The Privacy Commissioner has recently released the 2nd draft of the Telecommunications Privacy Code (the "Code"). The 2nd draft takes into account submissions made by telecommunications companies to the Privacy Commissioner.
Privacy in the telecommunications industryThe Code follows international privacy requirements and is set out in three parts. The first part deals with preliminary matters, the second part stipulates the new twelve privacy rules, and the third part deals with complaints and charges relating to a breach of the draft Code. The draft Code remains subject to other legislative requirements.
Who does it apply to?
The draft Code applies to "telecommunications agencies" and "telecommunications information".
Telecommunications agencies are defined as:
telecommunications network agencies; telecommunications service agencies; directory publishing agencies; and directory enquiry agencies. These definitions are extremely wide and cover any agency that provides a telecommunications network, or access to any telecommunication system, or provides facilities (including directories, equipment and call centre operators) for making use of any telecommunication system. Such a broad definition would also cover Internet service providers ("ISPs").
Telecommunications information means either "subscriber information" i.e. information obtained when a new user subscribes for or uses a service, or traffic information, including linked call information about an identifiable individual. The latter includes all information generated by (but excluding the content of) a call/transmission, for example, a user's telephone number or calling patterns.
Telecommunications information privacy rulesThe rules in the draft Code modify the application of the 12 privacy principles in the Privacy Act 1993, but the rest of the Privacy Act still applies to the telecommunications industry. The draft Code remains subject to other legislative requirements.
Rule 1: Purpose of Collection of Telecommunications Information
Rule 1 allows telecommunications agencies to collect personal information, including the following information:
The number or other identification of the device; The subscriber's address and the type of device; Information used for invoicing; Call data information including the type, starting time and duration of calls and volume of data transmissions; The date of provision of any service not covered by the above; and Other matters concerning payments.Rules 2-4: Source, Collection and Manner of Collection of Telecommunications Information
Rules 2-4 of the Code do not require telecommunications agencies to collect telecommunications information directly from the individual concerned where:
The individual authorises collection from someone else/another authority under s54 of the Privacy Act; The information being collected is traffic information/publicly available/collected when responding to a service or billing enquiry (and may be collected from a spouse or flatmate of the subscriber); The collection is an essential element of service provision and/or connection between networks; Non-compliance is necessary to avoid prejudice to the prevention, detection, investigation, and prosecution by a foreign law enforcement agency for any breach of a foreign telecommunications law. The collection of information is for the purpose of staff training or monitoring service standards, or will not be used in a form where the individual is identified.The information collected must be used by the telecommunications agency only for those designated purposes. Once the recording has fulfilled the purpose for which it was made, it must be erased. When making any recordings for staff training and monitoring services which identifies an individual, the agency must ensure that the individual is specifically made aware that a recording is being made, and consents to that recording.
Rules 5-7: Storage and Security, Access to and Correction of Telecommunications Privacy Information
An individual is entitled to obtain personal information from a telecommunications agency holding that information. A telecommunications agency may refuse to disclose linked call information (traffic information linked to a subscriber) except where the request relates to the resolution of a billing dispute or where the information is required to enable the requester to serve proceedings under the Harassment Act 1997. Rules 8-9: Accuracy and Retention of Telecommunications Information
Telecommunications agencies must not hold
telecommunications information for longer than:
- In the case of traffic information, the information must be
erased on termination of the call.
- For billing information, the information may only be held until expiry of a time period during which legal proceedings over the invoice may be decided.
Personal information relating to a subscriber may be retained and used for the purpose of marketing telecommunications services to the subscriber provided that specific authorisation for such use has been first obtained from the subscriber. Rule 10: Limits on the Use and Disclosure of Telecommunications Information
Telecommunications agencies cannot use telecommunications information for the purpose of direct marketing unless the subscriber has consented to that use and has been informed that such consent can be withdrawn at any time. Telecommunications information can only be disclosed on a number of grounds e.g. if authorised, for public safety. Subscribers have the choice of opting-out of directories and marketing. Rules 12: Unique Identifiers
Individuals must not be assigned unique identifiers unless it is necessary for the telecommunications agency to carry out any of its functions efficiently. When assigning such identifiers (ANI, (Automatic Number Identification) telephone number etc) they shall be assigned only to an individual whose identity is clearly established.
Complaints and Charges
Designated Person: Each telecommunications agency must designate a person to deal with alleged breaches of the Code and provide the individual with a complaints procedure which documents and acknowledges the complaint within 5 working days of its receipt. Advise Individual of Complaints Process: The Code requires the telecommunications agency to advise the individual of the "complaints process available under clause 6" (in part 3) where an individual has made an information request that has been refused or complied with only in part. Practical Issues
ISPs: An area of concern for ISPs is the limitation on the information that can be collected from a customer. The Code limits the information that can be collected to information on the location of the subscriber's connection and call-time, and data volume information necessary for accounting and payment purposes. ISPs that collect additional information, for example to monitor users' usage of the system to prevent hacking, spamming or unlawful use of intellectual property, are in breach of the draft Code as currently drafted. The Code also lacks clarity in some areas, such as the acceptability of copying information into a browser cache by ISPs. Consent: There is also the question of just how practical it is to require telecommunications agencies, to make an individual "specifically aware" and obtain his/her consent when a recording of the conversation is made as part of staff training or network monitoring. Retention of Information: It appears impractical to require companies to delete traffic information (which may be useful information for forecasting purposes) on termination of a call. This obligation may need to be watered down by preventing telecommunications agencies from using traffic information for marketing purposes, except with a subscriber's consent. Key Issues:
The code specifies 12 new rules that deal with "telecommunications information" collected by "telecommunications agencies". Any recordings made by a telecommunications agency e.g. for training must be erased once the recording has fulfilled its purpose Traffic information cannot be retained by a telecommunications agency Subscribers can opt-out of directories complied by and marketing undertaken by telecommunications agencies. There must be a person designated to deal with privacy complaints. This is a general summary only and should not be taken as a substitute for specific advice.
x-tech group Simpson Grierson
Web site:
Simpson Grierson Contacts
Michael Sage, Partner, michael.sage@simpsongrierson.com
Earl Gray, Partner, earl.gray@simpsongrierson.com
Alicia Wright, Senior Associate, alicia.wright@simpsongrierson.com
Sarah Ford, Solicitor, sarah.ford@simpsongrierson.com