- Create relevant policies, with Board oversight or equivalent, outlining commitment to prevent, assess, and mitigate to the best of their ability the risks to freedom of expression and privacy associated with designing, selling, and operating telecommunications technology and telecommunications services.
Telenor is committed to respecting human rights. This is reflected in our Code of Conduct, approved by the Board of Directors, and our Supplier Conduct Principles . More detailed mandatory requirements are set out in policies approved by the Group CEO and manuals approved at CxO-level. These governing documents are adopted and implemented in all subsidiaries where Telenor has operational control.
Privacy and freedom of expression are covered in Group policies and manuals. They outline requirements to respect human rights, conduct regular human rights due diligence, ensure privacy of customer data and appropriate handling of authority requests for access to data.
Recognising that authorities may have legitimate needs to require telecommunications companies to comply with requests that limit free communication, the purpose of the manuals on authority requests is to ensure proper handling of such requests and minimising risk of too broad restrictions.
As reported in our update last year the requirements related to authority requests were revised in 2013 to better reflect the Industry Dialogue Guiding Principles. They cover authority requests for access to personal data, network shutdowns, distribution of authority information, and censorship, and specify:
- Organisation – incl. dedicated function(s) and qualified personnel to handle requests
- Process – incl. evaluation of legal basis and risk of human rights impact
- Record keeping and reporting
- Notification and escalation
During 2014 we have focused on implementing these requirements. We have engaged extensively with all our Business Units (BUs), including regional workshops and individual follow-up. The work will continue in 2015 and beyond.
- Conduct regular human rights impact assessments and use due diligence processes, as appropriate to the company, to identify, mitigate and manage risks to freedom of expression and privacy – whether in relation to particular technologies, products, services, or countries – in accordance with the Guiding Principles for the Implementation of the UN ‘Protect, Respect and Remedy’ framework.
Requirements for regular human rights due diligence, based on the UN Guiding Principles on Business and Human Rights, are included in our sustainability policy. This policy also includes privacy & freedom of expression. During 2014 we have worked on implementing this requirement, using our Human Rights Due Diligence Toolkit, as well as extensive BU follow-up (for more info see Annual Report 2014).
However, our primary tool for assessing impacts and managing risks related to privacy and freedom of expression is the group-wide requirements relating to handling of authority requests (ref. response to Principle 1). This is the starting point for due diligence processes both Group and at BU levels.
We view these due diligence activities as processes of continuous improvement. Our ambition for 2015 is to further develop our guidance materials and training to strengthen implementation.
- Create operational processes and routines to evaluate and handle government requests that may have an impact on freedom of expression and privacy.
As outlined in the response to Principles 1 & 2 above, the key requirements for professional handling of authority requests are included in manuals. The BUs develop local operational processes and routines to fulfil the mandatory Group requirements.
During 2014 we have experienced that while such processes and routines may adequately address the majority of authority requests, particularly challenging situations may also require additional guidance. Our ambition is to develop such guidelines in 2015.
- Adopt, where feasible, strategies to anticipate, respond and minimise the potential impact on freedom of expression and privacy in the event that a government demand or request is received that is unlawful or where governments are believed to be mis-using products or technology for illegitimate purposes.
Ref. our responses to principles 1, 2 & 3 above our Group-wide requirements outline some measures to anticipate, respond and minimise potential impact on freedom of expression and privacy. While the manuals specify how to respond to a specific request, the context in which a request is made may significantly affect our ability to utilise the full range of tools to anticipate, respond and minimise potential impact.
We typically seek to be transparent where possible, engage with relevant authorities, discuss with peers (both locally and within the Industry Dialogue) and have conversations with other stakeholders. We also see that there is a need for tools to engage both when a particular incident occurs, and in a more long-term perspective. We believe the stakeholder conversations of the Industry Dialogue are important in this regard.
We also see that this longer-term perspective can bring useful conversations with relevant authorities, like in Pakistan.
Situations relating to national security concerns, political instability, and martial law or similar may be challenging to navigate. This may significantly reduce the range of strategies available. New laws may also be passed which further extend authority access and limit company leverage. In such situations principle 5 also comes into play and personnel risk may influence strategies adopted by the company.
- Always seek to ensure the safety and liberty of company personnel who may be placed at risk.
Health, safety and employee security are fundamental principles included in our Code of Conduct. The safety of our staff is vital and may come into play when handling authority requests of various kinds. We have a fundamental responsibility for the safety of our staff.
We have had experiences during 2014 where this has been the case and where we have had concerns related to employee safety.
- Raise awareness and train relevant employees in related policies and processes.
We have general awareness activities connected with our Code of Conduct, and all employees have to sign this document. With respect to privacy and freedom of expression in particular, our focus in 2014 has been on raising top management awareness, and training of key personnel at both Group and BU level. This has primarily been conducted during regional workshops and in individual follow-up activities with the BUs.
We see a need for continuous awareness and training related to these complex issues. Our ambition for 2015 is to further develop these activities.
- Share knowledge and insights, where relevant, with all relevant and interested stakeholders to improve understanding of the applicable legal framework and the effectiveness of these principles in practice, and to provide support for the implementation and further development of the principles.
Telenor Group has sought to share our approach to privacy and freedom of expression with stakeholders, e.g. through our sustainability update on Myanmar where lawful intercept was a topic addressed by our BU CEO. We also have regular dialogue with investors, NGOs, government and other stakeholders. We also seek to provide information on our website and through our annual sustainability reporting.
Throughout the year we have also been able to share experiences through our work in the Industry Dialogue (ID). Regular stakeholder events have been conducted in connection with our quarterly face-to-face meetings, and two learning forums have been held together with the Global Network Initiative (GNI) Telecommunications Industry Dialogue
During 2014 we also worked with the Institute of Human Rights and Business (IHRB) on a case study relating to the challenge of network shutdowns in Pakistan.
- Report externally on an annual basis, and whenever circumstances make it relevant, on their progress in implementing the principles, and on major events occurring in this regard.
Telenor’s report on progress implementing the principles is included in this table.
With respect to major events, we have sought to be transparent to the extent possible. We have experienced that transparency can be a good tool for engagement with governments and other stakeholders, e.g. through our Myanmar Sustainability Update. However, we have also experienced significant challenges resulting from openness about authority requests.
- Help to inform the development of policy and regulations to support freedom of expression and privacy including, alone or in cooperation with other entities, using its leverage to seek to mitigate potential negative impacts from policies or regulations.
Telenor Group engages with a range of stakeholders, including government and civil society, on a bilateral basis as well as through the Industry Dialogue. We also participate at relevant events like the Stockholm Internet Forum.
In Myanmar we have had a good interaction with civil society and a constructive dialogue with the authorities, and expressed our view that there is need for regulations based on international good practice, and that these regulations when drafted should be subject to public consultation. Also, as stated above we have a good dialogue on network shutdowns in Pakistan.
- Examine, as a group, options for implementing relevant grievance mechanisms, as outlined in Principle 31 of the UN Guiding Principles for Business and Human Rights.
During 2014 grievance mechanisms have been discussed as part of the Industry Dialogue meetings, we have shared good practices and discussions will continue.
Telenor Group has a hotline to compliance, where breaches of our Code of Conduct can be reported.
DNV GL has been commissioned by Telenor to carry out a claims check of Telenor’s status on alignment with the Industry Dialogue Guiding Principles for 2014. The engagement has been undertaken in accordance with a procedure based on DNV GL’s general method for assessments of sustainability reporting, which has been tailored to specific Telenor requirements.