Telecom may be violating at least the spirit of the draft Telecommunications Privacy Code, if not the Privacy Act, with its attempts to woo Vodafone users with information from Telecom customers’ bills.
While emphasising that the Privacy Commissioner’s office has not investigated the matter of Telecom’s using details of its customers’ Vodafone calls in its marketing, Commissioner Bruce Slane says the discussions towards a Telecommunications Privacy Code have until now tended to favour limits on the use of transactional information for marketing purposes.
“We understood that that was the wish of the industry,” he says. But asked whether the latest Telecom move has contradicted that understanding, Slane declines to comment.
Telecom has been taking from its billing database details of the calls made by its customers to Vodafone numbers, and giving the Vodafone numbers to a telemarketing firm to woo their owners over to Telecom’s 027 service.
The Privacy Act’s Principle 10 says information provided for one purpose should not, in general, be used for another purpose, without the consent of the provider of the information.
Telecom spokeswoman Linda Sanders says the company took legal advice on the privacy aspects of the move, but has not consulted the Privacy Commissioner. The act applies to personal information, she says, and according to the advice given, “a telephone number is not personal information unless it has other identifying information attached, and in this case, it doesn’t. We’re just passing across the numbers.”
The Telecommunications Privacy Code does not use the phrase “personal information”, but “information about an identifiable individual”. This phrase is also used in the Privacy Act itself to define “personal information”. Telecom appears to have construed it as “information from which an individual can be identified”.
A legal privacy specialist, who insisted on remaining unidentified in print, says it could be argued that the means of identification need not be the same as the information used, nor be obtained at the same time.
The phrase has been left deliberately ambiguous to be decided by case law, he says. Some jurisdictions, like Hong Kong, which specifies that the person must be identifiable at the time the information is gathered, have seen cases of probable privacy invasion slip through loopholes.
Slane says the term has not been further clarified in the act or the code. It would “not generally” be understood to refer to information about a person who had been identified by some other means, he suggests, “but every case is looked at on its merits.
[The definition] has not created problems in eight years of administering the act,” he says.
Rules in the current draft of the telecomms privacy code are more severe on use of information for marketing to a subscriber of the information-holding agency (in this case Telecom) than for marketing to an individual who is not a subscriber of that agency. In the former case the subscriber must have authorised the use, but in the latter this requirement is absent. The agency is, rather, told to respect any “opt-out” request the subscriber makes, asking that his/her information not be used for marketing purposes.
Clearly, some Vodafone subscribers will be customers of Telecom for their landline and some will not be.
Submissions for the telecommunications privacy code close on March 22, and a final draft of the code is “some months away”, Slane says.