The New Australian Privacy Landscape
UNSW Continuing Legal Education Seminar
Wednesday 14 March 2001
1. PERSONAL INFORMATION WHICH IS PROTECTED UNDER TELECOMMUNICATIONS LEGISLATION 1.1 Privacy Regulation of Content: Interception Legislation
The three Issues which I will address in this paper are:
Telecommunications content issues which raise privacy concerns are generally considered to concern the protection of conversations between individuals. Increasingly, however, content issues also include data communication such as emails and whether the inter-personal exchange of data is covered by telecommunications legislation
* Carriage -
Telecommunications carriage is also a privacy issue because carriers and carriage service providers necessarily collect personal information about individuals. That information includes:
Those gaps include
For the purposes of this paper, however, I will concentrate on the protections provided under the Telecommunications Act 1997 for both content and carriage issues.
Specifically, section 276 prohibits:
Disclosures under Part 13 are, however, monitored by the Privacy Commissioner, who may report to the Minister on such disclosures. and a breach of Part 13 would be a criminal offence and would attract criminal sanctions.
Part 6 of the Telecommunications Act 1997 provides for industry to develop codes of practice. The industry codes to date have been developed by the telecommunications industry body, the Australian Communications Industry Forum (ACIF).
ACIF is a telecommunications industry forum established and funded by the industry that develops Codes and Standards on a variety of telecommunications issues including customer equipment, cabling, radiocommunications, network, and inter industry operational issues.
ACIF Codes Dealing with privacy issues include:
Enforcement of ACIF Codes is, at an individual complaints level, through the Telecommunications Industry Ombudsman (TIO), with the regulator, the Australian Communications Authority (ACA), also having powers in relation to the enforcement of industry codes.
* Telecommunications Industry Ombudsman (TIO)
The TIO is established under Part 6 of the Telecommunications (Consumer Protection and Service Standards) Act 1999. All `eligible carriage service providers' (which supply a standard telephone service, a mobile service or a service that enables end users to access the internet) must join and comply with the TIO scheme. The TIO has general jurisdiction to handle complaints, including complaints about privacy under provisions of the Constitution of the TIO.
If industry Codes are registered by the ACA, the TIO treats the Code provisions as industry standards against which the behaviour of the industry member is measured, and reports on all Code breaches to both ACIF and the ACA
Under the TIO corporate documentation, the TIO can, after investigating a complaint, make binding decisions on all TIO members for payment of up to $10,000, and/or orders for the carrier or carriage service provider to do or refrain from doing an act.
* The Australian Communications Authority (ACA)
The ACA has the power to register codes covering sections of the industry engaged in telecommunications activities. Once a Code is registered, the ACA can enforce Code provisions against all those subject to the Code, whether or not they have signed the Code.
ACA enforcement can be either through Formal Warnings or Directions for compliance with Codes, and ACA Directions can be enforced through court proceedings.
If the ACA is satisfied that a registered Code is deficient (ie, does not provide appropriate community safeguards or is not otherwise operating to regulate adequately participants in the relevant section (s) of the industry) it can determine an industry standard on the matter. Once the ACA has determined an industry standard, compliance with that standard is required under the Act and a breach can be brought before the Federal Court.
The ACA is also required to report to the Minister and publish annual
reports on carrier and carriage service provider compliance with codes
The new amendments require that organisations do not do an act or engage in a practice that breaches an approved privacy Code that binds the organisation. To the extent that an organisation is not bound by an approved code, an organisation will be required not to do an act or engage in a practice that breaches the National Privacy Principles.
Given the requirement that an approved code either incorporates all the National Privacy Principles or sets out obligations which are at least the equivalent of the National Privacy Principles, the effect is that the private sector will be bound by the National Privacy Principles, or their equivalent.
The most important requirement is clearly that the Code either incorporates all of the National Privacy Principles or at least their equivalent.
If the Code contains a complaints handling mechanism, there are additional criteria which must be satisfied including:
There is also provision for the Privacy Commissioner to handle
complaints if they are referred to the Commissioner by the independent
In one sense, that is not an issue. The CPI Code will be enforceable against all carriers and carriage service providers and therefore any interference with an individual's privacy will be determined in accordance with the NPPs. If therefore the CPI Code becomes an approved Code, while an individual will not be able to have their complaint handled by the Privacy Commissioner, their complaint will be dealt with in accordance with the NPPs and by an adjudicator with similar powers to those of the Commissioner.
However, some of what would be considered telecommunications privacy codes (eg, the CND Code or the IPND Code) have far more detailed provisions for privacy protection in the context of the issues the Codes are dealing with. Yet because those codes cannot be privacy codes, an individual will still be able to take their complaint about breaches of those codes either to the industry regulatory structures or to the privacy commissioner.
Consequence of Approval of CPI Code: All complaints on a breach of the CPI code would be handled only through the current regulatory structure unless the adjudicator, under the approved complaints scheme, has referred the complaint to the Privacy Commissioner and the Commissioner has consented to handle the complaint. For all other alleged interferences with privacy a complainant could use the current telecommunications regulatory structure or complain directly to the Privacy Commissioner. The issue is the handling of interferences with privacy that fall outside of the NPPs.
* Approval of the CPI Code without surrounding structure (ie, not submitted as containing a complaints mechanism
Consequence: Complaints for interferences with privacy (ie, a can be handled under the current regulatory structure or the complainant can go to the Privacy Commissioner's office, as would be the case for all Codes which raise privacy issues but are not approved codes.
* CPI Code not submitted for approval
Consequence: Complaints can be handled under the current telecommunications regulatory structure or the complainant can go to the Privacy Commissioner's office
 Sections 6 and 7 Telecommunications (Interception) Act 1979.
 See, for example, Duncan v The Queen (1991) 5 WAR 249, T. v Medical Board of South Australia (1992) 58 SASR 382, Carbone and anor v National Crime Authority (1994) 52 FCR 516 and Green v R (1995) 135 ALR 181 for differing views on this issue.
 See Miller v Miller (1978) 141 CLR 269.
 Contained in Schedule 3, Privacy Act 1988.
 Clause 1, Schedule 3, Privacy Act 1988.
 Sections 277-297 Telecommunications Act 1997.
 Section 309. Telecommunications Act 1997.
 All published ACIF codes are available on the ACIF website www.acif.org.au. The CPI Code is ACIF C523:1999, the CND Code is ACIF C522:2000, and the IPND Code is ACIF C555:2000.
 Sections 128 and 132 Telecommunications (Consumer Protection and Service Standards) Act 1999.
 Clause 4.1, Constitution, Telecommunications Industry Ombudsman.
 Clause 6, Constitution, Telecommunications Industry Ombudsman.
 Section 117 Telecommunications Act 1997.
 Sections 121-122 and 570 Telecommunications Act 1997.
 Section 125 Telecommunications Act 1997.
 Section 128 Telecommunications Act 1997.
 Section 105 Telecommunications Act 1997.
 Section 16A(1) Privacy Act 1988.
 Section 16A(2) Privacy Act 1988.
 Section 6(1) Privacy Act 1988.
 For a complete list of the matters about which the Privacy Commissioner must be satisfied under section 18BB, Privacy Act 1988, see Appendix A.
 Interference with privacy is defined in Section 13A of the Privacy Act 1988 to mean, generally, an act or practices in relation to personal information that relates to the individual which either breaches the NPPs or an approved code which binds the organisation.
 Sections 36(1a) and 18BHI(1) Privacy Act 1988.
 Section 36(1B) Privacy Act 1988.
 A new section 122A Telecommunications Act 1997.