TELECOMMUNICATIONS REGULATIONS 2021 (F2021L00289) EXPLANATORY STATEMENT

Issued by the authority of the Minister for Communications, Urban Infrastructure, Cities and the Arts

Telecommunications Act 1997

Telecommunications Regulations 2021

 

Purpose and operation of the Instrument

The Telecommunications Regulations 2021 (the Regulations) are made by the Governor-General under section 594 of the Telecommunications Act 1997 (the Act).

Section 594 provides that the Governor-General may make Regulations prescribing matters required or permitted to be prescribed by the relevant Acts, or necessary or convenient to be prescribed for carrying out or giving effect to the Act.

Subsection 33(3) of the Acts Interpretation Act 1901 relevantly provides that where an Act confers a power to make an instrument of a legislative character (including regulations) the power shall be construed as including a power exercisable in the like manner and subject to the like conditions to repeal, rescind, revoke, amend, or vary any such instrument.

The Regulations are a legislative instrument for the purposes of section 8 of the Legislation Act 2003.

The purpose of the Regulations is to repeal and remake the Telecommunications Regulations 2001 (the old regulations) in substance, noting that minor changes and additions have been made to reflect current drafting practice and to update a limited number of existing definitions. The old regulations are due to sunset on 1 April 2021.

Consistent with the object of the Act, the intention of the Regulations is to be part of the Australian telecommunications regulatory framework promoting:

(a)  the long-term interests of end-users of carriage services or of services provided by means of carriage services; and

(b)  the efficiency and international competitiveness of the Australian telecommunications industry; and

(c)  the availability of accessible and affordable carriage services that enhance the welfare of Australians.

These amended Regulations will maintain, wherever possible, the greatest practicable use of industry self-regulation, without the imposition of undue financial and administrative burden on participants in the Australian telecommunications industry.

Part 1 of the Regulations sets out preliminary matters, such as the title of the Instrument, and the authority under which it is made. The Part also defines key terms used throughout the Regulations, inserting new definitions of mobile carriage service provider, premium content service, and proprietary network.

Part 2 specifies a range of matters in relation to which the Australian Communications and Media Authority (ACMA) may make a service provider determination, and these cover prepaid mobile carriage services; premium services; fixed or mobile voice or data carriage services; and information relating to the telecommunications industry.

Part 3 provides for several exceptions to the rule under section 115 of the Act which precludes industry codes and industry standards from dealing with certain design features and performance requirements relating to the unconditioned local loop service and the management of next-generation broadband networks.

Part 4 sets out three specific exceptions to the use and disclosure offences in Part 13 of the Act. These exceptions relate to:

- disclosure of protected information where the disclosure is to a provider of the National Relay Service (NRS);

- the disclosure by the IPND Manager of an unlisted mobile number (a form of protected information) to an authorised research entity (including the rules for the issuance of research authorisations etc); and

- the disclosure of protected information by emergency call persons--research about emergency service numbers.

Part 5 specifies additional kinds of carriage services, ancillary goods and ancillary services for which standard agreements are required.

Part 6 deals with several matters related to the carrier powers and immunities regime under Schedule 3 to the Act, namely listing the international agreements for the purposes of the definition of 'listed international agreement' under Schedule 3 to the Act and specifying the maximum distance for designated overhead lines.

Part 7 contains several application, saving and transitional provisions that are necessary as a consequence of the repeal of the sunsetting regulations.

The Schedule to the Regulations repeals the sunsetting regulations.

Under Division 13 of the Act, the sunsetting regulations contained an infringement notice scheme under Part 6. Infringement notices will now fall under the primary legislation.

The relevant provisions of Part 21 of the Act are all offences. This means, in the absence of infringement notices, the ACMA is limited in its enforcement action. However, historically the ACMA has made limited use of the infringement notice scheme.

The notes on the provisions of the new Regulations are set out in Attachment A.

Consultation

The Department of Infrastructure, Transport, Regional Development and Communications (the Department) has reviewed and assessed the performance of the Regulations in consultation with key stakeholders. The Department sought comments from the Australian Communications and Media Authority (ACMA), the Australian Communications Consumer Action Network (ACCAN), the Australian Competition and Consumer Commission (ACCC), Communications Alliance, as well as major telecommunications operators, including Telstra, Optus, Vocus and TPG.

The review and input received revealed the ongoing utility of the existing Regulations as well as the need for certain aspects of the Regulations to be clarified and updated.

Regulation impact assessment

The Office of Best Practice Regulation has assessed that remaking the instrument without substantial changes is not likely to have more than a minor and/or machinery regulatory impact on business, community organisations and individuals. As such, a RIS is not required. The OBPR reference number is 43405.

Statement of Compatibility with Human Rights

A statement of compatibility with human rights for the purposes of Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 is set out at Attachment B.


Attachment A

Notes on the provisions of the new Regulations

Part 1 - Preliminary

Section 1 - Name

This section provides for the Regulations to be cited as the Telecommunications Regulations 2021.

Section 2 - Commencement

Section 2 provides for the commencement of the Regulations. It provides that the whole of the instrument commences on the day after the instrument is registered on the Federal Register of Legislation.

Section 3 - Authority

Section 3 provides that the authority for the Regulations is the Telecommunications Act 1997 (the Act). Section 594 provides that the Governor-General may make Regulations prescribing matters required or permitted to be prescribed by the Act, or necessary or convenient to be prescribed for carrying out or giving effect to the Act.

Subsection 33(3) of the Acts Interpretation Act 1901 relevantly provides that where an Act confers a power to make an instrument of a legislative character (including regulations) the power shall be construed as including a power exercisable in the like manner and subject to the like conditions to repeal, rescind, revoke, amend, or vary any such instrument. The Regulations repeal the Telecommunications Regulations 2001 (sunsetting regulations).

Section 4 - Schedules

Section 4 specifies that each instrument is amended or repealed as set out in the applicable items. There is one Schedule to the Regulations. Schedule 1 sets out the sunsetting regulations. The effect of this section is that the sunsetting regulations in force immediately before the Regulations commence are repealed.

Section 5 - Definitions

Section 5 defines terms used in the Regulations. In particular, it provides amended or new descriptions of a mobile carriage service provider, premium content service, and proprietary network.

Act means the Telecommunications Act 1997.

Australian Parliament means the Parliament of the Commonwealth, a Parliament of a State or a Legislative Assembly of a Territory.

authorised law enforcement officer means an authorised officer (within the meaning of the Telecommunications (Interception and Access) Act 1979) of a criminal law-enforcement agency (within the meaning of that Act).

authorised research, under a research authorisation, means a kind or kinds of permitted research to which the authorisation applies (see paragraph 22(2)(b)).

authorised research entity is defined to mean an entity referred to in paragraph 22(2)(a).

authorised unlisted mobile number information, in relation to an authorised research entity, means unlisted mobile number information to which the research authorisation covering the entity applies.

breach:

(a)    in relation to an Australian Privacy Principle, has the meaning given by section 6A of the Privacy Act 1988; and

(b)   in relation to a registered APP code, has the meaning given by section 6B of that Act.

Commonwealth entity has the same meaning as in the Public Governance, Performance and Accountability Act 2013; which is, a Department of State; a Parliamentary Department; a listed entity (as prescribed); a body corporate that is established by a law of the Commonwealth; or a body corporate that is established under a law of the Commonwealth (other than a Commonwealth company) and is prescribed by an Act or the rules to be a Commonwealth entity.

contacted person has the meaning given in subsection 30(2).

For the purposes of the Regulations, the following entities are considered to be covered by the Privacy Act:

(a)    an organisation within the meaning of the Privacy Act 1988;

(b)   a small business operator (within the meaning of that Act) that has chosen to be treated as an organisation under section 6EA of that Act.

 

de-identified: research information in relation to a contacted person is de-identified if the information:

(a)    does not identify, or no longer identifies, the contacted person; and

(b)   is not reasonably capable, or is no longer reasonably capable, of being used to identify the contacted person.

 

electoral matter means a matter which is intended or likely to affect voting in:

(a)    an election to an Australian Parliament or to a local government authority; or

(b)   a referendum under a law of the Commonwealth or a law of a State or Territory.

 

former authorised research entity has the meaning given under paragraph 40(2)(a).

identifying number of a government document means the unique identifying number of a document that is issued by the Commonwealth or a State or Territory (such as a driver licence, Medicare card or passport). A receipt number or transaction number (such as a transaction number issued by the national Document Verification Service); or an Australian Business Number, Australian Company Number or Australian Registered Body Number are expressly excluded from being 'identifying number of a government document'.

integrated public number database (IPND) means the database maintained by Telstra as mentioned in Part 4 of Schedule 2 to the Act.

IPND Scheme authorisation means an authorisation granted under the integrated public number database scheme.  The IPND Scheme is enabled under section 295A of the Telecommunications Act 1997 and is provided for in the Telecommunications Integrated Public Number Database Scheme 2017.

legacy service has the meaning given under subsection 13(3).

local government authority means a body established for the purposes of local government by or under a law of a State or a Territory.

mobile carriage service provider means:

(a)    a carriage service provider who supplies a customer with a public mobile telecommunications service; or

(b)   a carriage service intermediary who arranges for the supply by a carriage service provider to a customer of a public mobile telecommunications service.

Note: For the purposes of this definition, a 'customer' is the individual who enters into the contract (and is ostensibly responsible for payments) with a service provider. An 'end-user' is anyone who accesses that service (i.e. family or friends of the customer). This is consistent with the usage of the terms in s32 of the Act.

 

National Relay Service has the same meaning as in the Telecommunications (Consumer Protection and Service Standards) Act 1999.

next-generation broadband service has the meaning given under subsection 13(2).

permitted research has the meaning given under section 6.

personal information has the same meaning as in the Privacy Act 1988. That is, information or an opinion about an identified individual or an individual who is reasonably identifiable - whether the information or opinion is true or not - and whether the information or opinion is recorded in a material format or not.

political representative means:

(a)    a member of an Australian Parliament; or

(b)   a councillor (however described) of a local government authority.

 

post-paid carriage service has the meaning given under subsection 8(3).

premium content service is defined to mean a content service if a charge for the supply of the service is:

(a)      expected to be included in a bill sent to a customer of a mobile carriage service provider by or on behalf of that provider; or

(b)      payable by a customer of a mobile carriage service provider to that provider or any person acting on behalf of that provider in advance; or in any other manner.

 

premium service has the meaning given under subsection 9(2).

prepaid mobile carriage service has the meaning given under subsection 8(2).

proprietary network means a telecommunications network used by a mobile carriage service provider that enables customers of the provider to access a premium content service by way of a mobile device where the service is not otherwise generally available.

public number has the same meaning as in section 472 of the Act; that is, a number specified in the numbering plan.

registered APP code has the same meaning as in the Privacy Act 1988. An APP code is a written code of practice about information privacy under section 26C of that Act. A registered APP code is one that is included on the Codes Register established under section 26U of that Act and is in force.

registered political party has the same meaning as in the Commonwealth Electoral Act 1918; that is, a political party registered under Part XI of that Act.

research authorisation means an authorisation granted under subsection 21(1).

research employee, in relation to an authorised research entity, means an individual employed or engaged by the entity to conduct authorised research under a research authorisation.

research entity has the meaning given under subsection 18(2).

research information, in relation to a contacted person, means any information obtained from the person when the person is contacted by an authorised research entity for the purposes of authorised research under a research authorisation.

service provider determination has the same meaning as in section 99 of the Act.

unconditioned local loop service has the meaning given under subsection 12(2).

unlisted mobile number information is defined to be information that:

(a)    is contained in the integrated public number database; and

(b)   relates to a person's mobile number that is unlisted and that the database indicates is not used for government, business or charitable purposes; and

(c)    consists only of the number and/or the postcode of the person's address.

Section 6 - Meaning of permitted research

Section 6 introduces a definition of permitted research which is used under research authorisations in section 21 of the Regulations.

Subsection 6(1) defines the reasons by which research is permitted under the Regulations.

Research is permitted research if the research is relevant to public health, including epidemiological research; or the research relates to an electoral matter and is conducted by or for one of the following:

(a)    a registered political party; or

(b)   a political representative; or

(c)    a candidate in an election for an Australian Parliament or a local government authority.

Permitted research also applies if the research will contribute to the development of public policy and is conducted by or for the Commonwealth or a Commonwealth entity.

The intent of this definition is to limit the kinds of research for which the ACMA may grant a research authorisation, and in turn the kinds of research for which access to unlisted mobile number information in the IPND may be granted. The kinds of research specified in this regulation mirror those provided in the Telecommunications (Integrated Public Number Database - Permitted Research Purposes) Instrument 2017 (IPND Instrument); that is, the research purposes for which access to information about listed numbers is already available.

The ACMA can authorise research which is relevant to public health, including epidemiological research. Any person can be authorised to access information from the IPND to conduct that type of research. However, an authorisation can only be granted to the class of person specified in subsection 5(1) to undertake research relating to an electoral matter or to the development of public policy. These constraints mirror those provided in the IPND Instrument.

Subsection 6(2) specifies when research will not be permitted research for the purposes of the Regulations. This provision is intended to ensure that a research entity is prohibited from accessing information in the IPND under a research authorisation primarily for a commercial purpose. However, the provision is intended to allow a research entity that is conducting research on behalf of another person or body to obtain financial benefit in return for providing the research services (such as payment for the service of carrying out the research).

Part 2 - Service provider determinations

Part 2 specifies matters in relation to which the ACMA may make a service provider determination for the purposes of section 99(3) of the Act. Under section 99, the ACMA may, by legislative instrument, make a service provider determination setting out rules that apply to service providers in relation to the supply of specified carriage services and specified content services.

However, the ACMA must not make a service provider determination unless the determination relates to a matter specified in regulations or in section 346 of the Act.

Section 7 - Purpose of this Part

Part 2 of the Regulations sets out those matters in relation to which service provider determinations may be made, namely: prepaid mobile carriage services; premium services; fixed or mobile voice or data carriage services; and information relating to the telecommunications industry.

Section 8 - Prepaid mobile carriage services

Subsection 8(1) specifies six matters in relation to which service provider determinations about the supply of prepaid mobile carriage services may relate.

The first matter is verifying customer identity (including by obtaining from the customer reasonably necessary information; using the National Document Verification Service or a similar service to check the veracity of a document produced by the customer; and finding out what other carriage services are provided to the customer).

The second matter is obtaining information from the customer about the customer's proposed use of the prepaid mobile carriage service. The third matter is recording and keeping the following types of information:

(a)    information verifying customer identity (but not including the identifying number of a government document);

(b)   information about what the customer proposes to use the service for; and

(c)    information that the carriage service provider possesses about the supply of the prepaid carriage service to the customer.

The fourth matter is destroying information that is recorded if the destruction is reasonable, including destruction when the information is no longer required by the carriage service provider.

The fifth matter is preventing the use of a prepaid mobile carriage service if:

(a)    a customer fails to verify their identity (including by providing false or misleading information); or

(b)   an authorised law enforcement officer gives the carriage service provider a written request to prevent a person using a prepaid mobile carriage service that states that action is necessary for a purpose in subsection 313(3) or (4) of the Act. (Note: Section 313 of the Act sets out purposes for which carriage service providers have a duty to give officers and authorities of the Commonwealth and the States and Territories such help as is reasonably necessary).

The sixth matter is advising customers of the effect of the service provider determination.

Subsections 8(2) and 8(3) provide definitions for 'prepaid mobile carriage service' and 'post-paid carriage service'. These definitions are based on (with some minor modification) those contained in the Telecommunications (Service Provider -- Identity Checks for Prepaid Mobile Carriage Services) Determination 2017.

Prepaid mobile carriage services are public mobile telecommunications services for which payment is made before the service is used (unless the supplier does not require payment for the initial supply of the service). Post-paid carriage services are public telecommunications services provided by a carrier to a customer before payment for the supply of the service is made. The supply occurs when the customer has arranged with the carriage service provider to pay an amount notified in an invoice, or instalments of fixed amounts at regular intervals, for the supply of the service.

Section 9 - Premium services

Subsection 9(1) provides that a service provider determination in relation to the supply of premium services may relate to the following matters:

(a)    the terms and conditions on which premium services are offered or supplied;

(b)   the liability of a customer in respect of the supply of premium services;

(c)    the limitation of the liability of a customer in respect of the supply of premium services;

(d)   the obligation of a service provider to notify customers about matters relating to premium services;

(e)    the advertising of premium services;

(f)    restrictions on access to premium services, or on access to a particular number used in the supply of premium services supplied using a carriage service provider's service;

(g)   the barring of calls to premium services, or of calls to a particular number used in the supply of premium services;

(h)   the establishment of a registration scheme for service providers that are involved in the supply of premium services;

(i)     the obligations of a carriage service provider in respect of premium services;

(j)     the prohibition or restriction of the imposition or collection of charges relating to the supply of carriage services or other services used in the supply of premium services;

(k)   the issue of bills or accounts relating to the supply of carriage services or other services used in the supply of premium services;

(l)     a matter relating to the supply of premium services used to access an internet service.

Subsection 9(2) defines 'premium service' as any of: a carriage service or content service using a number with a prefix of 190, 191, 193, 194, 195, 196, 197 or 199; a carriage service used to supply a content service or another service by way of a voice call (including a call using a recorded or synthetic voice) using a number that includes an access specified for use with an international service in the numbering plan; a public mobile telecommunications service that enables an end-user to access a proprietary network.

Section 10 - Fixed or mobile voice or data carriage services

Subsection 10(1) provides that a service provider determination may relate to the interests that customers (including prospective customers) have in relation to the supply of standard telephone services, public mobile telecommunications services and carriage services that enable customers to access the internet.

Subsection 10(2) provides that, without limiting subsection 10(1), a service provider determination relating to those services may include rules about: advertising, marketing and promotion; notifying customers about types and terms of services available (including prices); enabling customers to monitor the accumulation of charges; disconnection of services; and dealing with complaints.

Section 11 - Information relating to the telecommunications industry

Section 11 provides that a service provider determination may relate to information relating to the telecommunications industry that a carriage service provider must publish or distribute, and the way that information must be published or distributed.

Part 3 - Industry codes and industry standards

Part 6 of the Telecommunications Act 1997 allows bodies and associations that represent sections of the telecommunications industry to develop industry codes that may be registered by the ACMA.

Subsection 115(1) of the Act ensures that if an industry body develops a code or the ACMA makes a standard, which has the indirect effect of imposing requirements on industry members to design facilities or equipment in a certain way, then that code or standard has no legal effect. However, subsection 115(2) provides that the rule in subsection 115(1) does not apply in certain circumstances, including where matters are specified in the regulations.

The design features of the unconditioned local loop service and the management of interference caused by next-generation broadband systems are also matters specified in the Regulations.

Section 12 - Industry codes and industry standards not to deal with certain design features and performance requirements--exception relating to the unconditioned local loop service

Subsection 12(1) specifies three matters for the purposes of subparagraphs 115(2)(a)(iii) and (b)(iii) of the Act. The effect of the provision is that the rule in subsection 115(1) of the Act will not apply to an industry code or an industry standard to the extent to which compliance with the code is likely to have the indirect effect of requiring a telecommunications network or a facility to have particular design features, or to have the direct or indirect effect of requiring the network or facility to meet performance requirements, that relate to:

1.         interference between telecommunications systems operated using the unconditioned local loop service; or

2.         the health and safety of a person operating or working on a telecommunications network or facility that incorporates, or is used in connection with, the unconditioned local loop service; or

3.         the integrity of a telecommunications network or a facility that incorporates, or is used in connection with, the unconditioned local loop service.

This section enables industry bodies to develop and register industry codes that prescribe particular design features and minimum performance requirements for telecommunications networks and facilities operated by different service providers over the 'unconditioned local loop service', or for ACMA to make an industry standard covering such matters. The unconditioned local loop service is declared by the ACCC under subsection 152AL(3) of the Competition and Consumer Act 2010 to be a 'declared service'. It uses unconditioned (metallic) communications wire between the boundary of a telecommunications network at an end-user's premises and a point on a telecommunications network that is a potential point of interconnection located at or associated with a customer access module and located on the end-user side of the customer access module. A customer access module is a device that provides ring tone, ring current and battery feed to customers' equipment.

Section 13 - Industry codes and industry standards not to deal with certain design features and performance requirements--exception relating to next-generation broadband services

Subsection 13(1) specifies three matters for the purposes of subparagraphs 115(2)(a)(iii) and (b)(iii) of the Act. These matters are:

1.      interference between telecommunications systems being operated to supply any of the following:

    i.      next-generation broadband services;

    ii.      legacy services;

    iii.      any other carriage services supplied over twisted pair cables;

2.      the health and safety of a person operating or working on customer equipment, customer cabling, a telecommunications network or a facility that incorporates, or is used with, a next-generation broadband service;

3.      the integrity of customer equipment, customer cabling, a telecommunications network or a facility that incorporates, or is used with, a next-generation broadband service.

Subsection 13(2) sets out the definition of next-generation broadband service as any one of the following services:

(a)  VDSL (very high-speed digital subscriber line);

(b)  VDSL2;

(c)  VDSL2 with vectoring;

(d)  G.fast;

(e)  a service that uses a successor technology to any other next-generation broadband service.

Subsection 13(3) defines legacy service as any of the following services:

(a)  PSTN (public switched telephone network);

(b)  ADSL (asymmetric digital subscriber line);

(c)  ADSL2;

(d)  ADSL2+;

(e)  SHDSL (single pair high-speed digital subscriber line);

(f)  ISDN (integrated services digital network);

(g)  another service (other than VDSL) covered by the Communications Alliance Industry Code C559:2012 Unconditioned Local Loop Service (ULLS) Network Deployment, as registered by the ACMA on 16 May 2012 under section 117 of the Act.

 

Note: A copy of the Unconditioned Local Loop Service (ULLS) Network Deployment Rules Industry Code is available on the Communications Alliance Ltd website at:
www.commsalliance.com.au/Documents/all/codes/c559

This Code was registered by the ACMA on 16 May 2012. The Code was reconfirmed in 2018 and the next review is scheduled to occur in 2023.

 

This definition is intended to capture telephony or broadband carriage services that use twisted pair cables, that operate over the unconditioned local loop service and that operate at speeds below 25 Mbps.  The unconditioned local loop service typically operates between a telephone exchange and the end-user premises in the case of a single-dwelling unit, or the telephone exchange and the building basement in the case of a multi-dwelling unit.

The effect of subsection 13(2) is that an industry code or ACMA standard may, for example, set out performance requirements relating to the management of interference between competing next-generation or legacy services in a cable or cable bundle with a view to them operating at optimal performance levels. This could include, for example, requirements for affected systems to operate within certain frequency bands. For example, the code C658:2019 Next-Generation Broadband Systems Deployment in Customer Cabling is designed to prevent performance-degrading Unacceptable Interference within Customer Cabling that carries Legacy Systems (e.g. ADSL2+ technology) and/or Next Generation Broadband Systems (e.g. VDSL2 technology).

Part 4 - Protection of communications

The Privacy Act 1988 (Privacy Act) requires authorities to handle information in accordance with the Australian Privacy Principles. Exceptions to the use and disclosure of information outlined in this Part are restricted by limited circumstances and do not negate the ACMA's obligations under the Privacy Act.

Part 13 of the Act is directed at protecting the confidentiality of (among other things) personal information held by carriage service providers. The disclosure or use of such information is prohibited except in limited circumstances, such as for the purposes relating to the enforcement of the criminal law, assisting the ACMA to carry out its functions or powers, or providing emergency warnings. Part 13 also imposes a range of record-keeping requirements on carriage service providers in relation to authorised disclosure or use of information.

Division 1 - Exceptions to primary disclosure/use offences

Division 1 of Part 4 of the Regulations creates exceptions to the use and disclosure offences in Part 13 of the Act. Those offences are designed to apply to carriers, carriage service providers, number-database operators, emergency call persons and their respective associates and protect the confidentiality of information that relates to the contents of communications, carriage services supplied and the affairs and personal particulars of other people. The disclosure or use of protected information is authorised in limited circumstances (for example, disclosure or use for purposes relating to the enforcement of the criminal law).

Section 292 of the Act allows for regulations to be made specifying circumstances in which the offences in sections 276, 277 and 278 do not prohibit a disclosure or use of information or a document.

Section 14 - Disclosures to a National Relay Service Provider

The National Relay Service (NRS) assists Australians who are deaf, hard of hearing or have a speech impairment to communicate with voice callers.

Section 14 provides that section 276 of the Act does not prohibit the disclosure or use of information or a document if a carrier or carriage service provider provides it to a provider of the NRS, and the information or document relates to the use of the NRS by another person, and the disclosure or use is for the purpose of, or connected with, the supply of the NRS by the NRS provider to that other person.

Section 15 - Disclosures of unlisted mobile number information to authorised research entity

Section 15 provides that section 276 does not prohibit the manager of the Integrated Public Number Database (IPND Manager) from disclosing or using unlisted mobile number information to an authorised research entity. Provisions governing authorisations to access that information for research purposes are set out in Division 2 of Part 4 of the Regulations.

Section 16 - Disclosures by emergency call persons - research about emergency service numbers

Section 16 provides that section 278 of the Act does not prohibit the disclosure or use of information or a document if the information is disclosed by an emergency call person to a researcher engaged by the ACMA to research the way emergency service numbers are dialled and used. The information must be disclosed solely to conduct the research. The ACMA and the researcher must also agree in writing that the research must conclude within 12 months of commencement and the researcher will not use or disclose any information or document disclosed except to conduct the research. The exception does not authorise the disclosure or use of information or a document more than 12 months after the researcher starts the research.

Division 2 - Research authorisations

Subdivision A - Introduction

Section 17 - Simplified outline of this Division

Section 17 provides a simplified outline of the Division.

The use and disclosure of information contained in the IPND is regulated under Part 13 of the Act. Part 13 of the Act includes exceptions to these general prohibitions, including subsection 292(1) of the Act, which provides that where circumstances are specified in regulations, section 276 does not prohibit the disclosure or use of information in the IPND. Section 285 of the Act contains a further exception for the disclosure, to certain recipients, of IPND information, other than information relating to an unlisted telephone number, including for conducting research of a kind specified by the Minister in a legislative instrument.

Division 2 of Part 4 of the Regulations sets out an exception to the general use and disclosure offences in Part 13 of the Act to allow for the disclosure of unlisted mobile telephone numbers and their associated postcode recorded in the IPND for certain research purposes.

This enables authorised research entities to more effectively sample mobile and mobile-only users and in turn a representative cross-section of the community.

The IPND is an industry-wide database containing information relating to all public telephone numbers (both listed and unlisted) and associated customer information, including name and address information. It also includes information such as whether the number or address is to be listed in a public number directory, and whether the number is used for residential, business, government or charitable purposes.

The IPND is maintained by Telstra Corporation Limited (Telstra) under section 10 of the Carrier Licence Conditions (Telstra Corporation Limited) Declaration 2019. All carriage service providers that supply carriage services to customers that have public numbers are obliged to provide customer information to Telstra for inclusion in the IPND.

Subdivision B - Application for, and grant of, research authorisations

Section 18 - Applying for research authorisations

Section 18 allows a person to apply for a research authorisation in writing. The application must specify each person to be covered by the authorisation (i.e. the section allows for authorisations to cover multiple persons), the kind/s of unlisted mobile number information being sought, the kind/s of research for which the unlisted mobile number is sought and reasons as to why the information has been sought. An application must be accompanied by the applicable charge (if any) determined by the ACMA under section 60 of the Australian Communications and Media Authority Act 2005, and a completed privacy impact assessment approved by the ACMA.

Section 19 - ACMA may request further information

Section 19 empowers the ACMA to request, in writing, that a research entity specified in an application for a research authorisation provide further information in relation to the application for a research authorisation. If that entity does not provide the further information within 90 days of the request being made, the ACMA may treat the application as if the relevant research entity was not specified in the application.

The intent of section 19 is to create an incentive for persons covered by an application for an authorisation to provide information requested by the ACMA promptly. If that information is not provided within a 90-day timeframe, then the authorisation process can continue to proceed in relation to other persons specified in the application.

A request made by the ACMA pursuant is not a legislative instrument, see item 4 of the table in subsection 6(1) of the Legislation (Exemptions and Other Matters) Regulation 2015.

Section 20 - ACMA may consult

Section 20 allows the ACMA to consult with any person or body that the ACMA considers appropriate before granting a research authorisation. This could include, for example, consultation with statutory office-holders like the Privacy Commissioner in relation to privacy-related matters (see paragraph 21(2)(d), which requires the ACMA to have regard to the extent to which an entity's collection, use and disclosure of personal information has complied with, or is consistent with, the Privacy Act).

Section 21 - Research authorisations

Section 21 specifies that the ACMA must grant a research authorisation if, following the making of an application in accordance with the requirements set out in section 18, the ACMA is reasonably satisfied of certain specified matters.

The ACMA must be reasonably satisfied that the kind/s of research proposed by the applicant is permitted research. This means that the research for which the information can be disclosed must be either research relating to public health, an electoral matter, or research that contributes to the development of public policy.

The ACMA must also be reasonably satisfied that the research entity will comply with the conditions of the authorisation, including any additional conditions specified by the ACMA.

The ACMA must also be satisfied that each research entity will comply with the use and disclosure prohibitions imposed on former research entities when an authorisation ends or entities are removed.

The note after subsection 21(1) clarifies that where the ACMA decides not to grant an authorisation, a research entity or any other person affected by the decision may request that the ACMA reconsider its decision pursuant to section 42.

Subsection 21(2) sets out the factors which the ACMA must have regard to in determining whether a research entity will comply with the conditions of an authorisation, as required by paragraph 21(1)(b).

Paragraph 21(2)(a) requires the ACMA to have regard to the practices, procedures, processes and systems the entity has in place, or intends to put in place, to comply with the conditions of the authorisation. For example, it is a condition of an authorisation that an authorised research entity comply with the Privacy Act 1988 where it collects, uses or discloses personal information about an individual for the purposes of authorised research. Pursuant to paragraph 21(2)(a), in considering if the entity will comply with section 28, the ACMA may have regard to the specific information management procedures an entity has in place to control and track the use and disclosure of personal information. The ACMA could also have regard to the information security practices and technical systems that an entity has in place to ensure it can comply with Australian Privacy Principle 11 - security of personal information. APP 11 requires an entity to take such steps as are reasonable to protect personal information from misuse, interference and loss and from unauthorised access, modification or disclosure.

Where an entity has previously been covered by a research authorisation, paragraph 21(2)(b) requires the ACMA to have regard to the extent to which the entity has complied with, or is complying with, the conditions of that authorisation.

Paragraph 21(2)(c) requires the ACMA to have regard to the extent to which the entity has complied with, or is complying with, the conditions of any IPND authorisation that it has been granted.

Paragraph 21(2)(d) requires the ACMA to have regard to the extent to which the entity's collection, use and disclosure of personal information has complied with, or is consistent with, the Privacy Act. This criterion applies regardless of whether that Act normally applies to the entity (including registered political parties and other entities that are normally exempt under section 6C of that Act). The sections have been designed to allow the ACMA to consult with others, including the Privacy Commissioner, in relation to this criterion (section 20 refers).

Subsection 21(3) requires that, where an entity has previously been covered by a research authorisation, the ACMA must have regard to past compliance with the use and disclosure prohibitions under section 40 or 41.

Subsection 21(4) makes it clear that subsections 21(2) and 21(3) do not limit the matters to which the ACMA may have regard when considering whether to grant a research authorisation.

Subsection 21(5) provides that, for the purposes of Subdivision F (review of decisions), if the ACMA does not make a decision on the application within the period specified in subsection 21(6) (detailed below) the ACMA is taken to have decided not to grant the authorisation.

Subsection 21(6) specifies the period referenced in subsection 20(5) as the period that ends the later of 90 days after receiving the application. If the ACMA has requested further information about an application under subsection 19(1), the period referenced in subsection 21(5) is 90 days after the end of the period for compliance with the last request made under that subsection.

Section 22 - Content of research authorisations

Section 22 specifies the form and content of research authorisations granted by the ACMA. The ACMA's authorisation must be in writing (subsection 21(1)), noting that a research authorisation is not a legislative instrument. The authorisation must specify each research entity covered by the authorisation, the kind/s of research to which the authorisation applies, and the kind/s of unlisted mobile number information that may be disclosed to the research entity - that is, whether the research entity will receive only the number, or both the number and postcode (subsection 21(2)). A research authorisation is not a legislative instrument (see item 4 of the table in subsection 6(1) of the Legislation (Exemptions and Other Matters) Regulation 2015).

Subsection 22(3) provides that a research authorisation must specify the period that the authorisation is in effect. This period starts on the day Telstra first discloses authorised unlisted mobile number information to an authorised research entity covered by the authorisation and ends no later than 12 months afterwards. However, research authorisations can have a duration of less than 12 months.

Subsection 22(4) provides that the ACMA may specify conditions additional to those specified in Subdivision C to which the authorisation is subject. This provision allows the ACMA to impose specific conditions tailored to the particular research activity, in order to both support effective research and protect personal information. For example, the ACMA could specify conditions relating to information management, security or handling procedures that an entity must adhere to in relation to the personal information it will collect during its research activity. Such conditions could be used where a proposed research activity might collect particularly sensitive personal information such as health information.

Note 1 after subsection 22(4) indicates that an authorised research entity can request that the ACMA review a decision to impose an additional condition on a research authorisation, in accordance with section 42.

Note 2 after subsection 22(4) makes it clear that the ACMA can consult with others about the imposition of additional conditions in research authorisations, in accordance with section 20.

Section 23 - Notice relating to research authorisations

If the ACMA grants a research authorisation, subsection 23(1) requires the ACMA to provide each research entity identified in the authorisation, and the IPND Manager, a copy of the authorisation.

If the ACMA grants an authorisation that specifies additional conditions, subsection 23(2) requires that the ACMA must, as soon as is reasonably practicable, give written notice to each authorised research entity and any other person affected by the decision, that they may request the ACMA reconsider its decision (using the process set out at section 42).

If the ACMA decides not to grant a research authorisation, subsection 23(3) requires that the ACMA give the applicant written notice indicating that the authorisation has not been granted, the reasons the authorisation was not granted, and advising that the applicant or any other person affected by the decision may request the ACMA to reconsider its decision under section 42.

The note after subsection 23(3) clarifies that a research entity is taken not to be specified in an application if the entity does not provide the ACMA with further information as requested under section 19 within 90 days after the ACMA requests that information. The intent of section 19 is to create an incentive for persons covered by an application for an authorisation to provide information requested by the ACMA promptly. If that information is not provided within a 90-day timeframe, then the authorisation process can continue to proceed in relation to other persons specified in the application.

Section 24 - Period of research authorisations

Section 24 provides that research authorisations are valid for the period specified in the authorisation. This section is to be read with subsection 22(3) such that the maximum period for an authorisation to be in effect is 12 months, starting on the day Telstra (the IPND Manager) first discloses the authorised unlisted mobile number information to the research entity. Authorisations may specify a shorter period than 12 months. This section does not contemplate extensions of research authorisations. Rather, research entities can apply for an additional research authorisation in the same terms in advance of an authorisation expiring if further time is needed to undertake the research.

Subdivision C - Authorisation conditions

Section 25 - Authorisation conditions

Section 25 provides that a research authorisation is subject to the conditions set out in this Subdivision and any additional conditions specified by the ACMA (see subsection 22(4) and section 36).

Section 26 - Receipt of authorised unlisted mobile number information

Section 26 provides that the first research entity to receive authorised unlisted mobile number information from the IPND Manager under an authorisation, must provide written notice to the ACMA and each other authorised research entity covered by the authorisation within 10 business days. As the period of an authorisation commences when the IPND Manager first discloses authorised unlisted mobile information to a research entity (section 22(3)), this section ensures that the ACMA and all parties covered by the authorisation are aware that the authorisation period has begun.

Section 27 - Use and disclosure of authorised unlisted mobile number information

Section 27 limits the use and disclosure of authorised unlisted mobile number information.

An authorised research entity can only make a record of or use unlisted mobile number information for authorised research purposes as specified in the authorisation. Subsection 27(2), when read together with subsection 27(3), limits the disclosure of unlisted mobile number information to: the research entity's employees or any other authorised research entities covered by the authorisation, for the purposes of authorised research as specified in the authorisation; or as otherwise authorised or required by any other law.

The ACMA may also request authorised unlisted mobile number information (for example, for compliance purposes), and the research entity is required to disclose this information on request pursuant to subsection 27(4).

Section 28 - Covered by the Privacy Act

Section 28 provides that an authorised research entity must be covered by the Privacy Act unless that entity is a registered political party. This is because registered political parties are exempt organisations under section 6C of that Act. Section 29 (detailed below) extends the application of the Australian Privacy Principles or a registered APP code to registered political parties by making compliance with them a condition of the authorisation.

Section 29 - Compliance with the Privacy Act

Subsection 29(1) requires that, where an authorised research entity collects, uses or discloses personal information for the purposes of authorised research, it must do so in a way that does not breach the Australian Privacy Principles or a registered APP code that binds the entity. Subsection 29(2) provides that the obligation in subsection 29(1) applies to registered political parties who are normally exempt under section 6C of the Privacy Act or acts which are normally exempt under section 7C of that Act.

The effect of this subsection is to ensure that all research entities, including registered political parties, will be required to adhere to the Australian Privacy Principles (APPs) which govern how personal information must be handled, used and managed. Given the broad scope of potential research activities which could be carried out under a research authorisation, there is the potential for research entities to handle personal information which is 'sensitive information'. The APPs place stringent obligations on organisations that handle sensitive information. 

Section 30 - Contacting persons for authorised research

Making contact

Section 30 outlines the requirements that apply when a research entity contacts a person for authorised research using authorised unlisted mobile number information.

Subsection 30(1) specifies that an authorised research entity may contact a person using authorised unlisted mobile number information, only by calling the person. As illustrated by the example after subsection 30(1), this provision makes it clear that an authorised research entity must not contact a person using authorised unlisted mobile number information by other means such as text message.

Paragraph 30(2)(a) specifies information research entities must provide to a contacted person when using authorised unlisted mobile number information for the purpose of conducting research. Research entities must tell the contacted person the entity's name, the contact details of the entity, the purpose of the research, how the mobile number was obtained, how the entity will use the research information collected, and if asked, how the person can access their personal information.

Paragraphs 30(2)(b) and (c) require the research entity to confirm that it has the consent of the contacted person in relation to certain matters. Research entities are compelled by the subsections to seek and obtain the contacted person's consent to use and disclose the research information collected, and inform the contacted person that consent can be withdrawn at any time during the call.

Paragraphs 30(2)(d) and 29(2)(e) require that the research entity give the contacted person any other information required by law (such as under the Privacy Act) and comply with all other applicable laws relating to unsolicited communications. For instance, the Telecommunications (Telemarketing and Research Calls) Industry Standard 2017 (the Standard) applies to all telemarketing calls, research calls and calls from public interest groups (such as charities, registered political parties and religious organisations) made to Australian numbers - and so will apply to all calls made under a research authorisation. The Standard sets the minimum benchmarks for: when research calls can be made; information that must be provided during a research call; when calls must be terminated; and the use of calling line identification.

The note accompanying this subsection indicates that for the purposes of paragraph 30(2)(e), the following applicable laws relating to unsolicited contact with another person apply: the Do Not Call Register Act 2006; the Privacy Act 1988; and the Spam Act 2003.

Contacted person does not consent to the use and disclosure of research information

This section provides that if a contacted person informs the research entity that he or she does not consent or withdraws consent to the use and disclosure of research information during the call, any such information must not be recorded, used or disclosed by the research entity that has made the call (with the exception of making a notice required by subsection 29(3) as outlined below). In addition, any research entity covered by the research authorisation must not use the unlisted mobile number information relating to the person. This allows a contacted person to 'opt out' of receiving further calls under a specific research authorisation.

Subsections 30(3) and 30(4) also detail further steps that a research entity must take if a contacted person does not consent or withdraws consent. Under subparagraph 30(3)(c)(i), the entity must take all reasonable steps to destroy any research information that the entity has relating to the person within 10 business days after the person informs the entity that they do not consent or has withdrawn consent. Under subparagraph 30(3)(c)(ii), the entity is also required to notify any other authorised research entities covered by the authorisation that the authorised unlisted mobile number information relating to the person must not be used.

Subsection 30(4) requires that where a research entity is notified that authorised unlisted mobile number information relating to a contacted person must not be used (pursuant to subparagraph 30(3)(c)(ii)), the entity must not use the unlisted mobile number information relating to the contacted person. That is, the entity must not make contact with the person using the unlisted mobile number information subsequent to that entity receiving the notice under the relevant research authorisation.

Internal dispute procedures

Subsections 30(5) and (6) stipulate the internal dispute resolution procedures that research entities must have in place to deal with inquiries or complaints about the use or disclosure of research information relating to a person. If a contacted person makes a complaint, research entities must inform account holders that they have the option to refer their complaint to the ACMA, and provide the account holder with the ACMA's contact information. The research entity is also obliged to provide reasonable assistance to the ACMA in relation to any such complaint if requested to do so by the ACMA.

Section 31 - Disclosure of research information

Section 31 deals with the disclosure of research information.

Subsection 31(1) establishes a general prohibition on the disclosure of research information relating to a contacted person by an authorised research entity unless the disclosure is permitted by subsections 31(2) and 31(3), or the disclosure is otherwise authorised or required by law. The prohibition in this provision has effect while an entity is covered by a research authorisation. As the note after subsection 31(1) indicates, section 41 deals with the recording, use and disclosure of research information after the authorisation ends or the entity is removed from the authorisation.

Subsection 31(2) allows a research entity to disclose research information relating to a contacted person to the entity's research employees.

Subsection 31(3) allows the disclosure of research information where it is de-identified and does not include the person's public number. The intention of this subsection is to allow for the disclosure of research information to those entities covered by the research authorisation and also more broadly to entities outside of the research authorisation. For instance, the subsection will allow for the publication of a report or a media release about the research, so long as the research information is de-identified information and does not contain the public numbers of contacted persons. Similarly, the disclosure of a de-identified dataset to an entity not covered by the research authorisation for a different or subsequent purpose would be permissible.

However, research entities who are involuntarily removed from a research authorisation (pursuant to section 30) will not be permitted to make a record of, use, or disclose any research information that they have collected, and will be required to destroy that information (see section 41 below). This provision is designed to encourage research entities not to breach authorisation conditions.

Subsection 31(4) provides that section 31 is subject to subsection 30(3). The note after subsection 31(4) indicates that subsection 30(3) provides that an authorised research entity must not record, use or disclose research information relating to a contacted person if the person does not consent, or withdraws consent, to the use and disclosure of that information.

Section 32 - Technical system for receiving authorised unlisted mobile number information

Section 32 requires that research entities must have technical systems in place to receive authorised unlisted mobile information that accords with Telstra's technical methods. A specification by Telstra of a technical method (if done by instrument) would not be a legislative instrument (see item 5 of the table in subsection 6(1) of the Legislation (Exemptions and Other Matters) Regulation 2015).

Section 33 - Compliance with the Act

Section 33 requires that research entities are subject to any requirements imposed by the Act and legislative instruments made under the Act.

Section 34 - Employees of the authorised research entity

Section 34 requires research entities to take all reasonable steps to ensure that their employees are made aware of research authorisation conditions and cooperate with the research entity in complying with those conditions. If the entity's employee becomes aware of an act or omission that would result in a breach of a condition, the employee is required to notify the entity in writing as soon as reasonably practicable. If an employee becomes aware of an act or omission by another entity covered by the research authorisation that would result in a contravention, the employee would have an obligation to notify their employer. 

Section 35 - Contravention of authorisation conditions

Section 35 provides that once a research entity becomes aware of a contravention of a condition in an authorisation by the entity, it must notify the ACMA as soon as reasonably practicable. The same notification obligation applies if the entity becomes aware of a breach by another entity covered by the same authorisation. Subsection 35(2) also requires a research entity to take reasonable steps to minimise the effects of any breach of a condition of an authorisation. Subsection 35(3) makes the requirement to take reasonable steps to minimise the effects of the contravention a condition of the authorisation.

Subdivision D - Changes to authorisations

Section 36 - Changes made by the ACMA

Subsection 36(1) provides that after the ACMA grants a research authorisation it may, in writing, specify other conditions to which the authorisation is subject, or vary or revoke any condition specified in the authorisation. Subsection 36(2) provides that before taking action under section 36(1) the ACMA may consult with any person or body that the ACMA considers is appropriate. Subsection 36(3) provides that the ACMA must give written notice of any action taken under section 36(1) to each authorised research entity covered by the authorisation stating the action taken; reasons for that action; and indicating that the entity or another entity affected by the decision may request the ACMA reconsider the action taken pursuant to section 42 (except where the change is to revoke a condition of an authorisation).

Subsection 36(4) requires that the notice must be given as soon as reasonably practicable and before the action under subsection 36(1) is expressed to take effect.

The ACMA must also give the IPND Manager written notice of a change made under subsection 36(1) as soon as reasonably practicable. This will ensure that the IPND Manager is aware of the action taken, and can ensure that its future actions are consistent with it.

Subdivision E - Removal of authorised research entities

Section 37 - Effect of removal

Section 37 provides that an authorised research entity ceases to be covered by a research authorisation if the entity is removed from the authorisation.

Section 38 - Removal of authorised research entities - contravention of research authorisation

Subsection 38(1) empowers the ACMA to remove an authorised research entity from a research authorisation if it is satisfied that a condition of any research authorisation covering that entity has been contravened. As indicated in the accompanying note, any such decision is subject to reconsideration on request by any person affected by the decision (pursuant to section 38).

Consultation

Subsection 38(2) allows the ACMA to consult with any person or body considered appropriate prior to removing an entity under subsection 38(1).

Notice to entity of removal

Before removing an entity, subsections 38(3) and 38(4) require the ACMA to give the entity written notice stating that the ACMA proposes to remove it from the authorisation, and to invite the entity to make a submission to the ACMA about the proposed removal within a specified period of time. The specified period for the making of a submission must not be shorter than 30 days.

Notice of removal

Subsection 38(5) requires that where the ACMA removes an entity, it must, as soon as reasonably practicable, notify that entity in writing, and provide the reasons for the entity's removal. The notice must state that the entity and any affected person may request reconsideration of the decision to remove the entity (pursuant to section 41).

Subsection 38(6) requires that the ACMA provide written notice of any such removal to: any other authorised research entity covered by the authorisation; and the IPND Manager as soon as reasonably practicable after the ACMA removes the entity.

Further application for authorisation after removal

Subsection 38(7) provides that if the ACMA removes an entity from a research authorisation, an application for a further research authorisation covering that entity cannot be made until after the end of that research authorisation. By prohibiting further applications for a period following a breach, this subsection ensures that an entity that has been removed from an authorisation for contravention of a condition cannot immediately apply for a further authorisation and thereby evade the consequences of removal. This provision therefore creates an incentive for research entities to comply with authorisation conditions.

Section 39 - Voluntary removal of authorised research entities

Subsection 39(1) specifies that an authorised research entity can provide a written request to the ACMA to be removed from a research authorisation.

The Note after Subsection 39(1) specifies that if the ACMA decides not to remove the entity, the entity, or any other person affected by the decision, may request the ACMA to reconsider its decision (as outlined in Subdivision F).

Subsection 39(2) provides that when considering a request for voluntary removal, the ACMA may have regard to whether the entity has received a notice that it has been removed for contravention under section 38(3). This subsection has been included to ensure that the ACMA has, at its discretion, the option to not allow an entity to voluntarily remove itself from a research authorisation in circumstances in which the ACMA has issued a notice to that research entity that it proposes to remove the entity from the authorisation. In the absence of this provision, a research entity could voluntarily remove itself from an authorisation to avoid the consequences that would flow from a contravention of an authorisation condition.

If the ACMA decides to remove an entity on the basis of a voluntary request, subsection 39(3) requires that it give notice as soon as practicable to both the entity and the IPND Manager. If the ACMA does not remove an entity, subsection 39(4) requires the ACMA to notify the entity in writing that it has not been so removed, the reasons for that decision, and that the decision is subject to review under section 39.

Section 40 - No use or disclosure of authorised unlisted mobile number information by former research entities

Section 40 limits the use and disclosure of authorised unlisted mobile number information by a former research entity after the authorisation period ends or the entity is removed from an authorisation.

Purpose of this section

Subsection 40(1) specifies that the section is made for the purposes of subparagraph 21(1)(c), which requires the ACMA to grant a research authorisation if it is reasonably satisfied, amongst the other criteria set out at subsection 21(1), that each research entity covered by the authorisation will comply with the use and disclosure requirements of section 40 and section 41.

Scope of this section

Subsection 40(2) provides that the section applies in situations where an authorised research entity receives unauthorised unlisted mobile number information under an authorisation, and the authorisation subsequently ends or the research entity is removed from the authorisation.

Former authorised research entity must not use information

Subsection 40(3) provides that a former research entity must not record or use unlisted mobile number information, or disclose that information unless authorised or required by the ACMA to disclose that information to the ACMA or by any other law. The former research entity is also required to take all reasonable steps to destroy the information within 10 days after the authorisation ends or the former research entity is removed, as the case requires.

Disclosure to the ACMA

Subsection 40(4) requires the former research entity to disclose the information to the ACMA on request.

Section 41 - Use or disclosure of research information after end of research authorisation etc.

Section 41 limits the use and disclosure of research information by a former research entity after the authorisation period lapses or the entity is removed.

Once a research period ends or a research entity voluntarily withdraws from a research authorisation, those entities - former research entities - will be permitted to make a record of, or use, the research information relating to a contacted person where the information is de-identified and does not include the person's public number.

However, if a former research entity has been removed for contravention under section 38, the research entity will be prohibited from making a record of, using or disclosing research information. They will also be required to take all reasonable steps to destroy the research information.

Purpose of this section

Subsection 41(1) provides that the section is made for the purposes of subsection 21(1)(c), which requires the ACMA to grant a research authorisation if it is reasonably satisfied, amongst the other criteria set out at subsection 21(1), that each research entity covered by the authorisation will comply with the use and disclosure requirements of sections 40 and 41.

Research authorisation ends etc.

Subsection 41(2) provides that if an authorised research entity has research information relating to a contacted person, and the authorisation ends or the entity is voluntarily removed under section 38, the entity must not make a record of, use or disclose the information unless it is de-identified and does not include the person's public number.

This allows former research entities that have complied with all conditions of the research authorisation to make effective use of the research information gathered, so long as it is de-identified. For instance this provision will allow for the release of a report or the disclosure of a de-identified dataset to an entity not covered by the research authorisation for a different or subsequent purpose.

Authorised research entity is involuntarily removed from research authorisation

Paragraphs 41(3)(a) and (b) prohibit a former research entity who is removed under section 38 from using, disclosing or recording any research information it has relating to a contacted person. Section 37 allows the ACMA to remove an authorised research entity from a research authorisation if it is satisfied that a condition of any research authorisation covering that entity has been contravened. Subsection 41(3)(c) requires that such a former research entity take all reasonable steps to destroy the information within 10 days of its removal from the authorisation.

The effect of this provision is that an entity who is removed by the ACMA for contravention of an authorisation condition - for instance, non-compliance with the Privacy Act - will be prevented from making use of any research information that they have obtained. Non-compliant research entities will forfeit any research information they have obtained in the event of a breach of a condition in an authorisation. This provision encourages compliance with the conditions of a research authorisation.

Subdivision F - Review of decisions

Section 42 - Decisions that may be subject to reconsideration by the ACMA

Section 42 provides for the review of decisions by the ACMA. Persons dissatisfied with an ACMA decision to: not grant a research authorisation; to grant a research authorisation subject to additional conditions; to specify additional conditions to which an authorisation is subject; vary an additional condition; remove an entity from an authorisation; or not voluntarily remove an entity from an authorisation, may request a review of the decision. A request must be in writing, clearly setting out the reasons for the request. To ensure that such requests are made in a timely way, the sections specify that the request must be made within 28 days from when the decision was made.

Section 43 - Reconsideration by the ACMA

Section 43 specifies that upon receipt of a request under section 42, the ACMA must reconsider the decision and either affirm, vary or revoke the decision. Before making a decision on reconsideration the ACMA may consult with any person or body considered appropriate. The ACMA must notify the applicant in writing of its decision and provide reasons.

The note after subsection 43(4) references section 27A of the Administrative Appeals Tribunal Act 1975, which requires a notice of decision and review rights to be given for reviewable decisions.

Section 44 - Deadlines for reconsiderations

Section 44 provides that the ACMA's original decision is taken to be affirmed 90 days after receiving a request, if it does not make a decision on the request in subsection 43(1) before then.

Section 45 - Review by the Administrative Appeals Tribunal

Where the ACMA affirms or varies a decision under section 43, section 45 provides for a review of that decision by application to the Administrative Appeals Tribunal.

Subdivision G - Offences

Section 46 - Offences of contravening a condition etc.

Section 46 establishes strict liability offences for certain contraventions that carry a maximum penalty of 10 penalty units.

The offence in subsection 46(1) is triggered if an authorised research entity covered by a research authorisation contravenes any condition of the authorisation other than section 29, which makes compliance with the Privacy Act a condition of an authorisation. For entities that are subject to that Act, there is an enforcement regime in place for contravention of that Act.

The Privacy Act contains civil penalty provisions for interference with an individual's privacy and breach of the APPs. It also confers a range of investigatory and enforcement powers on the Privacy Commissioner. These include powers to investigate a matter following a complaint or via a 'Commissioner Initiated Investigation', as well as the power to seek injunctions, enforceable undertakings and civil penalty orders.  

The offence in subsection 46(2) deals with authorised research entities that are not covered by the Privacy Act and therefore not captured by the enforcement regime in that Act. The offence is triggered where an authorised research entity contravenes section 29 - by breaching an APP or registered APP code, and that entity is either a registered political party or the act done to contravene section 29 is an exempt act under section 7C of the Privacy Act. This provision ensures that there are consequences for a breach of the APPs by entities that are not typically covered by the Privacy Act.

The offence in subsection 46(3) occurs where a former research entity contravenes the use and disclosure provisions relating to authorised unlisted mobile number information in subsection 40(3) or (4). Subsection 40(3) prohibits a former research entity from using or disclosing authorised unlisted mobile number information once the authorisation has ended and subsection 40(4) requires that a former research entity disclose that information to the ACMA if the ACMA requests it.

The offence in subsection 46(4) is triggered where a former research entity contravenes the use and disclosure provisions relating to research information in subsections 41(2) or (3). If an authorisation ends or an entity is voluntarily removed from an authorisation under section 39, subsection 41(2) prohibits the entity from using or disclosing authorised research information unless that information is de-identified and does not contain a contacted person's public number. Where an entity is involuntarily removed from an authorisation under section 38, subsection 41(3) prohibits the entity from using or disclosing that information and requires that it take all reasonable steps to destroy it within 10 business days of their removal.

The offences included in section 46 of the Regulations are strict liability offences.

The Attorney-General's Department 'Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers' (AGD Guide) notes that strict liability may be necessary to ensure the integrity of a regulatory regime. Consistent with the AGD Guide, applying strict liability in relation to these offences in the Regulations is necessary. The offences contained in section 46 of the Regulations are aimed at upholding the integrity of the research authorisation process, ensuring that the authorised research information (including personal information) is properly dealt with and any embedded personal information (such as a person's telephone number) is not disclosed to the public. By making these offences strict liability offences, the Regulations provide a strong deterrent against parties improperly using or dealing with personal information.

A person would still have access to all of the defences in Part 2.3 of the Criminal Code Act 1995 (Criminal Code). Part 2.3 of the Criminal Code sets out defences that are generally available, such as a defence of honest and reasonable mistake and intervening conduct or event.

Nothing in the offence provisions under these Regulations abrogates the common law privilege against self-incrimination.

The offences in section 46 each attract 10 penalty units. This is considered to be consistent with the principles in the AGD Guide.

Part 5 - Standard agreements for the supply of carriage services

Section 47 - Supply of specified kinds of carriage services

Section 479 of the Act allows a carriage service provider (defined in section 87 of the Act to include a person who supplies, or proposes to supply, carriage services to the public using network units owned by a telecommunications carrier) to use a standard form of agreement as a contract with customers for the supply of a standard telephone service (defined in section 6 of the Telecommunications (Consumer Protection and Service Standards) Act 1999) and for such other carriage services or goods or services for use in connection with a carriage service as are specified in the regulations.

Part 5 of the accompanying regulations enables carriage service providers to use standard forms of agreement with their customers not only for the supply of a standard telephone service but also for the supply of other mass market carriage services, ancillary goods and ancillary services specified in the regulations.

Section 48 - Supply of specified kinds of ancillary goods

The following kinds of ancillary goods are specified in section 48:

(a)        goods for use in connection with a standard telephone service;

(b)        goods for use in connection with a carriage service of a kind as defined in this section.

Section 49 - Supply of specified kinds of ancillary services

For the purposes of paragraph 479(1)(d) of the Act, the following kinds of ancillary services are specified:

(a)        a service for use in connection with a standard telephone service;

(b)        a service for use in connection with a carriage service of a kind as defined in this section.

Part 6 - Carriers' powers and immunities

If a carrier engages in an activity covered by Division 2, 3 or 4 of Schedule 3 of the Act (which pertain to inspecting land, installing facilities and maintenance of facilities) the carrier must do so in a manner that is consistent with Australia's obligations under a listed international agreement that is relevant to the activity.

In addition, subparagraph 3(b)(ii) of the Act provides that reference in Part 1 of Schedule 3 of the Act to a designated overhead line is a reference to a line that is suspended above the surface of land (other than submerged land); or a river, lake, tidal inlet, bay, estuary, harbour or other body of water; and the maximum external cross-section of any part of which exceeds 13 mm; or if another distance is specified in the regulations--that other distance. Part 6 specifies another distance for the purposes of that provision.

Section 50 - Listed international agreements

Section 50 includes a table which specifies the international agreements, as those agreements are in force for Australia at the commencement of the Regulations, for the purposes of the definition of 'listed international agreements' in clause 2 of Schedule 3 to the Act. A note accompanies section 50 which indicates that the international agreements specified in the table could in 2021 be viewed in the Australian Treaties Library on the AustLII website.

Section 51 - Designated overhead line

Section 51 specifies the distance of 48 mm as the maximum external cross-section distance of a designated overhead line for the purposes of subparagraph 3(b)(ii) of Schedule 3 to the Act.

Part 7 - Application, saving and transitional provisions

Division 1 - Provisions for this instrument as originally made

This Division sets out several transitional provisions (and accompanying definitions) arising from the repeal of the Telecommunications Regulations 2001 and the commencement of the replacement Regulations.

Section 52 - Definitions

Section 52 provides for two key terms used in the Division: 'commencement time' (being the time when the section commences, i.e. the day after the instrument is registered on the Federal Register of Legislation) and 'old regulations' (being the Telecommunications Regulations 2001).

Section 53 - Things done under the old regulations

Section 53 provides for a general application provision relating to things done under the old regulations. This section ensures that decisions made under the old regulations continue to have effect.

Subsection 53(1) provides that, if a thing was done for a particular purpose under the old regulations as in force immediately before those regulations were repealed, and the thing could be done for that purpose under the new Regulations (the instrument), the thing has effect for the purposes of the instrument as if it had been done for that particular purpose under that instrument.

Subsection 53(2) of the Regulations clarifies that a reference to a thing being done includes a reference to a notice, approval or other instrument being given or made.

Section 53 only validates decisions made for a particular purpose under the old regulations, and does not retrospectively validate decisions made outside the limits of the old regulations or not made in accordance with a particular purpose contained in the old regulations.

Section 54 - Conduct, event, circumstances occurring before commencement

Section 54 is an avoidance-of-doubt application provision relating to conduct, events and circumstances occurring before the commencement of the Regulations.  It ensures that the powers, functions or duties under the Regulations can be performed or exercised in relation to past events.

Subsection 54(2) of the Regulations states that, to avoid doubt, a function or duty may be performed, or a power exercised, under this instrument in relation to conduct engaged in, an event that occurred, or a circumstance that arose, before this section commences.

Subsection 54(2) of the Regulations provides that this section does not limit section 7 of the Acts Interpretation Act 1901 (as that Act applies in relation to this instrument because of paragraph 13(1)(a) of the Legislation Act 2003).

Section 55 - Service provider determinations

Section 55 makes clear that Part 2 under the Regulations applies in relation to any service provider determination made after the commencement time. Service provider determinations (which are made under section 99 of the Act) that were in force prior to the repeal of the old regulations continue in full force and effect.

Section 56 - Industry codes and industry standards

Part 3 applies in relation to any industry code, whether registered before or after the commencement time; and any industry standard, whether determined before or after the commencement time.

Section 57 - Research authorisations

Research authorisations under the old regulations continue

Subsections 57(1) and (2) set out transitional provisions to ensure that a research authorisation granted under the old regulations is treated as an authorisation that had been granted under section 21 of the Regulations and any accompanying conditions are treated as being specified under section 36 of the Regulations. Additionally, any research entity removed under regulation 5.28 or 5.29 from the authorisation (as originally issued under the old regulations) is treated as having been removed.

Old regulations in relation to former authorised research entities continue to apply

Subsection 57(3) provides that despite the repeal of the old regulations, the old regulations in relation to former authorised research entities continue to apply. This has the effect of preserving the existing research authorisations and ensuring offences relating to former authorised research entities continue to apply.

Decisions made under the old regulations can be reviewed under this instrument

Subsections 57(4) and (5) provide that certain decisions can be reviewed under this instrument.

Subsection 57(4) states that despite the repeal of the old regulations, decisions made under the old regulations (mentioned in subregulation 5.32(1)) still apply as if the repeal had not happened.  This is in relation to research authorisations and authorised research entities (within the meaning of the old regulations) that ended before the commencement of the new regulations. These can both be reconsidered and reviewed under this instrument.

Subsection 57(5) allows for an application for reconsideration of a decision that was made under the old regulations to be finished under this instrument. The ACMA's decision on a reconsideration under this instrument of a decision made under a provision of the old regulations has effect as if it had been made under the equivalent provision of this instrument.

Section 58 - Infringement notices

Despite the repeal of the old regulations by this instrument, Part 6 of the old regulations continues to apply in relation to infringement notices issued before the commencement time, as if the repeal had not happened.

Schedule 1 - Repeals

Schedule 1 repeals the whole of the Telecommunications Regulations 2001. The Regulations replace those regulations.


 

ATTACHMENT B

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Telecommunications Regulations 2021

This Legislative Instrument is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

 Overview of the Instrument

The Telecommunications Regulations 2021 (the Regulations) will repeal the Telecommunications Regulations 2001 (the sunsetting regulations) and remake them with minor amendments and updates to reflect and to remove obsolete provisions.

Section 594 provides that the Governor-General may make Regulations prescribing matters required or permitted to be prescribed by the Telecommunications Act 1997 (the Act), or necessary or convenient to be prescribed for carrying out or giving effect to the Act.

The Regulations comprise the following parts:

Part 1 of the Regulations sets out preliminary matters, such as the title of the Instrument, and the authority under which it is made. The Part also defines key terms used throughout the Regulations, inserting new definitions of mobile carriage service provider, premium content service, and proprietary network.

Part 2 specifies a range of matters in relation to which the ACMA may make a service provider determination, and these cover prepaid mobile carriage services; premium services; fixed or mobile voice or data carriage services; and information relating to the telecommunications industry.

Part 3 provides for several exceptions to the rule under section 115 of the Act, which precludes industry codes and industry standards from dealing with certain design features and performance requirements relating to the unconditioned local loop service and the management of next-generation broadband networks.

Part 4 sets out three specific exceptions to the use and disclosure offences in Part 13 of the Act. These exceptions relate to:

*         disclosure of protected information where the disclosure is to a provider of the National Relay Service;

*         the disclosure by the IPND Manager of unlisted mobile number (a form of protected information) to an authorised research entity (including the rules for the issuance of research authorisations etc); and

*         the disclosure of protected information by emergency call persons--research about emergency service numbers.

 

Part 5 specifies additional kinds of carriage services, ancillary goods and ancillary services for which standard agreements are required.

Part 6 deals with several matters related to the carrier powers and immunities regime under Schedule 3 to the Act. Namely, listing the international agreements for purposes of the definition of 'listed international agreement' under Schedule 3 to the Act and specifying the maximum distance for designated overhead lines.

Part 7 deals with several matters related to the carrier powers and immunities regime under Schedule 3 to the Act. Namely, listing the international agreements for purposes of the definition of 'listed international agreement' under Schedule 3 to the Act and specifying the maximum distance for designated overhead lines.

Part 8 contains several application, saving and transitional provisions that are necessary as a consequence of the repeal of the sunsetting regulations.

The Schedule to the Regulations repeals the sunsetting regulations.

The purpose of the Regulations is to support the operation of the Act.

Human rights implications 

The Instrument engages the following rights:

-          The right to privacy in Article 17 of the International Covenant on Civil and Political Rights (the ICCPR).

-          The right to freedom of expression in Article 19 of the ICCPR.

-          The presumption of innocence in Article 14(2) of the ICCPR.

Measures in detail

Part 2 - Service provider determinations

Part 2 specifies matters in relation to which the Australian Communications and Media Authority (ACMA) may make a service provider determination for the purposes of section 99(3) of the Act.

Under subsection 99(1) of the Act, the ACMA may make written determinations setting out rules that apply to service providers in relation to the supply of either or both specified carriage services or specified content services, which are called service provider determinations. Subsection 99(3) of the Act provides, relevantly, that the ACMA must not make a service provider determination unless the determination relates to a matter specified in the Regulations.

Part 2 of the Regulations sets out those matters in relation to which service provider determinations may be made, namely: prepaid mobile carriage services; premium services; fixed or mobile voice or data carriage services; and information relating to the telecommunications industry.

Paragraph 8(1)(e) of Part 2 of the Regulations specifies that the ACMA may make a determination preventing a service provider from supplying a person with a prepaid mobile carriage service if the customer fails to verify the customer's identity, including by giving false or misleading information. The effect of this specification is, for example, that the ACMA may make a determination about a service provider not allowing a person to use a public number for a prepaid carriage service if the service provider knows that the person has given information that is false or misleading.

Subparagraph 8(1)(e)(ii) of Part 2 of the Regulations specifies that the ACMA may make a determination preventing a service provider from supplying a person with a prepaid mobile carriage service if an authorised law enforcement officer gives the service provider a written request to prevent a person using a prepaid mobile carriage service that states that action is necessary for a purpose mentioned in subsections 313(3) or (4) of the Act. This covers action that is necessary for the purposes of: enforcing the criminal law and laws imposing pecuniary penalties; assisting the enforcement of the criminal laws in force in a foreign country; protecting the public revenue; or safeguarding national security.

The regulatory arrangements for prepaid mobile carriage services (prepaid mobile services) have been in place since 1997. The requirements were put in place to inhibit the use of anonymous prepaid mobile services, so that law enforcement and national security agencies can gain accurate information and evidence about users, should they need to do so.

This special regime for prepaid mobile carriage services has been put in place because there is no commercial driver for service providers to check the identity of prepaid customers. This is in contrast to the case of customers of post-paid telecommunications services where service providers have an incentive to undertake identity checks for credit management purposes. The identification information sought to be obtained from customers of prepaid mobile carriage services under this Part is thus already generally held by service providers in relation to customers of post-paid carriage services.

The provisions under Part 2 aim to assist law enforcement and national security agencies in identifying customers of prepaid mobile services for the purposes of their investigations. Carriage service providers (CSPs) can only obtain the minimum amount of information that is reasonably necessary to assist the relevant agencies and there are restrictions on the collection, recording and copying of personal information in the identity-checking process. CSPs need to advise customers of the effect of a service provider determination.

Part 4 - Division 2 - Research Authorisations

The Integrated Public Number Database (IPND) is maintained by Telstra Corporation Limited (Telstra) under section 10 of the Carrier Licence Conditions (Telstra Corporation Limited) Declaration 2019. The IPND is a centralised database containing records of Australian public telephone numbers and associated customer details.

The information and data in the IPND includes customer name, address, phone number, whether the service is fixed or mobile, whether the service is listed or unlisted, and details about the telecommunications company providing the customer with the service. The IPND may only be accessed from Telstra for approved purposes as specified in Telstra's Carrier Licence Conditions, or as allowed by Part 13 of the Act.

Part 4 of the Regulations specifies an exception to the disclosure and use prohibitions under Part 13 of the Act, and allows research entities to access unlisted mobile phone numbers and their associated postcodes located in the IPND for specific research purposes as prescribed in the research entity's research authorisation in order to better target research. Privacy protections similar to those that apply in relation to listed numbers apply to mobile number information.

Subdivision G of Part 4 contains four offence provisions of strict liability. Under subsection 46(1) of the Regulations, an offence applies if an authorised research entity covered by a research authorisation contravenes any condition of the authorisation other than section 29, which makes compliance with the Privacy Act a condition of an authorisation.

The offence in subsection 46(2) is triggered where an authorised research entity contravenes section 29 - by breaching an APP or registered APP code - and that entity is either a registered political party or the act done to contravene section 28 is an exempt act under section 7C of the Privacy Act. This provision ensures that there are consequences for a breach of the APPs by entities that are not typically covered by the Privacy Act. 

The offence in subsection 46(3) applies where a former research entity contravenes the use and disclosure provisions relating to authorised unlisted mobile number information in subsection 40(3) or (4).  

The offence in subsection 46(4) applies where a former research entity contravenes the use and disclosure provisions relating to research information in subsection 41(2) or (3).

Human rights implications - Right to privacy

Article 17 of the ICCPR provides:

1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

2. Everyone has the right to the protection of the law against such interference or attacks.

Article 17 of the ICCPR (like Article 16 of the Convention on the Rights of the Child and Article 22 of the Convention on the Rights of Persons with Disabilities) protects the right to freedom from unlawful or arbitrary interference with privacy. Certain provisions in the Instrument could be considered to limit the right to privacy, but not in an arbitrary or unlawful manner. The right to privacy is not an absolute right, however, and a limitation is not incompatible with the right itself.

Collecting, using, storing, disclosing or publishing personal information may amount to an interference with privacy. In order for the interference with privacy not to be 'arbitrary', any interference with privacy must be in accordance with the provisions, aims and objectives of the ICCPR and should be reasonable in the particular circumstances. Reasonableness, in this context, incorporates notions of proportionality, appropriateness and necessity, particularly in relation to criminal law and national security.

Part 2 of the Regulations and the right to privacy

This Part authorises the collection, storage and use of personal information. However, to the extent that the Part could be said to authorise an interference with privacy, that interference will be neither unlawful nor arbitrary. It will not be unlawful because the collection, use and destruction of personal information is authorised by the Telecommunications Act. It will not be arbitrary because this Part specifies only the minimum amount of personal information that is reasonably necessary to assist with the legitimate objectives of law enforcement and national security. This Part limits the information that a determination may require to be obtained from a customer to:

Part 2 also imposes restrictions on the collection, recording, keeping and reproduction of personal information in the identity-checking process.

The Division requires carriage service providers to find out what other carriage services the customer has (subparagraph 8(1)(a)(iii)). This relates to the existing requirement of the Instrument for carriage service providers to record the number of other activated prepaid mobile services (if any) supplied to a customer.

Information about what the customer proposes to use the carriage service for (such as residential, business, government or charitable use) (paragraph 8(1)(b)) is also currently collected both for the Integrated Public Number Database and for law enforcement and national security purposes. This information assists law enforcement and security agencies in their investigations and allows them to narrow their inquiries. For instance, if a carriage service is used for business purposes, agencies will know that it may be used by multiple people and some call records may not be of interest.

In terms of the information that may be recorded and kept, while this extends to the information obtained when verifying the identity of a customer (including the type of document produced and information about existing services), as well as intended usage, the identifying number on a government document may not be recorded and kept (subparagraph 8(1)(c)(i)).

Safeguards

Authorities are required to handle information in accordance with the Australian Privacy Principles outlined by the Privacy Act 1988. Exceptions to the use and disclosure of information outlined in this Part are restricted by limited circumstances and do not negate the ACMA's obligations under the Privacy Act.

Note that there are differences in Division 1 of Part 4 in relation to exceptions to primary disclosure/use offences. Section 14 relates to a disclosure by a carrier or CSP to the National Relay Service provider about a person's use of the National Relay Service for the purpose of, or connected with the supply or proposed supply of the National Relay Service to that person. Section 15 relates to the disclosure by Telstra of unlisted numbers to an authorised research entity. Provisions governing authorised research entities are set out in Division 2 of Part 4 of the Regulations. Section 16 relates to the disclosure by an emergency call person to a researcher (contracted by agreement with the ACMA) of information or a document for research into the way emergency numbers are dialled or used.

Part 2 requires service providers to destroy the information that they have collected if the destruction is reasonable, including destruction when the information is no longer required by the carriage service provider (paragraph 8(1)(d)). The aim is to ensure that information is not retained when it is no longer required. Australian Privacy Principle 4.2 in the Privacy Act also imposes a requirement on organisations to take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under the Privacy Act.

In addition to those safeguards, Part 13 of the Telecommunications Act is directed at protecting the confidentiality of customers' personal information held by CSPs. The disclosure or use of such information is prohibited except in limited circumstances, such as for purposes relating to the enforcement of the criminal law, assisting the ACMA to carry out its functions or powers, or providing emergency warnings.

Part 13 also imposes a range of record-keeping requirements on CSPs in relation to authorised disclosures or uses of information. The Information Commissioner (within the meaning of section 3A of the Australian Information Commissioner Act 2010) has the function of monitoring compliance with, and reporting to the relevant Minister, in relation to these record-keeping requirements, and on whether the records indicate compliance with limitations imposed on disclosure and use of personal information held by CSPs.

In conclusion, the collection, use, storage and disclosure of personal information enabled by Part 2 are neither 'unlawful' nor 'arbitrary'. The information is collected for the legitimate objectives of law enforcement and national security. The type of personal information authorised to be collected, and the safeguards included in the Act and Regulations around the subsequent use and disclosure of that personal information, are reasonable, necessary and proportionate to these objectives.

Further, it should be noted that the service provider determination made by the ACMA would be a disallowable instrument and will therefore be subject to Parliamentary scrutiny and require its own statement of compatibility. This provides a further safeguard against the occurrence of any arbitrary interference with privacy.

Part 4 of the Regulations and the right to privacy

Firstly, it should be noted that all research authorisations granted by the ACMA are covered by the Commonwealth Contract Terms, with the proviso that these can be superseded by any additional terms and conditions in a panel Deed of Standing Offer or the executed Research Work Order.

The Commonwealth Contract Terms include the following:

C.C.22 Compliance with Commonwealth Laws and Policies.

Section B. Privacy Act 1988 (Cth) Requirements: In providing the Goods and/or Services, the Supplier agrees to comply, and to ensure that its officers, employees, agents and subcontractors comply with the Privacy Act 1988 (Cth) and not to do anything, which if done by the Customer would breach an Australian Privacy Principle as defined in that Act.

In addition, the grant of a research authorisation by the ACMA generally includes the additional text:

The Supplier (researcher) will also be bound by the Privacy (Market and Social Research) Code 2014 and the AMSRS Code of Professional Behaviour, and will adhere to the Australian Privacy Principles under the Privacy Act 1988 (Cth).

Under Part 4 of the Regulations, limited data contained within the IPND would be made available to a research entity through an authorisation scheme administered by the ACMA. Under subsection 15(2), authorised research entities will only be permitted to access authorised unlisted mobile numbers and postcode data from the IPND Manager, Telstra, with a valid authorisation. Other personal identifying information will not be disclosed by the IPND Manager. The use and disclosure of the unlisted mobile number information is confined to the purposes set out in the authorisation. At the conclusion of a research authorisation, that information must be destroyed. Any resultant research information must be de-identified before being further used or disclosed.

Research entities will be subject to a range of obligations that seek to limit the impact on the privacy of individuals. These safeguards are outlined below:

a.       Research entities will be required to apply to the ACMA for a research authorisation prior to accessing information from the IPND. Research authorisations will prescribe the kind or kinds of unlisted mobile number information being sought and the reasons for seeking the information (subsection 18(1));

b.      Research authorisations must be accompanied by a privacy impact assessment (subparagraph 18(c)(ii));

c.       The ACMA may take a range of matters into account when considering whether to grant a research authorisation, including the practices, procedures, processes and systems the applicant has in place, or intends to put in place, to comply with the conditions of the authorisation (subsection 21(2)). For example, the ACMA will consider:

               i.       the previous conduct of all entities listed in the application and the extent to which each entity has complied with the conditions of any previous IPND Scheme authorisation granted to it (paragraph 21(2)(b));

             ii.      the extent to which the applicant's collection, use and disclosure of personal information has complied, or is consistent, with the Privacy Act (paragraph 21(2)(d));

d.      The ACMA will also have the authority to specify each research entity that would be able to access IPND information when deciding whether to grant a research authorisation (subsection 22(2));

e.       Research entities must be covered by the Privacy Act (section 28);

f.       Entities that are exempt from that Act must comply with the Australian Privacy Principles or a registered APP code (section 29);

g.      Research entities will be bound by the conditions set out in an authorisation (section 21(4));

h.      Research authorisations will be limited to a period specified by the ACMA which can be no greater than 12 months (paragraph 22(3)(b)). Research entities will be required to re-apply for an authorisation after this period;

i.        Research entities will be prohibited from using and disclosing authorised unlisted mobile number information for purposes that are not listed in the research authorisation or after the authorisation period has lapsed (sections 40 and 41) unless otherwise required by law;

j.        Research entities must seek the account holder's consent at the beginning of a call, and inform the account holder of their right to withdraw consent at any time during the call (section 30);

k.      Research entities must have internal dispute resolution procedures in place to address complaints from account holders about the use or disclosure of their information, or any research information collected during a call (subsection 30(5));

l.        Research entities will be required to notify the ACMA of any contravention of a condition of a research authorisation as soon as reasonably practicable and take reasonable steps to minimise the effects of the contravention (section 35).

m.    Former research entities will be prohibited from using or disclosing authorised unlisted mobile number information once the authorisation period ends and cannot make a record of, or use, the authorised unlisted mobile number information (section 41).

n.      Research entities must take all reasonable steps to destroy the unauthorised mobile number information once the authorisation ends or the entity is removed from the research authorisation (sections 40 and 41).

o.      Research entities will be subject to an offence of strict liability for contravening a condition of a research authorisation or the use and disclosure requirements for former research entities (subsections 46(1) - (4)).

In addition to these protections, the Privacy Act requires service providers to inform individuals about how the information collected will be used, ensure the physical security of the personal information held, and allow access to, and correction of, that information amongst other things.

The ACMA is bound by the statutory requirements of the Privacy Act, and must handle personal information in accordance with the APPs. These Regulations have the intent to provide clear, certain, transparent and non-arbitrary privacy protections to complement the Privacy Act provisions. These safeguards, together with the other restrictions on the handling of personal information described above, indicate that the instrument is reasonable, necessary and proportionate to the objectives of law enforcement and national security.

Human rights implications - Right to freedom of expression

Article 19(2) of the ICCPR (and Article 13 of the Convention on the Rights of the Child and Article 21 of the Convention on the Rights of Persons with Disabilities) protects the right to freedom of expression, including the right to seek, receive and impart information and ideas through any media of a person's choice.  However, this right is subject to certain restrictions, including the protection of national security or public order. Protection of public order includes law enforcement, which is reasonable and necessary.

In paragraph 8(1)(e), where a carriage service provider prevents the use of a prepaid mobile service (because the provider has been unable to verify a customer's identity) under the Instrument, this may affect a person's right to freedom of expression.

Part 2 of the Regulations and the right to freedom of expression

The right to freedom of expression needs to be considered in the context of Part 2 of the Regulations which requires a service provider to prevent the use of a prepaid mobile carriage service if:

o    enforcing the criminal law and laws imposing pecuniary penalties;

o    assisting the enforcement of the criminal laws in force in a foreign country;

o    protecting the public revenue; or

o    safeguarding national security.

 

One of the objectives of the regulatory framework consisting of the Telecommunications Act and Regulations, and the subsequent statutory responsibilities imposed on service providers, is to prevent telecommunications networks and facilities from being used in, or in relation to, the commission of offences against the laws of the Commonwealth or of the States and Territories. This objective goes to criminal law enforcement and preventing threats to national security.

Requiring individuals who use telecommunications networks and facilities to disclose their identity is one basic and crucial way to assist law enforcement agencies to identify and apprehend individuals who do use, or attempt to use, telecommunications networks and facilities in, or in relation to, the commission of offences that may, for example, be a security threat to the broader population. It is reasonable, necessary and proportionate to give effect to the legitimate law enforcement and national security objectives discussed above to make the use of prepaid mobile carriage services conditional upon providing the minimum amount of information that is reasonably necessary to identify the customer.

Preventing the use of a prepaid mobile carriage service by a person in circumstances where an authorised law enforcement officer considers that this is necessary to prevent unlawful activity or to enforce the criminal law is a reasonable, necessary and proportionate restriction on the freedom of expression.

Requiring persons who use telecommunications networks and facilities to disclose their identity is one basic and crucial way to minimise the risk of telecommunications networks being used in, or in relation to, the commission of offences. It also assists relevant agencies to identify and apprehend persons who do use, or attempt to use, telecommunications networks and facilities in, or in relation to, the commission of offences. Part 2 is, in this respect, a reasonable, necessary and proportionate restriction on the freedom of expression.

Human rights implications - Presumption of innocence

Article 14(2) of the ICCPR provides that everyone charged with a criminal offence shall have the right to be presumed innocent until proven guilty according to law. It imposes on the prosecution the burden of proving a criminal charge and guarantees that no guilt can be presumed until the charge has been proved beyond reasonable doubt. Under international law the term 'criminal offence' includes not only offences or penalties that are classified as a criminal offence under national law, but also other forms of penalties that may be designated as civil penalties under domestic law. The approach under international and comparative human rights law is to consider the substance and effect of the proceedings, rather than the 'label' itself.

Strict liability offences engage and limit the right to be presumed innocent as they allow for the imposition of criminal liability without the need for the prosecution to prove fault. In the case of a strict liability offence, the prosecution is only required to prove the physical elements of the offence.

Applying strict liability to all the physical elements of an offence will generally be considered appropriate where:

*         the offence is not punishable by imprisonment;

*         the offence is punishable by a fine of up to 60 penalty units for an individual (300 for a body corporate);

*         the punishment of offences not involving fault is likely to significantly enhance the effectiveness of the enforcement regime in deterring certain conduct; and

*         there are legitimate grounds for penalising persons lacking fault, for example, because he or she will be placed on notice to guard against the possibility of any contravention.

A strict liability offence will not violate the presumption of innocence if it pursues a legitimate objective and is reasonable, necessary and proportionate to that objective.

The offence provisions contained in the Regulations at section 46, Division 2 of Part 4 are strict liability offences. The offences in the Regulations are aimed at upholding the integrity of the research authorisation process and ensuring that the authorised research information (including personal information) is properly dealt with and personal information (such as a person's unlisted mobile number) is not disclosed to the public. Making these offences strict liability offences provides a strong deterrent against those parties improperly using or dealing with personal information. In this respect, it is considered a reasonable, necessary and proportionate restriction on the right to be presumed innocent until proven guilty in order to protect individual privacy.

Any authorised research entity that fails to comply with conditions set out by ACMA under Subdivision C would have been well aware of those conditions due to there being a research authorisation in place.

The conduct that is the subject of offences is not overly burdensome to comply with, and the penalty for each offence (10 penalty units) is also not unduly onerous.  For these reasons, strict liability is a reasonable and proportionate response.  Nothing in the offence provisions under these Regulations abrogates the common law privilege against self-incrimination.

Of course, it remains incumbent on the prosecution to prove the physical elements of these offences beyond a reasonable doubt. An accused will have access to the defences available under Part 2.3 of the Criminal Code Act 1995 (Criminal Code), where applicable. For example, the defence of intervening conduct or event (s10.1 of the Criminal Code), or the defence of honest and reasonable mistake of fact (s9.2 of the Criminal Code) may be available. These are considered to be a sufficient safeguard against error and abuse, and provide the opportunity to avoid penalty for reasonable excuses.

Conclusion

The Instrument is compatible with human rights. Any interference with privacy is neither unlawful nor arbitrary and there are strong privacy protections. The restrictions imposed on freedom of expression are reasonable, necessary and proportionate to give effect to the legitimate objectives of law enforcement and national security. The presumption of innocence is maintained as the instrument is reasonable, necessary and proportionate.

 

Minister for Communications, Urban Infrastructure, Cities and the Arts

