Data Protected - Australia

Contributed by Allens

Last updated December 2017

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

The Commonwealth of Australia has enacted the Privacy Act 1988 (Cth) (the “Privacy Act”). It has also enacted other legislation granting privacy rights, including the Taxation Administration Act 1953 (Cth), the Telecommunications Act 1997 (Cth) and Telecommunications (Interception and Access) Act 1979 (Cth).

Substantive amendments to the Privacy Act came into effect on 12 March 2014 in respect of a number of areas including direct marketing, privacy collection statements and privacy policies, collection of unsolicited personal information, disclosure of personal information outside Australia and credit reporting. Substantial penalties can now be imposed for "serious" or "repeated" interferences with the privacy of data subjects.

On 13 February 2017, the Federal Parliament passed the Privacy Amendment (Notifiable Data Breaches) Act 2017 which introduces a mandatory data breach notification regime into the Privacy Act (see below).

A number of Australian States and Territories have also enacted privacy legislation. In particular, New South Wales, the Australian Capital Territory, the Northern Territory, Queensland, Tasmania and Victoria all have specific privacy laws. In addition, the Australian States and Territories have enacted a range of other legislation which provides privacy rights. This other legislation addresses issues such as surveillance, use of criminal record information and use of health information.

The remainder of this summary only considers the Privacy Act (except to the extent otherwise specified).

Entry into force

The Privacy Act came into effect on 1 January 1989. The Privacy Amendment (Private Sector) Act 2000 (Cth) came into effect on 21 December 2001, amending the Privacy Act to establish a national scheme to regulate private sector organisations' handling of personal data. The Privacy Amendment (Enhancing Privacy Protection) Act 2012 came into effect on 12 March 2014, introducing the significant changes described above. The Privacy Amendment (Notifiable Data Breaches) Act 2017 comes into effect on 22 February 2018.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

Office of the Australian Information Commissioner ("Commissioner")

GPO Box 5218
Sydney
NSW 2001

www.oaic.gov.au

The Commissioner heads the Office of the Australian Information Commissioner (the “OAIC”) and is supported by the Freedom of Information Commissioner and the Privacy Commissioner. In practice, the Commissioner is responsible for the majority of the privacy related functions of the OAIC, including the investigation of complaints made by data subjects.

The previous regulatory authority, the Office of the Privacy Commissioner, was integrated into the OAIC on 1 November 2010.

Notification or registration scheme and timing

There is no notification or registration scheme for organisations that handle personal data.

Exemptions to notification

Not applicable.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The Privacy Act applies to activities of organisations within Australia.

The Privacy Act also applies to the overseas activities of Australian organisations and foreign organisations that have an "Australian link". An organisation is considered to have a link with Australia if: (i) there is an organisational link: for example, the organisation is a company incorporated in Australia, or a trust created in Australia; or (ii) the organisation carries on business in Australia or an external territory and collects or holds personal data in Australia or an external territory.

If an organisation's overseas activity is required by the law of a foreign country, then that activity is not taken to amount to an interference with the privacy of a data subject.

Is there a concept of a controller and a processor?

There is no distinction between entities which control, as opposed to process, personal data. Any handling of personal information, whether holding, processing or otherwise, is potentially subject to data protection legislation.

Are both manual and electronic records subject to data protection legislation?

Yes. The Privacy Act applies to any personal data that is gathered, acquired or obtained from any source and by any means. The definition of personal data in the Privacy Act expressly includes reference to personal data whether recorded in a material form or not.

Are there any national derogations?

Generally, private sector organisations and federal government agencies are subject to the Privacy Act, and State and Territory government agencies are subject to separate State and Territory legislation.

The Privacy Act contains exemptions for certain organisations. For example, operators of small businesses (broadly, businesses with an annual turnover for the previous financial year of $3,000,000 or less) are not generally subject to the Privacy Act. There are exemptions for personal, family or household affairs, media organisations and political parties. However, there is no general exemption for not-for-profit organisations.

There is a limited exemption from the application of the Privacy Act for the sharing of personal data (other than personal data that is sensitive data) between companies in the same group. Principles regarding the disclosure of personal data outside Australia apply even where the transfer is between group companies.

_____________________________________________________________________

Personal Data

What is personal data?

The Privacy Act defines personal data (referred to in the Privacy Act as “personal information”) to be “information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not”. The distinction between these definitions is unlikely to be substantive.

Is information about legal entities personal data?

No, unless the legal entity is a data subject (for example a sole trader), or the information identifies individuals (for example, the employees or customers of the legal entity).

What are the rules for processing personal data?

The Privacy Act does not specifically refer to “processing” personal data and there is no distinction between entities which control, as opposed to process, personal data. This means that any handling of personal data, whether using, holding, processing or otherwise, is potentially subject to the Privacy Act. The Privacy Act contains the Australian Privacy Principles (the “APPs”) regarding the handling of personal data which generally apply to both private sector organisations and federal government agencies.

While the APPs contain obligations which are broadly similar in operation and effect to the conditions for processing personal data, these provisions are dispersed throughout the APPs.

The APPs provide, as a general rule, that an organisation should only use or disclose personal data for the purpose for which it was collected. However, an organisation may use or disclose personal data about a data subject for another purpose (a secondary purpose) if the data subject has consented or the secondary purpose is related to the primary purpose and such use or disclosure might reasonably be expected by the data subject. If the personal data is sensitive personal data, the secondary purpose must be directly related to the primary purpose. There are a number of exceptions to this general rule. 

Are there any formalities to obtain consent to process personal data?

There are no specific formalities to obtain consent set out in the Privacy Act (except where an organisation wishes to obtain consent to cross-border disclosure, see below). Consent can be express or implied, written or oral, but in any event requires both knowledge of the matter agreed to and voluntary agreement of the relevant data subject. The level of consent required in any particular case will depend upon, among other things, the seriousness of the consequences for the data subject if the personal data were to be used or disclosed.

Are there any special rules when processing personal data about children?

There are no special rules relating to the processing (or otherwise) of personal information about children.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

The Privacy Act defines sensitive personal data (referred to in the Privacy Act as “sensitive information”) in broadly the same way as the standard types of sensitive personal data.

Are there additional rules for processing sensitive personal data?

Generally, an organisation is not allowed to collect sensitive information from a data subject unless the data subject has consented and the personal data is reasonably necessary for one or more of the organisation's functions or activities. An organisation can collect sensitive information from a data subject without consent in certain limited circumstances, for example where collection is required by Australian law. Non-profit organisations may collect sensitive information from a data subject without consent if the information relates to the activities of the organisation and the information relates solely to members or individuals who have regular contact with the organisation in connection with its activities.

An organisation may only use or disclose sensitive data for a purpose other than the primary purpose of collection (secondary purpose) if: (i) the secondary purpose is directly related to the primary purpose of collection and such use or disclosure might reasonably be expected by the data subject; (ii) the data subject has consented; (iii) the use or disclosure is authorised or required under law; or (iv) another exception exists.

Are there additional rules for processing information about criminal offences?

The Privacy Act classifies a criminal record as a type of sensitive information. Therefore, the rules are the same as for sensitive information (described above).

Are there any formalities to obtain consent to process sensitive personal data?

There are no specific formalities to obtain consent set out in the Privacy Act (except where an organisation wishes to obtain consent to cross-border disclosure, see below). Consent can be express or implied, written or oral, but in any event requires both knowledge of the matter agreed to and voluntary agreement of the relevant data subject. The level of consent required in any particular case will depend upon, among other things, the seriousness of the consequences for the data subject if the personal data were to be used or disclosed.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

There is no legal requirement to appoint a data protection officer. However, the Australian Privacy Principles Guidelines published by the OAIC (the "APP Guidelines") recommend that organisations consider appointing such officers as part of good governance mechanisms to ensure compliance with the Privacy Act. The APP Guidelines are not legally binding.

What are the duties of a data protection officer?

Not applicable (see above).

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

APP 1 requires that organisations have a clearly expressed and up-to-date privacy policy that details the management of personal information by the organisation. The privacy policy must be made reasonably available, free of charge. The privacy policy must contain a range of information specified in APP 1, including (but not limited to), how the organisation collects and holds personal information and the purposes for which the organisation collects, holds, uses and discloses personal information.

APP 1 also imposes a positive requirement on organisations to actively take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs. What constitutes “reasonable steps” depends on a number of factors, such as the size and resources of the organisation, the nature of the personal information held and the practicality of implementing particular practices. The APP Guidelines, however, are clear that APP entities are not excused from implementing appropriate procedures on the grounds of inconvenience or cost. The APP Guidelines give a number of examples of the practices that organisations should consider implementing (for example, regular staff training on the APPs).

Are privacy impact assessments mandatory?

There is no express requirement to carry out privacy impact assessments. However, as discussed above, APP 1 requires organisations to take "reasonable steps" to implement privacy practices, procedures and systems that will ensure compliance with the APPs. The APP Guidelines suggest that to comply with APP 1, organisations should consider conducting privacy impact assessments for new projects or data handling practices.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

At or before the time of collection (or as soon as practicable afterwards) an organisation collecting personal data must take reasonable steps to make a data subject aware of a number of prescribed matters, for example, the identity of the organisation, the purposes of the processing, the types of organisations to whom the personal data may be disclosed and that the organisation's privacy policy contains certain information (for example, how to make a complaint).

Where personal data is not collected directly from the data subject, an organisation must take reasonable steps to make sure the data subject is informed of the same matters in respect of its indirect collection.

Rights to access information

As a general rule, an organisation must, upon request, give the data subject access to any personal data held about them. However, there are exceptions to this general rule including, by way of example, where the provision of access to personal data could have an unreasonable impact on the privacy of other data subjects or where denying access is required or authorised by or under law.

Rights to data portability

An organisation must, following a valid request from a data subject, give access to the information in the manner requested by the data subject, if it is reasonable and practical to do so. A data subject could use this right to ask for their personal data in a portable format. If the organisation does not provide access in the manner so requested by the individual, it will need to set out its reasons for not doing so in written notice to the individual. Other than the above, data subjects do not have a right to receive data in a portable electronic format.

Right to be forgotten

Data subjects in Australia do not have a right to have their personal information erased.

The closest thing to a right of this nature in Australia is the data subject's right under APP 13, which grants data subjects a right to request to have their personal information corrected. An organisation must take reasonable steps to confirm and correct any personal information if it is satisfied that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading. If an organisation refuses to correct personal data, it must give reasons to the data subject who has requested such correction and information about the mechanisms available to complain about the refusal.

Further, under APP 11.2, if an organisation holds personal information about a data subject and the organisation no longer needs it for any purpose for which it may be used or disclosed under the APPs, it must in most cases take reasonable steps to destroy or de-identify the information (see further under 'Security' below).

Objection to direct marketing and profiling

The APPs provide that organisations must not use or disclose personal data for direct marketing unless an exception applies.

The first exception applies where: (i) the organisation collected the data from the data subject (and the information was not sensitive information); (ii) the data subject would reasonably expect the organisation to use or disclose the information for direct marketing; (iii) the organisation provides a simple means by which the data subject can "opt out" of the direct marketing communications; and (iv) the data subject has not made a request to opt out.

The second exception applies where: (i) the personal data has been obtained from third parties or the data subject would not reasonably expect the data to be used for direct marketing; (ii) the data subject has given its consent to the use of the personal information for direct marketing (or it is impracticable to obtain that consent); (iii) the organisation provides a simple means by which the data subject can "opt out" of the direct marketing communications; (iv) each direct marketing communication contains a prominent "opt-out" notice; and (v) the data subject has not made a request to opt out.

The third exception applies where the personal data is sensitive information and the data subject has given their consent to the use of the personal data for direct marketing. 

A fourth exception applies for organisations contracted or sub-contracted under a government contract to provide services to the Commonwealth or a State or Territory. This includes, for example, contractors who provide services to Ministers or Departments.

APP 7 does not apply to the extent that the Do Not Call Register Act 2006 (Cth) or the Spam Act 2003 (Cth) apply. These Acts are described in more detail below.

Other rights

Wherever it is lawful and practicable, data subjects must have the option of not identifying themselves when dealing with the organisation.

As noted above, a data subject may submit a complaint to the Commissioner about an act or practice that may be an interference with the privacy of the data subject. The complaint may then be investigated by the Commissioner.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

APP 11 requires an organisation to take active measures to ensure the security of personal information it holds, and to actively consider whether it is permitted to retain personal information. APP 11 requires organisations to take reasonable steps to protect the personal data they hold from misuse, interference and loss and unauthorised access, modification or disclosure. APP 11 does not mandate any specific security obligations or standards.

The OAIC, however, has published a "Guide to Information Security" which provides non-binding guidance on the reasonable steps organisations are required to take to protect the personal data they hold. According to the guide, reasonable steps require consideration of: (i) the nature of the organisation; (ii) the amount and sensitivity of the personal information held; (iii) the possible adverse consequences for an individual in the case of a breach; (iv) the practical implications of implementing the security measure, including the time and cost involved; and (v) whether a security measure is itself an invasion of privacy.

Organisations also need to be aware of other laws (in addition to the APPs) that impose obligations in relation to personal data security. For example, credit reporting bodies and credit providers must comply with Part IIIA of the Privacy Act and the registered Credit Reporting Code, which requires certain steps to be taken to maintain the security of credit reporting information. Likewise, a tax file number recipient must comply with the Privacy (Tax File Number) Rule 2015, and health care providers must comply with various health records acts.

Specific rules governing processing by third party agents (processors)

There are no specific rules governing the handling of personal data by third parties. The obligation placed on organisations under APP 11 to take reasonable steps to protect personal data from misuse, interference and loss and unauthorised access, modification or disclosure has the effect of requiring those organisations to take reasonable steps to ensure that any third party handling personal data on their behalf also takes the same steps to protect personal data. The "Guide to Information Security" referred to above also provides non-binding guidance in relation to the processing of information by third parties.

Organisations should be aware that the OAIC has released specific guidance in relation to third party providers of cloud computing. In particular, the OAIC states that to comply with APP 11, organisations must assess the security controls of the third party cloud computing provider, which may include consideration of their governance arrangements, controls relating to software security, access security and network security.

Notice of breach laws

Although the Privacy Act does not currently contain any obligation to notify the Commissioner or affected data subjects of a security breach, non-binding guidance issued by the OAIC states that organisations should do so where there is a real risk of serious harm as a result of the breach.

However, from 22 February 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 will require organisations to notify the Commissioner and affected data subjects if they believe that there has been an "eligible data breach".

An eligible data breach occurs where there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity and that access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates. In this event, an entity must provide a statement to the Commissioner as soon as practicable, as well as notify affected data subjects or data subjects at risk as soon as practicable after notifying the Commissioner. The Commissioner may also direct an entity to make a notification in respect of a data breach.

An exception to the notification requirement applies where an entity has taken remedial action early enough for serious harm not to have occurred or not to be likely to still occur.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

As APP 8 regulates the “disclosure” of personal data overseas (as opposed to the “transfer” of information), APP 8 applies whenever an organisation makes personal data available to entities located outside Australia, even where the information is stored in Australia.

APP 8 provides that, prior to disclosing personal data to a recipient who is located outside Australia, an organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the personal data. This requirement does not apply if: (i) the overseas recipient is bound by a law similar to the APPs that the data subject can enforce; (ii) the data subject consents to the disclosure of the personal data in the particular manner prescribed by APP 8; or (iii) another exception applies (for example, that the disclosure of the personal data is required by Australian law).

Obtaining the consent described above can be difficult, and in many cases the overseas recipient will not be subject to a similar overseas law that is enforceable by the data subject. Accordingly, in most cases the organisation must take "reasonable steps" to ensure that the overseas recipient does not breach the APPs prior to disclosing that information to the overseas recipient. The APP Guidelines indicate that taking "reasonable steps" usually involves the organisation obtaining a contractual commitment from the overseas recipient that it will handle the personal data in accordance with the APPs.

Further, unless an exception applies, the Privacy Act provides that if the overseas recipient does breach the APPs (despite the organisation having taken the "reasonable steps" referred to above), the organisation may be held accountable. This amounts to deemed liability falling upon the organisation for a breach committed by the overseas recipient.

Organisations also need to consider APP 11 when disclosing personal data to overseas recipients. The obligation to take reasonable steps to protect personal data from misuse, interference and loss and unauthorised access, modification or disclosure will apply to the disclosure of personal data to an overseas recipient. Organisations disclosing personal data to overseas recipients will need to ensure that the personal data will continue to be secure once disclosed. Once an organisation discloses personal data to an organisation in a foreign country, the Privacy Act will apply to the overseas organisation only to the extent set out above.

Notification and approval of national regulator (including notification of use of Model Contracts)

There is no additional right for organisations to disclose personal data overseas on the basis of a prior notification and approval of the Commissioner.

Use of binding corporate rules

There is currently no ability for organisations to use binding corporate rules in respect of the cross-border disclosure of personal data.

_____________________________________________________________________

Enforcement

Fines

The Commissioner may apply to the Federal Court or Federal Circuit Court for an order that the organisation pay a penalty of up to $420,000 for individuals or $2.1m for corporations for "serious" or "repeated" interferences with privacy. These penalties constitute regulatory fines and cannot be used to compensate data subjects for breaches of the Privacy Act.

Imprisonment

A breach of the Privacy Act does not result in criminal penalties. The Commissioner does not have the power to apply to a court for a criminal penalty (including imprisonment) for a contravention of the Privacy Act, or for a "serious" or "repeated" interference with privacy.

Compensation

In response to complaints made by data subjects, the Commissioner has the power, among other things, to attempt, by conciliation, to effect a settlement of the matters that gave rise to the investigation or to make a determination which includes declarations that: (i) the data subject is entitled to a specified amount to reimburse the data subject for expenses reasonably incurred in connection with the making and investigation of the complaint; (ii) the data subject is entitled to a specified amount as compensation; (iii) the organisation has engaged in conduct constituting an interference with the privacy of a data subject and that it must not repeat or continue such conduct; and (iv) the organisation perform any reasonable act or course of conduct to redress any loss or damage suffered by the data subject.

A determination of the Commissioner regarding an organisation is not binding or conclusive. However, the data subject or the Commissioner has the right to commence proceedings in the court for an order to enforce the determination.

Other powers

The Commissioner also has the power to audit organisations (referred to in the Privacy Act as "assessments"), accept enforceable undertakings, develop and register binding privacy codes and seek injunctive relief in respect of contraventions of the Privacy Act.

Practice

According to the OAIC's 2016-17 Annual Report, the Office received 2,494 privacy complaints (a 17% increase from the 2,128 privacy complaints received in 2015-16) and received 16,793 written, telephone and in person enquiries in the year ending 30 June 2017.

The OAIC received 114 voluntary data breach notifications, primarily from the Australian Government, health service providers, and the finance, retail and telecommunications sectors.

The OAIC has made 9 determinations in the same period. Some of the typical remedies include apologies, review training of staff, review of information handling procedures and documentation as well as compensation (ranging from $1,000 to $20,000), either jointly or separately.

Three organisations have entered into enforceable undertakings with the Commissioner in this period. Among other things, some of the requirements in these undertakings include that the relevant organisation: (i) improve its information security environment; (ii) develop and finalise privacy training for all staff members; (iii) engage an independent third party to conduct a privacy review; and (iv) establish a data breach response plan.

To date, no civil penalties have been imposed on organisations under the Privacy Act.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

The Spam Act 2003 (Cth) (the “Spam Act”) governs the sending of commercial electronic messages. Its key operative provisions came into force on 10 April 2004.

The Do Not Call Register Act 2006 (Cth) (the “DNCR Act”) and Do Not Call Register Regulations 2006 govern telemarketing and fax marketing. The operative sections of the DNCR Act took effect on 31 May 2007. The Telemarketing and Research Industry Standard 2007 and the Fax Marketing Industry Standard 2011 have also been implemented (from 31 May 2007 and 4 May 2011 respectively) and regulate telemarketing and fax marketing in addition to the DNCR Act.

Although the APPs deal with direct marketing, the APPs do not apply to the extent that the DNCR Act or the Spam Act apply.

Both the Spam Act and the DNCR Act are regulated by the Australian Communications and Media Authority (the “ACMA”).

_____________________________________________________________________

Cookies

Conditions for use of cookies

The use of cookies is not specifically regulated in Australia. However, personal data collected via the use of cookies is subject to Australian privacy laws in the same manner as all other personal data.

Regulatory guidance on the use of cookies

Not applicable.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

The Spam Act requires that all “commercial electronic messages” identify the sender and, unless exempt, be sent with the consent of the recipient and include a functional unsubscribe mechanism. 

The Spam Act regulates the sending of commercial electronic messages which have an “Australian link”, which is where: (i) the sending of the message was authorised by a data subject physically present in Australia when the message was sent; (ii) the organisation who sent the message is an organisation whose central management and control is in Australia when the message is sent; or (iii) the relevant electronic account-holder is a person who is physically present in Australia at the time the message is accessed or is an organisation that carries on business or activities in Australia at the time the message is accessed.

Conditions for direct marketing by e-mail to corporate subscribers

The Spam Act does not distinguish between individual and corporate recipients of commercial electronic messages.

Exemptions and other issues

Exemptions from the Spam Act requirements include certain messages authorised by government bodies, registered political parties, religious organisations and charities or charitable institutions, subject to certain conditions. By regulation, facsimile messages are also exempted from the Spam Act requirements. However, fax marketing activities may be covered by the DNCR Act (see below).

Commercial electronic messages may be sent where consent is obtained. Consent may be express or inferred from the conduct of the person and the business or other relationship between the sender and the person. In limited circumstances, consent may be inferred from publication of an e-mail address.

Civil penalties are among the remedies that may apply where an organisation has breached the Spam Act.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

The DNCR Act establishes a compulsory Do Not Call Register (the “Register”) of telephone numbers belonging to individuals who have opted out of receiving telemarketing calls. Individuals are able to submit their Australian fixed line or domestic mobile telephone numbers to be recorded on the Register. With some exceptions, it is an offence to make an unsolicited telemarketing call to any registered number. For the purposes of the DNCR Act, “telemarketing call” is defined as a voice call (including recorded or synthetic voices) to a telephone number, where that telephone call is for a commercial purpose.

The DNCR Act allows organisations seeking to make or authorise telemarketing calls to submit a list of Australian telephone numbers to the ACMA for checking against the Register so as to identify and eliminate from that list the telephone numbers of those people who have listed their telephone number on the Register – a practice known as “washing”. A “washed” list may for a certain time be relied upon by the person submitting it as stating a list of telephone numbers to which telemarketing calls may be made without breaching the DNCR Act.

Telemarketing activities applying to numbers not entered on the Register or conducted by organisations not subject to the DNCR Act are governed by the Telemarketing and Research Industry Standard 2007 (the “TRCI Standard”). The TRCI Standard establishes minimum standards in relation to the hours and days that telemarketing and research calls are able to be made, the nature, purpose and source of telemarketing or research calls, the termination of telemarketing calls upon the request of the recipient and the provision of calling line information.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

An Australian number is eligible to be entered on the Register if it is: (i) used or maintained primarily for private or domestic purposes; (ii) used or maintained exclusively for transmitting and/or receiving faxes; (iii) used or maintained exclusively for use by a government body; or (iv) an emergency service number.

Telemarketing calls to corporate subscribers, unless they fall into one of the categories above, are therefore unlikely to be caught by the DNCR Act. Telemarketing activities applying to numbers not entered on the Register or conducted by organisations not subject to the DNCR Act are governed by the TRCI Standard.

Exemptions and other issues

Exemptions from the DNCR Act requirements include calls authorised by government bodies, religious organisations and charities or charitable institutions, subject to certain conditions. However, such entities may be covered by the TRCI Standard when making specific types of telemarketing calls.

Telemarketing calls may be made to a telephone number which is registered on the Register if the relevant person has consented to receiving such calls. Consent may be express or inferred from the conduct of the person and the business or other relationship between the marketer and the person.

Remedies for breach of the DNCR Act include civil penalties and injunctions.

_____________________________________________________________________