|
|
Home
| Databases
| WorldLII
| Search
| Feedback
Australian Parliamentary Joint Committee on Human Rights |
|
Purpose
|
This bill seeks to amend the Telecommunications Act 1997 to
alter the operation of information disclosure provisions and record of
disclosure requirements. It would also make technical amendments
to the
Telstra Corporation and Other Legislation Amendment Act 2021
|
|
Portfolio
|
Infrastructure, Transport, Regional Development, Communications and the
Arts
|
|
Introduced
|
House of Representatives, 10 November 2022
|
|
Rights
|
Privacy; effective remedy
|
2.78 The committee requested a response from the minister in relation to the bill in Report 6 of 2022.[2]
2.79 The bill seeks to amend the Telecommunications Act 1997 (Telecommunications Act) to expand the information that may be disclosed from the Integrated Public Number Database (Number Database), allowing disclosure of information related to unlisted (and listed) phone numbers in the case of calls to emergency services numbers.[3] It would also insert a requirement that it must be unreasonable or impracticable to obtain the other person's consent to the disclosure or use of their information.
2.80 Permitting the use and disclosure of personal information related to unlisted phone numbers on the Number Database in emergency call situations engages and limits the right to privacy. The right to privacy may be subject to permissible limitations which are provided by law and are not arbitrary. In order for limitations not to be arbitrary, the measure must pursue a legitimate objective and be rationally connected to (that is, effective to achieve) and proportionate to achieving that objective.
2.81 Permitting the disclosure of unlisted phone numbers in such circumstances in order to protect life is a legitimate objective for the purposes of international human rights law, and this measure appears to be rationally connected to (that is, capable of achieving) that objective. But questions remain regarding proportionality.
2.82 While noting the important objective of this bill, the committee noted that permitting the disclosure of information relating to unlisted phone numbers (such as mobile phone numbers) on the Integrated Public Number Database in dealing with matters raised by a call to an emergency service number engages and limits the right to privacy and sought the minister's advice as to:
(a) whom information or documents obtained under this measure may be disclosed, and examples of such disclosure;
(b) what are the parameters of the term 'dealing with matters raised by' a call to an emergency service number;
(c) whether and how the alternative basis for disclosing information relating to a call to an emergency services phone number in section 286 interacts with this proposed amendment to section 285, and why the proposed amendment is necessary despite this existing exception; and
(d) what safeguards would apply to information disclosed under section 285 as amended (including restrictions in terms of how the data must be handled, used, stored, and destroyed).
2.10 The full initial analysis is set out in Report 6 of 2022.
2.83 The minister advised:
(a) To whom may information obtained under this measure be disclosed, with examples of disclosure?
The Bill facilitates the disclosure of information about unlisted numbers from the Manager of the Integrated Public Number Database (IPND) to the Emergency Call Person.
In practice, the information is disclosed to emergency services (police, fire or ambulance). When a caller dials an emergency service number in need of emergency assistance, the call is first answered by the Emergency Call Person (currently Telstra for 000/112, and the National Relay Service provider for 106). The Emergency Call Person asks the caller which emergency service is required – police, fire, or ambulance – and then connects the caller to the relevant emergency service centre that services the caller’s location[5].
Figure 1: An overview of what happens on an emergency call
When the call is transferred to the requested emergency service, the customer name and residential address of the caller is automatically transmitted from the IPND and displayed on the control screen of the emergency service operator handling the call. In most cases, the operator is able to confirm the appropriate dispatch location directly with the caller.
However, if this location cannot be confirmed, assistance is dispatched to the address associated with the phone number of the caller, as listed on the IPND. The IPND, which is managed by Telstra under clause 10 of its carrier license conditions,[6] contains a record of each telephone number issued by carriage service providers to their customers in Australia, including the customer’s name and residential address. Access to information in the IPND – including storage, transfer, use, or disclosure of unlisted information – is strictly regulated through the Act, a number of legislative instruments, and enforceable industry standards. Further information is provided under response (c).
The proposed amendment to section 285 of the Act is mainly focused at promoting clarity in the legislative framework around the disclosure of unlisted number information. As set out in paragraph 13 of the Notes on Clauses in the Explanatory Memorandum for the Bill, the intention is to remove unnecessary complexity in the interpretation of the Act – however, the proposed measure also introduces an additional safeguard that it must be unreasonable or impracticable to seek the consent of the person to whom the disclosure relates.
(b) What are the parameters of 'dealing with matters raised by' a call to an emergency service number?
Disclosure of unlisted information through the proposed measure will be limited in practice to dispatching services (such as an ambulance) and routing calls to either Triple Zero or the Australian 106 Text Emergency Relay Service for people who have a hearing or speech impairment. In law, they are strictly limited to matters raised by a call to an emergency service number.
(c) Does the alternative basis for disclosing information relating to a call to an emergency services phone number in section 286 interact with this proposed amendment to section 285, and if so, how? Why is the proposed amendment necessary despite this existing exception?
No. The exception in section 286 only applies to information that is known or comes into a person’s possession because of a call to an emergency service number. It allows the Emergency Call Person to disclose information to the appropriate ESO. It does not extend to the IPND Manager (i.e. information in the IPND does not come into possession of the IPND Manger as a result of a call to an emergency number).
The exception in section 285, and the proposed amendment, applies in a different circumstance and is also narrower. It applies only to information contained in the IPND, only to the Manager of the IPND, and only for purposes of dealing with a matter raised by a call to an emergency service number. The proposed amendment merely clarifies that disclosure about unlisted numbers from the IPND Manager to the Emergency Call Person (for example, to allow the dispatch of an ambulance because the person on the call using an unlisted number is asphyxiating) is lawful.
Figure 2: an overview of which provisions apply to which disclosure
(d) What are the safeguards that would apply to information disclosed under section 285 as amended (including restrictions in terms of how the data must be handled, used, stored, and destroyed)?
The amendment builds upon the existing Part 13 safeguards by introducing a requirement that it must be unreasonable or impracticable to seek the consent of the person to whom the disclosure relates. The use and disclosure of this data is restricted only to those necessary in providing an emergency service response. Through the interaction between several pieces of legislation which regulate either access to information in the IPND and/or the provision of emergency call services, information disclosure through the measure is restricted to police, fire and ambulance services.
Beyond this, the general safeguards that apply across Part 13 of the Act remain in place. For example, Division 2 of the Act sets out that use or disclosure of information received under these exceptions must be for the authorised purpose, contravention of which is an offence punishable on conviction by 2 years imprisonment, for example.
Telstra, as the IPND Manager and the Emergency Call Person (ECP), has publicly available procedures in place to ensure that information disclosed between the IPND Manager and the ECP is handled appropriately.[7] Obligations on IPND access seekers are specified in an enforceable industry code[8] and in the data access agreements with Telstra.[9] These technical implementations limit the ability for disclosures to occur for purposes or to entities separate to those mentioned above.
2.84 As to whom information or documents obtained under this measure may be disclosed, the minister advised that information is disclosed to emergency services (police, fire or ambulance). When a caller dials an emergency service number, the call is answered by the Emergency Call Person who asks the caller which emergency service is required and then connects the caller to the relevant emergency service centre that services the caller’s location. Following the transfer of the call, the caller's name and residential address is automatically transmitted from the Number Database and displayed on the control screen of the emergency service operator handling the call. Consequently, it appears that information or documents obtained under this measure may only be disclosed to emergency services workers.
2.85 In relation to the parameters of 'dealing with matters raised by' a call to an emergency service number, the minister advised that this will be limited in practice to dispatching services (such as an ambulance) and routing calls to either Triple Zero or the Australian 106 Text Emergency Relay Service for people who have a hearing or speech impairment. It would appear, therefore that this provision only operates in respect of immediate responses to calls made to emergency services (and not, for example, to permit disclosure at some later time).
2.86 The minister further advised that this provision is necessary, because existing provisions in the Telecommunications Act (including section 286) operate differently to this proposed amendment. The minister advised that the exception in section 286 only applies to information that is known or comes into a person’s possession because of a call to an emergency service number, allowing the Emergency Call Person to disclose information to the appropriate Emergency Services Officer. Section 285 (as amended), by contrast, would apply in different and more narrow circumstances: to information contained on the Number Database, to be relied on by the Number Database Manager, and only for purposes of dealing with a matter raised by a call to an emergency service number (for example, to allow the dispatch of an ambulance because the person on the call using an unlisted number is asphyxiating). Based on this additional information, it is clear that sections 285 and 286 facilitate the disclosure of information to different workers where an emergency phone call has been made, and therefore operate differently.
2.87 The minister also outlined several safeguards which would apply to information disclosed under section 285 as amended. The minister noted the proposed inclusion of an additional safeguard by introducing a requirement that it must be unreasonable or impracticable to seek the consent of the person to whom the disclosure relates. In addition, the minister noted there is already: an offence to use or disclose information received under these exceptions other than for the authorised purpose; procedures that govern how Telstra, as the Number Database Manager and the Emergency Call Person, must handle information appropriately; as well as obligations on those seeking access to the Number Database via an enforceable industry code and in data access agreements with Telstra. These safeguards assist with the proportionality of the measure.
2.88 Based on this additional information from the minister, it would appear that the power under section 285 (as amended) is appropriately circumscribed and accompanied by valuable safeguards such that it is likely to constitute a proportionate limitation on the right to privacy.
2.89 The committee thanks the minister for their comprehensive response to its questions about this measure, and considers that based on this additional information, allowing disclosure of information related to unlisted (and listed) phone numbers, in the case of calls to emergency services numbers, would likely constitute a proportionate limit on the right to privacy. The committee welcomes the minister's advice that the explanatory materials accompanying this bill will be updated to reflect this additional information.
2.90 The bill seeks to expand a further exception from the use and disclosure offences set out in Part 13 of the Telecommunications Act where the disclosure relates to threats to a person's life or health.[10] Section 287 currently provides that a person may disclose or use information or a document relating to the affairs or personal particulars (including any unlisted telephone number or any address) of another person if the first person 'believes on reasonable grounds that the disclosure or use is reasonably necessary to prevent or lessen a serious and imminent threat to the life or health of a person'. The bill seeks to remove the qualifier that a threat to the life or health of a person be 'imminent' and insert a requirement that it is unreasonable or impracticable to obtain the other person’s consent to the disclosure or use of information.
2.91 The bill also seeks to repeal and replace section 300, which provides for the secondary use and disclosure of information that has been obtained under section 287.[11] This would allow for the secondary disclosure or use of information by the person who obtained it from the carriage service provider or carrier where it is unreasonable or impracticable to obtain consent and either: the disclosure or use is for the purpose of, or in connection with, preventing or lessening a serious threat to the life or health of a person; or the first person believes on reasonable grounds that the disclosure or use is reasonably necessary to prevent or lessen a serious threat to the life or health of a person.
2.92 The proposed expansion of the exception from the use and disclosure offences set out in Part 13 of the Telecommunications Act where the disclosure relates to threats to a person's life or health engages and limits the right to privacy. The right to privacy may be subject to permissible limitations which are provided by law and are not arbitrary. In order for limitations not to be arbitrary, the measure must pursue a legitimate objective and be rationally connected to (that is, effective to achieve) and proportionate to achieving that objective.
2.93 Permitting the disclosure of information (and its onward disclosure) in order to protect life and health of a person is a legitimate objective, and this measure appears to be rationally connected to (that is, capable of achieving) that objective. However, with respect to the proportionality of the measure, the statement of compatibility does not outline whether the measure is appropriately circumscribed and fails to identify any safeguards relating to access to, and the use of, such data.
2.94 The committee considered further information was required to assess the compatibility of the measure with the right to privacy, and sought the minister's advice as to:
(a) what is the process by which section 287 is invoked (for example, is it only ever police contacting carriage service providers in practice?), and is a warrant or other formal application a part of the process;
(b) what specific kinds of information may be used or disclosed as a result of the offence provisions not applying. In particular, would it allow for the content of a person's text messages or voicemail or their call log to be made available, or only the GPS phone triangulation;
(c) how such data is managed on receipt, and whether, how, and for how long such data is then stored;
(d) to whom that data may then be secondarily disclosed or used under section 300; and
(e) why is the provision of guidance and training to police regarding the applicability and scope of section 287 not sufficient to achieve the aim of this measure.
2.95 The full initial analysis is set out in Report 6 of 2022.
2.96 The minister advised:
Shortly prior to finalisation of the explanatory materials required for introduction of the Bill, a number of non-publication orders were made in relation to the Inquest into the disappearance of CD, the findings of which were not yet public at the time. As such, references made to the findings in the Explanatory Memorandum to the Bill were either removed or limited as a precautionary measure.
This was to ensure that the Government did not inadvertently contravene an order through its reliance on any materials provided in confidence before the publication of findings. As the findings are now available online, the Government will issue an updated Explanatory Memorandum and statement of compatibility to address the Committee’s concerns.
On 24 November 2022, the Senate referred the Bill to the Environment and Communications Legislation Committee. While described generally in the Inquest into the disappearance of CD and the response provided, the Government appreciates the position of law enforcement agencies that outlining specific details about the operational methodology of how missing persons investigations are conducted would expose vulnerable people to unjustifiable risk. My Department considers that this information may be of significant value to the Senate Committee in its appraisal and scrutiny of the Bill, and would be happy to facilitate a discussion with relevant agencies if it is of interest to the Committee.
...
(a) What is the process by which section 287 is invoked (for example, is it only ever police contacting carriage service providers in practice?), and is a warrant or other formal application a part of the process?
In practice, the provision generally only applies when a carrier or service provider is contacted by the police.[12]
For the proposed exception in section 287 of the Act to apply, the carrier or carriage service provider must believe on reasonable grounds that the disclosure is reasonably necessary to prevent or lessen a serious threat to the life or health of a person. The Bill will also introduce the safeguard that the carrier or carriage service provider must be satisfied that it would be unreasonable or impracticable to obtain the consent of the person to which the information disclosed relates to. The OAIC’s Australian Privacy Principle Guidelines (C.5) on the equivalent use/disclosure principle in the Privacy Act 1988 provides helpful interpretative guidance about the scope and appropriate meaning of these terms in relation to the circumstances where a use or disclosure is likely to be permitted.
It is the intention of the proposed measure that regulated entities would be largely reliant on the representations made by law enforcement or emergency service organisations to determine whether a threat was ‘serious’. This approach is consistent with the existing operational approach of law enforcement agencies, and recognises that law enforcement or emergency service organisations have access to information, systems and resources that telecommunications companies do not.
It is important to note that the amendments to the exception in section 287:
- do not compel the disclosure of information - even in cases where a request from police clearly satisfies the threshold for the exception to apply, disclosure remains at the discretion of the carrier;
- do not provide access to the contents or substance of a communication, or any other information which would ordinarily require a warrant;
- do not allow for information received through the exception to be used for another purpose – the amendments to section 300 of the Act require that any secondary disclosure or use of information by police or emergency service organisations must relate back to the purpose of the original request. Failure to do so is an offence punishable on conviction by 2 years imprisonment.
Rather, the exception provides that a carrier or carriage service provider does not commit a criminal offence for disclosing information about the ‘affairs or personal particulars’ of a person where it has a reasonable belief that doing so is reasonably necessary for preventing or lessening a threat to the person’s life or health.
In relation to missing persons, a formal request from law enforcement agencies to providers is required, but internal procedural requirements also apply for law enforcement to help establish that the thresholds for reasonable belief and reasonable necessity in the exception are met for section 300 of the Act.
This includes mandatory risk assessments, exhaustion of less intrusive methods, and internal authorisation requirements prior to initiating the process for a request. Broadly speaking, this also includes adherence to the Australia New Zealand Policing Advisory Agency Missing Persons Policy (2020) and Guiding Principles. In both the Inquest into the death of Thomas Hunt, and the Inquest into the disappearance of CD, a formal request to the provider was never made because NSW Police were not able to satisfy themselves that the threshold could be met by the circumstances.
The Government recognises the particular sensitivity that may attach to the personal information of individuals who have been reported missing. Such individuals may have exercised their free choice to disassociate themselves from friends and family for legitimate reasons, including removing themselves from harmful environments. Accordingly, a claim made by a member of the general public, without support or confirmation from emergency service organisations or law enforcement agencies, would not meet the threshold for the exception to apply. This is made plain in the explanatory memorandum to the Bill. However, the Government will clarify the process through which requests under the section 287 exception are invoked through amendments to the Bill’s explanatory materials.
(b) What specific kinds of information may be used or disclosed as a result of the offence provisions not applying. In particular, would it allow for the content of a person's text messages or voicemail or their call log to be made available, or only the GPS phone triangulation;
Section 287 of the Act reads:
Division 2 does not prohibit a disclosure or use by a person (the first person) of information or a document if:
(a) the information or document relates to the affairs or personal particulars (including any unlisted telephone number or any address) of another person; and
(b) the first person believes on reasonable grounds that the disclosure or use is reasonably necessary to prevent or lessen a serious and imminent threat to the life or health of a person.
The exception in section 287 of the Act, and the proposed amendment, does not allow for the content or substance of a communication to be made available in any circumstance. The proposed measure in the Bill will not change or increase the type of information which can be requested and disclosed through the operation of the provision.
The exception only applies to information relating to the ‘affairs or personal particulars of a person’, a meaning which includes location information as clarified by section 275A of the Act. Carriers do not typically have access to GPS information, and triangulations do not use GPS technology. Instead, a triangulation provides an approximate area of where a handset might be located, based on the location of one or more nearby cell towers. While there can be an enormous variance in the accuracy of this information, triangulations remain a useful tool in missing persons investigations, assisting in locating high-risk missing persons in about 20% of occasions in NSW.
As set out in paragraph 177 of the Inquest into the Disappearance of CD, if deemed necessary and proportionate following the initial risk assessment of relevant factors in a missing persons case, consideration may also be given to the use of Live CAD – which provides the time and date of activation of a mobile phone to the network, whether those activations consist of incoming or outgoing calls, and cell tower location.
(c) How such data is managed on receipt, and whether, how, and for how long such data is then stored;
In consultation with law enforcement agencies, the Department understands that the management of such data is received and managed according to well-established protocols, and also subject to a range of safeguards of which only one is the Act (which, for example, prohibits disclosure except in specified circumstances, and for which the penalty is two years imprisonment). These procedures and protocols are not public, to avoid disclosure of operational police practices. The Department can assist to arrange private briefing with law enforcement agencies with the Committee if that would be of assistance. These protocols and practices are also subject to a range of oversight mechanisms, including at the federal level by a number of oversight bodies, including the National Anti-Corruption Commission.
(d) To whom that data may then be secondarily disclosed or used under section 300;
In practice, to law enforcement or Emergency Service Organisations, to the extent that secondary disclosure is necessary (see the discussion above in relation to section 286). The secondary disclosure exception in section 300 of the Act can only be relied upon where doing so was for the purposes of preventing a serious threat, or the first person (i.e. the carrier or carriage service provider) believes on reasonable grounds that the disclosure is reasonably necessary to prevent or lessen a serious threat to life or health.
For example, if a carrier were to rely upon section 287 to disclose triangulation information to the NSW police about a missing person, and the triangulation data showed that the missing person was located in Queensland, the NSW police would be able to rely on section 300 to disclose that triangulation data to Queensland police if the NSW police formed the reasonable belief that doing so would save the person’s life.
The Bill introduces a new safeguard into section 300 that it must be impracticable or unreasonable to obtain the consent of the person the disclosure relates to. In doing so, the proposed measures in the Bill ensure that any secondary use or disclosure of information received under these exceptions must be for the authorised purpose, contravention of which is an offence punishable on conviction by 2 years imprisonment.
(e) Why is the provision of guidance and training to police regarding the applicability and scope of section 287 not sufficient to achieve the aim of this measure?
Because even with additional guidance or training, the ‘imminent’ threat threshold adds nothing to the safeguards in the Act, and the delay making out ‘imminence’ has contributed to the deaths of at least two people. As the Australian Law Reform Commission pointed out more than 10 years ago, any consideration of a serious threat, will give consideration to imminence if that is of relevance to the matter at hand.[13]
In the Inquest into the Disappearance of CD, paragraphs 107-137 of Magistrate Kennedy’s findings provide further justification about the ongoing challenges experienced with the interpretation of the provision, and the need for legislative reform. Moreover, the Department consulted the Interception Consultative Committee (ICC) several times in relation to these guidelines, and sought their feedback through several revisions. The ICC is a longstanding government consultative committee led by the Attorney-General’s Department (AGD), which includes both police agencies and industry representatives. While the clarification provided by the material was welcomed, it became clear that the ‘imminence’ qualifier in section 287 of the Act presents a legislative barrier in missing persons investigations that is difficult to overcome through guidance or training alone. In the Inquest into the Disappearance of CD, Chief Inspector Charlesworth of the NSW Police, who refused the request to triangulate CD’s mobile phone because there was insufficient evidence the threat was imminent, confirmed he would make the same decision today with the benefit of hindsight due to the lack of imminence.[14]
2.97 In relation to when a carrier may disclose or use information relating to the affairs or personal particulars of another person, the minister advised that in practice, the provision generally only applies when a carrier or service provider is contacted by the police (although it could also be relied on by other emergency services in cases such as bushfires). The minister advised that in relation to missing persons, a formal request from law enforcement agencies to providers is required. The minister stated that internal procedural requirements also apply for law enforcement to help establish that the thresholds for reasonable belief and reasonable necessity in the exception are met for section 300, as well as mandatory risk assessments, exhaustion of less intrusive methods, and internal authorisation requirements prior to initiating the process for a request. The minister also stated that this broadly also requires adherence to existing policies regarding missing persons. As such, it would appear that while a warrant is not required under section 287, a formal application may be required, and additional requirements must be met in the case of a missing person (although noting that such processes are not publicly available). It is less clear what processes would apply where section 287 was sought to be invoked in relation to other potential threats to life and health (for example, in the case of bushfires or other natural disaster). In this regard, it is noted that the minister has advised that there are 'an unlimited number of unpredictable circumstances in which an emergency may manifest itself' where a disclosure may be necessary to save life. This does raise some questions about the processes required to regulate the exercise of this power in circumstances other than that described in relation to missing persons.
2.98 In this regard, it is noted that the minister stated that section 287 does not compel a provider to disclose information to emergency services: 'even in cases where a request from police clearly satisfies the threshold for the exception to apply, disclosure remains at the discretion of the carrier'. However, it is not clear that a provider would reasonably be in a position to dispute an emergency service operator's assertion that a person's life or health is in danger, and so decline to provide the information (or to otherwise simply decline to provide the information). Indeed, as the minister has advised it is 'the intention of the proposed measure that regulated entities would be largely reliant on the representations made by law enforcement or emergency service organisations to determine whether a threat was "serious"'. As such, the absence of a legal power of compulsion would appear to have limited safeguard value. For this reason, the processes regulating the exercise of this power by law enforcement and other emergency services are important considerations.
2.99 As to the types of information that may be disclosed, the minister advised that section 287 does not allow for the content or substance of a communication to be made available in any circumstance. The minister stated that the provision only applies to information relating to the ‘affairs or personal particulars of a person’, which includes location information (pursuant to section 275A).[15] The minister advised that this provides only approximate information about where a handset may be located, not a precise location. The minister further advised that, if deemed necessary and proportionate following the initial risk assessment of relevant factors in a missing persons case, consideration may also be given to the use of 'Live CAD' – which provides the time and date of activation of a mobile phone to the network, whether those activations consist of incoming or outgoing calls, and cell tower location.[16] The term 'affairs or personal particulars' is not defined in the Telecommunications Act, and so it would appear that section 287 is capable of permitting the disclosure of a broader range of information than merely location information.[17] However, the fact that the content or substance of a communication cannot be disclosed in any circumstances substantially assists with the proportionality of the measure.
2.100 As to how such data is managed on receipt, and whether, how, and for how long such data is then stored, the minister advised that this occurs according to
'well-established protocols', and subject to a range of safeguards, which are themselves subject to a range of oversight mechanisms. The minister stated that these procedures and protocols are not public, to avoid disclosure of operational police practices. Depending on how robust such protocols and safeguards are, their existence would appear capable of serving as important safeguards in the handling of data received pursuant to section 287, which also assists with the proportionality of the measure.
2.101 The minister further advised that, in practice, data obtained under section 287 may only be secondarily disclosed or used under section 300, to law enforcement or Emergency Service Organisations, and only to the extent that secondary disclosure is necessary. In this regard, the minister noted that section 300 may only be relied on where doing so is for the purposes of preventing a serious threat, or where the first person (i.e. the carrier or carriage service provider) believes on reasonable grounds that the disclosure is reasonably necessary to prevent or lessen a serious threat to life or health. The minister also noted the proposed introduction of a new requirement that it must be impracticable or unreasonable to obtain the consent of the person to whom the disclosure relates, and that any secondary use or disclosure of information received under these exceptions must be for the authorised purpose, contravention of which is an offence. It would appear, therefore, that the secondary disclosure provision in section 300 is circumscribed such that it may only be relied on in narrow circumstances.
2.102 Further information was also sought as to why the provision of guidance and training to police regarding the applicability and scope of section 287 (a recommendation made by a NSW coroner in 2020) is not sufficient to achieve the aim of this measure. The minister advised that the report into a more recent coronial inquiry—Inquest into the disappearance of CD (September 2022)—is now public,[18] and includes recommendations relevant to this matter. The coroner's report outlines the narrow interpretation that had been given to section 287 in this case, including as a result of a narrow interpretation being applied to the 'imminent' qualifier. As to why the provision of guidance and training to police regarding the applicability and scope of section 287 would not be sufficient to achieve the aim of this measure, the minister stated that 'even with additional guidance or training, the 'imminent' threat threshold adds nothing to the safeguards in the Act, and the delay making out 'imminence' has contributed to the deaths of at least two people'. As such, the provision of guidance and training to police as to the scope of section 287 (as currently drafted) is unlikely to be an effective less rights-restrictive alternative.
2.103 Having regard to the detailed information provided by the minister, particularly in relation to the type of personal information that may be obtained under section 287; the circumstances in which the provision may be relied on (typically by police); and the rationale as to why the existing provision is unduly restrictive, on balance this measure would appear likely to constitute a proportionate limit on the right to privacy. However, it is noted many of the safeguards provided above are non-legislative in nature and some safeguards depend on robust internal police processes. In particular, the term 'affairs or personal particulars' is not defined in the Telecommunications Act. Further, while it appears there is existing guidance the police must follow to use this provision in the context of missing persons, it is less clear if such guidance exists to regulate the exercise of this power in circumstances other than that described in relation to missing persons (for example, by other emergency services personnel in the context of a natural emergency).
2.104 The committee thanks the minister for her comprehensive response in relation to this measure, and advice that the findings of a recent coronial inquest to which this measure relates are now publicly available. The committee notes the importance of removing the existing qualifier in section 287 that a threat to the life or health of a person be 'imminent' before a carrier discloses telecommunications data to police and other emergency services personnel. In particular, the committee notes the minister's advice that the delay in making out 'imminence' has contributed to the deaths of at least two people.
2.105 The committee also notes that disclosing personal telecommunications data limits the right to privacy, particularly in circumstances where a person may voluntarily have gone missing and may not wish to be contacted. The committee notes that the right to privacy may be limited where it is reasonable and necessary to do so. In this instance, based on the comprehensive additional information provided by the minister, the committee considers there are, on the whole, sufficient safeguards built into the existing processes to ensure that the limit on the right to privacy is likely to be proportionate. Of particular importance is the minister's advice that this provision would not allow access to the substance of content of communication in any circumstances and there are robust processes in place before the information can be sought.
2.106 The committee considers that the minister's advice sets out the processes the police must follow before invoking this provision in relation to missing persons, and such processes help with the proportionality of the measure. However, the minister's advice did not provide detail of any existing guidance as to the processes followed in cases not involving missing persons. Further, the committee considers there is some risk that the type of information that might be disclosed using these powers is overly broad, noting that disclosure may relate to the ‘affairs or personal particulars of a person’ – a term which is not defined in the legislation.
|
Suggested action
2.107 If it does not already exist, all emergency service providers who may
seek to invoke the powers in section 287 (for example, in the context of natural
emergencies) should consider making publicly available guidance as to the
process to be followed
before requests are made under section 287 to access
personal information held by carriers.
2.108 The proportionality of this measure may be assisted were the bill to
be amended to define what is captured by the term 'the
affairs or personal
particulars' of a person, to reflect the limited type of information or
documents that the minister advised may
be disclosed under the powers in section
287, noting that any such definition should not restrict or frustrate the
important intention of this provision.
|
2.109 The committee welcomes the minister's advice that the explanatory materials accompanying the bill will be updated to include the information provided to the committee by the minister.
2.110 The bill seeks to amend subsection 313(5)(a) of the Telecommunications Act relating to civil immunities for carriers, carriage service providers and carriage service intermediaries.[19] This amendment would provide that a carrier or carriage service provider or intermediary is not liable to an action or other proceeding for damages for or in relation to an act done (or omitted to be done) in good faith when providing help as is reasonably necessary for specific purposes in connection with preparing for, responding to, or recovering from an emergency.[20]
2.111 By extending immunity of these bodies from civil liability to include an act done or omitted in good faith when providing help in connection with an emergency, this measure engages the right to an effective remedy. This is because, if such an act done or omitted by a carrier or carriage service provider/intermediary resulted in a violation of a person's human rights (such as the right to privacy), they would be unable to seek a civil remedy for that violation from the various carriers.
2.112 The right to an effective remedy requires the availability of a remedy which is effective with respect to any violation of rights and freedoms recognised by the covenant.[21] It includes the right to have such a remedy determined by competent judicial, administrative or legislative authorities or by any other competent authority provided for by the legal system of the state. While limitations may be placed in particular circumstances on the nature of the remedy provided (judicial or otherwise), States parties must comply with the fundamental obligation to provide a remedy that is effective.[22]
2.113 The statement of compatibility fails to acknowledge the engagement of this right. As such, no information is provided as to whether and how this proposed amendment is consistent with the right.
2.114 The committee noted that extending the immunity of carriers and carriage service providers (such as mobile service providers) from civil liability engages the right to an effective remedy. The committee noted that the statement of compatibility does not identify the engagement of this right, and therefore sought the minister's advice as to:
(a) whether the measure is consistent with the right to an effective remedy; and
(b) what alternative remedies are available to persons where performance of a duty under subsections 313(4A) and (4B) results in a violation of their human rights.
2.115 The full initial analysis is set out in Report 6 of 2022.
2.116 The minister advised:
Section 313(5) of the Act provides that a carrier or carriage service provider is not liable to an action or other proceeding for damages if an act is done or omitted in good faith under subsections 313 (1), (1A), (2), (2A), (3) or (4) of the Act. However, it does not include subsections 313(4A) and (4B). The amendment in the Bill is consistent with similar provisions relating to safeguarding national security and public revenue in the Act, and corrects a [sic] error in the National Emergency Declaration Bill 2020, introduced by the former Government.
Under the National Emergency Declaration (Consequential Amendments) Act 2020 (NED(CA) Act), subsections 313(4A) and (4B) were inserted into the Act. These subsections introduce a duty on telecommunications providers to provide reasonably necessary help during certain emergencies.
It was intended that these entities would not be liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in fulfilment of that duty. The policy intention was set out in the Explanatory Memorandum to the National Emergency Declaration (Consequential Amendments) Bill 2020 that immunities would extend to the duties under subsections 313(4A) and (4B). Due to an error in drafting, the measures were not included in the Bill, and unfortunately section 313(5) was not amended to give effect to the then Parliament’s intention.
(a) whether the measure is consistent with the right to an effective remedy;
The Government believes that these measures are consistent with the right to an effective remedy, as laid out in Article 2(3)(a) of the International Covenant on Civil and Political Rights (ICCPR).
By extending the existing civil immunities to a carrier or carriage service provider when fulfilling a duty under subsections 313(4A) and (4B) to give officers and authorities of the Commonwealth and of States and Territories such help as is reasonably necessary in disaster and emergency circumstances, including national emergencies, the Bill engages the right to an effective remedy for any unlawful or arbitrary violation to the rights of individuals infringed in the process of providing that help. The proposed extension of the existing civil immunity serves the legitimate objective of ensuring that an officer, employee or agent acting on behalf of a carrier or carriage service provider are able to provide the reasonably necessary help before, during and after disasters and national emergencies, fulfilling their statutory duty in good faith and in the national interest.
The immunities are rationally connected to that important objective by managing the risk that carriers or carriage service providers would limit their conduct and in turn, the level of assistance given to the requesting government body to minimise any real or perceived risk of incurring personal civil liability. The immunity is proportionate to achieving this important objective, it is not arbitrary, unfair or based on irrational considerations and is limited to circumstances where a telecommunications company is assisting in good faith in specified situations (as noted above) and is only related to actions or other proceedings for damages (e.g. a cause of action in tort or negligence).
(b) what alternative remedies are available to persons where performance of a duty under subsections 313(4A) and (4B) results in a violation of their human rights;
While the Government believes that the Bill does engage the right to an effective remedy under article 2(3) of the ICCPR, to the extent that it does limit that right, the limitation is reasonable, necessary and proportionate to the objective. Alternative remedies are available to persons where performance of the duty results in a violation of their human rights.
In cases where the performance of the duty was done in good faith, an affected person could still seek an effective remedy for loss or damage suffered in the purported exercise of the assistance against the relevant Commonwealth, State, or Territory body or government official initiating the request for assistance.
In relation to the right of privacy that the Committee has queried, in giving (requested) help in accordance with subsections 313(4A) and (4B), carriers and carriage service providers must still comply with all applicable laws, including the Privacy Act 1988 (Cth) and the Act itself. For example, Part 13 sets out strict rules for carriers, carriage service providers and others in their use and disclosure of personal information. A request for help in accordance with subsections 313(4A) and (4B) that included the provision of information would in and of itself not provide the legal basis for a carrier to disclose personal information of an individual (an exception to the prohibition in Part 13 would need to be found).
Private citizens may also seek recourse through other avenues where, in giving help, a carrier or carriage service provider has allegedly interfered unlawfully with an individual’s right to privacy. For example, a complaint could be made to the Australian Communications and Media Authority (ACMA) if there was a concern that a carrier or carriage service provider had breached Part 13 of the Act or concerns about how the duties under subsections 313(4A) and (4B) were carried out. The ACMA could take enforcement action against the carrier or provider, including court injunctive relief. Similarly, a complaint could be made by the individual directly to the Privacy Commissioner for investigation (noting that privacy breaches will attract fines etc).
2.117 The minister advised that the measure engages, and is consistent with, the right to an effective remedy. The minister noted that this provision only limits liability in respect of actions for damages. The minister advised that alternative remedies would be available to persons where performance of a duty in good faith under subsections 313(4A) and (4B) results in a violation of their human rights. In particular, the minister advised that a person could bring a claim for loss or damage suffered in the purported exercise of the assistance against the relevant Commonwealth, State, or Territory body or government official initiating the request for assistance. The minister also noted the operation of the Privacy Act 1988 (Privacy Act), in relation to an unlawful use of information, and the ability of persons to complain to the Australia Communications and Media Authority (ACMA) 'if there was a concern that a carrier or carriage service provider had breached Part 13 of the Act or concerns about how the duties under subsections 313(4A) and (4B) were carried out'. The ACMA could then obtain injunctive relief from a court. Similarly, a person could also complain to the Privacy Commissioner about a suspected privacy breach.
2.118 Having regard to the availability of these alternative remedies in relation to any loss or damage suffered as a result of the performance of a duty (in good faith) under section 313 (resulting in a corresponding violation of human rights, such as the right to privacy), this measure would appear to be consistent with the right to an effective remedy.[24]
2.119 The committee considers that, based on the additional information provided by the minister about the availability of other remedies, extending the immunity of carriers and carriage service providers (such as mobile service providers) from civil liability is compatible with the right to an effective remedy. The committee welcomes the minister's advice that the statement of compatibility will be updated to reflect the engagement of this right.
2.120 Items 12–14 of Schedule 1 of the bill seek to amend section 306 of the Telecommunications Act, which establishes the record-keeping requirements where an eligible person or eligible number-database person[25] has disclosed information or a document as authorised by a provision of Division 3 of the Telecommunications Act, or as authorised under specified sections of the Telecommunication (Interception and Access) Act 1979 (TIA Act).[26]
2.121 The measure would expand the circumstances in which section 306 would require the creation of a record to include where a disclosure has been made pursuant to section 187AA(1) of the TIA Act.[27] Subsection 187AA(1) sets out the kinds of information that a service provider must keep, or cause to be kept. This includes: the name and address of a telecommunications subscriber; the source and destination of their communications (i.e. the device a communication was sent from and where it was sent); the type of communication (e.g. email, voicemail); and the location of the equipment used for the communication (e.g. cell towers or wi-fi hot spots). The bill would provide that, if the information or document that was lawfully disclosed included information of a kind specified in subsection 187AA(1), a record of the disclosure must set out the number of the item[28] and a description of the content of those items to the extent that the content relates to the information or document.
2.122 Requiring the creation of a record of disclosure under section 306 of the Telecommunications Act engages and limits the right to privacy. This is because the information required to be retained by a service provider under subsection 187AA(1) would include personal information (including the name and address of a service subscriber, and information relating to all of their communications on a device).
2.123 The right to privacy may be subject to permissible limitations which are provided by law and are not arbitrary. In order for limitations not to be arbitrary, the measure must pursue a legitimate objective and be rationally connected to (that is, effective to achieve) and proportionate to achieving that objective.
2.124 The committee noted that expanding the requirement to record where an authorised disclosure of information, including personal information, has occurred engages and may limit the right to privacy and sought the minister's advice as to:
(a) whether the measure is consistent with the right to privacy; and
(b) in particular, what safeguards would operate in respect of information required to be recorded under section 306 (including with respect to requirements for the data's storage, and its destruction after it is no longer required to be retained).
2.125 The full initial analysis is set out in Report 6 of 2022.
2.126 The minister advised:
(a) Is the measure consistent with the right to privacy?
(b) What safeguards operate in respect of information required to be recorded under section 306?
The Government does not consider that any aspects of the measure will limit the right to privacy.
Prior to introduction of the Bill, the Office of the Australian Information Commissioner (OAIC) was consulted on an exposure draft of the proposed measures, and requested an additional amendment to include a description of the type of content disclosed. A revision to Clause 13 of the Bill was made to include a requirement to this effect. This measure introduces a requirement to keep a record of the type of information which was disclosed by reference to the table in subsection 187AA(1) of the Telecommunications (Interception and Access) Act 1979 - e.g. ‘subscriber address’; ‘billing information; ‘call charge record from x date’ - to assist in the OAIC’s assessment of proportionality.
It does not, however, require providers to record the actual information disclosed, or otherwise retain any personally identifiable information in the record of disclosure. This issue was specifically addressed in consultation with major carriers and the Communications Alliance, and a revision to the explanatory materials of the Bill will be tabled to clarify the intended operation of the measure and that the disclosure record should not contain personally identifiable information.
Telecommunication providers subject to the Privacy Act 1988 will continue to have obligations requiring that reasonable steps must be taken to protect personal information held under Australian Privacy Principle 11.
2.127 The minister stated that this measure does not engage the right to privacy, as the requirement to create a record of the type of information which has been disclosed does not require the creation of a record that itself sets out personal information, for example, a customer's address. Rather it requires only the creation of a record that information of that nature was disclosed. The minister explained that this measure does not require providers to record the actual information disclosed, or otherwise retain any personally identifiable information in the record of disclosure. The minister also noted that telecommunication providers subject to the Privacy Act will continue to have obligations to take reasonable steps to protect personal information.
2.128 Noting that the proposed record keeping requirement set out in items 12–14 of Schedule 1 of the bill will not require the creation of an additional record that itself includes any personal information, it would appear that this measure does not limit the right to privacy.
2.129 The committee thanks the minister for this response. The committee notes the minister's advice that this additional record-keeping requirement would not lead to the creation of a new record that includes any personal information. As such, the committee considers that this measure does not limit the right to privacy.
2.130 The committee welcomes the minister's advice that a revision to the explanatory materials of the bill will be tabled to clarify the intended operation of the measure and that the disclosure record should not contain personally identifiable information.
Legislative instruments
[1] This entry can be cited as: Parliamentary Joint Committee on Human Rights, Telecommunications Legislation Amendment (Information Disclosure, National Interest and Other Measures) Bill 2022, Report 1 of 2023; [2023] AUPJCHR 12.
[2] Parliamentary Joint Committee on Human Rights, Report 6 of 2022 (24 November 2022),
pp. 56-67.
[3] Items 1–6. See, Telecommunications Act 1997, section 285.
[4] The minister's response to the committee's inquiries was received on 9 December 2022. This is an extract of the response. The response is available in full on the committee's website.
[5] Page 14 of the IPND Data G619:2017 Communications Alliance Industry Guideline outline the processes relating to emergency service calls, including how information derived from the IPND is used for the purpose of emergency call services.
[6] See: Telecommunications (Carrier Licence Conditions - Telstra Corporation Limited) Declaration 2019
[7] Part 8 of the Telecommunications (Consumer Protection and Service Standards) Act 1999 and the Telecommunications (Emergency Call Service) Determination 2019 set out obligations relating to the provision of emergency call services, including call information.
[8] See: Integrated Public Number Database C555:2020 (industry code registered under Part 6 of the Act)
[9] For example, Data Users and Data Providers Technical Requirements for IPND outlines technical requirements of the IPND, including for file formatting and storage, data security, and reporting. IPND homepage link: https://www.telstra.com.au/consumer-advice/ipnd
[10] Items 7–8 amending section 287.
[11] Item 9.
[12] The Committee could well ask why the provision is not specifically limited to disclosure to law enforcement agencies. However, doing so would be unnecessarily limiting given the range of circumstances that may involve a serious threat to a person’s life or health. For example, the provisions were given consideration in the 2009 Black Saturday Bushfires. In that instance disclosure of location information was of assistance to Emergency Service Organisations to issue warnings to save lives. The current drafting of the Act, which the Bill does not modify, recognises that there are an unlimited number of unpredictable circumstances in which an emergency may manifest itself, and which a disclosure may be necessary to save what is most important – human life.
[13] See: For Your Information: Australian Privacy Law and Practice (ALRC Report 108) | ALRC
[14] See: Inquest into the Disappearance of CD – NSW Coroner’s Court at 115.
[15] The term 'affairs or personal particulars' is not defined in the Telecommunications Act, but section 275A does state that location information is taken to be 'information that relates to the affairs of a customer'.
[16] For further information, see e.g. Department of Home Affairs, Advanced Mobile Location, 13 September 2021.
[17] The Australian Law Reform Commission (ALRC) has previously described 'personal particulars' as a potentially broad category of information which would cover personal information. See, ALRC, Report 108, For Your Information: Australian Privacy Law and Practice (May 2008) at [71.20].
[18] See, Coroners Court of New South Wales, Inquest into the disappearance of CD, 16 September 2022.
[19] Item 10.
[20] That is, duties established under subsections 313(4A) or (4B)).
[21] International Covenant on Civil and Political Rights, article 2(3). See, Kazantzis v Cyprus, UN Human Rights Committee Communication No. 972/01 (2003) and Faure v Australia, UN Human Rights Committee Communication No. 1036/01 (2005). States parties must not only provide remedies for violations of the ICCPR but must also provide forums in which a person can pursue arguable if unsuccessful claims of violations of the ICCPR. Per C v Australia, UN Human Rights Committee Communication No. 900/99 (2002), remedies sufficient for the purposes of article 5(2)(b) of the ICCPR must have a binding obligatory effect.
[22] See UN Human Rights Committee, General Comment 29: States of Emergency (Article 4) (2001) [14].
[23] The minister's response to the committee's inquiries was received on 9 December 2022. This is an extract of the response. The response is available in full on the committee's website.
[24] In this regard, it is noted that under international human rights law, while limitations may be placed in particular circumstances on the nature of a remedy provided (judicial or otherwise), States must comply with the fundamental obligation to provide a remedy that is effective. This means that, in assessing whether a particular measure is consistent with the right to an effective remedy, the assessment will turn on whether there are sufficient remedies so as to be 'effective' (including considering what alternative remedies are available in spite of the limitation of a particular remedy). The standard limitation test (legitimate objective, rational connection, proportionality), which has been drawn on in the minister's response, is not applicable to this assessment.
[25] An 'eligible person' is a carrier; carriage service provider; telecommunications contractor; or employee of such. An 'eligible number-database person' is a number-database operator or contractor, or employee of such. See, Telecommunications Act, ss. 271–272.
[26] Namely, sections 177, 178 or 179, subsection 180(3) or section 180A of the Telecommunication (Interception and Access) Act 1979.
[27] Specifically, item 15 of the bill would insert a new paragraph 306(5)(g) which would require the creation of a record where the information or document includes information specified in a table that is (a) specified in a determination made by the Minister, by legislative instrument under new subsection 305(5A) (inserted by Item 16); or (b) if there is no determination, the table in subsection 187AA(1) of the Telecommunications (Interception and Access) Act 1979.
[28] The table in subsection 187AA(1) groups the types of information into six numbered groups. For example, recording the number of the item as 'Item No. 6' would indicate that the information relates to the location of the equipment used in connection with a communication.
[29] The minister's response to the committee's inquiries was received on 9 December 2022. This is an extract of the response. The response is available in full on the committee's website.
AustLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.austlii.edu.au/au/other/AUPJCHR/2023/12.html
