telecommunications Act 1997 (Telecommunications Act), the ACMA must consult with the OAIC before determining an industry standard on matters dealt with by the Australian Privacy Principles (APPs) or other provisions of the Privacy Act 1988 (Privacy Act) relating to those principles.
  4. The OAIC handles complaints about acts and practices that may be an interference with privacy under the Privacy Act, a principles-based framework for privacy protection in Australia. In undertaking this function, the OAIC has received complaints involving CSPs and unauthorised porting that has resulted in alleged identity theft and unauthorised access to personal information.
  5. In assessing these matters the OAIC considers, among other matters, ‘reasonable steps’ the CSP has taken under APP 10 (quality of personal information) and APP 11 (security of personal information) to verify the identity of an individual before porting their number.
  6. The OAIC welcomes measures to strengthen pre-porting identity verification requirements, which aim to enhance privacy protections for individuals and their personal information.

Requirements under the Privacy Act

  7. Under the Privacy Act, pre-porting verification processes will be covered most relevantly by APPs 10 and 11, contained in Schedule 1 of the Privacy Act. APP 1, the foundational governance principle, also requires APP entities to take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs and deal with enquiries and complaints.
    1. Under APP 10, CSPs that are ‘organisations’ under the Privacy Act must take such steps ‘as are reasonable in the circumstances’[1] to ensure personal information that the entity uses or discloses, having regard to the purpose of the use or disclosure, is accurate, up-to-date and complete.
    2. An example of taking ‘reasonable steps’ under APP 10 to ensure the quality of personal information may include implementing internal practices, procedures and systems to audit, monitor, identify and correct poor quality personal information, including in time-critical situations, such as a number porting request.
    3. Under APP 11, CSPs must take such steps ‘as are reasonable in the circumstances’ to protect personal information[2]:
      1. from misuse, interference and loss; and
      2. from unauthorised access, modification or disclosure.
    4. An example of taking ‘reasonable steps’ under APP 11 to ensure the security of personal information may include taking steps and implementing strategies relating to, but not limited to:
      1. governance, culture and training;
      2. internal practices, procedures and systems;
      3. ICT security;
      4. third party providers, including cloud computing;
      5. data breaches;
      6. physical security;
      7. destruction and de-identification; or
      8. standards.
  8. The OAIC notes pre-porting verification requirements in the draft standard supplement the Industry Code – Mobile Number Portability (C570:2009) (Code) and Customer Authorisation Industry Guideline (G651:2017) (Guideline).[3]
  9. The OAIC notes section 116A of the Telecommunications Act provides that neither an industry code nor an industry standard derogates from a requirement made by, or under, the Privacy Act.[4] The OAIC considers that entities should be made aware that the requirements of the Privacy Act continue to apply in addition to the standard. CSPs may be compliant with telecommunications industry codes and guidelines, but still be in breach of certain APPs, such as where the OAIC considers all ‘reasonable steps’ have not been taken in the particular circumstances.

Recommendation 1: At the end of section 8 of the draft standard, or another section as appropriate, we recommend inserting words to the following effect:

Note: Section 116A of the Telecommunications Act 1997 provides that neither an industry code nor an industry standard derogates from a requirement made by or under the Privacy Act 1988.

Requirements for GCSPs during a Customer Authorisation (CA)

  10. Section 8 of the draft standard sets out new minimum requirements for authorising porting requests by adding the requirement for a gaining carriage service provider (GCSP) to use at least one ‘additional identity verification process’ prior to accepting the port of a mobile service number.
  11. The OAIC supports the outcomes-based approach taken by the ACMA to consider variance between CSPs while maintaining high standards of safeguards. Paragraph 8(2)(d) of the draft standard appears to allow for flexibility in implementation of the additional identity verification requirements to cater for differences in CSPs’ size, scale of operation and interaction with customers.[5]

Requirements for LCSPs during a CA

  12. Currently, the draft standard does not impose any requirements on the Losing Carriage Service Provider (LCSP) to conduct identification processes during a CA[6], despite the fact it is the party already familiar with the customer and holding their personal information. The LCSP has obligations under APP 1 (open and transparent management of information), APP 6 (use or disclosure of personal information) and APP 11 (security of personal information) to ensure that the personal information of customers is not improperly disclosed to GCSPs. There is a risk of improper disclosure in the event that an unauthorised porting request is made. The OAIC considers that the CA process would be improved by mandating additional verification requirements across both the LCSP and GCSP.

Recommendation 2: The draft standard does not impose any obligations on the LCSP. The ACMA should consider whether the privacy protections in the draft standard could be strengthened by requiring that the LCSP also has obligations in relation to additional identity verification requirements.

CSPs that are ‘small businesses’ under the Privacy Act

  13. Some small businesses are exempt from the Privacy Act. A CSP that is defined as a ‘small business’ for the purposes of the Privacy Act[7] does not have to comply with that Act. There is therefore a parallel risk that customers’ personal information that is collected, held, used and disclosed in connection with this standard would not be protected under that Act, and not covered under APPs 10 and 11.
  14. In order to protect customers’ personal information, we recommend any CSPs who are not subject to the Privacy Act be required to opt in to coverage under section 6EA of the Privacy Act. This will ensure that customers are afforded equal and consistent privacy protections irrespective of the size of the CSP.

Recommendation 3: We recommend that the ACMA includes a requirement in the draft standard that CSPs that are ‘small businesses’ be required to opt in to the Privacy Act under section 6EA of that Act.

Conclusion

15. For further information, or if you would like to discuss this matter further, please contact Kellie Fonseca, Director, Regulation & Strategy, via [contact details removed].

Footnotes

[1] APPs 10.1 and 10.2.

[2] APPs 11.1 and 11.2.

[3] Section 4 of the draft standard.

[4] Section 116A of the Telecommunications Act 1997.

[5] ACMA Consultation Paper – Proposal to make the Telecommunications Mobile Number Pre-Porting Additional Identity Verification Industry Standard 2020.

[6] Clauses 4 and 5 of the G651:2017 (Customer Authorisation Industry Standard).

[7] Sections 6C and 6D of the Privacy Act.