Remaking the Telecommunications Integrated Public Number Database Scheme 2007Consultation on the draft IPND Scheme 2017DECEMBER 2016

CanberraRed Building Benjamin OfficesChan Street Belconnen ACT

PO Box 78Belconnen ACT 2616

T +61 2 6219 5555F +61 2 6219 5353

MelbourneLevel 32 Melbourne Central Tower360 Elizabeth Street Melbourne VIC

PO Box 13112Law Courts Melbourne VIC 8010

T +61 3 9963 6800F +61 3 9963 6899

SydneyLevel 5 The Bay Centre65 Pirrama Road Pyrmont NSW

PO Box Q500Queen Victoria Building NSW 1230

T +61 2 9334 7700 or 1800 226 667F +61 2 9334 7799

Copyright notice

http://creativecommons.org/licenses/by/3.0/au/

With the exception of coats of arms, logos, emblems, images, other third-party material or devices protected by a trademark, this content is licensed under the Creative Commons Australia Attribution 3.0 Licence.

We request attribution as © Commonwealth of Australia (Australian Communications and Media Authority) 2016.

All other rights are reserved.

The Australian Communications and Media Authority has undertaken reasonable enquiries to identify material owned by third parties and secure permission for its reproduction. Permission may need to be obtained from third parties to re-use their material.

Written enquiries may be sent to:

Manager, Editorial and DesignPO Box 13112Law CourtsMelbourne VIC 8010Email: candinfo@acma.gov.au

OverviewIntroduction 1Regulatory framework 2

Issues for comment

Brief details of what the IPND Scheme does

Proposed changes to the IPND SchemeApproving ongoing IPND access for a research entity to conduct research 6Facilitating greater industry management of research entity access to conduct permitted research 7Additional issues for comment 9

Invitation to commentMaking a submission 11

Appendix A—Summary of key rules for IPND: researchers

Appendix B—Summary of key rules for IPND: public number directory (PND) publishers

acma | iii

OverviewIntroductionThe Australian Communications and Media Authority (the ACMA) is seeking comment on a proposal to remake the Telecommunications Integrated Public Number Database Scheme 2007 (IPND Scheme).

Under the Telecommunications Act 1997 (the Act), the ACMA must make a scheme for the granting of authorisations to access the Integrated Public Number Database (IPND) for purposes connected with the publication and maintenance of a public number directory or for the conduct of specified kinds of research that are in the public interest.

The IPND Scheme will ‘sunset’ (that is, it will automatically be repealed) on 1 April 2017 unless it is remade before then. Most legislative instruments ‘sunset’ on either 1 April or 1 October, which ever first occurs 10 years after the instrument was registered on the Federal Register of Legislation. This is an automatic process applying to most legislative instruments, regardless of their particular content.

Since the commencement of the IPND Scheme on 15 May 2007, the ACMA has granted seven authorisations granting access to the IPND for the purposes of the publication and maintenance of a public number directory, and two authorisations granting access to the IPND for specified research purposes (research authorisations).

Access to personal information contained in the IPND under the IPND Scheme is also subject to five ministerial instruments and to the requirements of the Act. For example, any research conducted using data sourced from the IPND must be for one of three kinds of research permitted under a ministerial instrument.

IPND data currently available under the IPND Scheme is also limited to listed numbers under subsection 285(2) of the Act. This means that mobile numbers are excluded from being accessible under the IPND Scheme, unless customers specifically request that their numbers be listed.

The ACMA considers that the IPND Scheme is generally operating efficiently within the existing regulatory framework, but changes could be made to improve IPND access to assist researchers in producing quality research that will be of benefit to the public.

The key proposed changes to the IPND Scheme are:> Allowing the ACMA to grant a research authorisation on an ongoing basis, subject to

the researcher meeting certain requirements, including conducting a privacy impact assessment, identifying the elements of IPND customer data sought, and the reasons why those elements are required to conduct the permitted research. The proposed changes remove the current limitation that a researcher wishing to conduct more than one research project using IPND customer data must make a separate application to the ACMA for each research project.

> Facilitating industry management of access to the IPND in limited circumstances. This would be achieved by enabling the ACMA to authorise a research body to disclose de-identified IPND data (listed number and corresponding geographic information not below postcode level) to its members to conduct permitted research under the IPND Scheme, provided certain requirements are met.

The ACMA is also proposing to introduce an additional safeguard for authorisation-holders to ensure that any relevant personnel are made aware of the authorisation-holders’ obligations and to require cooperation in meeting the relevant requirements.

acma | 1

These proposed changes have taken into account recommendations made by the Department of Communication and the Arts (DoCA), following its review into the effectiveness of, and continued need for, the IPND in April 2015 (IPND Review Report).1 Four recommendations made in the IPND Review Report relate to the IPND Scheme. Two of the recommendations are proposed to be implemented by the ACMA. Those recommendations are: > Recommendation 5—The ACMA should be able to approve ongoing or periodic access

for an applicant (for a research authorisation), provided that the ACMA regularly reviews access and a privacy impact assessment is completed.

> Recommendation 7—The ACMA should publish information about applications and decisions made under the IPND Scheme (the ACMA currently makes details of authorisations granted under the IPND Scheme available on its website).

The other two remaining IPND Review Report recommendations relating to the IPND Scheme (accessing of anonymised unlisted numbers, including mobile numbers (Recommendation 4) and the anti-scraping rules (Recommendation 6)) are broader policy matters. A copy of DoCA’s plan for implementing the IPND Review recommendations—released on 4 December 2015—is available at www.communications.gov.au/departmental-news/implementation-plan-review-integrated-public-number-database.

Regulatory frameworkEstablished in 1998, the IPND is a centralised database containing records of all Australian telephone numbers and associated customer details. In September 2016, it contained 65.5 million listed connected records. The IPND is currently managed by Telstra under the Carrier Licence Conditions (Telstra Corporation Limited) Declaration 1997.

Part 13 of the Act sets out a regime for protecting the confidentiality of certain information about the customers of carriage service providers, including information held in the IPND.

The information in the IPND includes the customer name, customer address, phone number, whether the service is fixed or mobile, and whether the service is listed or unlisted. Only information about listed numbers in the IPND is made available to persons granted authorisations under the IPND Scheme. With limited exceptions, fixed line numbers are listed unless a customer specifically requests an unlisted number.2 The reverse is true for mobile services—mobile numbers are unlisted unless a customer specifically requests a listed number.

The IPND Scheme was introduced in 2007 to address concerns that IPND information was being used for purposes not authorised under the Act, such as marketing, data cleansing and debt collection. It is supported by a range of ministerial instruments made under Division 3A of Part 13 of the Act, which specify:> The three types of research permitted under the IPND Scheme:

> public health research, where the research is not conducted for a primarily commercial purpose

> electoral research (not conducted for a primarily commercial purpose) by a registered political party, a candidate in a Parliament or local government authority, or a person on behalf of such a party, representative or candidate

1 A copy of the report can be accessed at: www.communications.gov.au/publications/integrated-public-number-database-review-report.

2 Public payphone numbers are unlisted numbers.

2 | acma

> government research, which will contribute to the development of public policy, (not conducted for a primarily commercial purpose) by or on behalf of the Commonwealth, a Commonwealth authority or other prescribed agency.3

> The criteria that the ACMA is required to consider in deciding authorisation applications under the IPND Scheme.4

> The requirements that have to be met in order to satisfy the definition of a public number directory.5

> Additional information that can be included in a public number directory.6 > The conditions that apply to all IPND authorisations or to particular kinds of IPND

authorisations.7

The ACMA is not seeking comment on the ministerial instruments that support the IPND Scheme, as these instruments are not within the ACMA’s remit.

Other users of IPND data, such as emergency service organisations and law enforcement and national security agencies, access the IPND under arrangements separate from the IPND Scheme.

3 Telecommunications (Integrated Public Number Database-Permitted Research Purposes) Instrument 2007 (No.1)4 Telecommunications (Integrated Public Number Database Scheme – Criteria for Deciding Authorisation Applications) Instrument 2007 (No. 1)5 Telecommunications (Integrated Public Number Database – Public Number Directory Requirements) Instrument 2007 (No.1)6 Telecommunications (Public Number Directory – Additional Information) Instrument 2007 (No.1)7 Telecommunications (Integrated Public Number Database Scheme – Conditions for Authorisations) Determination 2007 (No. 1)

acma | 3

Issues for commentThe ACMA welcomes comment on any issues relevant to the draft Telecommunications Integrated Public Number Database Scheme 2017 (the draft IPND Scheme 2017), which is available on the ACMA website.

Specific questions are featured in the relevant sections of this paper and collated below. Details on making a submission can be found at Invitation to comment at the end of this document.

Areas for feedbackThe ACMA is especially interested in feedback on:

1. The proposed arrangements for implementing recommendation 5 of the IPND Review Report to allow the granting of ongoing authorisations for the purposes of conducting permitted research (see Part 4 of the draft IPND Scheme 2017).

2. The proposed arrangements in the draft IPND Scheme 2017 for facilitating greater research industry management of access to the IPND (see Part 4).

3. Whether limiting access to de-identified (anonymised) IPND customer data should apply not only to researchers that obtain IPND data from an authorised research body, but also to researchers that apply directly to the ACMA, outside the proposed industry model.

4. The safeguards included in the IPND Scheme 2017.

5. Additional issues for comment in Table 1.

4 | acma

Brief details of what the IPND Scheme doesThe IPND Scheme details the processes by which the ACMA may grant authorisations enabling persons to access information in the IPND for the purposes of the publication and maintenance of a public number directory and for the conduct of research of a kind specified by the Minister for Communications.

The IPND Scheme makes provision for making and assessing applications, and setting conditions of authorisations. It also makes provision for revoking authorisations.

Under the current scheme, a person wishing to use and disclose information in the IPND in order to conduct specified research is required to apply to the ACMA for an authorisation. Applications must be made on an approved form, and provide specific details about the research project, as well as the proposed duration for access.

For public number directories, there are two stages of authorisation. Initially applicants request provisional authorisation on an ACMA-approved form, providing details of the products they intend to develop using the IPND data. If provisional authorisation is given, the applicant makes arrangements with the IPND Manager to access a provisional data source for use in developing a sample public number directory. The ACMA assesses the sample directory provided and, if it is satisfied the sample complies with the relevant requirements, may grant a final authorisation (provided that the public number directory publisher applies for that final authorisation).

The ACMA must assess applications in accordance with Telecommunications (Integrated Public Number Database Scheme – Criteria for Deciding Authorisation Applications) Instrument 2007 (No. 1), as well as other requirements in the Act and the IPND Scheme.

Following authorisation from the ACMA, the research entity or public number directory publisher then approaches the IPND Manager to access the IPND data. Access fees to the IPND are determined by Telstra, as the IPND Manager, on a cost recovery basis.

A summary of the key rules contained in the IPND Scheme and related ministerial instruments (such as requirements to protect IPND data from misuse and securely dispose of information) is set out in appendixes A and B.

acma | 5

Proposed changes to the IPND Scheme The ACMA proposes to remake the IPND Scheme with some changes to improve its efficiency and effectiveness. Additional changes have also been made to implement some of the recommendations made in the IPND Review Report. The key changes are discussed below.

Approving ongoing IPND access for a research entity to conduct research The current IPND Scheme requires researchers to apply to the ACMA for an authorisation to access the IPND for research purposes on a project-by-project basis.

In order to reduce any unnecessary administrative burden for users who would like to regularly access the IPND, the IPND Review Report recommended that:

The ACMA should be able to approve ongoing or periodic access for an applicant, provided that the ACMA regularly reviews access and that a privacy impact assessment is completed (Recommendation 5).

The ACMA is proposing that the draft IPND Scheme 2017 would allow a research entity8 to apply to the ACMA for authorisation to access the IPND to conduct specified research on an ongoing basis, or for a finite period. Authorisations given to public number directory producers are ongoing.

Under the proposed reform, research entities seeking IPND access would need to complete a privacy impact assessment as part of their application to the ACMA.

The Office of the Australian Information Commissioner (OAIC) has published a Guide to undertaking privacy impact assessments.9 The ACMA would expect, at a minimum, an explanation of the following factors to be included in a privacy impact assessment prepared under the IPND Scheme:> Why the data could not be obtained from other non-IPND sources.> Whether the research could be undertaken by only having access to de-identified

customer data (for example, phone number and postcode). While under the current IPND arrangements, the holder of a research authorisation is permitted to use IPND data including the directory finding name, the public number, and the directory address to contact customers10, the ACMA’s approach is that data users should only be able to access the data they require for the purpose specified in their application.

> A detailed analysis of the privacy risks and proposed strategies to mitigate those privacy risks (including whether the use of the data complies with privacy legislation).

> The impact of the research on the privacy of individuals.> Any internal compliance checks proposed by the research entity.

The ACMA would consult closely with the OAIC in considering any application from a research entity seeking an authorisation on an ongoing basis.

8 In the draft IPND Scheme 2017, a research entity means a researcher who is a person or a research body.9 A copy can be accessed at: www.oaic.gov.au/agencies-and-organisations/guides/guide-to-undertaking-privacy-impact-assessments. 10 Subsection 10(4) of the Telecommunications (Integrated Public Number Database Scheme – Conditions for Authorisations) Determination 2007 (No.1).

6 | acma

The draft IPND Scheme 2017 clarifies that it is appropriate to request an authorisation on an ongoing basis if the person or body wishes the customer data to be supplied continuously or periodically.

The conditions11 that a research authorisation would be subject to if the IPND Scheme is remade, would include that the research entity must:> use the customer data only for the purposes of conducting the kind of research

specified by the minister under subsection 285(3) of the Act to which the authorisation relates

> ask the customer if the customer gives consent for the use of the customer data, and any other information relating to the customer, in the research

> not add other information or data to customer data without the express consent of the person to whom the information relates, preventing the re-identification of data

> make the customer data secure so that it is accessible only by a person who is involved in the conduct of the research for the research entity

> securely dispose of the IPND information within 10 days of its no longer being required.

Under the draft IPND Scheme 2017, the ACMA can specify additional conditions to which an authorisation is subject. It is likely that any authorisation granted on an ongoing basis would be conditional on the research entity providing the ACMA with an annual report on the research entity’s use of IPND data. This would provide an annual review mechanism.

The ACMA can undertake periodic audits of an authorisation holder’s compliance with the Scheme.

Comment is invited on:> The proposed arrangements for implementing recommendation 5 of the IPND Review

Report to allow the granting of ongoing authorisations for the purposes of conducting permitted research (see Part 4 of the draft IPND Scheme 2017).

Facilitating greater industry management of research entity access to conduct permitted researchThe second substantive proposed reform is to allow the ACMA to authorise a research body to disclose IPND data to its members for purposes connected with the conduct of research specified by the minister, subject to certain requirements being met.

The ACMA considers that implementing this proposed reform could be another efficient way for some organisations to access the IPND to conduct permitted research.

Researchers would have the option of applying directly to the ACMA for accessing IPND data, or obtaining data from a research body authorised under the IPND Scheme.

Under the proposed model:> An authorisation granted to a research body would be limited to accessing de-identified

IPND customer data (listed number and full directory address). > The research body would be subject to the additional requirement that it would only be

authorised to disclose the listed number and corresponding geographic information not below postcode level to its members for the purposes of conducting research of a kind specified by the minister (permitted research). That is, the research body would be prohibited from disclosing the full customer address to the member researcher. The

11 There are other relevant conditions summarised in Appendix A.

acma | 7

research body requires the full customer address to create geographical-based samples for the member researchers.

> The ACMA could only provide the authorisation where it is satisfied that the research body has demonstrated it has adequate processes and procedures in place to ensure that IPND data is only used and disclosed to members who will be conducting permitted research.

> The research body must have in place legally enforceable arrangements, under which its members must not do anything the body is not permitted to do under the IPND Scheme.

In assessing any applications from a research body, the ACMA will be interested in: > the processes or measures that will be implemented to ensure that any proposed

research conducted by its members will not be for a primarily commercial purpose and be for one of the three permitted purposes

> how the research body will ensure that its members will comply with the requirements of the Act, as extended by any of the relevant legislative instruments, and the IPND Scheme, including the prohibition on re-identifying data

> the processes the research body will have in place to secure protected information (including disposal processes for data that is no longer required).

An example of the proposed industry body model for accessing de-identified IPND customer data for permitted research purposes is at Figure 1.

Section 295R of the Act makes it an offence for an authorisation holder to breach a condition of an authorisation under the IPND Scheme.

Holders of authorisations under the IPND Scheme are also subject to secondary disclosure offences under Part 13 of the Act if they disclose IPND information for unauthorised purposes. In addition, under subsection 299A(3) of the Act, a person who receives information from a research authorisation holder for a particular purpose must not disclose or use that information except for that purpose. Under this subsection, a member who receives IPND information from a research entity for the purpose of conducting permitted research would be guilty of an offence if the member disclosed or used that information for another purpose.

Comment is invited on:> The proposed arrangements in the draft IPND Scheme 2017 for facilitating greater

research industry management of access to the IPND (see Part 4).> Whether limiting access to de-identified (anonymised) IPND customer data should apply

not only to researchers that obtain IPND data from an authorised research body, but also to researchers that apply directly to the ACMA, outside the proposed industry model.

> The safeguards in the draft IPND Scheme 2017.

8 | acma

Figure 1: Proposed model for a research body to disclose de-identified information to its members for specified research purposes

Additional issues for commentIn addition to the two issues outlined above, Table 1 sets out a series of other proposed changes identified by the ACMA to improve and update the IPND Scheme.

acma | 9

Table 1: Draft IPND Scheme 2017—additional issues for comment

Proposed change Request for comment

Public number directory publisher and research entity (personnel requirements)

The ACMA is proposing to introduce an additional safeguard that authorisation-holders must ensure that any personnel who are given access to the IPND customer data are made aware of the authorisation-holders’ obligations and to cooperate with them in meeting the relevant requirements.

(See clauses 3.5(9), 3.12(20), 4.5(28))

Comment is invited on the proposed change.

Internal dispute resolution processes

The ACMA is proposing to make some minor changes to the requirements in the IPND Scheme that relate to internal dispute resolution procedures. The proposed new requirements clarify that authorisation-holders must have internal dispute resolution procedures in place to deal with inquiries or complaints from customers. Authorisation-holders must also inform the customer that they can complain to the ACMA if they are dissatisfied with the way the complaint is handled. Reference to the now superseded AS ISO 10002-2006 Customer Satisfaction – Guidelines for complaints handling in organizations has been removed from the draft IPND Scheme 2017. It is proposed that authorisation-holders be required to provide reasonable assistance to the ACMA in relation to any complaints if requested by the ACMA to do so.

Comment is invited on subclauses 3.12(14), 3.12(15),4.5(16), 4.5(17) and 4.5(18).

Minor administrative changes

The following minor administrative changes are proposed:> Including a new provision allowing for the variation of a

condition of a provisional authorisation, a final authorisation or a research authorisation (see paragraphs 3.5(7)(b), 3.12(18)(b) and 4.5(28)(b)). Previously, where a revision to an authorisation has been requested, the ACMA actioned the request by making a new condition to an authorisation.

> Including new provisions allowing for the holder of an authorisation to voluntarily surrender an authorisation (see subclause 5.3(2) and clause 5.6).

> Updating the transitional provisions in Part 6 of the IPND Scheme.

Comment is invited on these proposed changes and any other provisions in the draft IPND Scheme.

10 | acma

Invitation to commentMaking a submissionThe ACMA invites comments on the issues set out in this consultation paper. > Online submissions —submissions can be made via the comment function or by

uploading a document. The online consultation page provides details.> Submissions by post—can be sent to:

ManagerNational and Community Interests SectionAustralian Communications and Media AuthorityPO BOX 13112, Law CourtsMelbourne, VIC, 8010

The closing date for submissions is COB, Tuesday 31 January 2017.

Electronic submissions in Microsoft Word or Rich Text Format are preferred.

Enquiries> Consultation enquiries can be emailed to ipndscheme@acma.gov.au . > Media enquiries can be directed to Emma Rossi on 02 9334 7719 or by email to

media@acma.gov.au.

Effective consultation The ACMA is working to enhance the effectiveness of its stakeholder consultation processes, which are an important source of evidence for its regulatory development activities. To assist stakeholders in formulating submissions to its formal, written consultation processes, it has developed Effective consultation—a guide to making a submission. This guide provides information about the ACMA’s formal written public consultation processes and practical guidance on how to make a submission.

Publication of submissionsIn general, the ACMA publishes all submissions it receives, including any personal information in the submissions (such as names and contact details of submitters). The ACMA prefers to receive submissions that are not claimed to be confidential. However, the ACMA accepts that a submitter may sometimes wish to provide information in confidence. In these circumstances, submitters are asked to identify the material (including any personal information) over which confidentiality is claimed and provide a written explanation for the claim.

The ACMA will consider each confidentiality claim on a case-by-case basis. If the ACMA accepts a claim, it will not publish the confidential information unless authorised or required by law to do so.

Release of submissions where authorised or required by lawAny submissions provided to the ACMA may be released under the Freedom of Information Act 1982 (unless an exemption applies) or shared with various other government agencies and certain other parties under Part 7A of the Australian Communications and Media Authority Act 2005. The ACMA may also be required to release submissions for other reasons including for the purpose of parliamentary processes or where otherwise required by law (for example, under a court subpoena). While the ACMA seeks to consult submitters of confidential information before that information is provided to another party, the ACMA cannot guarantee that confidential information will not be released through these or other legal means.

acma | 11

PrivacyThe Privacy Act 1988 imposes obligations on the ACMA in relation to the collection, security, quality, access, use and disclosure of personal information. These obligations are detailed in the Australian Privacy Principles.

The ACMA may only collect personal information if it is reasonably necessary for, or directly related to, one or more of its functions or activities.

The purposes for which personal information is being collected (such as the names and contact details of submitters) are to:> contribute to the transparency of the consultation process by clarifying, where

appropriate, whose views are represented by a submission > enable the ACMA to contact submitters where follow-up is required or to notify them of

related matters (except where submitters indicate they do not wish to be notified of such matters).

The ACMA will not use the personal information collected for any other purpose, unless the submitter has provided their consent or the ACMA is otherwise permitted to do so under the Privacy Act.

Submissions in response to this paper are voluntary. As mentioned above, the ACMA generally publishes all submissions it receives, including any personal information in the submissions. If a submitter has made a confidentiality claim over personal information that the ACMA has accepted, the submission will be published without that information. The ACMA will not release the personal information unless authorised or required by law to do so.

If a submitter wishes to make a submission anonymously or use a pseudonym, they are asked to contact the ACMA to see whether it is practicable to do so in light of the subject matter of the consultation. If it is practicable, the ACMA will notify the submitter of any procedures that need to be followed and whether there are any other consequences of making a submission in that way.

Further information on the Privacy Act and the ACMA’s privacy policy is available at www.acma.gov.au/privacypolicy. The privacy policy contains details about how an individual may access personal information about them that is held by the ACMA, and seek the correction of such information. It also explains how an individual may complain about a breach of the Privacy Act and how the ACMA will deal with such a complaint.

12 | acma

Appendix A—Summary of key rules for IPND: researchersRelevant legislative instruments

Researchers

IPND Scheme 2007

Researcher must:> Apply for authorisation on a project-by-project basis> Have technical systems to receive customer data> Notify the ACMA of the date it receives the customer data

(within 10 working days of authorisation)> Use the customer data only for the purposes of the research

project as specified in the authorisation> Secure customer data and limit access to those involved in

the research project> Not add information or data to customer data without express

consent> Follow customer contact rules> Act on notification of numbers becoming unlisted and destroy

customer data> Not use a directory address in a suppressed address entry> Cease use of and not keep customer data and other

information if the customer does not consent or withdraws consent

> Have internal dispute resolution procedures> Not disaggregate geographic data below the level of a

customer’s postcode> Notify the ACMA if it has breached the IPND Scheme and act

to minimise the effect of the breach

Ministerial instruments

Criteria for deciding authorisation applications—s. 295N of the Act > Research must be in a permitted research purpose category> Research must not be for a primarily commercial purpose> Researcher must have processes in place to protect the

privacy and security of the IPND information> The ACMA must consider applicant’s previous use of IPND

customer data, or if no previous use, whether applicant has appropriate measures in place to comply with regulatory requirements

> The ACMA must be reasonably satisfied researcher meets the applicant eligibility criteria and will comply with all the requirements.

Permitted research purposes—s. 285(3) of the Act

acma | 13

Relevant legislative instruments

Researchers

Research conducted must not be for a primarily commercial purpose and must be: > Research relevant to public health, including epidemiological

research> Research regarding an electoral matter conducted by, or on

behalf of, a registered political party, political representative or candidate in an election

> Research for the development of public policy conducted by or on behalf of the Commonwealth, a Commonwealth authority or other prescribed agency

Conditions for authorisations—s. 295P of the Act> Restricts transborder flows of IPND data unless certain

circumstances exist> Must protect IPND data from misuse or loss and from

unauthorised access, modification, use or disclosure> Must notify the ACMA and IPND manager of security

breaches and take reasonable steps to minimise the effects of the breach

> Must securely dispose of protected information within 10 days of it being no longer required

> Must ensure any contractual arrangements comply with regulatory requirements

> Production of a reverse-searchable database is prohibited (except search by postcode)

> Customers may only be contacted using the directory finding name, directory address and public number fields

> Selling or providing customer data to any person is prohibited unless authorised by law

The Act Permits disclosure of IPND data (excluding unlisted number data) for the conduct of research s. 285(1A), s. 299A

14 | acma

Appendix B—Summary of key rules for IPND: public number directory (PND) publishersRelevant legislative instruments

PND publishers

IPND Scheme 2007

PND publisher must:> Have technical systems to receive customer data> Notify the ACMA of the date it receives the customer data

(within 10 working days of final authorisation)> Publish PND within 90 days of being granted final

authorisation > Notify the ACMA within 10 working days of publishing and

provide ACMA with access to the PND> Provide ACMA with access to PNDs annually and on request> Ensure each PND published is available to all members of the

public> Update online PNDs monthly and permanent PNDs annually> Act on notification of numbers becoming unlisted within

two days (online PNDs) and destroy customer data within 10 days

> Have internal dispute resolution procedures> Comply with all regulatory requirements> Notify the ACMA if it has breached the IPND Scheme and act

to minimise the effect of the breach

Ministerial instruments

Criteria for deciding authorisation applications—s. 295N of the Act > Proposed directory product must meet definition of PND> Proposed PND must only use IPND information for the

publication and maintenance of PND> Publisher will comply with the requirements of the Act, as

modified by any legislative instrument, and the IPND Scheme> Publisher must have processes in place to protect the privacy

and security of the IPND information> The ACMA must consider applicant’s previous use of IPND

customer data, or if no previous use, whether applicant has appropriate measures in place to comply with regulatory requirements

Public number directory requirements—s. 285(5) of the Act > PND must contain no fewer than 1,000 entries> PND must not be disaggregated to a level below postcode

acma | 15

Relevant legislative instruments

PND publishers

> If PND is not a classified business directory, the PND must contain all listed numbers in the relevant geographical area covered by the directory and must be organised alphabetically

> No more than 20 entries may be transferred from a PND in a single action

> No more than 100 entries may be generated from a single search in electronic PND

> PND must be encrypted or otherwise electronically protected

Conditions for authorisations—s. 295P of the Act> Restricts transborder flows of IPND data unless certain

circumstances exist> Must protect IPND data from misuse and notify the ACMA

and IPND manager of substantive security breaches> Must notify the ACMA and IPND Manager of a breach about

disclosure of protected information by another person> Must securely dispose of protected information within 10 days

of it being no longer required> Must ensure any contractual arrangements comply with

regulatory requirements> Only directory name, directory address and public number

customer data is to be included in a PND> Must be the copyright holder and PND must include name

and contact details of the copyright owner

Public number directory—additional information—s. 285(4) of the Act> Allows additional information to be included in a PND as

agreed between a PND publisher and specified entities—such as businesses, charities, government departments and educational institutions

> Any additional information must be agreed between the publisher and the entity

> A record of any agreement must be maintained for a minimum of two years

The Act > Permits use and disclosure of IPND data (excluding unlisted number data) for the publication and maintenance of PNDs s. 285(1), s. 285(1A), s. 299A

> Defines a PND, including that a PND must not be reverse searchable s. 285(2)

> Requires a PND publisher to hold an authorisation under the IPND Scheme s. 285(1A)

16 | acma