Submission

28 July 2005

Draft Integrated Public Number Database Standard 2005

Below is EFA's submission to the Australian Communications and Media Authority in response to the Draft Telecommunications Industry Standard (Use of Integrated Public Number Database) 2005.

Contents:

  1. Executive Summary
  2. Introduction
  3. Draft Standard
    1. Obligations for data providers supplying customer information to the IPND
      1. Advice to customers regarding directory listing
      2. Provision of updates to IPND manager
      3. Protection of customer data
    2. Obligations for data users seeking access to customer information to the IPND
      1. Obligations in relation to directory assistance services
      2. Content of directories - s33
      3. No production of directories with a reverse search function - s34
      4. Use of public number directory - s35
      5. Change in listing status of number or address - s38 & 39
      6. Protection of customer data - s37
    3. Approved purposes for which data users can obtain access to IPND data
      1. Approved purposes
      2. Purposes applicable to open data users and restricted data users
    4. Obligations on the IPND Manager and process by which approval is given
      1. Approver of data users
      2. Provision of information to the ACMA
      3. Continuation of approval
      4. Withdrawal of approval
      5. IPND manager to protect unlisted numbers
      6. Protection of customer data
      7. Notification of breaches
    5. Definitions and other terminology used in the draft standard
      1. Listed and unlisted numbers
      2. Reverse search function
      3. Directory assistance services
      4. Data washing services
      5. National Privacy Principles
    6. Additional Issues & Aspects
      1. Complaints and Enforcement
      2. Objectives of the Standard
  4. Draft Determination re public number data section of the telecommunications industry
    1. IPND bureau services, etc
  5. Related Policy Issues
    1. Sensis
    2. Consent and charges for silent numbers and suppressed address listings
  6. Conclusion
  7. References
  8. About EFA

1. Executive Summary

1. EFA supports in general the provisions of the draft Telecommunications (Use of Integrated Public Number Database) Industry Standard 2005. However, there are a number of aspects that we consider require further consideration and improvement. These include, but are not limited to, the following primary issues:

  1. Significantly more attention needs to be given to directory assistance services and relevant amendments made. The current draft is primarily focussed on public number directories.

  2. Inconsistencies between some definitions and/or prohibited uses need to be addressed and appropriate amendments made.

  3. Some "approved purposes" applicable to open data users and restricted data users appear, in some potential circumstances, to result in a breach of Part 13 of the Telecommunications Act 1997 by the IPND Manager.

  4. The Standard should specify at least some of the "all reasonable steps" that a data user is required to take to protect customer data.

  5. Provisions relating to approval of data users, continuation of approval and withdrawal of approval should be improved.

  6. The draft determination should be amended to ensure the Industry Standard will apply to all organisations and persons who collect, use or disclose customer data in the process of providing same to the IPND, for example, organisations that provide "IPND bureau services" to carriage service providers.

Up ArrowGo to Contents List


2. Introduction

2. EFA supports in general the provisions of the draft Telecommunications (Use of Integrated Public Number Database) Industry Standard 2005[1]. However, there are a number of aspects that we consider should be improved. Some of these concern improving clarity and ease of comprehension, while others concern loopholes that either will or may result in inadequate protection for customer information. These matters are discussed in Section 3 of this submission in relation to the draft Standard (in the same sequence as the questions in the ACMA Consultation Paper) and in Section 4 in relation to the draft Determination.

3. While we are highly concerned by the exclusion of Sensis from coverage by the Industry Standard, we stress that this does not detract from our support for implementation of the Standard. The Standard will nevertheless result in a significant improvement in protection for telecommunications customer information contained in the IPND.

4. We note the advice in the Consultation Paper that the draft Standard has been developed within the confines of the current legislative and regulatory parameters and that the ACMA has identified fundamental policy issues which may also need to be addressed to deliver industry wide, sustainable and appropriate protection of personal information. We are of the view that those and other policy issues definitely need to be addressed and we urge the ACMA to pursue Government consideration of these policy issues with the objective of appropriate legislative change and/or the incorporation of relevant provisions in a future version of the Standard. Relevant issues are discussed in Section 5 of this submission.

Up ArrowGo to Contents List


3. Draft Standard

3.1 Obligations for data providers supplying customer information to the IPND

(a) Advice to customers regarding directory listing

5. Section 25 requires data providers to advise customers that default directory listings (listed for geographic numbers and unlisted for mobile numbers) will be used unless the customer requests otherwise. However, in the case of mobile numbers (but not geographic numbers), Section 26 also requires the data provider to ask the customer whether the customer wishes to consent to a mobile number being listed (instead of the mobile default of unlisted).

6. We do not consider the above provisions adequate or appropriate to ensure that a customer's consent is obtained. We see no reason why actual consent should not have to be obtained in relation to listing of geographic numbers, the same as for mobile numbers. In relation to geographic numbers, the mere advice required to be given by Sections 25(1)(d) and (e) could be buried in fine print and/or in the Standard Terms of Agreement resulting in it being highly questionable whether a customer did in fact consent to the default listing status and/or whether they are aware that they have a right to choose the unlisted number option and/or the suppressed address option. If this situation of inferring consent by failure to opt out is to remain, then at the very least, Sections 25(1)(d) (and (e) must be amended to require such advice to be clearly and prominently presented and that the method of opting out be easy to take up[2]. We submit, however, that the default status should be unlisted for both geographic and mobile numbers and data providers should be required to seek customers' consent to their number, and address, being listed.

7. In addition, data providers should be required to inform customers of any charges that will apply if they wish to have an unlisted number or suppressed address at the same time as providing advice of availability of those options.

8. Furthermore, while Section 25(b) requires data providers to advise customers of the data provider's obligation to disclose customer data to the IPND Manager for inclusion in the IPND, we note that they also provide customer data relating to listed numbers to Sensis. Accordingly, we submit that data providers should be required to advise customers that such customer data will be disclosed to Sensis (or whichever entity is contracted from time to time by Telstra to produce the White Pages directory) as well as to the IPND Manager. In our view the practice of some carriage service providers of informing customers that their personal information is provided to the operator of the IPND for directory publication purposes is misleading because it gives customers the mistaken belief that it is not disclosed to any other entity for the same purpose. Unless data providers are required to notify customers of disclosure to Sensis, the introduction of the Industry Standard seems likely to compound the problem by resulting in customers having the mistaken belief that all personal information disclosed by their telephone service provider for directory purposes is protected by the Standard.

(b) Provision of updates to IPND manager

9. While Section 25(e) provides that a customer may at any time change to a listed number/address to unlisted/suppressed and vice versa, and Section 31 obligates the data provider to provide daily updates to the IPND manager, that obligation does not result in a customer's listing in the White Pages (both printed and online) being amended because Sensis does not obtain the relevant information from the IPND. Accordingly, we submit that the Standard should place on obligation on data providers to provide daily updates to, not only the IPND manager, but also to Sensis (or any other organisation to which they provide customer data for directory purposes).

(c) Protection of customer data

10. Although Section 32 is similar to National Privacy Principle[3]("NPP") 4, it excludes the important protection from misuse that is included in NPP 4. Section 32 should be amended to include the same wording as NPP 4, i.e. "...is protected from misuse and loss and from unauthorised access, modification or disclosure".

Up ArrowGo to Contents List


3.2 Obligations for data users seeking access to customer information to the IPND

(a) Obligations in relation to directory assistance services

11. Division 4.3 (Obligations of a data user) contains a number of obligations applicable to data users in relation to public number directories, but no obligations in relation to directory assistance services.

12. It is extremely important that the same obligations apply because, among other things, the definitions of a public number directory ("PND") and a directory assistance ("DAS") service result in some types of products/services being able to be regarded as either PND, or a DAS, or both. For example, services/products like the online White Pages provided by Sensis (which could be made available by IPND data users in the future) are a PND i.e. "a database of listed numbers in electronic form" and are also a DAS i.e. "a service to help the end-user find a number...provided...by means of...another technology based system". We note that according to the statements on the Sensis website[4], Sensis considers the service to be "directory assistance service".

13. Unless the same obligations apply in relation to both PNDs and DASs, the Standard will contain loopholes enabling data users to avoid complying with the intent and objectives of the Standard.

14. We submit that all sections in Division 4.3 referring to public number directories must be amended to also refer to directory assistance services. The relevant sections (33, 34, 35, 38 and 39) are discussed below.

(b) Content of directories - s33

15. We note that:

  • a PND (as defined) contains only customer contact information and, in addition, Section 33 states that "if a data user produces a public number directory, the directory must contain only customer contact information";
  • a DAS apparently may contain other information. The definition is silent on what a DAS may contain and Section 33 does not mention a DAS.

16. We submit that the definition of a DAS should state that a DAS "contains only customer contact information" the same as the definition of a PND does and Section 33 should refer to a DAS as well as a PND.

17. Furthermore, the definition of a PND states that it "does not contain any customer data that relates to an unlisted number". However, the definition of a DAS does not contain such a limitation and therefore requires amendment.

(c) No production of directories with a reverse search function - s34

18. Section 34 states that "a data user must not produce or use a public number directory that contains a reverse search function".

19. However, the Standard does not prohibit production or use of a directory assistance service, e.g. similar to the Sensis online white pages, that contains a reverse search function enabling a search for a person's name by use of an address (see also comments regarding the definition of reverse search function in Section 3.5(b)).

20. We submit that the definition of a DAS and/or Section 34 must be amended to prohibit a DAS from containing the above type of reverse search function.

(d) Use of public number directory - s35

21. Section 35 states:

"A data user must not use a public number directory to:
(a) verify customer contact information;
(b) compare with or update another customer contact database;
(c) build or maintain another customer contact database."

22. While Section 35 specifies prohibited uses of public number directories ("PND"), it does not address the use of directory assistance services ("DAS"). Instead, the Standard appears to, in effect, proscribe similar uses of a DAS by defining a DAS to exclude services that are used for purposes similar to those set out in Section 35.

23. It is not clear to us why this different approach has been taken, nor why the prohibited uses are slightly different in Section 35 regarding PNDs from those in the definition of a DAS, particularly given some services can be regarded as either or both a PND and a DAS as discussed above.

24. The relevant differences are listed and discussed below:

  • a PND must not be used by a data user to verify customer contact information (s35(a));
  • a DAS (as defined) does not include services that are used to verify customer contact information.

25. We consider that the Standard would be clearer and easier to comprehend if the matter of verification of customer contact information was covered in the definitions of both a PND and a DAS, or Section 35 addressed the use of both a PND and a DAS for such a purpose. Currently the different location of this prohibition in relation to each type of service gives an initial impression that different rules apply and a close analysis is necessary to discover that in fact neither type of service is permitted to be used for such a purpose.

  • a PND must not be used by a data user to:
    - "compare with or update another customer contact database" (s35(b))
    - "build or maintain another customer contact database" (s35(c))
  • a DAS (as defined) does not include services that are:
    - "data washing services"
    which are defined to be services that use any customer contact information to:
       - "compare or update a database; or"
       - "create a database or list".

26. It is not clear to us why a "data washing service" has been specifically defined and then only used in the definition of a DAS, while in relation to a PND a somewhat different form of words has been used to proscribe similar uses of a PND. We consider that this matter should be covered in the definitions of both a PND and a DAS, or Section 35 should prohibit the use of both a PND and a DAS for such purposes.

27. In addition, we submit that the form of words used to proscribe such purposes should be identical in relation to both a PND and a DAS. We consider the phrasing in Section 35(b) and (c) is generally preferable to that in the definition of a data washing service and accordingly we submit the phrasing used in the definition of a data washing service and in Section 35(b) and (c) should be amalgamated as follows:

- compare with or update another customer contact database or list;
- create, build or maintain another customer contact database or list.

28. Furthermore, the different approach to defining and limiting use of a PND and a DAS results in insufficient restriction on provision of data washing services that use data from the IPND. The current draft provides that a data user cannot obtain access to the IPND for the purpose of producing a DAS that includes data washing services because the definition of a DAS excludes such services. However, it appears that a data user can obtain access to the IPND for the purpose of producing a PND that includes data washing services provided only that the data user themself does not use a PND for such purposes. This situation arises because the definition of a PND does not exclude data washing services and there is no prohibition on a data user producing a PND for such purposes.

29. In summary, we submit that either the definitions of a PND and DAS need to be amended to address the above matters consistently, or Section 35 needs to be amended to become substantially similar to the following:

"A data user must not produce or use a public number directory or a directory assistance service to:
(a) verify customer contact information;
(b) compare with or update another customer contact database or list;
(c) create, build or maintain another customer contact database or list."

(e) Change in listing status of number or address - s38 & 39

30. When a listed number has become an unlisted number Section 38(b) requires data users to remove customer contact information from a "public number directory" but not from a "directory assistance service". The same situation applies in Section 39(b) in relation to an address that has become suppressed.

31. The above sections need amendment to require removal from a DAS as well as from a PND.

(f) Protection of customer data - s37

32. Although Section 37 is similar to NPP 4, it excludes the important protection from misuse that is included in NPP 4. Section 37 should be amended to include the same wording as NPP 4, i.e. "...is protected from misuse and loss and from unauthorised access, modification or disclosure".

33. In addition, while Section 37 requires data users to take "all reasonable steps" to protect customer data, such a provision is open to a wide variety of interpretations and is therefore not adequate. We consider the Standard should specify particular steps that a data user is required to take at a minimum, similar to those in the U.K. Code of Practice on Telecommunications Directory Information Covering the Fair Processing of Personal Data[5] available on the Codes of Practice section of the U.K. Information Commissioner's web site[6]. For example:

  • encryption of files containing customer information in directories provided on CDs and in other electronic formats to prevent searching the raw data contained files for numbers or addresses;
  • restrictions on the number of records generated from a single search using electronic directories;
  • restrictions on the number of directory entries which can be copied and pasted from electronic directories;
  • ensuring printed directories contain a minimum number of subscribers' information or cover a minimum geographical area, to prevent the publishing of a small printed directory which would enable searching by location without using a subscriber's name;
  • ensuring all directories contain a clearly visible warning that the directory information is not to be used for unsolicited direct marketing purposes.

Up ArrowGo to Contents List


3.3 The "approved purposes" for which data users can obtain access to IPND data

(a) Approved purposes

34. EFA supports the restriction of "approved purposes" to those listed in Section 12 (i.e. the purposes for which the IPND manager may approve access to the IPND). However, we consider that further consideration needs to be given to which types of data users may access which types of customer data for a particular approved purpose as discussed in Section 3.3(b) below.

35. We remain strongly of the view that personal information that individuals are required by law to provide to their telecommunications service provider, for the purpose of being provided with a telephone service, and that those service providers are required by law to disclose to the IPND should not be permitted to be used for commercial purposes such as marketing, database enhancement, data washing, etc, without the express consent of the relevant individual.

36. We also remain opposed to use of the mandatory IPND being extended for the purpose of recording consent or otherwise to other uses and disclosures for the reasons set out in detail in the "Future Options" section of our 2004 submission[7].

(b) Purposes applicable to open data users and restricted data users

37. We consider that the provisions of Section 12(2)(a) would, in some potential circumstances, result in a breach of Part 13 of the Telecommunications Act 1997 by the IPND Manager. Section 12(2)(a) states that the IPND Manager may approve the purpose of "providing directory assistance services" as a purpose for which a restricted data user may use customer contact information. However, Section 285(1) of the Telecommunications Act 1997 states, in relation to directory assistance services (s285(1)(c)), that disclosure or use of information contained in the IPND is not prohibited only if it is for purposes connected with "the provision of directory assistance services by or on behalf of a carriage service provider" (emphasis added).

38. We submit that Section 12(2)(a) of the Standard should be amended by the addition of the words "by or on behalf of a carriage service provider".

39. Similarly, Section 12(1)(e) which permits disclosure of information contained in the IPND to an open data user for the purpose of verifying the accuracy of information provided by the data provider against information held by the data provider appears to result in disclosure by the IPND Manager in breach of Part 13 of the Telecommunications Act 1997.

Up ArrowGo to Contents List


3.4 Obligations on the IPND Manager and process by which approval is given

(a) Approver of data users

40. We remain of the view, as stated in our 2004 submission[8], that persons/organisations seeking access to information in the IPND should be required to apply to the ACMA for approval, not to Telstra or any other commercial organisation. We believe access approval needs to be regulated by an independent entity, such as the ACMA, who can act in the public interest without being at risk of claims that they refuse, or otherwise regulate, access in ways designed to give themselves and/or their related companies a market advantage.

(b) Provision of information to the ACMA

41. Section 14(2) states that within 5 days after the end of the approval period (three months) a data user must, among other things, where relevant "(c) ... provide a copy of the public number directory to the ACMA".

42. We submit that a new sub-clause (d) should be added to Section 14(2) stating:

(d) if the data user has approval to access customer data for the purpose of providing a directory assistance service - provide the ACMA with written advice of how the directory assistance service can be accessed by members of the general public.

(c) Continuation of approval

43. We consider that continuation of approval as a data user should be conditional on the data user continuing to use the data for the approved purpose.

44. We submit that a new sub-section should be added to Section 14 requiring data users referred to in Section 14(2)(c) to provide the ACMA with a copy of an updated version of the public number directory at least annually and requiring those referred to in proposed Section 14(2)(d) to, at least annually, provide the ACMA with written advice of the directory assistance service/s they provide and of how the directory assistance service can be accessed by members of the general public.

45. Further, if such data users do not do so, the ACMA should be obligated to require the IPND manager to revoke the data user's authority to access the IPND unless the ACMA is satisfied that there are legitimate reasons for the failure to provide the specified information and/or a relevant directory product/service and that the data user intends to re-commence providing same within a specified period, e.g. three months.

(d) Withdrawal of approval

46. Section 15 states that the IPND manager may withdraw approval of a data user if the IPND manager becomes aware that customer data has been used for a purpose that is not an approved purpose or has failed to use the data for the purpose that was approved within the three month approval period. We submit that Section 15 should be amended to state that the IPND manager must withdraw the approval in such circumstances.

47. Similarly Section 14(4) should be amended to state that the ACMA must (instead of may) notify the IPND manger if it becomes aware of the either of the above two matters (as specified in Section 14(4)(a) and (b)).

(e) IPND manager to protect unlisted numbers

48. We consider that Section 22 should refer not only to unlisted numbers, but also to suppressed addresses.

49. Further, we find Section 22 confusing and arguably ambiguous. If our understanding is correct, the only purpose for which the IPND manager may provide data containing an unlisted number to a restricted data user is as set out in s22(1)(a). If that is correct, we believe s22 should be reformatted to make it easier to comprehend. We recommend that it contain two sub-sections as follows:

  1. provision of data to a restricted data user (currently (1)(a)) and (2);
  2. provision of data to an open data user (currently (1)(b), (c), (d) and (e)).

(f) Protection of customer data

50. Although Section 21 is similar to NPP 4, it excludes the important protection from misuse that is included in NPP 4. Section 21 should be amended to include the same wording as NPP 4, i.e. "...is protected from misuse and loss and from unauthorised access, modification or disclosure".

(g) Notification of breaches

51. Section 23 requires the IPND manager, within one day of becoming aware that customer data has been disclosed in breach of an obligation in Part 4, to notify the ACMA and relevant data users/data providers. We submit that the IPND manager should also be obligated to notify the individuals/customers whose data has been disclosed, at the least in cases where the breach involves disclosure of an unlisted number and/or suppressed address.

Up ArrowGo to Contents List


3.5 Definitions and other terminology used in the draft standard

(a) Listed and unlisted numbers

52. The draft Standard states:

"listed number means a database record in the IPND that contains customer contact information that is available:
(a) in a public number directory; and
(b) for directory assistance services.
"

"unlisted number means a database record in the IPND that contains customer contact information that is not available:
(a) in a public number directory; or
(b) for directory assistance services.
"

53. The above definitions require amendment because they result in a situation where, for example, a number that is available in e.g. a printed public number directory, but which the customer has subsequently requested become unlisted and its status has been changed in the IPND, is not an "unlisted number" because it is still available in a printed directory. As a result Section 22 does not protect such customer data from disclosure by the IPND Manager to restricted data users because the numbers are not "unlisted numbers" as defined. Whether a number is regarded as a listed or unlisted number should depend on its status in the IPND, not where the number is or is not actually available.

(b) Reverse search function

54. The draft Standard states:

"reverse search function means the ability to query a database, in order to determine the name, address or telephone number of a customer, using:
(a) a telephone number, or part of a telephone number; or
(b) an address, or part of an address.
"

55. We submit that it is necessary to define the term "database" to include a repository of information in electronic or documentary form, or alternatively amend the definition to state, for example:

... means the ability to query a database in electronic or documentary form, ...

56. The existing definition gives rise to doubt concerning whether the Standard would prohibit data users from producing a public number directory ("PND") in "documentary form" (as stated in the definition of a PND) containing customer data listed in telephone number order (instead of customer name order). Is a printed directory (such as the White Pages printed publication) a "database" for the purpose of the definition of reverse search function or not? We submit that it should be and the Standard should be amended to make clear that it does not allow production of public number directories in a documentary form containing listings in telephone number order or street address order.

(c) Directory assistance services

57. The draft Standard states:

"directory assistance services, in spite of the meaning given by section 7 of the Act, means services that are:
(a) provided to an end user of a standard telephone service to help the end-user find the number of not more than one end-user of a standard telephone service; and
(b) provided by an operator or by means of:
     (i) an automated voice response system; or
     (ii) another technology based system;
but does not include services that are:
(c) used to verify customer contact information; and
(d) data washing services.
"

58. The above definition requires amendment to prevent provision of services that include a reverse search function, for example, as part of a directory assistance service similar to the online White Pages which an IPND data user could commence providing in the future. While the current definition would not permit services that allow use of a number to query a database (because the service is for finding a number), it does not prevent services that allow use of an address to query a database for the purposing of finding a person's name and their number.

59. The definition also requires amendment to limit such services to containing only customer contact information and not unlisted numbers as discussed in Section 3.2 above.

(d) Data washing services

60. The draft Standard states:

"data washing services means services that use any customer contact information to:
(a) compare or update a database; or
(b) create a database or list
"
This definition requires amendment as discussed in Section 3.2(d) above.

(e) National Privacy Principles

61. The draft Standard states:

"national privacy principles means the principles mentioned in Schedule 3 to the Privacy Act 1988"

62. We submit that the word "mentioned" in the above definition should be changed to "specified" or "set out". The principles are more than "mentioned" in that Act.

Up ArrowGo to Contents List


3.6 Additional Issues & Aspects

(a) Complaints and Enforcement

63. We consider that the Standard or an accompanying ACMA information sheet should provide information concerning lodging of complaints and means of enforcement by the ACMA.

64. Currently it is not clear to us whether a customer with a complaint about misuse of their customer data by data users would be expected to submit their complaint, in the first instance, to their CSP (data provider), the data user, the TIO or the ACMA. We expect it will often be impossible for an individual to know at what point in the data chain a breach originated and in any case the individual will not have a customer relationship with any party other than their CSP. In addition, we consider that breaches of the Standard are most likely to be indicative of systematic problems rather than misuse of only one individual's data. We therefore consider that complaints should be able to be made to the ACMA in the first instance.

65. In addition we are of the view that the ACMA should provide information on the means by which it intends to enforce compliance. We note that the ACMA has a range of enforcement measures available to it under the Telecommunications Act 1997. We consider that publication of information about which of these the ACMA would be likely to take in various circumstances would assist in ensuring that data users are aware that compliance with an Industry Standard is enforceable by the ACMA.

(b) Objectives of the Standard

66. We note that Section 5(d) (Objects of industry standard) states "a customer may choose whether his or her customer data is to be included in a public number directory". We submit that the phrase "and a directory assistance service" should be added to the end of Section 5(d).

Up ArrowGo to Contents List


4. Draft Determination re public number data section of the telecommunications industry

4.1 IPND bureau services, etc

67. EFA questions whether or not the Industry Standard will apply to all organisations and persons who collect, use or disclose customer data in the process of providing same to the IPND. In particular we question whether the Standard will permit carriage service providers to contract out their obligations to provide data to the IPND to "IPND bureau services"[9] such as the service announced in Paradigm.One's media release of 1 March 2004[10], and if so, whether such contracted organisations will be regarded as a member of the public number data section of the industry that is required to comply with the Standard. In this regard we note the following sections of the draft Standard:

Section 7 - Definitions:
"data provider means a carriage service provider who provides customer data to the IPND manager under Part 4 of Schedule 2 to the Act."
Section 9 - Access to customer data in the IPND:
"(1) The customer data contained in the IPND, or collected for that purpose, may be used or dealt with only if:
(a) the person using or dealing with the data is:
     (i) the IPND manager; or
     (ii) a data provider; or
     (iii) a person approved under section 13 as an open data user or a restricted data user;
"
Section 11 - Use of customer data - data provider:
"Subject to section 9, a data provider may use customer data for the following purposes:
a) the collection and use of customer data in the course of carrying on a business as a carriage service provider;
b) the forwarding of customer data to the IPND manager."

68. It seems clear that an "IPND bureau service" does not fall within the definition of a "data provider" because it is not a carriage service provider ("CSP"). Further, Section 11(b) indicates that data providers are only permitted to forward customer data to the IPND manager, not to any other organisation such as an IPND bureau service. Similarly, Section 26(1) states "[t]he data provider must send all customer data to the IPND Manager".

69. However, the question arises as to whether or not data providers/CSPs are permitted to send the data to an IPND bureau service for the purpose of that bureau service sending it to the IPND manager. It appears, for example, that Section 11(a) might permit data providers/CSPs to "use" customer data for the purpose of forwarding it to an IPND bureau service, instead of directly to the IPND manager.

70. In addition Section 4 of the draft Determination states:

"For subsection 110(3) of the Act, the following are determined to be the public number data section of the telecommunications industry:
(a) a person who performs the functions of the IPND manager;
(b) a person who performs the functions of a data provider;
(c) a person who uses customer data with the approval of the IPND manager.
"

71. It is unclear whether "a person who performs the functions of a data provider" is intended to include, for example, an IPND bureau service (or means an employee of a carriage service provider, as distinct from person who is employed by another organisation). However, even it is intended to cover contracted organisations, since an IPND bureau service is not a "data provider" as defined in the Standard, it seems clear they would not be obligated to comply with the Standard.

72. We submit that the Standard and/or Determination requires amendment to either:

  • clearly prohibit data providers/CSPs from disclosing customer data to persons/organisations other than the IPND/manager in the process of meeting their obligations to provide it to the IPND manager; or
  • clearly cover any person/organisations that may be contracted by a data provider/CSP to undertake functions on the CSP's behalf in relation to fulfilling the CSP's obligations to provide customer data to the IPND manager and ensure that such persons/organisations are not permitted to collect, use or disclose the customer data for any other purpose.

Up ArrowGo to Contents List


5. Related Policy Issues

5.1 Sensis

73. The Consultation Paper states:

"Why doesn't the standard apply to Sensis?
It does not apply to Sensis, the Telstra subsidiary which produces the White PagesŪ telephone directory as Sensis obtains customer information directly from Telstra and other carriage service providers, rather than from the IPND. Sensis is deemed to be beyond the scope of the IPND Code and the IPND Standard. Sensis' use of customer information is however, governed and protected in accordance with the National Privacy Principles.
"

74. EFA is highly concerned by the decision to exclude Sensis from the public number data section of the telecommunications industry and hence from coverage by the industry standard. We remain of the view stated in our 2004 submission that the standard should apply to all organisations that collect customer data for directory purposes, regardless of whether the information is collected from the IPND or directly from a telecommunications company.

75. As Sensis is currently the major producer and distributor of directories, the exclusion of Sensis creates a major loophole resulting in grossly inadequate protection for customer data.

76. For example, as previously raised in our 2004 submission, one of the currently authorised IPND data users, Baycorp Advantage Ltd, claims on its web site[11] to provide its customers with a service that uses the Telstra/Sensis Electronic White Pages®[12] subscription based desktop service to enable Baycorp customers to locate addresses for marketing purposes and skip tracing and that also "formulates a search on the EWPTM system and matches the EWPTM response with your input to verify the identity details of the applicant". Such use and disclosure of customer data (without customers' consent) that has been obtained by Sensis from telecommunications companies will obviously continue irrespective of the provisions of the industry standard unless Sensis is required to comply with the Standard.

77. Although the Consultation Paper claims that Sensis' use of customer information is governed and protected in accordance with the National Privacy Principles, it is clear that either the NPPs do not adequately protect customer data in this context, or that Sensis' practices are not being governed by the NPPs because they are not being enforced by relevant government regulators. We consider that Sensis' use and disclosure of customer data for purposes other than enabling Telstra to comply with Clause 9 of its Carrier Licence Conditions regarding production of an alphabetical public number directory is of highly doubtful legality as set out in the comprehensive analysis contained in Appendix 1 to our 2004 submission[13]. At the very least, it appears contrary to the government and Parliamentary intent set out in the Telecommunications Act 1997.

78. The current situation and the draft Standard also fails to result in the level playing field intended by the Telecommunications Act 1997 and the absence of a level playing field in relation to provision of public number directory services is not in the best interests of consumers.

79. Sensis should be required to comply with the industry Standard and to obtain customer information for use in its directory products (including the White Pages) from the IPND, the same as any other public number directory producers.

Up ArrowGo to Contents List


5.2 Consent and charges for silent numbers and suppressed address listings

80. The Standard's stated objective that "a customer may choose whether his or her customer data is to be included in a public number directory" will be undermined if some telecommunications service providers continue to charge customers an additional fee for an unlisted number and/or suppressed address.

81. EFA considers that telecommunications service providers (and directory producers) should be legislatively prohibited from charging individuals to exercise their right not to have their personal information published. Carriage service providers are legislatively prohibited from disclosing a customer's "unlisted telephone number or any address" (s276(1)(a)(iv) - Telecommunications Act 1997) to public number directory producers without consent and telecommunications companies and/or their contractors (e.g. Sensis) that charge silent line customer are apparently declining to comply with legislated obligations unless customers pay them to do so. Individuals should not be required to pay to exercise their legislated right to have control over disclosure and use of their personal information and especially not when they are required by law to provide their personal information to the telecommunications provider in the first place so that it can be recorded in the IPND for law enforcement and emergency service purposes.

82. Furthermore we note that Sensis is apparently well aware they are not permitted to publish numbers or addresses without consent. According to a June 2005 posting to a public discussion mailing list[14], when a person withholds consent and also refuses to pay for suppression of all or part of their address, Sensis decides to treat the entire listing as an unlisted number, i.e. not publish any of the information, and not to charge for not listing it. While this results in no disclosure without consent in compliance with the law, it does not give customers a genuine choice concerning what personal information is included in a public number directory.

Up ArrowGo to Contents List


6. Conclusion

83. In summary, we are of the view that the Standard will result in a significant improvement in protection for telecommunications customer information, subject to a number of amendments to the current draft to ensure achievement of the Standard's intent and objectives within the constraints of the current legislative and regulatory parameters.

84. However, we are concerned that an adequate level of protection of customer information will not be achieved while Sensis is excluded from coverage by the Standard, nor until fundamental policy issues identified by the ACMA are addressed and resolved in an appropriate manner.

85. We therefore urge the ACMA to finalise and implement an initial version of the Standard and also to pursue Government consideration of relevant policy issues with the objective of appropriate legislative change and/or the incorporation of relevant provisions in a future version of the Standard.

Up ArrowGo to Contents List


7. References

1. Australian Communications and Media Authority, Draft Telecommunications (Use of Integrated Public Number Database) Industry Standard 2005.
<http://www.acma.gov.au/ACMAINTER.1900860:STANDARD:1695401914:pc=PC_6124>

2. Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles, NPP 2.1(b) Secondary use and disclosure with consent
<http://http://www.privacy.gov.au/publications/nppgl_01.html#npp21b>

3. National Privacy Principles, Privacy Act 1988
<http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/sch3.html>

4. Sensis online Whitepages web site
<http://www.whitepages.com.au/wp/legal/copyright.html>

"This site and the data contained in it are supplied solely for informational use. ... users may download individual listings for their own private use in the course of the normal use of this site for directory assistance purposes". (emphasis added)

5. U.K. Code of Practice on Telecommunications Directory Information Covering the Fair Processing of Personal Data
<http://www.informationcommissioner.gov.uk/cms/DocumentUploads/CoP%20Directory%20Info%20%20Fair%20Processing.pdf>

6. Codes of Practice section of the U.K. Information Commissioner's web site
<http://www.informationcommissioner.gov.uk/eventual.aspx?id=446>

7. EFA submission to the Australian Communications Authority re discussion paper Who's Got Your Number?: Regulating the Use of Telecommunications Customer Information, 14 May 2004
<http://www.efa.org.au/Publish/efasubm-aca-ipnd.html#consent>

8. EFA submission to the Australian Communications Authority re discussion paper Who's Got Your Number?: Regulating the Use of Telecommunications Customer Information, 14 May 2004
<http://www.efa.org.au/Publish/efasubm-aca-ipnd.html>

9. For further information regarding IPND bureau services, see Section 1 of EFA's submission to the Australian Communications Authority, 14 May 2004
<http://www.efa.org.au/Publish/efasubm-aca-ipnd.html#isa>

10. Paradigm.One Pty Ltd, Paradigm.One launch IPND bureau service, Media Release, 1 March 2004
<http://www.paradigmone.com.au/number-portability-news.html#01032004> (accessed 11 May 2004, page not accessible 18 July 2005):

"Paradigm.One launch IPND bureau service
The IPND (Integrated Public Number Database) bureau service offered by Paradigm.One allows CSPs to fulfill their regulatory obligations without the overhead and headaches involved in dealing directly with the IPND. ...
Advanced pre-processing of clients data prior to submission to the IPND, thus removing any errors before they are detected and reported by IPND. ...
A comment often cited by clients is 'this is not a core business activity, it doesn't generate any revenue, we just want to fulfill our regulatory obligation'. Simply talk to us today and benefit from our experience."
   Paradigm.One Pty Ltd Latest News headlines as at 11 May 2004 (accessed 18 July 2005)
   <http://web.archive.org/web/20040511220852/http://paradigmone.com.au>

11. Baycorp Advantage Ltd, Electronic White Pages services (accessed 18 July 2005)
<http://www.baycorpadvantage.com/your_customer_life_cycle/stage1/electronic_white_pages.asp?CountryID=1&UserTypeID=1>

12. Telstra/Sensis Electronic White Pages® (accessed 18 July 2005)
<http://www.about.sensis.com.au/products/wp_electronic.php>

13. Analysis of relevance of existing privacy protection laws, Appendix 1 of EFA submission to the Australian Communications Authority re discussion paper Who's Got Your Number?: Regulating the Use of Telecommunications Customer Information, 14 May 2004
<http://www.efa.org.au/Publish/efasubm-aca-ipnd.html#app1>

14. June 2005 posting to a public discussion mailing list
<http://mailman.anu.edu.au/pipermail/link/2005-June/062688.html>

Up ArrowGo to Contents List


8. About EFA

Electronic Frontiers Australia Inc. ("EFA") is a non-profit national organisation representing Internet users concerned with on-line rights and freedoms. EFA was established in January 1994 and incorporated under the Associations Incorporation Act (S.A.) in May 1994.

EFA is independent of government and commerce, and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting online civil liberties. EFA members and supporters come from all parts of Australia and from diverse backgrounds.

Our major objectives are to protect and promote the civil liberties of users of computer based communications systems (such as the Internet) and of those affected by their use and to educate the community at large about the social, political and civil liberties issues involved in the use of computer based communications systems.

EFA policy formulation, decision making and oversight of organisational activities are the responsibility of the EFA Board of Management. The ten elected Board Members act in a voluntary capacity; they are not remunerated for time spent on EFA activities. The role of Executive Director was established in 1999 and reports to the Board.

EFA has long been an advocate for the privacy rights of users of the Internet and other telecommunications and computer based communication systems. EFA's Executive Director was an invited member of the Federal Privacy Commissioner's National Privacy Principles Guidelines Reference Group and the Research Reference Committee (2001) and the Privacy Consultative Group (2004-2005). EFA participated in NOIE's Privacy Impact Assessment Consultative Group relating to the development of a Commonwealth Government Authentication Framework (2003), in Centrelink's Voice Authentication Initiative Privacy Impact Assessment Consultative Group (2004) and the ENUM Privacy and Security Working Group convened by the Australian Communications Authority (2003-2005). EFA has presented written and oral testimony to Federal Parliamentary Committee and government agency inquiries into privacy related matters, including amendments to the Privacy Act 1988 to cover the private sector, telecommunications interception laws, cybercrime, spam, etc.

Up ArrowGo to Contents List