Greenleaf, Graham --- "Telstra's First Privacy Audit: B-" PrivLawPRpr 52; (1996) 3(5) Privacy Law & Policy Reporter 97
TELSTRA'S FIRST PRIVACY AUDIT: B-
Telstra's Privacy Protection Policy commits it to a regular independent privacy audit, with an annual report to Telstra's CEO (as explained in 3 PLPR 64). The first such report, carried out by the Independent Privacy Auditor (Bruce Meehan, Price Waterhouse) and supervised by the Privacy Audit Panel (Janine Haines, Convener; John Morison, representative of the Privacy Commissioner; and the Auditor), gives Telstra a rather muted endorsement of its privacy policies.
Haines says that the Auditor's findings show that `in the main' Telstra `meets (and sometimes exceeds) international standards, although there is still some room for improvement'. The Panel made 31 such recommendations for improvements.

The Panel notes that Telstra's `voluntary commitment to privacy is more advanced than many other Australian and offshore major commercial ...'. The areas where Telstra did not meet international best practice were `accountability, identifying purpose, and consent'.
Deficiencies in security, and inadequate policy in relation to Call Charge Records (CCR), were also identified.

The Panel recommends that `Telstra's Privacy Protection Policy should ... identify the position designated to oversee compliance'.

The Panel recommends that `Telstra should amend its Privacy Protection Policy to ensure that customers are notified of the purpose for which information is collected both directly and indirectly. This notification could take the form of a bill insert at the time of sending the first bill to the consumer. `Consent to the use of personal information should be obtained from customers and provision for withdrawing consent from direct marketing activities should be provided on the bill insert included in Recommendation 4' (Recommendation 6), says the Panel.
The Report notes that customer details, including billing information, are used for marketing initiatives including the production of specific mailing lists. The Panel recommends that (once proper consent procedures are in place), `it will need to be established [that] the customer has not withdrawn their consent for their personal and billing information to be used for marketing purposes'.
Noting that `a number of Telstra's business groups exhibit poor control over the accessibility of information', the Panel recommends a review of security controls governing access to computers, files and software (Recommendation 14).

The Panel noted `a number of instances where extensive access was provided to call charge information' (identifying A and B party and call duration). This appears to be a reference to internal accesses within Telstra. The Panel recommends that staff access be reviewed and restricted to a `need to know' basis.

Just as important, the Panel noted that there were no clear guidelines to staff as to when such CCR data should be given to law enforcement agencies `on request' (that is, without a warrant), and recommended clear guidelines and procedures (Recommendation 31).
Although the Report notes that there was subsequent evidence that recommendations 7-11 were currently being implemented, it made no such comment in relation to recommendations 3-6, or other recommendations.
`B-' is overly generous. Telstra fails on the litmus test privacy principles -- identifying purpose, obtaining consent and internal use -- and is even open to criticism concerning external disclosures (in relation to CCR information).
Austel's Privacy Advisory Committee is due to report on customer personal information soon. Will Telstra continue to fight a rearguard action against meaningful privacy protection in that forum, as well as in its own operations? Will we read another dissenting report from Telstra, to cap its last amazing performance in arguing that silent line customers should have to opt out from identification (see 3 PLPR 46)?
CCR information is something of a `black hole' for privacy protection. The Barrett Review had recommended that call data should only be available to law enforcement agencies on the basis of a warrant (see 1 PLPR 178), but this was ignored in the 1995 amendments to the Telecommunications (Interception) Act.

Graham Greenleaf, General Editor.