Greenleaf, Graham, "Telstra's First Privacy Audit: B-" [1996] PrivLawPRpr 52; (1996) 3(5) Privacy Law & Policy Reporter 97


TELSTRA'S FIRST PRIVACY AUDIT: B-

Report of the Privacy Audit Panel 1995, Telstra

Telstra's Privacy Protection Policy commits it to a regular independent privacy audit, with an annual report to Telstra's CEO (as explained in 3 PLPR 64). The first such report, carried out by the Independent Privacy Auditor (Bruce Meehan, Price Waterhouse), and supervised by the Privacy Audit Panel (Janine Haines, Convener, John Morison, representative of the Privacy Commissioner, and the Auditor), gives Telstra a rather muted endorsement of its privacy policies.

Telstra's pluses

Convener Haines says that the Auditor's findings show that `in the main' Telstra `meets (and sometimes exceeds) international standards, although there is still some room for improvement'. The Panel made 31 recommendations for such improvements. The Panel notes that Telstra's `voluntary commitment to privacy is more advanced than many other Australian and offshore major commercial organisations'.

Where Telstra flunked

Particular areas where Telstra did not meet international best practice were `accountability, identifying purpose, and consent'. Deficiencies in security, and inadequate policy in relation to Call Charge Records (CCR) were also identified.

Accountability

The Panel recommends that `Telstra's Privacy Protection Policy should ... identify the position designated to oversee compliance' (Recommendation 3).

Identifying purpose

The Panel recommends that Telstra should amend its Privacy Protection Policy to ensure that customers are notified of the purpose for which information is collected, both directly and indirectly, and suggests that this notification could take the form of a bill insert sent with the customer's first bill (Recommendation 4).

Consent and internal use

`Consent to the use of personal information should be obtained from customers and provision for withdrawing consent from direct marketing activities should be provided on the bill insert included in Recommendation 4' (Recommendation 6), says the Panel.

The Report notes that customer details, including billing information, are used for marketing initiatives, including the production of specific mailing lists. The Panel recommends that, once proper consent procedures are in place, `it will need to be established the customer has not withdrawn their consent for their personal and billing information to be used for marketing purposes' (Recommendation 18).

Security

Noting that `a number of Telstra's business groups exhibit poor control over the accessibility of information', the Panel recommends a review of security controls governing access to computers, files and software (Recommendation 14).

Call Charge Records (CCR)

The Panel noted `a number of instances where extensive access was provided to call charge information' (identifying A and B party and call duration). This appears to be a reference to internal accesses within Telstra. The Panel recommends that staff access be reviewed and restricted to a `need to know' basis (Recommendation 30).

Just as important, the Panel noted that there were no clear guidelines to staff as to when such CCR data should be given to law enforcement agencies `upon request' (that is without a warrant), and recommended clear guidelines and procedures (Recommendation 31).

Although the Report notes subsequent evidence that recommendations 7-11 were being implemented, it makes no such comment about recommendations 3-6 or any of the other recommendations.

Comment

Perhaps `B-' is overly generous. Telstra fails on the litmus test privacy principles -- identifying purpose, obtaining consent and internal use -- and is even open to criticism concerning external disclosures (in relation to CCR information).

Austel's Privacy Advisory Committee is due to report on customer personal information soon. Will Telstra continue to fight a rearguard action against meaningful privacy protection in that forum, as well as in its own operations? Will we read another dissenting report from Telstra, to cap its last amazing performance in arguing that silent line customers should have to opt out from calling number identification (see 3 PLPR 46)?

CCR information is something of a `black hole' for privacy protection. The Barrett Review had recommended that call data should only be available to law enforcement agencies on the basis of a warrant (see 1 PLPR 178), but this was ignored in the 1995 amendments to the Telecommunications (Interception) Act 1979.

Graham Greenleaf, General Editor.