|
|
|
|
 |
|
|
|
|
|
|
|
||||||||||||||
 |
 |
 |
|
||||||||||||||||||
| Draft guidelines for Customer Line Identification Display Services and other related services over Electronic Communications Networks – a consultation – 17 February 2003 | |
||||||||||||||||||||
 |
 |
 |
|
||||||||||||||||||
 |
|
|
|
 |
|
||||||||||||||||
|
|
|
|||||||||||||||||||
Contents
Chapter 1 Scope Chapter 2 Purpose of the guidelines
Chapter 3 Changes to the guidelines
Chapter 4 Why guidelines are needed
Chapter 5 The regulation of CLI
Chapter 6 End users’ privacy rights Chapter 7 Exceptions to the caller’s privacy rights Chapter 8 CLI Principles: privacy, authenticity and integrity Chapter 9 Privacy and privacy markings Chapter 10 Authenticity of CLI information Chapter 11 Integrity Chapter 12 Precepts arising from the CLI principles Chapter 13 The use of CLI data within public communications networks Chapter 14 Calls received or passed to public communications networks not covered by these guidelines Chapter 15 Enforcement of the guidelines Annex A Consumer protection policy review on the CLI guidelines Annex B How to make comments on the questions raised in this consultation document Annex C Consumer protection policy review - checklist S.1 This consultation on the draft Guidelines for Customer Line Identification Display Services and other related services over Electronic Communications Networks has two aspects. Firstly, it is a consultation on the new Guidelines which are intended to replace the existing Code of Practice for Network Operators in relation to Customer Line Identification Display Services and other related services (3rd edition) available at www.oftel.gov.uk/ind_groups/cli_group/docs/cop1101.pdf Secondly, in drawing up these draft guidelines Oftel has drawn on the principles outlined in its Consumer Protection Policy Review (CPPR) statement available at www.oftel.gov.uk/publications/about_oftel/2002/cppr1202.htm. S.2 The Guidelines have been developed as a generic document to take account of the double convergence of the new regulatory framework: between telephony and other electronic communications services; and between operators and service providers and to recognise the change in terminology associated with the new regulatory framework. An additional reason for modifying the existing Code of Practice is that when the first edition was published in December 1996 there was no CLI-specific data protection legislation, so the rules put forward by the Code had to be derived from general data protection principles. Now that fundamental rules for CLI services have been established by European Community legislation, the more pressing need is for a document that offers guidance on how those specific legal requirements may be met. S.3 Although the document is a continuation of, and builds on, the work that has been invested in the preceding codes its title has been changed as codes of practice represent a distinct type of instrument linked with dispute resolution procedures under the new regulatory framework. The CLI Code of Practice is not one of those codes specifically envisaged under the draft general conditions and the term Guidelines has been adopted to avoid confusion. S.4 The draft guidelines have already been exposed to stakeholder consultation through the activities of the CLI Interest Group, where industry, consumer interests and regulators are represented. The document now out on formal consultation already reflects comments and responses made by members of the group. On previous occasions when a new edition of the Code of Practice has been adopted the procedures set out in paragraph 3.2 of the guidelines have been followed. Consent from the CLI interest group was thought to be sufficient, without the need for a wider consultation. However because the amendments made to the Code of Practice by the guidelines have resulted in a substantially new document, and because the consultation will take account of Oftel’s recently published CPPR guidelines, a wider consultation is appropriate. S.5 The most significant changes introduced into the Guidelines are:
S.6 The specific questions posed by a consumer protection policy review appear in Annex A of this document. For the guidelines themselves, general comments are invited. Responses to the consultation should be addressed to frank.phillips@oftel.gov.uk. The closing date of the consultation is 21 May 2003. Annex B of this document offers more advice on how to respond to this consultation.
Chapter 1 Scope 1.1 These guidelines apply to providers of publicly available telephone services in the UK and to other communications providers who provide services for the conveyance of telephone calls. The guidelines set out a series of principles that should be respected by communications providers in the provision and conveyance of calling and connected line identities when end-users make or receive a call. A 'call' is defined in the Privacy Directive (q.v. paragraph 5.3) as 'a connection established by means of a publicly available telephone service allowing two-way communication in real time'.
Purpose of the guidelines 2.1 The purpose of the guidelines is to establish a consistent approach to the handling of calling line identification (hereafter CLI) data from call origination through to call termination. This is to ensure that the privacy choices that end-users make about their CLI data are respected by all electronic communications networks (ECNs) that participate in the origination, transmission and termination of a call. By identifying a common set of expectations and obligations, the guidelines lay the foundations for mutual trust which gives communications providers confidence that they will be able to discharge their legally binding privacy and data protection obligations, frequently dependent on the behaviour of other communications providers. 2.2 The guidelines are now the subject of a public consultation and have been drawn up by an industry group which included network operators, consumer representatives, the Information commissioner and OFTEL. Communications providers have agreed to abide by the guidelines which form part of their interconnection agreements. 2.3 The guidelines are intended to replace the third edition of the Code of Practice for Network Operators In relation to Customer Line Identification Display Services and other related services.
Changes to the guidelines 3.1 These guidelines, and any subsequent modifications, will be published on the Oftel, and successively, on the Ofcom website. 3.2 Modifications to the guidelines shall only be made by Oftel or Ofcom under the following circumstances:
Chapter 4 Why Guidelines are needed 4.1 Market incentives will not guarantee end-user confidence that communications providers will correctly handle their CLI or connected line identification (hereafter COL) information. This is because the end-to-end conveyance of a call originated by an end-user frequently requires the collaboration of several network providers. End-users have a limited ability to select which networks will be involved in the conveyance of a call and are not able to influence the behaviour of those networks by the normal exercise of consumer sovereignty.
Chapter 5 The Regulation of CLI 5.1 Because the conveyance of CLI (and COL) data involves end-users in relationships with communications providers over whom they have little influence, it has been found necessary for regulators to intervene and adopt powers to compensate for the lack of power of end-users. From 1996 Oftel and the industry have collaborated in producing and endorsing a Code of Practice for network operators in relation to CLI services. The most recent, third edition, of the Code was published in November 2001. 5.2 The starting point for regulation is the recognition that an individual’s telephone number is personal data within the meaning of data protection legislation. Of necessity regulation applies to all calls because it is not feasible on a call-by-call basis to distinguish whether a particular call involves a living individual (as opposed to a corporate entity) and so has personal data associated with it. However European Community legislation, described in the following paragraphs, provides that the rules regarding CLI and COL apply to corporate as well as to individual users, and apply irrespective of whether the identity of the user is known or not. 5.3 In 1997, the adoption of the Telecommunications Data Protection Directive (97/66/EC), transposed into UK legislation as the Telecommunication (Data Protection and Privacy) Regulations 1999 (SI 1999 No.2093), established the first set of European Community rules applying to CLI and COL. The Regulations are enforced by the Information Commissioner. 5.4 The Telecommunications Data Protection Directive will be replaced by the Privacy Directive (2002/58/EC), formally adopted on 12 July 2002 and requiring to be transposed into UK law no later than 31 October 2003. This will require the repeal of the existing 1999 Regulations and their replacement by fresh regulations implementing the new Directive. 5.5 CLI information in a number of forms has passed through the PSTN for many years. The widespread introduction of digital switching technology led to customer CLI information being available on almost all calls. In consequence, a CLI customer display service became technically feasible but required data protection safeguards for the reasons explained above. Over the years UK and ETSI standards have been developed to reflect improvements to the CLI display service and to satisfy data protection requirements. For this reason the terminology used in this document unavoidably draws heavily on concepts developed by ETSI, notwithstanding that the underlying data protection principles are technologically neutral. However, nothing in these Guidelines obliges communications providers to implement the ETSI standards or specifications from which the terminology has been derived.
Chapter 6 End-users’ privacy rights 6.1 Both directives set out a fundamental series of privacy rights for end-users making and receiving telephone calls. The following rights, which are explicitly required to be made available by communications providers, are laid down in article 8 of Directive 2002/58/EC. 6.2 The rights of calling end-users are that:
Chapter 7 Exceptions to the caller’s privacy rights 7.1 Both the old and new directives set aside a caller’s general right to prevent the display of their CLI information where calls are made to the emergency services or where the appropriate authorities investigate and trace malicious or nuisance calls. The directives also provide for national legislation to restrict privacy rights in order to safeguard national security, defence, public security and to facilitate the prevention, investigation, detection and prosecution of criminal offences.
Chapter 8 CLI Principles: privacy, authenticity, integrity 8.1 The directives simply declare a set of privacy rights in respect of the transmission and receipt of CLI information. However, so that communications providers may effectively implement these rights three cardinal principles relating to CLI have been recognised. These are:
Chapter 9 Privacy and privacy markings 9.1 Privacy is the complex of rights over CLI and COL information conferred on end-users by data protection legislation which leads to the generation of a privacy marking. 9.2 In order that communications providers are able to respect a caller or called party's wishes, it is important that a privacy marking is associated with a call. For ease of reference, the four privacy markings adopted to satisfy data protection requirements by the most recent version of the ETSI/ISUP signalling system are:
9.3 Where a privacy marking is not explicitly associated with a call, CLI data shall not be passed unless the caller's privacy wishes have been unambiguously established.
Chapter 10 Authenticity of CLI information 10.1 Authenticity is the capability offered by a network to generate accurate CLI data at call origination. CLI data is a combination of the end-user's line identity and the associated privacy marking. A line identity is either the number at the point of a call's origination or data from which that number may be reconstructed. 10.2 End-user confidence in CLI display services requires that the CLI data displayed at the termination is authentic. This depends on providers being able to generate accurate CLI data at call origination. Currently in the UK the number displayed will either be a Network Number or a Presentation Number. 10.3 A Network Number is the digits that comprise a unique E.164 number (or from which that number may be reconstructed) that unambiguously identifies the line identity of: 10.4 In the case of a network number authenticity is guaranteed as the number will have either been provided by a public electronic communications network, or alternatively, will have been verified and passed by it. However the number displayed may not be very informative to the called party as it may not reflect the point of origin of the call or may not even be diallable. 10.5 A Presentation Number is a number nominated or provided by the caller that can identify that caller or be used to make a return or subsequent call. In the UK several types of Presentation Numbers are in use - they are described in An Oftel guide to the use of Presentation Numbers (February 2003) posted at www.oftel.gov.uk/ind_groups/cli_group/docs/guide0203.pdf 10.6 Although a Presentation Number will not identify a call's point of ingress to a public network it may well carry more useful information. The requirements of a Presentation Number are that:
It should also be noted that no privacy markings are associated with Presentation Numbers as they are, by definition, available for display.
Chapter 11 Integrity 11.1 Integrity is the ability of electronic communications networks to maintain authenticity from call origination to call termination. 11.2 The precepts that ensure integrity are set out below.
Chapter 12 Precepts arising from the CLI principles 12.1 Applying these principles gives rise to the following precepts:
Chapter 13 The use of CLI data within public electronic communications networks 13.1 The CLI privacy rights conferred on end users by data protection legislation apply to the situation where a call with associated CLI information that identifies the caller’s line terminates on a network that offers CLI display services (or vice versa in the case of Connected Line Identification). 13.2 This customer service needs to be distinguished from the passage and display of CLI information within and between public electronic communications networks where the information will be accessible within the network(s) irrespective of the caller’s privacy wishes. 13.3 The operation of these guidelines does not affect the ability of public electronic communications networks (or networks that are wholly outside the public network) to use CLI data for network and/or account management purposes and, in co-operation with the relevant authorities, for emergency calls and the tracing of malicious calls and similar activities. However, the privileged access that communications providers have to end-users’ CLI data, whether or not they have chosen to prevent its display, may only be used where the use of this data is essential to the provision of an electronic communications service. Such access should be restricted to those staff to whom it is essential for any of the above purposes. Communications providers will respect the privacy of callers who have elected to prevent the display of their line identities by not exploiting this information for telemarketing or any commercial purpose other than billing.
Chapter 14 Calls received or passed to public electronic communication networks not covered by these guidelines 14.1 On calls received from networks not covered by these Guidelines (e.g. international calls) the CLI information shall be classified by the receiving network as follows: 14.2 When a call is routed to a network not covered by these Guidelines, e.g. international calls, the communications provider may not be in a position to guarantee that the caller’s wishes with regard to his CLI privacy will be respected by a subsequent network or the terminating network. 14.3 Consequently, in order to avoid a caller’s identity being displayed to a called party in this case, the gateway exchange should delete all CLI information from the call, if the CLI information has been classified as ‘withheld’ or ‘unavailable’. 14.4 Alternatively, if it is known that the subsequent and terminating networks will respect the caller’s wishes, then the CLI information may be passed as received.
Chapter 15 Enforcement of the guidelines 15.1 The guidelines are not in themselves a regulatory instrument that carries legally binding force. Oftel and Ofcom expects communications providers to abide by them in recognition of their shared self-interest. Providing CLI services that respect privacy and data protection legislation is simplified where players observe a common set of rules. Following the guidelines also obviates the necessity for privately negotiated bilateral agreements between communications providers in order to come to an agreement on how end-users' CLI information should be handled. However, the 'voluntary' nature of the guidelines does not mean that they may be ignored with impunity. There are three sets of constraints that underpin the guidelines. 15.2 Primarily, the guidelines provide a practical route to complying with UK Regulations implementing the Community Directives on privacy in the electronic communications sector. In cases of non-compliance the Regulations provide for enforcement by the Office of the Information Commissioner through the procedures set out in the Data Protection Act 1998 which can, in the final resort, result in criminal proceedings. 15.3 The draft Communications Bill creates a new offence, the persistent misuse of an electronic communications network or electronic communications service, where misuse of a network or service causes another person unnecessarily to suffer annoyance, inconvenience or anxiety. This legislation may be in point where end-users knowingly cause unauthentic or misleading CLI information to be sent. 15.4 Finally, as has been the case with preceding editions of the Codes of Practice for Network Operators in relation to Customer Line Identification Display Services and other related services, it is expected that standard interconnect agreements will reference these guidelines with a requirement that the contracting parties abide by them. Consultation Stakeholders are invited to comment on any aspect of these guidelines relevant to CLI policy. Specific questions relating to the consumer policy protection review follow in Annex A.
Annex A Consumer protection policy review on the CLI Guidelines In December Oftel published its CPPR guidelines. Whilst this consultation does not review whether CLI services should be regulated, rather focusing on how regulation is implemented, this document has however been drawn up with the principles outlined in these guidelines in mind (the CPPR checklist is provided at Annex C). Oftel’s CPPR guidelines are designed to ensure that consumer protection focused regulation remains appropriate, proportionate and is achieving its objectives. They are also designed to provide stakeholders with greater clarity about how Oftel reaches its decisions. The proceeding chapters of the document have detailed the scope of the review, the purpose of the guidelines, the consumer interest involved and proposed changes to the guidelines and why they are needed. Outlined below along with consultation questions are the key questions that arise from application of the CPPR guidelines. What is the consumer interest? A1. Paragraph 1.5 of the Draft consumer protection policy review statement places Oftel policy on CLI within the broader policy objective of protecting the privacy of customer information across electronic communications networks. A2. It is probably not necessary to make the general case for the protection of personal data as privacy has been identified as one of the consumer interest criteria in the National Consumer Council list. In the context of CLI services the right to privacy is, fundamentally, the customer's right to choose, for each telephone call made, whether to release or withhold their phone number. Wherever in the world CLI services have been introduced there has been a general recognition that callers have a right to anonymity. The traditional case is made by a victim of domestic violence phoning home from a refuge but there are less dramatic circumstances too where callers may require anonymity in a wish to avoid return marketing calls. A3. Supplementary privacy rights in the CLI context are the right not to receive calls from callers who have deliberately chosen to withhold their number, the right to prevent display of the number on which a call has been terminated (eg where calls to a doctor's surgery are forwarded out-of-hours to a residential number) and the right not to receive any CLI information at all (eg for helplines and informers' lines to guarantee anonymity to callers). A4. The case for the regulation of CLI services is made in Chapter 4 of the Guidelines. To recap, although most customers of electronic communications services can choose which provider to use for the origination of their calls they can exercise little choice over the networks which transit and terminate their calls. If I choose to withhold my number my own provider can set the appropriate marker but whether or not that number is displayed to the called party will depend on the behaviour of networks which I have not opted to use and which may be unknown to me. Without customer choice the beneficial influence of market forces can not operate. Question 1 Do stakeholders agree that the objective of protecting consumers' privacy rights justifies the regulation of CLI services? Why is the consumer interest not addressed by general law? B1. Consumers' privacy rights with regard to CLI services are covered by specific data protection legislation. At present this is the Telecommunications (Data Protection and Privacy) Regulations (SI 1999 No.2093) which is the UK implementation of the Telecommunications Data Protection Directive (97/66/EC). This Directive will be superseded by the Privacy Directive (2002/58/EC) which must be implemented in the UK by 31 October 2003. To this extent the question of whether or not CLI services should be regulated is outside the scope of this consultation which focuses more narrowly on the modalities of that regulation. B2. Given the existence of this specific legislation two questions arise. Firstly, what purpose is served by 'extra' regulation in the shape of the Guidelines and why aren't the Regulations sufficient; secondly, as the Office of the Information Commissioner is responsible for enforcing the Regulations, why should Oftel be involved? In both cases the answer is grounded in practicality. B3. An understanding of the way in which networks provide CLI services and the way in which network signalling protocols enable customers' privacy wishes to be identified and acted upon requires a good level of technical expertise. This becomes even more desirable where, increasingly, the integrity of CLI services depends on the interaction of separate technologies – say between ISDN and VoIP. This type of technical knowledge resides within Oftel, not with data protection experts. The 1999 Regulations recognise the importance of the enforcement authority being able to access technical expertise by placing an obligation on Oftel 'to comply with any reasonable request made by the Commissioner … for advice on technical and similar matters relating to telecommunications' (Regulation 38). Question 2 Do stakeholders agree that the Office of the Information Commissioner should continue to have access to Oftel's technical expertise on matters relating to electronic communications, in particular on matters relating to CLI services provided over such networks? B4. Moreover, although the Regulations set out a basic set of customer rights regarding the management of their CLI information it would not be appropriate for data protection legislation to mandate a practical network implementation of those rights. However, there is a gap between the abstract declaration of a set of rights and the additional concepts and tools that are required to flesh them out and give them practical expression. This is what the Guidelines and its predecessor Codes of Practice, developed in collaboration with the industry, has done since 1996. B5. Many of the central concepts that are used in the deployment of CLI services are to be found in the Guidelines, not in the legislation. These include the key classifications of number 'available', 'unavailable' and 'withheld', the distinction between 'network' and 'presentation' numbers, the vital consumer protection rule that a presentation number must not be a premium rate number and rules governing the uses that providers may make of their privileged access to withheld CLI information. Question 3 Do stakeholders agree that the Guidelines add value to data protection legislation by enabling communications providers to achieve a practical implementation of the rights conferred by such legislation?
Annex B How to make comments on the questions raised in this consultation document B.1 Oftel is publishing this consultation document so that interested parties may comment on the issues which it addresses. The closing date for submitting comments is 21 May 2003. B.2 Where possible, comments should be made in writing and sent by e-mail to frank.phillips@oftel.gov.uk. However, copies may also be posted or faxed to the address below. If any interested parties are unable to respond in one of these ways, they should discuss alternatives with the Oftel manager named below: Frank Phillips Further copies of this document B3 Paper copies and alternative formats such as large print, Braille, disc and audio cassette can be made available on request. Please contact Oftel's Research and Information Unit by phoning 020 7634 8761 or by sending an e-mail to infocent@oftel.gov.uk. Publication of comments made by stakeholders B4 On this occasion, Oftel is not programming a formal period during which interested parties may comment on the responses made by others. Nevertheless, in the interests of transparency, comments will be published, except where respondents indicate that a response, or part of it, is confidential. Respondents are therefore asked to separate out any confidential material into a confidential annex which is clearly identified as containing confidential material. Oftel will take steps to protect the confidentiality of all such material from the moment that it is received at Oftel's offices. However, in the interests of transparency, respondents should avoid applying confidential markings wherever possible. B5 Non confidential responses can be viewed on Oftel's website in the Publications section under Responses to Oftel consultations. Comments can also be viewed at Oftel's Research and Information Unit. Appointments must be made in advance (see contact details in paragraph three). e-mail notifications B6 Oftel has a free e-mail based mailing list to help people stay informed about the work that Oftel is doing. Each time an Oftel document is published and placed on Oftel's website at www.oftel.gov.uk, subscribers to the list receive an e-mail alert. To register, please go to the What's New section of the website and access the electronic form.
Annex C Consumer protection policy review – checklist
|
|
||||||||||||||||||||
|
|
||||||||||||||||||||
 |
 |
|
|||||||||||||||||||
 |
|
||||||||||||||||||||
