Privacy Commissioner - Te Mana Matapono Matatapu

Telecommunications Information Privacy Code - General information

The Telecommunications Information Privacy Code was released for public consultation in December 2001 and issued by the Privacy Commissioner in May 2003. It generally comes into force, except for two provisions, in November 2003. This information paper contains some general information about the code. A further information paper is available concerning changes made to the code as a result of public consultation.

Coverage of the code (clause 4)

The code principally covers the telecommunications industry in its dealings with the personal information of customers and users of telecommunications services. Clause 4 spells out the code's coverage. Reference should also be made to the definitions in clause 3 of terms such as directory enquiry agency, directory publisher, Internet service provider, network operator, subscriber information, telecommunications, telecommunications agency, telecommunications information, telecommunications service provider and traffic information.

The code does not attempt to deal comprehensively with every privacy issue that may be associated with telecommunications services. For example, the code does not deal with staff related issues or with the use of telephones and electronic mail by employees in organisations that are not telecommunications agencies.

At some future time, the Privacy Commissioner may revisit the question of coverage to see whether the code should be extended to capture further important telecommunications privacy issues. However, the limited present coverage does not leave a gap. Whenever an agency collects, holds, uses or discloses personal information in circumstances where the code does not apply, the more general information privacy principles in the Privacy Act continue to apply. The Privacy Act and the code operate together to address each situation.

Definitions (clause 3)

A number of the definitions are taken from the Telecommunications Act 2001. Consistency with the principal regulatory law dealing with telecommunications has advantages. Definitions in the Privacy Act 1993, of course, apply to such terms used in the code.

International law enforcement, network security and integrity (rules 2, 3, 10 and 11)

Rules 2, 3, 10 and 11 contain exceptions where departure from the rule is permitted for a particular purpose, often to recognise a competing public interest. Most of the exceptions contained in the information privacy principles are also to be found in the code, although some have been omitted. There have, in addition, been some exceptions tailored to the telecommunications sector.

A notable new exception allows for the collection from a source other than the individual concerned and for the use and disclosure of telecommunications information where that might not otherwise comply with the relevant rules, where non-compliance is necessary:

"to assist a foreign law enforcement authority in the prevention, detection, investigation and prosecution of a breach of a foreign telecommunications law."

A "foreign telecommunications law" means a law (other than a New Zealand law) which:

• regulates the operation and use of a network; or
• prescribes offences for misuse of, or interference with, a network.

We live in a networked global environment in which business and social activity is readily conducted without regard to international frontiers. Telecommunications agencies, particularly network operators, can be called upon to assist in dealing with telecommunications crimes across borders.

A second new exception allows for collection, use and disclosure:

"for the purpose of preventing or investigating an action or threat that may compromise network or service security or integrity."

This may include, for instance, activity that could breach the technical defences of a network. Denial of service attacks may threaten a subscriber's service or may compromise the network in whole or part.

Interconnection between networks, wholesaling or similar arrangements (rules 2, 10 and 11)

There are exceptions to some of the rules recognising the way that telecommunications involve a complex series of arrangements for interconnection. In addition to interconnection agreements there are wholesaling agreements and other similar arrangements.

In addition to exceptions permitting various exchanges of information which are necessary to make these arrangements work efficiently, there are constraints. For example an agency is not permitted to use information obtained through an interconnection arrangement as the basis for unauthorised direct marketing (refer rule 10(2)).

Service or billing enquiries (rules 2 and 11)

Another exception to rule 2, which is not found in the equivalent information privacy principle 2, is where information to deal with a service or billing enquiry is collected from a member of a subscriber's household (or a representative of a business subscriber).

There is a corresponding disclosure exception where such a person to whom a disclosure is made appears to be acting on behalf of the subscriber.

Access to identity of another individual or subscriber (rule 6)

People occasionally ask telephone companies for identity of callers. Sometimes that information needs to be revealed in order to resolve a billing dispute. However, some requests are made where there is no billing dispute since the unknown party is meeting the cost of the call. Releasing customer identity in response to such requests can be a highly sensitive matter since it may involve an intrusion into the privacy of another person. It may also raise personal safety issues. An example may be where a victim of domestic violence has telephoned from a secret location.

Rule 6(4) makes it clear that network operators can withhold the linked traffic information which may reveal the identity of another individual or subscriber. This is consistent with the typical current practice. However, agencies retain a discretion to release the information in appropriate circumstances in accordance with rule 11.

Direct marketing (rule 10)

The code includes some provisions dealing with a telecommunications agency's use of information for direct marketing. "Direct marketing" is defined. The basic premise of the code is that the use of telecommunications information by a telecommunications agency for direct marketing be done with the authorisation of the individual concerned. Where the individual is asked to authorise use for direct marketing, the individual must also be advised that he or she may withdraw such authorisation at any time.

Rule 10(2) provides that a telecommunications agency must not use traffic information obtained as a result of interconnection, wholesaling or similar arrangements between network operators for the purposes of direct marketing to an individual who is not a subscriber of the agency without the authorisation of that individual.

Internal complaints processes (Schedule 1)

Telecommunications agencies are required to provide for the internal handling of complaints of breaches of the code in a manner that meets certain standards. The internal complaints processes do not replace the right to complain to the Privacy Commissioner. However, the objective is to ensure that, wherever possible, that an individual with a privacy complaint about a telecommunications agency's actions be able to sort the matter out with the agency concerned, if at all possible.

Directories and directory enquiries services (Schedule 2)

A subscriber's details may be included in a directory, or released through a directory enquiry service, only with the subscriber's authorisation. This has been Telecom's practice since the enactment of the Privacy Act 1993. (Previously it was a condition of service that a subscriber be listed in the telephone book unless payment was made for the privilege of being left out). The code contains other requirements relating to directories which reflect existing practice (for example in terms of the information that is required to be provided in order to obtain a subscriber's telephone number using a directory enquiry service).

The code explicitly prohibits the display of subscriber information in a reverse search facility, or the disclosure for inclusion in such a facility, without the subscriber's explicit authorisation. "Reverse search facility" is defined. A simple example is a facility by which an individual's name and address can be obtained by reference to a telephone number alone.

The Schedule contains certain requirements in terms of preferences expressed by subscribers as to how their name might appear in a directory and whether all or, only part, of the subscriber's address details are published. These new requirements are delayed until 1 April 2005 given the long lead-in time required for changes to telephone directories. There is a transitional provision applicable to these 2 new requirements to make it clear that the publishers of the telephone directories are not required to seek new explicit authorisation from all the existing subscribers listed in the telephone book (but are to act on requests that they might receive from those subscribers) (see clauses 5 and 6 of Schedule 2).

Calling line identification presentation (CLIP ) (Schedule 3)

Schedule 3 includes rules on CLIP (commonly called caller ID or "caller display"). CLIP is allowed so long as per-line and per-call blocking is available free of charge. Telecommunications agencies which provide CLIP are required to take reasonable steps to make subscribers and users aware of the blocking options and to have a means by which callers can easily find out whether an out-going line is blocked.