The Integrated Public Number Database (IPND) is an industry-wide database containing records of all Australian telephone numbers and associated customer details. It is a critical source of information for emergency and law enforcement purposes. The IPND also serves as a valuable resource of customer information that is used to publish public number directories and conduct government research in the public interest.
The IPND Scheme
The ACMA has made the IPND Scheme under s295A of the Telecommunications Act.
The IPND Scheme details the processes by which the ACMA may grant authorisations allowing persons to access IPND data for the publication and maintenance of a public number directory (PND) and for permitted research purposes. Section 285 of the Telecommunications Act limits the data available under the IPND Scheme to listed numbers, which generally do not include mobile numbers.
The IPND Scheme makes provision for:
- the making of applications for authorisations
- the assessment of applications
- the period for which authorisations are to be in force
- the notification of decisions under the scheme
- the requirement for applicants for an authorisation to specify the purpose for which the authorisation is sought.
The IPND Scheme also sets out conditions that authorisation holders are required to comply with, and provides the ACMA with the discretion to impose further conditions on the grant of an authorisation.
A range of ministerial instruments made under Part 13 of the Telecommunications Act support the arrangements under the IPND Scheme. The ACMA is required to have regard to these instruments in its consideration of whether to grant authorisations under the IPND Scheme. These instruments are:
- Telecommunications (Integrated Public Number Database Scheme - Criteria for Deciding Authorisation Applications) Instrument 2017, which specifies the criteria that the ACMA is required to consider when deciding authorisation applications under the scheme.
- Telecommunications (Integrated Public Number Database Scheme - Conditions for Authorisations) Determination 2017, which specifies the conditions that apply to all IPND authorisations or to particular kinds of IPND authorisations.
- Telecommunications (Integrated Public Number Database - Public Number Directory Requirements) Instrument 2017, which specifies the requirements that have to be met in order to satisfy the definition of a public number directory.
- Telecommunications (Integrated Public Number Database - Public Number Directory Additional Information) Instrument 2017, which specifies the additional information that can be included in a public number directory.
- Telecommunications (Integrated Public Number Database - Permitted Research Purposes) Instrument 2017, which specifies the following types of research permitted under the scheme:
- research, or the compilation or analysis of statistics, relevant to public health, including epidemiological research, where the research is not conducted for a primarily commercial purpose
- research regarding an electoral matter conducted by a registered political party, a political representative, a candidate in an election for Parliament or a local government authority or a person on behalf of such a party, representative or candidate, where the research is not conducted for a primarily commercial purpose
- research conducted by or on behalf of the Commonwealth, a Commonwealth authority or other prescribed agency that will contribute to the development of public policy, where the research is not conducted for a primarily commercial purpose.
The IPND Scheme includes a number of privacy safeguards and governance mechanisms, which reflect the value of IPND data and community expectations about privacy and protection of personal information. These include:
- Applicants seeking an authorisation under the IPND Scheme are required to undertake a Privacy Impact Assessment (PIA) in support of their proposal. A PIA evaluates their proposal from a privacy perspective and identifies risks and mitigation strategies.
- Research entities are subject to the Privacy Act 1988 for at least the duration of the research authorisation in relation to the handling of any personal information. This will require research entities and their members to comply with relevant privacy obligations and Australian Privacy Principles and brings them under the Office of the Australian Information Commissioner’s investigation and compliance framework.
- Research entities must not add other information or data to IPND customer data without the express consent of the customer, preventing re-identification where the customer name and/or address is not provided from the IPND. A further protection requires authorisation holders to securely destroy data or de-identify if the data has been re-identified.
Applications for authorisation
Those seeking to use and disclose IPND data for the purposes covered by the IPND Scheme are required to apply to the ACMA, specifying the reason for which they seek authorisation and demonstrate their ability to comply with all the relevant requirements. The applications must be in a form approved by the ACMA and must also be accompanied by a PIA form.
Public number directory publishers
There are two stages of authorisation for public number directory publishers—provisional and final. Initially applicants request provisional authorisation, providing details of the products they intend to develop using the IPND data.
An application for provisional authorisation must be made to the ACMA and must accompanied by a PIA form. An application for an extension may be requested if the applicant is unable to provide a sample PND within that timeframe for reasons beyond the publisher’s control.
If provisional authorisation is granted, the applicant makes arrangements with the IPND Manager to access a provisional data source for use in developing a sample PND. The ACMA will assess the sample product provided, and if it is satisfied the sample complies with the relevant requirements, final authorisation will be granted. The PND publisher will then have 90 days in which to publish a PND.
The holder of a final authorisation may make arrangements with the IPND Manager for the ongoing supply of customer data (which is not as limited as a provisional IPND data source and includes regular updates) to publish and maintain a PND.
An application for an extension may be made if a PND publisher fails to publish a PND in the required timeframe for reasons beyond its control.
Research entities who want to use and disclose IPND data for the purposes of the IPND Scheme are required to apply to the ACMA for authorisation, which may be granted for a finite period of time or on an ongoing basis.
An application may be made by an independent research entity or a research representative body. The IPND Scheme provides for a representative body to apply for an authorisation to use and disclose customer data to its members. An application for a research authorisation includes a PIA of the proposed handling of customer data.
A research representative body holding an authorisation is only allowed to disclose to its members the public number of a customer or a customer’s business, the postcode and the state or territory in the directory address of the customer or business. A research representative body is also subject to additional requirements to protect the privacy and security of customer data disclosed to its members. An authorised research body is not permitted access to the name of customers held in the IPND.
An application for extension of a research authorisation granted for a finite period may be made if the research entity is unable to complete the research before the end of the authorisation period for reasons beyond its control.
A person who holds a research authorisation may make arrangements with the IPND Manager for the supply of customer data to conduct research.
|Form name and number
T021 form—Public number directory publisher—Application for provisional authorisation
T023 form—Privacy Impact Assessment—public number directory publishers
T028 form—Research entity_application for authorisation and Privacy Impact Assessment