	Home \| Databases \| WorldLII \| Search \| Feedback Privacy Law and Policy Reporter

Home | Databases | WorldLII | Search | Feedback

Privacy Law and Policy Reporter

You are here: AustLII >> Databases >> Privacy Law and Policy Reporter >> 1996 >> [1996] PrivLawPRpr 40

Haines, Janine --- "Telstra'sprivacy audit" [1996] PrivLawPRpr 40; (1996) 3(4) Privacy Law & Policy Reporter 64

Telstra's privacy audit

Technological advances in the latter half of the 20th century have occurred at such a rapid pace and have been accepted with such enthusiasm by the majority of the world's population that many, if not most, people have overlooked the fact that there is a down-side to the burgeoning use of computers, the Internet and other modern high tech paraphernalia. One of those problems is the increasing capacity for, and hence likelihood of, breaches of the rights individuals (as well as corporations) have to privacy. In the past, too few people have recognised this and even fewer have spoken out about it -- and all too often those who have issued warnings have been met with the banal (and erroneous) statement that `if you've got nothing to hide, you've got nothing to fear'.

One of the few people to raise concerns (well in advance of those who saw only the advantages and few of the potential disadvantages inherent in the world's rapturous embrace of new technologies) was Zelman Cowan who argued in 1969 that `proper surveillance over the character and relevance of the information stored by a computer' was necessary if its benefits were not to be outweighed by breaches of privacy. Human nature being what it is, his warning (while apposite) was largely ignored, again at least partly because few people really understood either the concept or the consequences. Several years later, however, the SA Parliament, recognising that `privacy' had to be defined in order to be protected, decided that the term meant protection from `intrusion' into areas such as an individual's personal life and their communications with others.

By 1988, the Federal Government was forced to respond to growing community concerns by passing the Privacy Act 1988 (Cth) -- a piece of legislation which covered most Commonwealth agencies. The 11 Information Privacy Principles in that legislation laid down guidelines for the collection, collation, storage, security, use and disclosure of personal information. Concern about breaches of individual privacy and the need for better protection of personal data had already led to the establishment of the Independent Commission Against Corruption (ICAC) in NSW. Following the release of its reports in 1990 and, in particular, the revelation that the activities which were the subject of that inquiry `were part of a wider trade in confidential [NSW] government information', a meeting was held in Sydney attended by representatives of some of the major record-keeping organisations in Australia such as credit reference bureaus and telecommunications carriers as well as others concerned about the prevention of further breaches of privacy.

That meeting resulted in the formation of the Australian Privacy Charter Council (see <2 PLPR 41>) chaired, until recently, by Justice Michael Kirby. I was elected to take his place when he retired from the position in July. The members of the council committed themselves to putting privacy protection policies in place within their own organisations. They included representatives of several companies whose need and capacity to accumulate large amounts of personal data meant they were particularly vulnerable to both privacy breaches and public concern. Telecom, as it was then, was among them. When the company, by then called Telstra, merged with OTC in 1992, AUSTEL and the Telecommunications Industry Ombudsman assumed the responsibility for overseeing privacy provisions within the industry.

Origins of the audit

In early 1994, the then minister for Communications and the Arts revealed allegations that some employees of Telstra had `monitored and recorded telephone conversations of certain customers without their consent.'. In responding to that statement, Telstra developed its `guidelines on voice monitoring or recording of telephone services' (see <1 PLPR 55>) as well as its Privacy Protection Policy which stated that the company accorded `the highest priority to the protection of personal privacy alongside customer service'. That document included provision for the establishment of an independent external audit of the company's privacy protection measures as they related to Telstra customers. The resultant Privacy Audit panel consisted of John Morison, representing the federal Privacy Commissioner; representatives of the privacy auditor, Price Waterhouse (which won the tender for the privacy audit) and myself as the independent member and chair of the panel.

Privacy Auditor's role

As the Privacy Auditor, Price Waterhouse's role is to investigate and report on:

the appropriateness and effectiveness of Telstra's privacy policy;
the corporation's compliance with that policy;
the extent to which the level of privacy protection meets international standards;
the security of the network; and
the extent to which the policy meets Telstra's statutory obligations, its own policy commitments and its data protection requirements.

In other words, it is required to analyse the type and source of data collected by Telstra, its dissemination for purposes of providing a service, its accessibility to employees of Telstra and any other practices which have, or could have, an impact on the security of the data and hence the privacy of customers. In particular, it has to determine whether there are sufficient safeguards in place to ensure that the privacy of customer data is properly protected. This external audit is complementary to Telstra's own audit and privacy programs and includes an audit of the security of customers' personal data stored within Telstra's computer system. The findings of that audit are presented to both Telstra management and the Audit Panel and a public report is issued annually.

Privacy Audit Panel

The role of the Privacy Audit Panel, on the other hand, is to oversee and report and this involves analysing and reporting publicly on the appropriateness, compliance with, and effectiveness of Telstra's privacy protection procedures and the extent to which they meet the organisation's statutory obligations as well as its own policy commitments and data protection requirements.

This has been no mean feat given that Telstra employs over 70,000 people nation-wide as well as hundreds of others in contract positions or associated with its operations in peripheral areas. The independent audit conducted by Price Waterhouse and overseen by the Audit Panel has involved scrutinising the security of customers' personal data stored within Telstra's computer system and is additional to Telstra's own audit and privacy programs. The resulting recommendations have led to Telstra expanding its Privacy Protection Policy by, among other things, limiting the amount of data collected and kept on customers and placing significant restrictions on access to that data within Telstra as well as on disclosure of the information.

The Privacy Audit Panel's terms of reference include:

monitoring and reporting on the corporations compliance with its Privacy Protection Policy;
assessing and reporting on the effectiveness of the privacy protection policies in ensuring the privacy rights of customers and the general public;
assessing and reporting on the security of the network and the privacy of users;
ensuring that consent is obtained from customers before voice monitoring is carried out; and
ensuring that customer data is not disclosed without the consent of the customer.

The Panel is also required to report annually to Telstra's CEO.

The first audit

The audit, conducted by Price Waterhouse and overseen by the Privacy Audit Panel, has covered all the company's business units and focused on the level of implementation of Telstra's own Privacy Protection Policy and its commitment to meet international best practice in this area. It has also recommended that Telstra continues to provide sufficient resources within the company to ensure that the security of data on both employees and customers is ensured, and that all telecommunications carriers be put under the jurisdiction of the Telecommunications Industry Ombudsman.

Additional procedures such as ensuring that access to customers personal data is limited to authorised personnel on a needs basis and the requirement that confidentiality agreements must be signed, play both a direct and indirect role in privacy protection. Direct because it ensures that customers' personal data are seen by as few employees as possible and indirect because it reinforces to employees the emphasis placed on data privacy protection by the company.

International comparisons

As the second year of the process draws to an end, it is pleasing to note that the whole process has been so successful over the past two years that Telstra in Australia is now at the forefront of privacy protection in this area, being slightly ahead of Canada's telecommunications carrier which hopes to have their own privacy protection policy in place within the next few months. As far as the member nations of the European Union are concerned, while agreement has been reached in principle regarding the directive on the `Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of that Data', it is still proving difficult to reconcile member nations' policy differences in the area of privacy protection.

The US, with its plethora of telecommunications carriers, is not nearly as far advanced in the area of telecommunications privacy policy as most other western nations. Australia, therefore, has reason to be proud of the fact that it is breaking new ground as far as the protection of privacy within the telecommunications area is concerned and is currently setting the standard for world's best practice in telecommunication's privacy protection policy.

Post-1997

For Australia to maintain this position, it is important that Telstra's competitors be required to adopt the same policies when they come on stream. If the government, or the carriers themselves, fail to ensure this, Australia will fall behind the rest of the world notwithstanding Telstra's high standards. In my foreword to Telstra's 1995 Privacy Report, I noted that `community and business concerns' about threats to individual (and, for that matter, corporate) privacy were growing as advances in technology burgeoned (and the Internet is a particular worry to many people). It is therefore incumbent on any organisation which, of necessity, collects, collates and stores data on individuals to ensure that personal information remains secure while it is being stored by the organisation; that it is destroyed or disposed of securely, and that the right to privacy of the individuals on whom that data are held are fully protected.

As Privacy Commissioner Kevin O'Connor noted when he released the Human Rights and Equal Opportunity Commission paper, Community Attitudes to Privacy, `Australians want greater control over personal data held by government and business ... [because] ... There is a feeling that control of personal information, particularly on computers, is beyond an individual's power ... and they want to have a say over how it is obtained and used.'

The role of Telstra's Privacy Audit Panel is to ensure that Australia's major telecommunications carrier, already aware of public expectations of them as well as public concerns about both the potential for and the actuality of breaches of privacy in organisations which collect personal data, meets its obligations.

Janine Haines, Chair of Telstra's Privacy Audit Panel, and Chair of the Australian Privacy Charter Council.

AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.austlii.edu.au/au/journals/PrivLawPRpr/1996/40.html