1. Introduction
Australia’s telecommunications sector plays a crucial role in connecting millions of people. However, with this connectivity comes the responsibility of safeguarding vast amounts of personal information. Consequently, navigating the complex landscape of data regulations is essential to ensure compliance and maintain consumer trust. In this regard, the Privacy Act 1988 (APA), the Telecommunications Act 1997 (Telecom Act) and the Telecommunications (Interception and Access) Act 1979 (TIA Act) are pivotal to establishing clear obligations for how telecom entities collect, use, store, and disclose personal information while upholding privacy and security standards across the industry.
2. Understanding the Regime
At the core of this framework are two key types of entities: carriers and carriage service providers. Carriers are licensed operators that own and maintain the infrastructure for delivering phone and internet services. These entities are registered with the Australian Communications and Media Authority (ACMA). Carriage service providers, on the other hand, deliver services directly to consumers using a carrier’s infrastructure and are usually the primary handlers of consumer data. Collectively, these entities can be referred to as “telecom entities”.
Privacy protections are primarily governed by the APA, supported by the Telecom Act and the TIA Act. These laws work together to ensure that personal information is handled in accordance with the Australian Privacy Principles (APPs). The APA applies to telecom entities handling personal or sensitive information. Moreover, the Telecom Act also includes strong safeguards to ensure that privacy protections under the APA are not undermined by changes in telecommunications practices. It states that industry codes and standards cannot override the APA or any registered APP code. Additionally, industry bodies are allowed to develop voluntary codes, which may cover areas like telecommunications and telemarketing. These codes must be fair and not overly burdensome. Before registering any such code, the ACMA must consult the Office of the Australian Information Commissioner (OAIC) if data privacy is involved.
The OAIC plays a key oversight role when it comes to data privacy. It provides guidance on the data privacy aspects of industry codes and standards developed under the Telecom Act, advises on record-keeping obligations, and contributes to the development of authorisation formats for law enforcement access to telecommunications data. It also monitors how retained telecommunications data is managed, treating it as personal information under the APA.
A. Security Mechanisms
Under the APA, telecom entities are required to take "reasonable steps" to implement technical, physical, and organisational security measures to protect personal information. For context, personal information means information or an opinion about an identified or reasonably identifiable individual, whether true or not, and whether recorded or not.
While the APA does not impose explicit obligations on third parties, its scope extends to any entity that 'holds' personal information—interpreted broadly to include not only those in physical possession of the data, such as outsourced service providers, but also those exercising control over it. As a result, third parties involved in processing personal information cannot evade accountability and are expected to adopt appropriate security safeguards in alignment with the APPs.
Securiti’s Data Security Posture Management empowers organizations to mitigate data breach risks, safeguard data sharing, and enhance compliance while minimizing the cost and complexity of implementing data controls.
B. Data Minimization
Although the APA does not include a standalone provision on data minimization, the principle is embedded within its broader framework. Under the APPs, telecom entities are required to collect personal information only when it is reasonably necessary for one or more of their functions or activities, and the collection must be carried out by lawful and fair means. This effectively imposes a data minimization obligation, restricting excessive or unnecessary data collection.
Securiti’s Sensitive Data Intelligence module uses AI to identify and remove unnecessary data, reducing storage costs and ensuring compliance with retention policies.
C. Data Breach
The Notifiable Data Breaches (NDB) Scheme under the APA imposes significant accountability on telecom entities when managing data breaches. The OAIC should be notified within 72 hours of discovering a data breach likely to create the risk of serious harm. Failure to meet this expectation may trigger regulatory scrutiny or enforcement action, particularly if delays appear unreasonable. Affected individuals must also be notified without undue delay, even if done in phases.
Beyond notification, the APA places a continuing obligation on telecom entities to implement and maintain effective systems and procedures for identifying, containing, and mitigating breaches. This underscores that compliance is not merely reactive but requires a proactive data breach response strategy, with direct implications for governance, risk management, and reputational integrity.
Securiti’s Breach Management solution automates breach notifications and compliance actions, providing incident response workflows that help organizations respond to privacy incidents promptly and effectively.
D. Impact Assessment
Under the APA, the OAIC holds the authority to direct agencies to conduct impact assessments where appropriate. While not mandatory for all organizations, conducting an impact assessment is strongly encouraged, particularly when initiating new projects or significantly altering existing data-handling practices. A well-executed impact assessment is not merely a procedural exercise; it serves as a strategic tool to:
- identify privacy risks;
- assess compliance;
- engage with affected parties to understand their privacy concerns and expectations; and
- implement safeguards.
Failure to carry out impact assessments in high-risk scenarios can expose organizations to regulatory criticism, reputational harm, and increased legal vulnerability.
Securiti’s Assessment solution helps organizations evaluate their internal protocols, ensuring the necessary technical and organizational measures are in place to prevent human errors.
E. Data Protection Officer (DPO)
The APA does not require the appointment of a DPO. However, appointing a dedicated privacy officer or function is considered best practice, particularly for organisations that handle large volumes of personal information or engage in high-risk processing activities. Doing so signals a proactive commitment to privacy governance and can enhance internal accountability, improve incident response capabilities, and support ongoing compliance with the APPs. In the absence of a legal obligation, the failure to assign clear privacy responsibilities may hinder an organisation’s ability to manage risks effectively and respond to regulatory scrutiny.
Securiti’s Data Mapping module can equip Data Protection Officers with tools to uphold stringent data security and governance protocols, cataloguing and mapping all data processing activities.
F. Data Retention & Record of Processing Activities (ROPA)
While the APA does not impose a direct obligation to maintain a Record of Processing Activities (ROPA), it does require taking reasonable steps to destroy or de-identify personal information once it is no longer required for a lawful purpose. This principle implicitly encourages good data inventory and lifecycle management practices.
Moreover, under the TIA Act, telecom entities must retain certain types of data—such as call times, sender and recipient details, and location data—for a minimum of two years. Although this excludes the content of communications, its storage must comply with privacy and data protection requirements under the APA.
Additionally, certain records, such as those about warrants, authorisations, ministerial notices, and international production orders, must generally be retained for at least three years or until reviewed by the Ombudsman, reinforcing transparency and oversight in surveillance activities.
Furthermore, the ACMA has the power to prescribe specific record-keeping rules for carriers, including standards for how records are created, stored, and reported.
G. Data Disclosure
The Telecom Act and the APA work together to regulate the use and disclosure of telecommunications data in Australia. Generally, disclosure of information obtained during the supply of telecom services is not allowed under the Telecom Act unless an exception applies. If information is disclosed under an exception, a record of the disclosure must be maintained, and the OAIC is responsible for enforcing compliance with this obligation.
Moreover, disclosures to foreign authorities are permitted if an international agreement exists and the request complies with the APA. Before approving a disclosure, authorised officers must ensure it is justified and proportionate, considering factors such as the seriousness of the matter and the relevance of the data. This ensures consistent privacy protections while allowing necessary data sharing in limited and controlled circumstances.
The OAIC has published detailed guidance on disclosures for telecom entities.
A. Lawful basis of processing
Under the APA, telecom entities are permitted to collect personal information only when it is reasonably necessary for their functions or activities, and the collection must be carried out by lawful and fair means. This principle not only limits the scope of data collection but also reinforces the broader obligation of transparency and accountability in data handling.
Moreover, telecom entities are expected to implement open and transparent practices, such as privacy policies and collection notices, to inform individuals about how their data is being managed.
Securiti’s Data Privacy solution automates compliance with evolving global privacy regulations and principles.
B. Consent
As per the APA, consent is essential in certain situations—particularly when collecting sensitive information or using personal information for a secondary purpose. Consent must be voluntary, informed, current, and specific, and individuals must have the capacity to give it. Consent can be express (given clearly through words or actions), or implied (where it's reasonable to infer consent from circumstances). Importantly, individuals have the right to withdraw their consent at any time, and organisations must respect that withdrawal for all future uses.
The APA sets out a list of the categories of information treated as sensitive. It includes information or an opinion about an individual’s:
- racial or ethnic origin;
- political opinions, religious beliefs or affiliations;
- philosophical beliefs;
- membership of a professional or trade association, or of a trade union;
- sexual orientation or practices;
- criminal record;
- health information;
- genetic information;
- biometric information used for automated biometric verification or biometric identification; or
- biometric templates.
Beyond the APA, telecom entities must also comply with the Spam Act 2003, which makes consent a legal prerequisite for sending commercial electronic messages. If a telecom entity engages in sending commercial electronic messages, it must meet three key requirements:
- obtain the recipient’s consent to send the message;
- clearly identify the sender and provide accurate contact details; and
- include a functional unsubscribe facility, allowing recipients to opt out easily.
Securiti’s Consent Module automates consent tracking and management, simplifying the management of first-party and third-party consent and enabling organizations to obtain, record, track, and manage individuals' explicit consent.
C. DSR
The APA grants individuals key rights that include the right to access their personal information held by an organisation and to request corrections where the information is inaccurate, out-of-date, incomplete, irrelevant, or misleading. These rights impose active obligations to respond to access and correction requests in a timely and transparent manner. Failing to do so may not only breach the APPs, but also expose telecom entities to complaints and potential regulatory action. Ensuring accessible mechanisms for individuals to exercise these rights is therefore critical to maintaining legal compliance and public trust.
Securiti’s Data Subject Rights Management solution automates handling requests like access, deletion, and correction. It streamlines request tracking, identity verification, and secure data transfer, ensuring timely compliance and reducing administrative workload.
D. Privacy Policy
Under the APA, telecom entities—like all APP entities—are required to maintain a clearly expressed and up-to-date privacy policy that outlines how they manage personal information. This policy must be made freely available and presented in an accessible format suitable for the target audience. The policy must include:
- the organization's name and contact details;
- types of personal information collected;
- collection and storage methods;
- reasons for data collection;
- usage and disclosure of personal information;
- access and correction procedures;
- complaint process for mishandling; and
- potential overseas disclosures and, if possible, the countries involved.
An incomplete or inaccessible privacy policy not only increases legal risk but can also damage public trust and customer confidence.
Securiti’s Privacy Policy and Notice Management enables organizations to rapidly build and deploy privacy notices, automate updates, and easily manage hundreds of privacy and cookie policies and notices via a unified privacy dashboard.
E. Vendors
Telecom entities engaging contracted service providers are expected to include specific contractual clauses prohibiting the service provider from doing anything that would result in a breach of the APPs. This reflects a broader principle of privacy by contract, where written agreements become a central mechanism for ensuring third-party compliance and managing legal risk. The absence of such controls may expose entities to liability, particularly in cases of offshore outsourcing or cloud services where direct oversight is limited.
Securiti’s Vendor Risk Management solution automates vendor risk assessments, enabling organizations to assess third-party privacy risks, track subcontractor engagements, and provide automated alerts, supplier assessments, and security audits for ongoing third-party risk monitoring.
F. Cross-border data transfer
As per the APA, data can be transferred to a third country. However, the recipient country must have a law or binding rules that protect personal information, similar to the safeguards employed by Australia.
Moreover, a telecom entity that discloses personal information to an overseas recipient remains accountable for any actions or practices of the recipient that would violate the APPs unless certain exceptions apply. Other legal grounds for data transfers include:
- compliance with Australian laws or court orders;
- explicit consent from the data subject, with acknowledgment of the lack of APP enforcement; or
- transfers by Commonwealth Government agencies under international agreements or for enforcement activities.
Furthermore, disclosure is permitted in the following circumstances:
- lessening or preventing a serious threat to life, health or safety;
- taking appropriate action in relation to suspected unlawful activity or serious misconduct;
- locating a person reported as missing;
- necessary for a diplomatic or consular function or activity; and
- necessary for certain defence force activities outside Australia.
Securiti’s Data Access Governance (DAG) tool allows organizations to oversee and manage access to personal data across different jurisdictions.
Data governance involves developing and maintaining robust frameworks to manage data quality, accountability, and compliance with regulatory requirements. Telecom entities are expected to establish internal governance structures that define data ownership, oversight responsibilities, and procedures for ensuring the accuracy, consistency, and lifecycle management of data. These frameworks must align with the APA, Telecom Act and the TIA Act, which impose obligations around personal information handling and data retention. Telecom entities are also required to build systems that support traceability and auditing, particularly for retained data and disclosures made under lawful requests. Developing such frameworks enables telecom entities to meet compliance obligations, strengthen operational transparency, and ensure readiness for regulatory review or security incidents.
Securiti’s Data Governance provides a unified approach to managing data assets, ensuring compliance, security, and data quality across the organization. It automates policies, access controls, and data lifecycle management, enabling transparent, accountable, and consistent data practices aligned with regulatory standards.
While Australia does not yet have a dedicated, comprehensive Artificial Intelligence (AI) law, regulatory attention is increasingly focused on the responsible use of AI across sectors—including telecommunications. For telecom entities deploying AI systems to manage networks, enhance customer service, or automate decision-making, existing laws such as the APA or Australian Consumer Law apply by default. Although voluntary, the AI Ethics Principles published by the government offer guidance on best practices for responsible AI use. The eight core principles are:
- Human, Social and Environmental Wellbeing: AI should benefit individuals and society, contributing positively to sustainability and human dignity.
- Human-Centred Values: AI should respect human rights, diversity, and autonomy.
- Fairness: AI systems must avoid bias, ensure equitable treatment, and support inclusive outcomes.
- Privacy Protection and Security: AI should uphold privacy rights and provide robust data governance.
- Reliability and Safety: Systems must perform reliably and safely throughout their lifecycle.
- Transparency and Explainability: Decisions made by AI should be understandable and traceable by humans.
- Contestability: Individuals should be able to challenge and seek remedies for adverse decisions made by AI.
- Accountability: There must be clear responsibility and governance frameworks to manage AI risks.
Moreover, Australia’s Voluntary AI Safety Standard outlines 10 non-binding guardrails for the safe use of high-risk AI systems, such as generative and foundation models. These include testing for harm, managing incidents, securing systems by design, and maintaining human accountability. It’s also important to ensure lawful use, protect children, disclose risks, and verify safety through independent evaluations. While not mandatory, these standards support best practices in sectors like telecom.
Looking ahead, the Department of Industry, Science and Resources has been engaging in public consultations on AI regulation. The telecom sector—given its data intensity and infrastructure role—is expected to face more defined regulatory obligations as Australia moves toward formalizing its AI regulatory framework. In the meantime, telecom entities must ensure AI use aligns with current privacy, consumer protection, and ethical standards.
Securiti's AI Security & Governance module protects AI systems by managing data security, privacy, and compliance, ensuring safe and ethical AI operations.
7. Conclusion
Legacy methods of processing and securing user data are impractical for telecommunications providers owing to the sheer volume and variety of data they handle. Additionally, with recent developments in AI and privacy laws evolving at an accelerating rate, it makes both operational and regulatory sense to leverage automated tools to ensure swift compliance with regulatory updates.
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data+AI. It provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Several of the world's most reputable corporations rely on Securiti's Data Command Center for their data security, privacy, governance, and compliance needs.
The Data Command Center comes equipped with several individual modules and solutions designed to ensure effective compliance with various obligations placed on them by data privacy regulations. These include privacy policy management, cookie consent management, breach management, data mapping, vendor management, universal consent, and DSR automation, among several others. Additionally, telecom operators can gain critical real-time insights into the state of their regulatory compliance with respect to all relevant provisions of each data privacy regulation they're subject to via a centralized dashboard that enables proactive adjustments.
Request a demo today and learn more about how Securiti can help telecommunications providers comply with any major existing and forthcoming data privacy and protection regulations.