TELECOMMUNICATIONS AMENDMENT (ACCESS TO MOBILE NUMBER INFORMATION FOR AUTHORISED RESEARCH) REGULATIONS 2018 (F2018L01756) EXPLANATORY STATEMENT


 

Telecommunications Act 1997

 

Telecommunications Regulations 2001

 

Telecommunications Amendment (Access to Mobile Number Information for Authorised Research) Regulations 2018

 

 

Issued by the Authority of the Minister for Communications and the Arts.

Authority

Subsection 594(1) of the Telecommunications Act 1997 (the Act) provides that the Governor-General may make regulations prescribing matters required or permitted to be prescribed by the Act, or necessary or convenient to be prescribed for carrying out or giving effect to the Act.

Subsection 292(1) of the Act provides that where circumstances are specified in regulations, the prohibitions on the disclosure or use of information obtained by telecommunications carriers and carriage service providers in the course of providing their services (set out in section 276 of the Act) will not apply in those specified circumstances.

Under the authority of the Act, the Governor-General has made the Telecommunications Regulations 2001 (the Principal Regulations). The Principal Regulations specify, among other matters, circumstances where the prohibitions contained in section 276 of the Act do not apply.

Under subsection 33(3) of the Acts Interpretation Act 1901, where an Act confers a power to make, grant or issue any instrument of a legislative character (including rules, regulations or by-laws), the power shall be construed as including a power exercisable in the like manner and subject to the like conditions (if any) to repeal, rescind, revoke, amend, or vary any such instrument.

Purpose

The Telecommunications Amendment (Access to Mobile Number Information for Authorised Research) Regulations 2018 (the Amending Regulations) amend the Principal Regulations to allow for the disclosure of unlisted mobile phone numbers and their associated postcodes as recorded in the Integrated Public Number Database (IPND) for certain research purposes. This will enable research entities to more effectively sample mobile and mobile-only users and in turn a representative cross-section of the community.

Background

The Integrated Public Number Database (IPND) is an industry-wide database containing information relating to all public telephone numbers (both listed and unlisted) and associated customer information, including name and address information. It also includes information such as whether the number or address is to be listed in a public number directory, and whether the number is used for residential, business, government or charitable purposes.

The IPND is maintained by Telstra Corporation Limited (Telstra) under clause 10 of the Carrier Licence Conditions (Telstra Corporation Limited) Declaration 1997. All carriage service providers that supply carriage services to customers that have public numbers are obliged to provide customer information to Telstra for inclusion in the IPND.

The use and disclosure of information contained in the IPND is regulated under Part 13 of the Act. Section 276 of the Act includes general prohibitions on the disclosure or use of information obtained by telecommunications carriers and carriage service providers in the course of providing their services.

Part 13 of the Act includes exceptions to these general prohibitions, including subsection 292(1) of the Act, which provides that where circumstances are specified in regulations (made by the Governor-General under subsection 594(1) of the Act), section 276 does not prohibit the disclosure or use of information in the IPND.

Section 285 of the Act contains a further exception for the disclosure, to certain recipients, of IPND information, other than information relating to an unlisted telephone number, including for conducting research of a kind specified by the Minister in a legislative instrument.

The Amending Regulations set out an additional exception to the general use and disclosure prohibitions to allow for the disclosure of unlisted mobile telephone numbers and their associated postcode recorded in the IPND for certain research purposes.

Regulation Impact Statement

In November 2018 a preliminary RIS was prepared and submitted to the Office of Best Practice Regulation (OBPR). The OBPR advised on 27 November 2018 that a Regulation Impact Statement was not required (OBPR ID: 24616).

Consultation

In accordance with section 17 of the Legislation Act, the Department consulted with the Attorney-General's Department, the Office of the Australian Information Commissioner, and Telstra about the Amending Regulations.

Other Matters

The Amending Regulations commence on the day after the instrument is registered on the Federal Register of Legislation.

The Amending Regulations are a legislative instrument for the purposes of subsection 8(3) of the Legislation Act 2003.

Details of the accompanying Amending Regulations are set out at Attachment A.

Statement of Compatibility with Human Rights

A statement of compatibility with human rights for the purposes of Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 is at Attachment B.

 

 

                            Attachment A

 

Notes on the Telecommunications Amendment (Access to Mobile Number Information for Authorised Research) Regulations 2018

 

Item 1--Name

Section 1 specifies the name of the Amending Regulations as the Telecommunications Amendment (Access to Mobile Number Information for Authorised Research) Regulations 2018.

Item 2--Commencement

Section 2 provides that the whole of the Amending Regulations commence the day after the instrument is registered on the Federal Register of Legislation. The note accompanying the subsection clarifies that the table relates only to the provisions of the Amending Regulations as originally made and will not be amended to deal with any later amendments of the instrument.

Item 3--Authority

Section 3 provides that the authority for making the Amending Regulations is the Telecommunications Act 1997 (the Act). Subsection 594(1) of the Act provides that the Governor-General may make regulations prescribing matters required or permitted to be prescribed by the Act, or necessary or convenient to be prescribed for carrying out or giving effect to the Act.

Item 4--Schedules

Section 4 provides that each instrument specified in a Schedule to the Amending Regulations is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this instrument has effect according to its terms. There is one Schedule to the Amending Regulations - Schedule 1 sets out the amendments to the Telecommunications Regulations 2001 (the Principal Regulations).

Schedule 1 - Amendments

Item 1 - Regulation 1.7

Item 1 inserts new definitions into the Principal Regulations.

Australian Parliament is defined to mean the Parliament of the Commonwealth, a Parliament of a State or a Legislative Assembly of a Territory.

authorised research is defined to mean, under a research authorisation, a kind or kinds of research to which the authorisation applies.

authorised research entity is defined to mean an entity referred to in paragraph 5.12(2)(a) (outlined in further detail below).

authorised unlisted mobile number information is defined to mean, in relation to an authorised research entity, unlisted mobile number information to which a research authorisation covering that entity applies.

breach, in relation to an Australian Privacy Principle, has the meaning given by section 6A of the Privacy Act 1988; and in relation to a registered APP code, has the meaning given by section 6B of that Act.

Commonwealth entity is defined to have the same meaning as in the Public Governance, Performance and Accountability Act 2013; that is, a Department of State; a Parliamentary Department; a listed entity (as prescribed); a body corporate that is established by a law of the Commonwealth; or a body corporate that is established under a law of the Commonwealth (other than a Commonwealth company) and is prescribed by an Act or the rules to be a Commonwealth entity.

The definition of contacted person cross refers to subregulation 5.20(2) (outlined in further detail below).

covered by the Privacy Act: The regulations provide that both an organisation within the meaning of the Privacy Act 1988, or a small business operator (within the meaning of that Act) that has chosen to be treated as an organisation under section 6EA of that Act, are covered by the Privacy Act for the purposes of the regulations.

de-identified: The regulations provide that research information, in relation to a contacted person, is de-identified if it does not identify, or no longer identifies the contacted person; and is not reasonably capable or is no longer reasonably capable of being used to identify the contacted person.

electoral matter is defined to mean matter which is intended or likely to affect voting in an election to an Australian Parliament or to a local government authority; or a referendum under a law of the Commonwealth or of a State or Territory.

The definition of former research entity cross refers to paragraph 5.30(2)(a) (outlined in further detail below).

integrated public number database is defined to mean the database maintained by Telstra as mentioned in clause 10 of Part 4 of Schedule 2 to the Act.

IPND Scheme authorisation means an authorisation granted under the integrated public number database scheme (the IPND Scheme). The IPND Scheme is enabled under section 295A of the Telecommunications Act 1997 and is provided for in the Telecommunications Integrated Public Number Database Scheme 2017.

The definition of permitted research cross refers to regulation 1.7A (outlined in further detail below).

personal information is defined to have the same meaning as in the Privacy Act 1988. That is, information or an opinion about an identified individual or an individual who is reasonably identifiable - whether the information or opinion is true or not - and whether the information or opinion is recorded in a material format or not.

 

political representative is defined to be a member of an Australian Parliament or a councillor (however defined) of a local government authority.

public number has the same meaning as in section 472 of the Telecommunications Act 1997; that is, a number specified in the numbering plan.

registered APP code is defined to have the same meaning as in the Privacy Act 1988. An APP code is a written code of practice about information privacy under section 26C of that Act. A registered APP code is one that is included on the Codes Register established under section 26U of that Act and is in force.

registered political party is defined to have the same meaning as in the Commonwealth Electoral Act 1918; that is, a political party registered under Part XI of that Act.

research authorisation is defined to mean an authorisation (granted by the ACMA) under subregulation 5.11(1) (outlined in further detail below).

research employee is defined to mean, in relation to a research entity, an individual employed or engaged by the entity to conduct authorised research.

The definition of research entity cross refers to subregulation 5.8(2) (outlined in further detail below).

research information is defined to mean, in relation to a contacted person, any information obtained from the person when the person is contacted by an authorised research entity for the purposes of authorised research.

unlisted mobile number information is defined to mean information that is contained in the integrated public number database, relates to a person's mobile number that is unlisted, is indicated by the database as not being used for government business or charitable purposes, and consists only of either the number or the postcode of the person's address or both.

Item 2 - After regulation 1.7

Item 2 inserts a new regulation 1.7A which provides the meaning of permitted research under the Amending Regulations. Subregulation 1.7A(1) provides that research is permitted research if one or more of the following apply:

a)      the research is relevant to public health, including epidemiological research;

b)      the research relates to an electoral matter and is conducted by or for:

(i) a registered political party; or

(ii) a political representative; or

(iii) a candidate in an election for an Australian Parliament or a local government authority;

c)      the research will contribute to the development of public policy and is conducted by or for the Commonwealth or a Commonwealth entity.

The intent of this provision is to limit the kinds of research for which the ACMA may grant a research authorisation, and in turn the kinds of research for which access to unlisted mobile number information in the IPND may be granted. The kinds of research specified in this regulation mirror those provided in the Telecommunications (Integrated Public Number Database - Permitted Research Purposes) Instrument 2017; that is, the research purposes for which access to information about listed numbers is already available.

The ACMA can authorise research which is relevant to public health, including epidemiological research. Any person can be authorised to access information from the IPND to conduct that type of research. However, an authorisation can only be granted to the types of person specified in paragraph 1.7A(1)(b) to undertake research relating to an electoral matter or those persons specified in paragraph 1.7A(1)(c) to undertake research in relation to the development of public policy. These constraints mirror those provided in the Telecommunications (Integrated Public Number Database - Permitted Research Purposes) Instrument 2017.

Subregulation 1.7A(2) provides that despite subregulation 1.7A(1), research is not permitted research if:

a)      in the case of a research entity conducting research on its own behalf--the research is conducted for a primarily commercial purpose; or

b)      in the case of a research entity conducting research for another person or body--the research entity is conducting the research for a primarily commercial purpose of the other person or body.

This provision is intended to ensure that a research entity is prohibited from accessing information in the IPND under a research authorisation primarily for a commercial purpose. However, the provision is intended to allow a research entity that is conducting research on behalf of another person or body to obtain financial benefit in return for providing the research services (such as payment for the service of carrying out the research).

 

 

Item 3 - Before regulation 5.1A

Item 3 makes a technical amendment to Part 5 of the Principal Regulations to insert a new heading for Division 5.1 - Specified circumstances. Division 5.1 will contain existing regulations 5.1A, 5.2, 5.3, 5.4, as well as new regulation 5.6 inserted by Item 4. This amendment is consequential to the insertion of new Division 5.2 - Research Authorisations pursuant to Item 4.

Item 4 - At the end of Part 5

Item 4 amends Part 5 of the Principal Regulations to insert a new regulation 5.6, which specifies an additional circumstance overriding the prohibitions against disclosure or use of information or documents under section 276 of the Act.

Item 4 also amends Part 5 of the Principal Regulations to insert a new Division 5.2. Division 5.2 puts in place an administrative scheme that governs research authorisations that allow for the disclosure of unlisted mobile number information to an authorised research entity. The administrative scheme details the processes for applying for and granting research authorisations, conditions that apply to authorisations and the ending of authorisations (amongst other things).

Regulation 5.6 - Disclosure of information - unlisted mobile number information

Subsection 292(1) of the Act provides that where circumstances are prescribed in regulations, the prohibitions against disclosure or use of information or documents under section 276 of the Act do not apply. Regulation 5.6 prescribes for the purposes of subsection 292(1) of the Act an additional circumstance overriding these prohibitions.

Under regulation 5.6, section 276 of the Act will not prohibit use or disclosure of information or a document where:

a)      the disclosure is made by Telstra to an authorised research entity, and

b)      the information is, or the document consists of, authorised unlisted mobile number information (that is, information to which a research authorisation granted by the ACMA pursuant to new regulation 5.11 applies).

The practical effect of regulation 5.6 is to allow Telstra (the IPND Manager) to disclose information about unlisted numbers and their associated postcode as recorded in the IPND, if authorised to do so by the ACMA.

Division 5.2 - Research authorisations

Subdivision 5.2.1 - Introduction

Regulation 5.7 - Simplified outline of this Division

Regulation 5.7 provides a simplified outline of Division 5.2.

Subdivision 5.2.2 - Application for, and grant of, research authorisations

 

 

Regulation 5.8 - Applying for research authorisations

Regulation 5.8 allows a person to apply for a research authorisation in writing, in a form approved by the ACMA. The application must specify each person to be covered by the authorisation (i.e. the regulation allows for authorisations to cover multiple persons), the kind/s of unlisted mobile number information being sought, the kind/s of research for which the unlisted mobile number is sought and reasons as to why the information has been sought. An application must be accompanied by the applicable charge (if any) determined by the ACMA under section 60 of the Australian Communications and Media Authority Act 2005, and a completed privacy impact assessment in a form approved by the ACMA.

Regulation 5.9 - ACMA may request further information

Regulation 5.9 empowers the ACMA to request, in writing, that a research entity specified in an application for a research authorisation provide further information in relation to the application for a research authorisation. If that entity does not provide the further information within 90 days of the request being made, the ACMA may treat the application as if the relevant research entity was not specified in the application. The intent of regulation 5.9 is to create an incentive for persons covered by an application for an authorisation to provide information requested by the ACMA promptly. If that information is not provided within a 90 day timeframe, then the authorisation process can continue to proceed in relation to other persons specified in the application.

Regulation 5.10 - ACMA may consult

Regulation 5.10 allows the ACMA to consult with any person or body that the ACMA considers appropriate before granting a research authorisation. This could include, for example, consultation with statutory office-holders like the Privacy Commissioner in relation to privacy-related matters (see paragraph 5.11(2)(d), which requires the ACMA to have regard to the extent to which an entity's collection, use and disclosure of personal information has complied with, or is consistent with, the Privacy Act 1988).

Regulation 5.11 - Research authorisations

Regulation 5.11 specifies that the ACMA must grant a research authorisation if, following the making of an application in accordance with the requirements set out in regulation 5.8, the ACMA is reasonably satisfied of certain specified matters set out in paragraphs 5.11(1)(a) to (e).

Under paragraph 5.11(1)(a), the ACMA must be reasonably satisfied that the kind/s of research proposed by the applicant is permitted research. This means that the research for which the information can be disclosed must be either research relating to public health, an electoral matter, or research that contributes to the development of public policy.

Under paragraph 5.11(1)(b), the ACMA must be reasonably satisfied that the research entity will comply with the conditions of the authorisation, including any additional conditions specified by the ACMA under subregulation 5.12(4).

Under paragraph 5.11(1)(c), the ACMA must be satisfied that each research entity will comply with the use and disclosure prohibitions imposed on former research entities when an authorisation ends or entities are removed (as detailed below in relation to regulations 5.30 and 5.31).

The note after subregulation 5.11(1) clarifies that where the ACMA decides not to grant an authorisation, a research entity or any other person affected by the decision may request that the ACMA reconsider its decision pursuant to regulation 5.32.

Subregulation 5.11(2) sets out the factors which the ACMA must have regard to in determining whether a research entity will comply with the conditions of an authorisation, as required by paragraph 5.11(1)(b).

Paragraph 5.11(2)(a) requires the ACMA to have regard to the practices, procedures, processes and systems the entity has in place, or intends to put in place, to comply with the conditions of the authorisation. For example, it is a condition of an authorisation under regulation 5.19 that an authorised research entity comply with the Privacy Act 1988 where it collects, uses or discloses personal information about an individual for the purposes of authorised research. Pursuant to paragraph 5.11(2)(a), in considering if the entity will comply with regulation 5.19, the ACMA may have regard to the specific information management procedures an entity has in place to control and track the use and disclosure of personal information. The ACMA could also have regard to the information security practices and technical systems that an entity has in place to ensure it can comply with APP 11 - security of personal information. APP 11 requires an entity to take such steps as are reasonable to protect personal information from misuse, interference and loss and from unauthorised access, modification or disclosure.

Where an entity has previously been covered by a research authorisation, paragraph 5.11(2)(b) requires the ACMA to have regard to the extent to which the entity has complied with, or is complying with, the conditions of that authorisation.

Paragraph 5.11(2)(c) requires the ACMA to have regard to the extent to which the entity has complied with, or is complying with, the conditions of any IPND authorisation that it has been granted.

Paragraph 5.11(2)(d) requires the ACMA to have regard to the extent to which the entity's collection, use and disclosure of personal information has complied with, or is consistent with, the Privacy Act 1988. This criterion applies regardless of whether that Act normally applies to the entity (including registered political parties and other entities that are normally exempt under section 6C of that Act). The regulations have been designed to allow the ACMA to consult with others, including the Privacy Commissioner, in relation to this criterion (subregulation 5.10 refers).

Subregulation 5.11(3) requires that, where an entity has previously been covered by a research authorisation, the ACMA must have regard to past compliance with the use and disclosure prohibitions under regulation 5.30 or 5.31, in determining that paragraph 5.11(1)(c) is satisfied.

Subregulation 5.11(4) makes it clear that subregulations 5.11(2) and 5.11(3) do not limit the matters to which the ACMA may have regard when considering whether to grant a research authorisation.

Subregulation 5.11(5) provides that, for the purposes of Subdivision 5.2.6 (review of decisions), if the ACMA does not make a decision on the application within the period specified in subregulation 5.11(6) (detailed below), the ACMA is taken to have decided not to grant the authorisation.

Subregulation 5.11(6) specifies the period referenced in subregulation 5.11(5) as the period that ends 90 days after the ACMA receives the application or, if the ACMA has requested further information about an application under subregulation 5.9(1), 90 days after the end of the period for compliance with the last request made under that subregulation, whichever is later.

Regulation 5.12 - Content of research authorisations

Regulation 5.12 specifies the form and content of research authorisations granted by the ACMA. The ACMA's authorisation must be in writing (subregulation 5.12(1)). The authorisation must specify each research entity covered by the authorisation, the kind/s of research to which the authorisation applies, and the kind/s of unlisted mobile number information that may be disclosed to the research entity - that is, whether the research entity will receive only the number, or both the number and postcode (subregulation 5.12(2)).

Subregulation 5.12(3) provides that a research authorisation must specify the period that the authorisation is in effect. This period starts on the day Telstra first discloses authorised unlisted mobile number information to an authorised research entity covered by the authorisation and ends no later than 12 months afterwards. However, research authorisations can have a duration of less than 12 months.

Subregulation 5.12(4) provides that the ACMA may specify conditions additional to those specified in new subdivision 5.2.3 to which the authorisation is subject. This provision allows the ACMA to impose specific conditions tailored to the particular research activity, in order to both support effective research and protect personal information. For example, the ACMA could specify conditions relating to information management, security or handling procedures that an entity must adhere to in relation to the personal information it will collect during its research activity. Such conditions could be used where a proposed research activity might collect particularly sensitive personal information such as health information.

Note 1 after subregulation 5.12(4) indicates that an authorised research entity can request that the ACMA review a decision to impose an additional condition on a research authorisation, in accordance with regulation 5.32.

Note 2 after subregulation 5.12(4) makes it clear that the ACMA can consult with others about the imposition of additional conditions in research authorisations, in accordance with regulation 5.10.

Regulation 5.13 - Notice relating to research authorisations

If the ACMA grants a research authorisation, subregulation 5.13(1) requires the ACMA to provide each research entity identified in the authorisation, and Telstra (the IPND Manager), a copy of the authorisation.

If the ACMA grants an authorisation that specifies additional conditions, subregulation 5.13(2) requires that the ACMA must, as soon as is reasonably practicable, give written notice to each authorised research entity and any other person affected by the decision, that they may request the ACMA reconsider its decision (using the process set out at regulation 5.32).

If the ACMA decides not to grant a research authorisation, subregulation 5.13(3) requires the ACMA to give the applicant written notice indicating that the authorisation has not been granted, the reasons the authorisation was not granted, and advising that the applicant or any other person affected by the decision may request the ACMA to reconsider its decision under regulation 5.32.

Note 1 after subregulation 5.13(3) references section 27A of the Administrative Appeals Tribunal Act 1975. Section 27A of that Act requires that a person who makes a reviewable decision, such as the ACMA in this case, take such steps as are reasonably necessary to give any person whose interests are affected by the decision notice in writing of the making of the decision, and of the right of the person to have the decision reviewed.

Note 2 after subregulation 5.13(3) clarifies that a research entity is taken not to be specified in an application if the entity does not provide the ACMA with further information as requested under regulation 5.9 within 90 days after the ACMA requests that information. The intent of regulation 5.9 is to create an incentive for persons covered by an application for an authorisation to provide information requested by the ACMA promptly. If that information is not provided within a 90 day timeframe, then the authorisation process can continue to proceed in relation to other persons specified in the application.

Regulation 5.14 - Period of research authorisations

Regulation 5.14 provides that research authorisations are valid for the period specified in the authorisation. This regulation is to be read with subregulation 5.12(3) such that the maximum period for an authorisation to be in effect is 12 months, starting on the day Telstra (the IPND Manager) first discloses the authorised unlisted mobile number information to the research entity. Authorisations may specify a shorter period than 12 months. The regulations do not contemplate extensions of research authorisations. Rather, research entities can apply for an additional research authorisation in the same terms in advance of an authorisation expiring if further time is needed to undertake the research.

Subdivision 5.2.3 - Authorisation Conditions

Regulation 5.15 - Authorisation conditions

Regulation 5.15 provides that a research authorisation is subject to the conditions set out in subdivision 5.2.3 and any additional conditions specified by the ACMA (see subregulation 5.12(4) and regulation 5.26).

 

 

Regulation 5.16 - Receipt of authorised unlisted mobile number information

Regulation 5.16 provides that the first research entity to receive authorised unlisted mobile number information from Telstra under an authorisation must provide written notice to the ACMA and each other authorised research entity covered by the authorisation within 10 business days. As the period of an authorisation commences when Telstra first discloses authorised unlisted mobile information to a research entity (regulation 5.12(3)), this regulation ensures that the ACMA and all parties covered by the authorisation are aware that the authorisation period has begun.

Regulation 5.17 - Use and disclosure of authorised unlisted mobile number information

Regulation 5.17 limits the use and disclosure of authorised unlisted mobile number information.

An authorised research entity can only make a record of or use unlisted mobile number information for authorised research purposes as specified in the authorisation. Subregulation 5.17(2), when read together with subregulation 5.17(3), limits the disclosure of unlisted mobile number information to the research entity's employees or any other authorised research entities covered by the authorisation, for the purposes of authorised research as specified in the authorisation, or as otherwise authorised or required by any other law.

The ACMA may also request authorised unlisted mobile number information (for example, for compliance purposes), and the research entity is required to disclose this information on request pursuant to subregulation 5.17(4).

Regulation 5.18 - Covered by the Privacy Act

Regulation 5.18 provides that an authorised research entity must be covered by the Privacy Act 1988 (as defined in regulation 1.7) unless that entity is a registered political party. This is because registered political parties are exempt organisations under section 6C of that Act.

However, subregulation 5.19 (detailed below) extends the application of the Australian Privacy Principles or a registered APP code to registered political parties by making compliance with them a condition of the authorisation.

Regulation 5.19 - Compliance with the Privacy Act

Subregulation 5.19(1) requires that, where an authorised research entity collects, uses or discloses personal information for the purposes of authorised research, they must do so in a way that does not breach the Australian Privacy Principles or a registered APP code that binds the entity. Subregulation 5.19(2) provides that the obligation in subregulation 5.19(1) applies to registered political parties who are normally exempt under section 6C of the Privacy Act 1988 or acts which are normally exempt under section 7C of that Act.

Section 7C of the Privacy Act 1988 prescribes a range of political acts and practices which are normally exempt from the requirements of that Act. These include acts done or practices engaged in by a member of a Parliament or a councillor of a local government authority (the political representative) in conjunction with:

- an election under electoral law,

- a referendum under a law of the Commonwealth or a law of a State or Territory; or

- the participation by the political representative in another aspect of the political process.

This exemption extends, subject to the conditions of subsections 7C(2) - (6) of the Privacy Act 1988, to the contractors, sub-contractors and volunteers of political representatives.

The effect of this subregulation is to ensure that all research entities, including registered political parties, will be required to adhere to the Australian Privacy Principles which govern how personal information must be handled, used and managed. The Australian Privacy Principles cover areas such as:

- the open and transparent management of personal information including having a privacy policy

- how personal information can be used and disclosed (including overseas)

- maintaining the quality of personal information

- keeping personal information secure; and

- the right for individuals to access and correct their personal information.

Given the broad scope of potential research activities which could be carried out under a research authorisation, there is the potential for research entities to handle personal information which is 'sensitive information'. For the purposes of the Australian Privacy Principles, sensitive information is personal information which includes information about an individual's:

- health (including predictive genetic information)

- racial or ethnic origin

- political opinions

- membership of a political association, professional or trade association or trade union

- religious beliefs or affiliations

- philosophical beliefs

- sexual orientation or practices

- criminal record

- biometric information that is to be used for certain purposes; or

- biometric templates.

The Australian Privacy Principles place stringent obligations on organisations that handle sensitive information. 

Regulation 5.20 - Contacting persons for authorised research

Regulation 5.20 outlines the requirements that apply when a research entity contacts a person for authorised research using authorised unlisted mobile information.

Subregulation 5.20(1) specifies that an authorised research entity may contact a person using authorised unlisted mobile number information only by calling the person. As illustrated by the example after subregulation 5.20(1), this provision makes it clear that an authorised research entity must not contact a person using authorised unlisted mobile number information by other means such as text message.

Subregulation 5.20(2)(a) specifies information research entities must provide to a contacted person when using authorised unlisted mobile number information for the purpose of conducting research. Research entities must tell the contacted person the entity's name, the contact details of the entity, the purpose of the research, how the mobile number was obtained, how the entity will use the research information collected, and if asked, how the person can access their personal information.

Subregulations 5.20(2)(b) - (c) require the research entity to confirm that it has the consent of the contacted person in relation to certain matters. Research entities are compelled by the subregulations to seek and obtain the contacted person's consent to use and disclose the research information collected, and inform the contacted person that consent can be withdrawn at any time during the call.

Subregulations 5.20(2)(d) and 5.20(2)(e) require that the research entity give the contacted person any other information required by law (such as under the Privacy Act 1988) and comply with all other applicable laws relating to unsolicited communications. For instance, the Telecommunications (Telemarketing and Research Calls) Industry Standard 2017 (the Standard) applies to all telemarketing calls, research calls and calls from public interest groups (such as charities, registered political parties and religious organisations) made to Australian numbers - and so will apply to all calls made under a research authorisation. The Standard sets the minimum benchmarks for: when research calls can be made; information that must be provided during a research call; when calls must be terminated; and the use of calling line identification.

Contacted Person does not consent to the use and disclosure of research information

The regulations provide that if a contacted person informs the research entity that he or she does not consent or withdraws consent to the use and disclosure of research information during the call, any such information must not be recorded, used or disclosed by the research entity that has made the call (with the exception of making a notice required by subregulation 5.20(3) as outlined below). In addition, any research entity covered by the research authorisation must not use the unlisted mobile number information relating to the person. This allows a contacted person to 'opt out' of receiving further calls under a specific research authorisation.

Subregulations 5.20(3) and 5.20(4) also detail further steps that a research entity must take if a contacted person does not consent or withdraws consent. Under subparagraph 5.20(3)(c)(i), the entity must take all reasonable steps to destroy any research information that the entity has relating to the person within 10 business days after the person informs the entity that they do not consent or have withdrawn consent. Under subparagraph 5.20(3)(c)(ii), the entity is also required to notify any other authorised research entities covered by the authorisation that the authorised unlisted mobile number information relating to the person must not be used.

Subregulation 5.20(4) requires that where a research entity is notified that authorised unlisted mobile number information relating to a contacted person must not be used (pursuant to subparagraph 5.20(3)(c)(ii)), the entity must not use the unlisted mobile number information relating to the contacted person. That is, the entity must not make contact with the person using the unlisted mobile number information subsequent to that entity receiving the notice under the relevant research authorisation.

Subregulations 5.20(5) and (6) stipulate the internal dispute resolution procedures that research entities must have in place to deal with inquiries or complaints about the use or disclosure of research information relating to a person. If a contacted person makes a complaint, research entities must inform account holders that they have the option to refer their complaint to the ACMA, and provide the account holder with the ACMA's contact information. The research entity is also obliged to provide reasonable assistance to the ACMA in relation to any such complaint if requested to do so by the ACMA.

Regulation 5.21 - Disclosure of research information

Regulation 5.21 deals with the disclosure of research information.

Subregulation 5.21(1) establishes a general prohibition on the disclosure of research information relating to a contacted person by an authorised research entity unless the disclosure is permitted by subregulations 5.21(2) and 5.21(3), or the disclosure is otherwise authorised or required by law. The prohibition in this provision has effect while an entity is covered by a research authorisation. As the note after subregulation 5.21(1) indicates, regulation 5.31 deals with the recording, use and disclosure of research information after the authorisation ends or the entity is removed from the authorisation.

Subregulation 5.21(2) allows a research entity to disclose research information relating to a contacted person to the entity's research employees.

Subregulation 5.21(3) allows the disclosure of research information where it is de-identified and does not include the person's public number. The intention of this subregulation is to allow for the disclosure of research information to those entities covered by the research authorisation and also more broadly to entities outside of the research authorisation. For instance, the subregulation will allow for the publication of a report or a media release about the research, so long as the research information is de-identified information and does not contain the public numbers of contacted persons. Similarly, the disclosure of a de-identified dataset to an entity not covered by the research authorisation for a different or subsequent purpose would be permissible.

However, research entities who are involuntarily removed from a research authorisation (pursuant to subregulation 5.28, which is outlined below) will not be permitted to make a record of, use, or disclose any research information that they have collected, and will be required to destroy that information (see subregulation 5.31 below). This provision is designed to encourage research entities not to breach authorisation conditions.

Subregulation 5.21(4) provides that regulation 5.21 is subject to subregulation 5.20(3). The note after subregulation 5.21(4) indicates that subregulation 5.20(3) provides that an authorised research entity must not record, use or disclose research information relating to a contacted person if the person does not consent, or withdraws consent, to the use and disclosure of that information.

Regulation 5.22 - Technical system for receiving authorised unlisted mobile number information

Regulation 5.22 requires that research entities must have technical systems in place to receive authorised unlisted mobile information that accord with Telstra's technical methods.

Regulation 5.23 - Compliance with the Act

Regulation 5.23 requires that research entities are subject to any requirements imposed by the Telecommunications Act 1997 and legislative instruments made under that Act.

Regulation 5.24 - Employees of the authorised research entity

Subregulation 5.24(1) requires research entities to take all reasonable steps to ensure that their employees are made aware of research authorisation conditions and cooperate with the research entity in complying with those conditions. If the entity's employee becomes aware of an act or omission that would result in a breach of a condition, the employee is required to notify the entity in writing as soon as reasonably practicable. If an employee becomes aware of an act or omission by another entity covered by the research authorisation that would result in a contravention, the employee would have an obligation to notify their employer. 

Regulation 5.25 - Contravention of authorisation conditions

Regulation 5.25 provides that once a research entity becomes aware of a contravention of a condition in an authorisation by the entity, it must notify the ACMA as soon as reasonably practicable. The same notification obligation applies if the entity becomes aware of a breach by another entity covered by the same authorisation. Subregulation 5.25(2) also requires a research entity to take reasonable steps to minimise the effects of any breach of a condition of an authorisation. Subregulation 5.25(3) makes the requirement to take reasonable steps to minimise the effects of the contravention a condition of the authorisation.

Subdivision 5.2.4 - Changes to authorisations

Regulation 5.26 - Changes made by the ACMA

Subregulation 5.26(1) provides that after the ACMA grants a research authorisation it may, in writing, specify other conditions to which the authorisation is subject, or vary or revoke any condition specified in the authorisation. Subregulation 5.26(2) provides that before taking action under regulation 5.26(1) the ACMA may consult with any person or body that the ACMA considers is appropriate. Subregulation 5.26(3) provides that the ACMA must give written notice of any action taken under regulation 5.26(1) to each authorised research entity covered by the authorisation stating the action taken; reasons for that action; and indicating that the entity or another entity affected by the decision may request the ACMA reconsider the action taken pursuant to regulation 5.32 (except where the change is to revoke a condition of an authorisation).

The Note after subregulation 5.26(3) references section 27A of the Administrative Appeals Tribunal Act 1975. Section 27A of that Act requires that a person who makes a reviewable decision, such as the ACMA in this case, take such steps as are reasonably necessary to give any person whose interests are affected by the decision notice in writing of the decision, and of the right of the person to have the decision reviewed.

Subregulation 5.26(4) requires that the notice must be given as soon as reasonably practicable and before the action under regulation 5.26(1) is expressed to take effect.

By virtue of subregulation 5.26(1), the ACMA must also give Telstra written notice of a change made under regulation 5.26(1) as soon as reasonably practicable. This will ensure that Telstra, as the IPND Manager, is aware of the action taken, and can ensure that its future actions are consistent with it.

Subdivision 5.2.5 - Removal of authorised research entities

Regulation 5.27 - Effect of removal

Regulation 5.27 provides that an authorised research entity ceases to be covered by a research authorisation if the entity is removed from the authorisation.

Regulation 5.28 - Removal of authorised research entities - contravention of research authorisation

Subregulation 5.28(1) empowers the ACMA to remove an authorised research entity from a research authorisation if it is satisfied that a condition of any research authorisation covering that entity has been contravened. As indicated in the accompanying note, any such decision is subject to reconsideration on request by any person affected by the decision (pursuant to regulation 5.32).

Subregulation 5.28(2) allows the ACMA to consult with any person or body considered appropriate prior to removing an entity under subregulation 5.28(1).

Before removing an entity, subregulations 5.28(3) and 5.28(4) require the ACMA to give the entity written notice stating that the ACMA proposes to remove it from the authorisation; and invite the entity to make a submission to the ACMA about the proposed removal within a specified period of time. The specified period for the making of a submission must not be shorter than 30 days.

Subregulation 5.28(5) requires that where the ACMA removes an entity, it must, as soon as reasonably practicable, notify that entity in writing, and provide the reasons for the entity's removal. The notice must state that the entity and any affected person may request reconsideration of the decision to remove the entity (pursuant to regulation 5.32).

Subregulation 5.28(6) requires that the ACMA provide written notice of any such removal to: any other authorised research entity covered by the authorisation; and Telstra as soon as reasonably practicable.

Subregulation 5.28(7) provides that if the ACMA removes an entity from a research authorisation, an application for a further research authorisation covering that entity cannot be made until after the end of that research authorisation. By prohibiting further applications for a period following a breach, this subregulation ensures that an entity that has been removed from an authorisation for contravention of a condition cannot immediately apply for a further authorisation and thereby evade the consequences of removal. This provision therefore creates an incentive for research entities to comply with authorisation conditions.

Regulation 5.29 - Voluntary removal of authorised research entities

Subregulation 5.29(1) specifies that an authorised research entity can provide a written request to the ACMA to be removed from a research authorisation.

Subregulation 5.29(2) provides that when considering a request for voluntary removal, the ACMA may have regard to whether the entity has received a notice that it has been removed for contravention under regulation 5.28. This subregulation has been included to ensure that the ACMA has, at its discretion, the option to not allow an entity to voluntarily remove itself from a research authorisation in circumstances in which the ACMA has issued a notice to that research entity that it proposes to remove the entity from the authorisation. In the absence of this provision, a research entity could voluntarily remove itself from an authorisation to avoid the consequences that would flow from a contravention of an authorisation condition.

If the ACMA decides to remove an entity on the basis of a voluntary request, subregulation 5.29(3) requires that it give notice as soon as practicable to both the entity and Telstra. If the ACMA does not remove an entity, subregulation 5.29(4) requires the ACMA to notify the entity in writing that it has not been so removed, the reasons for that decision, and that the decision is subject to review under regulation 5.32.

The Note after subregulation 5.29(4) references section 27A of the Administrative Appeals Tribunal Act 1975. Section 27A of that Act requires that a person who makes a reviewable decision, such as the ACMA in this case, take such steps as are reasonably necessary to give any person whose interests are affected by the decision notice in writing of the decision, and of the right of the person to have the decision reviewed.

Regulation 5.30 - No use or disclosure of authorised unlisted mobile number information by former research entities

Regulation 5.30 limits the use and disclosure of authorised unlisted mobile number information by a former research entity after the authorisation period ends or the entity is removed from an authorisation.

Subregulation 5.30(1) specifies that the regulation is made for the purposes of subparagraph 5.11(1)(c), which requires the ACMA to grant a research authorisation if it is reasonably satisfied, amongst the other criteria set out at subregulation 5.11(1), that each research entity covered by the authorisation will comply with the use and disclosure requirements of regulation 5.30 and regulation 5.31.

Subregulation 5.30(2) provides that the regulation applies in situations where an authorised research entity receives unauthorised unlisted mobile number information under an authorisation, and the authorisation subsequently ends or the research entity is removed from the authorisation.

Subregulation 5.30(3) provides that a former research entity must not record or use unlisted mobile number information, or disclose that information unless authorised or required by the ACMA to disclose that information to the ACMA or by any other law. The former research entity is also required to take all reasonable steps to destroy the information within 10 days after the authorisation ends or the former research entity is removed as the case requires.

Subregulation 5.30(4) requires the former research entity to disclose the information to the ACMA on request.

Regulation 5.31 - Use or disclosure of research information after end of research authorisation etc.

Regulation 5.31 limits the use and disclosure of research information by a former research entity after the authorisation period lapses or the entity is removed.

Once a research period ends or a research entity voluntarily withdraws from a research authorisation, those entities - former research entities - will be permitted to make a record of, or use, the research information relating to a contacted person where the information is de-identified and does not include the person's public number.

However, if a former research entity has been removed for contravention under regulation 5.28, the research entity will be prohibited from making a record of, using or disclosing research information. They will also be required to take all reasonable steps to destroy the research information.

Subregulation 5.31(1) provides that the regulation is made for the purposes of subregulation 5.11(1)(c), which requires the ACMA to grant a research authorisation if it is reasonably satisfied, amongst the other criteria set out at subregulation 5.11(1), that each research entity covered by the authorisation will comply with the use and disclosure requirements of regulations 5.30 and 5.31.

Subregulation 5.31(2) provides that if an authorised research entity has research information relating to a contacted person, and the authorisation ends or the entity is voluntarily removed under regulation 5.29, the entity must not make a record of, use or disclose the information unless it is de-identified and does not include the person's public number.

This allows former research entities that have complied with all conditions of the research authorisation to make effective use of the research information gathered, so long as it is de-identified. For instance, this provision will allow for the release of a report or the disclosure of a de-identified dataset to an entity not covered by the research authorisation for a different or subsequent purpose.

Subparagraphs 5.31(3)(a) - (b) prohibit a former research entity who is removed under subregulation 5.28 from using, disclosing or recording any research information it has relating to a contacted person. Regulation 5.28 allows the ACMA to remove an authorised research entity from a research authorisation if it is satisfied that a condition of any research authorisation covering that entity has been contravened. Subregulation 5.33(3)(c) requires that such a former research entity take all reasonable steps to destroy the information within 10 days of its removal from the authorisation.

The effect of this provision is that an entity who is removed by the ACMA for contravention of an authorisation condition - for instance non-compliance with the Privacy Act 1988 - will be prevented from making use of any research information that they have obtained. Non-compliant research entities will forfeit any research information they have obtained in the event of a breach of a condition in an authorisation. This provision encourages compliance with the conditions of a research authorisation.

Subdivision 5.2.6 - Review of decisions

Regulation 5.32 - Decisions that may be subject to reconsideration by the ACMA

Regulation 5.32 provides for the review of decisions by the ACMA. Persons dissatisfied with an ACMA decision to: not grant a research authorisation; to grant a research authorisation subject to additional conditions; to specify additional conditions to which an authorisation is subject; vary an additional condition; remove an entity from an authorisation; or not voluntarily remove an entity from an authorisation, may request a review of the decision. A request must be in writing, in a form approved by the ACMA and must set out the reasons for the request. To ensure that such requests are made in a timely way, the regulations specify that the request must be made within 28 days from when the decision was made.

Regulation 5.33 - Reconsideration by the ACMA

Regulation 5.33 specifies that upon receipt of a request under regulation 5.32, the ACMA must reconsider the decision and either affirm, vary or revoke the decision. Before making a decision on reconsideration the ACMA may consult with any person or body considered appropriate. The ACMA must notify the applicant in writing of its decision and provide reasons.

The note after subregulation 5.33(4) references section 27A of the Administrative Appeals Tribunal Act 1975. Section 27A of that Act requires that a person who makes a reviewable decision, such as the ACMA in this case, take such steps as are reasonably necessary to give any person whose interests are affected by the decision notice in writing of the decision, and of the right of the person to have the decision reviewed.

Regulation 5.34 - Deadlines for reconsiderations

Regulation 5.34 provides that the ACMA's original decision is taken to be affirmed 90 days after receiving a request, if it does not make a decision on the request in subregulation 5.33(1) before then.

Regulation 5.35 - Review by the Administrative Appeals Tribunal

Regulation 5.35 provides for review of an ACMA decision by the Administrative Appeals Tribunal.

Regulation 5.33 provides for the initial review of a decision by the ACMA to: not grant a research authorisation; to grant a research authorisation subject to additional conditions; to specify additional conditions to which an authorisation is subject; vary an additional condition; remove an entity from an authorisation; or not voluntarily remove an entity from an authorisation. Upon receipt of an application to review a decision under regulation 5.32, regulation 5.33 requires that the ACMA either affirm, vary or revoke the decision.

Where the ACMA affirms or varies a decision under regulation 5.33, regulation 5.35 provides for a review of that decision by application to the Administrative Appeals Tribunal.

Subdivision 5.2.7 - Offences

Regulation 5.36 - Offences of contravening a condition etc.

Regulation 5.36 establishes strict liability offences for certain contraventions that carry a maximum penalty of 10 penalty units.

The offence in subregulation 5.36(1) is triggered if an authorised research entity covered by a research authorisation contravenes any condition of the authorisation other than regulation 5.19, which makes compliance with the Privacy Act 1988 a condition of an authorisation. For entities that are subject to the Privacy Act 1988, there is an enforcement regime in place for contravention of that Act.

The Privacy Act 1988 contains civil penalty provisions for interference with an individual's privacy and breach of the Australian Privacy Principles. It also confers a range of investigatory and enforcement powers on the Privacy Commissioner. These include powers to investigate a matter following a complaint or via a 'Commissioner Initiated Investigation', as well as the power to seek injunctions, enforceable undertakings and civil penalty orders.  

The offence in subregulation 5.36(2) deals with authorised research entities that are not covered by the Privacy Act 1988 and therefore not captured by the enforcement regime in that Act. The offence is triggered where an authorised research entity contravenes regulation 5.19 - by breaching an Australian Privacy Principle or registered APP code - and that entity is either a registered political party or the act done to contravene regulation 5.19 is an exempt act under section 7C of the Privacy Act 1988. This provision ensures that there are consequences for a breach of the Australian Privacy Principles by entities that are not typically covered by the Privacy Act 1988.

The offence in subregulation 5.36(3) is triggered where a former research entity contravenes the use and disclosure provisions relating to authorised unlisted mobile number information in subregulation 5.30(3) or (4). Subregulation 5.30(3) prohibits a former research entity from using or disclosing authorised unlisted mobile number information once the authorisation has ended and subregulation 5.30(4) requires that a former research entity disclose that information to the ACMA if the ACMA requests it.

The offence in subregulation 5.36(4) is triggered where a former research entity contravenes the use and disclosure provisions relating to research information in subregulation 5.31(2) or (3). If an authorisation ends or an entity is voluntarily removed from an authorisation under regulation 5.29, subregulation 5.31(2) prohibits the entity from using or disclosing authorised research information unless that information is de-identified and does not contain a contacted person's public number. Where an entity is involuntarily removed from an authorisation under regulation 5.28, subregulation 5.31(3) prohibits the entity from using or disclosing that information and requires that it take all reasonable steps to destroy it within 10 business days of their removal.

 

Attachment B

Statement of Compatibility with Human Rights

Prepared in accordance with subsection 9(1) of the Human Rights (Parliamentary Scrutiny) Act 2011

Telecommunications Amendment (Access to Mobile Number Information for Authorised Research) Regulations 2018

The regulations are compatible with human rights, being the rights and freedoms recognised or declared by the international instruments listed in subsection 3(1) of the Human Rights (Parliamentary Scrutiny) Act 2011 as they apply to Australia.

Overview of the Amendments

The Integrated Public Number Database (IPND) is maintained by Telstra Corporation Limited (Telstra) under clause 10 of the Carrier Licence Conditions (Telstra Corporation Limited) Declaration 1997. The IPND is a centralised database containing records of Australian public telephone numbers and associated customer details.

The information in the IPND includes customer name, address, phone number, whether the service is fixed or mobile, whether the service is listed or unlisted, and details about the telecommunications company providing the customer with the service.

The data contained in the IPND may only be accessed from Telstra for approved purposes as specified in Telstra's Carrier Licence Conditions, or as allowed by Part 13 of the Act.

The Telecommunications Amendment (Access to Mobile Number Information for Authorised Research) Regulations 2018 (the Regulations) seek to improve the access of authorised research organisations to unlisted mobile number information and associated postcode data in the IPND, for specific permitted research purposes.

Research entities are presently unable to access unlisted mobile number information or associated postcode information from the IPND for research purposes, which has resulted in costly and randomly generated non-geographically tagged sampling. The Regulations will allow research entities to access unlisted mobile phone numbers and their associated postcodes located in the IPND for specific research purposes as prescribed in the research entity's research authorisation in order to better target research.

Privacy protections similar to those that apply in relation to listed numbers will apply to mobile number information.

Human rights implications

Having considered the likely impact of the amendments and the nature of the applicable rights and freedoms, it has been determined that the amendments engage the right to privacy in Article 17 of the International Covenant on Civil and Political Rights (the ICCPR).

Right to privacy - Article 17 ICCPR

Article 17 of the ICCPR provides for the right to protection against arbitrary and unlawful interferences with privacy. It states that:

1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

2. Everyone has the right to the protection of the law against such interference or attacks.

Article 17 prohibits arbitrary or unlawful interference with an individual's privacy, family, home or correspondence. Non-arbitrary interference, and some limitations provided by law, are permissible. In order for a limitation to be deemed non-arbitrary, it must pursue a legitimate objective and must be reasonable, necessary and proportionate.

 

Article 17 does not set out the reasons for which the guarantees in it may be limited. However, limitations contained in other articles, for example, those which are necessary in a democratic society in the interests of national security, public order, the protection of the rights or freedoms of others, might be legitimate objectives in appropriate circumstances. In any event, limitations on privacy must be authorised by law and must not be arbitrary. Robust research is in the public interest, and can justify a limitation on the right to privacy.

 

Collecting, using, storing, disclosing or publishing personal information amounts to an interference with privacy. In order for the interference with privacy not to be 'arbitrary', any interference with privacy must be in accordance with the provisions, aims and objectives of the ICCPR and should be reasonable in the particular circumstances. Reasonableness, in this context, incorporates notions of proportionality, appropriateness and necessity.

 

Under the Regulations, limited data contained within the IPND would be made available to a research entity through an authorisation scheme administered by the Australian Communications and Media Authority (ACMA). Research entities will only be permitted to access authorised unlisted mobile numbers and postcode data from the IPND Manager, Telstra, with a valid authorisation. Other personal identifying information will not be disclosed by the IPND Manager. The use and disclosure of the unlisted mobile number information is confined to the purposes set out in the authorisation. At the conclusion of a research authorisation, that information must be destroyed. Any resultant research information must be de-identified before being further used or disclosed.

 

Research entities will be subject to a range of obligations that seek to limit the impact on the privacy of individuals. These safeguards are outlined below:

 

* Research entities will be required to apply to the ACMA for a research authorisation prior to accessing information from the IPND. Research authorisations will prescribe the kind or kinds of unlisted mobile number information being sought and the reasons for seeking the information (regulation 5.8);

* Research authorisations must be accompanied by a privacy impact assessment (PIA) (regulation 5.8);

* The ACMA may take a range of matters into account when considering whether to grant a research authorisation, including the practices, procedures, processes and systems the applicant has in place, or intends to put in place, to comply with the conditions of the authorisation. The ACMA will also have the authority to specify each research entity that would be able to access IPND information when deciding whether to grant a research authorisation. The ACMA will be permitted to take into account the previous conduct of all entities listed in the application and the extent to which each entity has complied with the conditions of any previous IPND Scheme authorisation granted to it (regulation 5.11);

* Research entities must be covered by the Privacy Act 1988. Entities that are exempt from that Act must comply with the Australian Privacy Principles or a registered APP code. The ACMA must have regard to the extent to which the applicant's collection, use and disclosure of personal information has complied with the Privacy Act (regulation 5.11(2));

* Research entities will be bound by the conditions set out in an authorisation (regulation 5.12);

* Research authorisations will be limited to a period specified by the ACMA which can be no greater than 12 months. Research entities will be required to re-apply for an authorisation after this period (regulation 5.12);

* Research entities will be prohibited from using and disclosing authorised unlisted mobile number information for purposes that are not listed in the research authorisation or after the authorisation period has lapsed (regulations 5.17, 5.30 and 5.31) unless otherwise required by law;

* Research entities will be covered by, and be required to comply with, the Privacy Act 1988, for the period of their research authorisation. Research entities must comply with the Privacy Act 1988 and registered political parties must comply with the APPs or a registered APP code if personal information is collected, used or disclosed for the purpose of authorised research (regulation 5.19);

* Research entities must seek the account holder's consent at the beginning of a call, and inform the account holder of their right to withdraw consent at any time during the call (regulation 5.20);

* Research entities must have internal dispute resolution procedures in place to address complaints from account holders about the use or disclosure of their information, or any research information collected during a call (regulation 5.20);

* Research entities will be required to notify the ACMA of any contravention of a condition of a research authorisation as soon as reasonably practicable and take reasonable steps to minimise the effects of the contravention (regulation 5.25);

* Former research entities will be prohibited from using or disclosing authorised unlisted mobile number information once the authorisation period ends. Former research entities will not be permitted to make a record of, or use, the authorised unlisted mobile number information. Research entities must take all reasonable steps to destroy the unauthorised mobile number information once the authorisation ends or the entity is removed from the research authorisation (regulation 5.30(3)); and

* Research entities will be subject to an offence of strict liability for contravening a condition of a research authorisation or the use and disclosure requirements for former research entities (subregulations 5.36(1)-5.36(4)).

Conclusion

To the extent the Amending Regulations engage the above listed human right, the Amending Regulations are compatible with that right because they are consistent with the right to privacy and contain strong privacy protections.

