What are the rules about phone companies sharing my personal information?
In Plain English
Phone companies in Australia have to follow strict rules about sharing your personal information. These rules are designed to protect your privacy and give you control over your data.
Here's a breakdown:
- Consumer Data Right (CDR): You have the right to access certain data that phone companies hold about you (like billing and account info) and to securely share it with accredited third parties. This can help you compare services or switch providers more easily.
- Privacy Safeguards: The Competition and Consumer Act 2010 includes privacy safeguards that limit how phone companies can use, collect, and share your information. They generally need your express consent.
- Integrated Public Number Database (IPND): If you have a listed phone number, your information goes into the IPND. Access to this database is restricted, and there are rules about who can use it and for what purposes (like publishing phone directories or conducting research).
- Domestic and Family Violence Protections: If you're affected by domestic violence, phone companies have to take extra steps to protect your information and prevent it from being disclosed to a perpetrator.
- Prepaid Mobile Services: If you use a prepaid mobile service, phone companies have to verify your identity. There are rules about how they can collect, record, and use your personal information during this process.
- General Privacy: The Privacy Act 1988 sets out Australian Privacy Principles (APPs) that phone companies must follow. These principles cover things like how they collect, use, store, and disclose your personal information.
Detailed Explanation
Several pieces of legislation and related instruments govern how telecommunications companies handle personal information in Australia.
- Consumer Data Right (CDR)
  - The Consumer Data Right (Telecommunications Sector) Designation 2022 designates the telecommunications sector as subject to the CDR, giving consumers more control over their data.
  - This Designation allows individuals and businesses to access specified data held by businesses and to authorize secure access to this data by accredited third parties, as per subsection 56AC(2) of the Competition and Consumer Act 2010.
  - The classes of information subject to CDR include customer-provided data, billing and account information, and information about retail telecommunications products.
  - The Competition and Consumer Act 2010 protects against arbitrary interference with privacy by establishing CDR-specific privacy safeguards, modelled on the existing Australian Privacy Principles (APPs) but with additional obligations.
  - Materially enhanced information, which is data significantly enhanced through analysis or transformation, is also covered by the CDR, meaning customers can authorize its disclosure, even though data holders aren't required to disclose it.
- Integrated Public Number Database (IPND) Scheme
  - The Telecommunications (Integrated Public Number Database Scheme – Conditions for Authorisations) Determination 2017 sets out conditions for authorisations to access personal information in the IPND.
  - Sections 276 and 277 of the Telecommunications Act generally prohibit the disclosure or use of information obtained by carriers and carriage service providers, including IPND information.
  - Section 285 of the Telecommunications Act provides an exception, permitting disclosure of IPND information by Telstra (as the IPND Manager) to authorised persons.
  - Authorisations are subject to conditions designed to protect personal information and privacy, such as restrictions on cross-border disclosure (section 6), safeguarding protected information (section 7), and secure disposal of information (section 10).
  - Research entities accessing customer data from the IPND must comply with specific rules, including obtaining consent for data use and complying with privacy laws (Telecommunications Integrated Public Number Database Scheme 2017).
- Domestic and Family Violence Consumer Protections
  - The Telecommunications (Domestic, Family and Sexual Violence Consumer Protections) Industry Standard 2025 includes provisions to protect affected persons' personal information.
  - Providers must securely store information collected under the Standard and protect it from misuse, interference, loss, or unauthorized disclosure, particularly to a perpetrator (section 27).
  - Providers not subject to the Privacy Act 1988 must adhere to equivalent privacy protections, including restrictions on use and disclosure (section 28).
  - In case of unauthorized access or disclosure of an affected person's personal information, providers must notify both the ACMA and the affected person within two days (section 29).
- Prepaid Mobile Services
  - The Telecommunications (Service Provider — Identity Checks for Prepaid Mobile Carriage Services) Determination 2017 and its amendment Telecommunications (Service Provider — Identity Checks for Prepaid Mobile Carriage Services) Amendment Determination 2025 (No. 1) mandate identity checks for prepaid mobile carriage services.
  - Carriage service providers (CSPs) must obtain and verify customer identity information before activating a prepaid mobile service (Part 4).
  - The determination includes provisions to ensure that the collection and use of personal information is reasonable, necessary, and proportionate to the objectives of law enforcement and national security.
  - The Telecommunications Regulations 2021 also outline the rules for obtaining information and verifying the identity of customers of prepaid mobile services.
- General Privacy Legislation
  - The Privacy Act 1988 sets out the Australian Privacy Principles (APPs) that govern how organizations, including telecommunications companies, handle personal information.
  - These principles cover various aspects of data management, including collection, use, disclosure, security, and access.
  - APP 6 restricts the use or disclosure of personal information.
  - APP 7 regulates direct marketing, requiring organizations to provide a simple means for individuals to request not to receive direct marketing communications.
  - APP 8 governs cross-border disclosure of personal information, requiring entities to take reasonable steps to ensure overseas recipients do not breach the APPs.
- Customer Identity Authentication
  - The Telecommunications Service Provider (Customer Identity Authentication) Determination 2022 aims to prevent unauthorized high-risk customer interactions by requiring carriage service providers to authenticate customer identity.
  - This determination authorizes the collection and use of personal information for fraud prevention, subject to the Privacy Act 1988 and Part 13 of the Telecommunications Act.
  - The determination enhances privacy protections by providing additional measures for customers to authenticate their identity and requiring providers to publish advice on identity processes.