The Australian Communications and Media Authority (the ACMA) recognises the importance of privacy and the protection of personal information. The purpose of this policy is to describe how the ACMA manages and protects the personal information that it collects and holds.
To this end, this policy sets out:
- the kinds of personal information the ACMA collects and holds
- how that information is collected and held by the ACMA
- the purposes for which the ACMA collects, holds, uses and discloses personal information.
The policy also explains how to apply to the ACMA for access to, and correction of, your personal information, as well as how to make a complaint if you consider that the ACMA has breached its privacy obligations imposed under the Privacy Act 1988 (the Privacy Act). It also explains how the ACMA will deal with such applications and complaints.
This policy applies to all ACMA activities that involve the management of personal information (whether digitally, in paper form or otherwise) by any staff or any contracted service providers of the ACMA.
About the ACMA
The ACMA is an independent statutory authority established under the Australian Communications and Media Authority Act 2005 (the ACMA Act). The ACMA operates under the Public Governance, Performance and Accountability Act 2013 (the PGPA Act).
The ACMA is responsible for the regulation of broadcasting, telecommunications, radiocommunications and the internet in Australia. These responsibilities are set out in a range of Acts, the principal Acts being: the Broadcasting Services Act 1992; the Radiocommunications Act 1992; the Telecommunications Act 1997; and the Telecommunications (Consumer Protection and Service Standards) Act 1999.
The ACMA is also responsible for the regulation of unsolicited communications under the Do Not Call Register Act 2006 and the Spam Act 2003.
The key activities undertaken by the ACMA under these laws are:
1. Regulation—including the development of codes of practice in consultation with industry groups and the maintenance of statutorily prescribed public registers.
2. Compliance and enforcement—including the conduct of investigations of alleged breaches of an Act, legislative instrument or registered code.
3. Planning and management of radiofrequency spectrum.
4. Licensing—including the issuing and renewal of carrier, television, radio, spectrum and apparatus licences.
5. Revenue collection—including the collection of licence fees, taxes and charges.
6. Research, education, advice and reporting on matters relating to the media and communications industry—including engaging in public consultations and participation in international regulatory forums.
In addition, the ACMA undertakes a range of corporate activities, including the management and recruitment of staff, procurement and contract management.
The ACMA is subject to the Freedom of Information Act 1982 (FOI Act) and the Ombudsman Act 1986.
The ACMA’s information management processes must comply with the Archives Act 1983 and the Privacy Act, as applicable.
You can also find more about the ACMA here.
About the Privacy Act
The Privacy Act imposes obligations in relation to the collection, security, quality, access, use and disclosure of personal information. These obligations are detailed in the Australian Privacy Principles (APPs) which are found in Schedule 1 to the Privacy Act. These privacy obligations apply to the ACMA.
You can find more information about the Privacy Act here.
What do we mean by personal information?
The term personal information is defined in the Privacy Act. It means information or an opinion, whether true or not, about an identified (or reasonably identifiable) living person.
In full, the definition covers information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
The APPs impose higher obligations if the personal information is sensitive information. Sensitive information is defined in the Privacy Act and includes information or an opinion about an individual’s:
- racial or ethnic origin
- political opinions or membership of a political association
- religious beliefs or affiliations
- philosophical beliefs
- membership of a professional or trade association or trade union
- sexual orientation or practices
- criminal record
- health, genetic and biometric information.
This policy refers to such information as sensitive personal information.
Personal information that the ACMA collects and holds
The types of personal information that are held by the ACMA depend on the relevant activity being undertaken.
This information may include names, residential and business addresses (street and email addresses), personal and business telephone numbers, occupations, employment histories and financial information.
The recruitment and management of staff may involve the collection and storage of some sensitive personal information, for example, criminal history or health information. Such information will only be collected where the staff member has consented to the collection and the information is reasonably necessary for, or directly related to, those activities. However, most activities undertaken by the ACMA will ordinarily not involve the collection of sensitive personal information.
How the ACMA collects personal information
It is the ACMA’s usual practice to collect personal information directly from the person.
However, we may also collect personal information from third parties where:
- we are required or authorised to do so, for example, obtaining information for the purposes of an investigation
- we have your consent to do so, or
- it is not reasonably practicable to collect the information from you.
Personal information may be collected in a range of ways. The primary ways are discussed below.
Personal information may be collected when you:
- complete a complaint or enquiry form
- send us an email
- post comments on our website
- send us a letter or facsimile
- contact us by telephone.
Collection may be solicited by the ACMA (where you provide the information in response to an ACMA initiated interaction or invitation) or unsolicited (where you initiate the contact and correspond with the ACMA).
If personal information is unsolicited, it will not be collected unless it is reasonably necessary for, or directly related to, one or more of the ACMA’s functions or activities (see APP 3, APP 4 and the meaning of purpose of collection).
Whether you will be able to correspond with the ACMA on an anonymous basis or by using a pseudonym will turn on the facts, including the purpose for your corresponding with the ACMA. In some instances, anonymity may not be practical as the ACMA may require proof of your identity before it can action the matter, for example, licensing decisions. In other instances, anonymity or use of a pseudonym may be permitted.
Forms and notices
There is a range of forms and notices which may be used to collect personal information to enable the ACMA to fulfil its statutory obligations.
The ACMA’s purpose and legal authority to collect personal information will typically be set out in the form or notice.
The purpose of the collection will vary according to the law which authorises or requires the collection, for example, investigations; licence applications, renewals and transfers; control and compliance notifications; payment of licensing fees, taxes and charges; applications for exemptions/exceptions; declarations of conformity.
In some instances, the form or notice will also explain how the information provided will be managed, for example, the ‘Application for apparatus licence(s) (R057)’ form has a number of fields marked with an asterisk. A note on the form advises the applicant that the personal information provided in the fields so marked will be included in the Register of Radiocommunications Licences and will be made available to the public.
The ACMA has an online recruitment system for job applicants. In order to use this system, you will need to register and provide your name, email address and a password.
Any application submitted by you will include additional relevant personal information, including details of your employment history and preferred contact details, for example, a telephone number or email address.
The personal information of job applicants is collected and held to enable the ACMA to manage the recruitment processes as required by the Public Service Act 1999.
Some positions within the ACMA require a security clearance. The ACMA’s clearance process is required to comply with the requirements prescribed in the Australian Government’s Protective Security Policy Framework and Personnel Security Protocol.
All information provided by you for a security process is only used for assessing your suitability to hold the relevant security clearance.
More information on the ACMA’s online recruitment process is available here. Details of the ACMA’s security clearance processes are available here. Information on the Protective Security Policy Framework is available here and information on the Personnel Security Protocol is available here.
Procurement is a process undertaken by the ACMA to acquire goods and services. The ACMA’s procurements must comply with, among other things, the Australian Government’s Commonwealth Procurement Rules.
A procurement may involve approaching the market to tender. The tender process will involve the collection of personal information, for example, names, telephone numbers and contact details of tenderers.
Contracts entered into by the ACMA on behalf of the Commonwealth may contain personal information. The information may include names, telephone numbers and contact details of the contracting parties.
The personal information is collected and held to enable the ACMA to meet its legal obligations, including those under the PGPA Act and the Commonwealth Procurement Rules.
From time to time, the ACMA undertakes public consultation to invite submissions from interested persons. The ACMA may also conduct surveys and hold public forums inviting feedback and information on specific issues.
The ACMA is committed to ensuring the effectiveness of its stakeholder consultation processes, which are an important source of evidence for its regulatory development activities.
There is no legal requirement or obligation on members of the public or industry to participate in these activities.
The consultation documentation will make clear the purpose of the consultation and the purpose of the collection of personal information. This information is provided prior to the collection of personal information. In general, the ACMA publishes all submissions received, including any personal information in the submissions. If a submitter wishes to provide particular information in confidence, they are asked to identify the material (including any personal information) over which confidentiality is claimed and to provide a written explanation for the claim. Each confidentiality claim is assessed by the ACMA on a case-by-case basis. If the ACMA accepts a claim, the information will not be published.
If a submitter wishes to make a submission anonymously or through use of a pseudonym, they are asked to contact the ACMA to see whether it is practicable to do so, in light of the subject matter of the consultation. If it is practicable, the ACMA will notify the submitter of any procedures that need to be followed and whether there are any other consequences of making a submission in that way.
Access to online and subscription services
If you register for access to an online or subscription service we will collect and store all the details you provide in the course of registering, for example, your name, your organisation, your contact details and communication preferences. This information is collected and held to enable the ACMA to manage user access and to provide the service requested.
The ACMA has online payment systems to assist people in making a payment to the ACMA, for example, payment of licence fees, smart numbers or subscriptions. The ACMA uses secure online credit card processing facilities, including SecurePay®, which is operated by Australia Post, and ANZ eGate®, which is operated by the ANZ Bank.
You will receive information about the terms and conditions of gaining access to an online or subscription service (including details about which credit card processing facility is used for such a service) before any personal information is collected.
Whether you will be able to use a pseudonym in an online or subscription service will depend on the nature of the service.
Clickstream data and cookies
Clickstream data is a record of a user’s browsing activities on the internet. Cookies are small pieces of information exchanged between your web browser and a website server, which are stored on your computer and can be read by the website server to enable it to identify and authenticate your computer when you visit the website and to track your browsing activities on the website. For example, if you sign in to use a sign-in-only service, a cookie could enable the website to remember throughout your browsing session that you have signed in, so that you do not have to enter your username and password on every page you visit. A cookie could also enable the website to track details about the pages you visit.
Like many websites, the ACMA’s website uses session-based cookies (or temporary cookies) and persistent cookies. A session-based cookie only lasts for as long as your browsing session and ends when you close your browser. A persistent cookie remains on your computer after you close your browser and will be sent back to the website each time you visit until you clear the cookie from your browser.
You can set your browser to notify you before you receive a cookie so that you may refuse to accept it. You can also set your browser to turn off cookies and you can delete them. If you turn off or delete cookies, this may affect your access to certain features of the ACMA’s website.
When you browse our website, our server collects and holds the following information:
- your server address
- your top-level domain name, for example, .gov, .com, .edu, .org, .au, .nz
- the pages you accessed and how long you stayed on a page
- the date and time you visited the site
- the previous site you visited
- your physical geographical location when you visited the site, for example, country, state/territory, city
- the type of browser and operating system you used, for example, Internet Explorer, Windows
- the type of device and brand you used, for example, tablet, Apple iPad.
This information is collected for the following purposes:
- website and system administration, including monitoring to prevent security breaches
- to help us understand how users are using the site over a period of time, in order to make improvements to information, products and infrastructure
- to enable us to customise the information and products you receive
- research and development.
If you sign up to one or more of our subscription services, our server will collect and hold the following additional information for the purpose of customising the information and products to be provided:
- your identity, linked to the information you provided to us in your subscription form, for example, name, last name, email address
- whether you opened a subscription e-mail that we sent you
- which links, if any, you clicked on in a subscription e-mail that we sent you.
No attempt will be made to identify users or their browsing activities, except where:
- a user has signed up to one of our subscription services, or
- in the event of an investigation, when a law enforcement agency or other government agency may exercise its legal authority to inspect our internet web server logs.
The ACMA’s website uses both Australian Government and commercial web-hosting facilities.
Purposes of collection
We will only collect personal information if it is reasonably necessary for, or directly related to, one or more of the ACMA’s functions or activities.
If the information is sensitive personal information, the collection will only occur if you have consented to it or it is otherwise permitted under the Privacy Act.
Any collection will be by lawful and fair means.
Using and disclosing personal information
We will only use your personal information for the purpose for which you have provided it.
We will not use it for any other purpose, nor will we disclose it, unless one of the following applies:
- we have your consent to do so
- you have been told or you would reasonably expect, that information of the kind may be used or disclosed for the other purpose, being a purpose which is related to the original purpose or, if the information is sensitive personal information, directly related to the original purpose
- the use or disclosure is required or authorised by or under an Australian law, for example, the FOI Act or Part 7A of the ACMA Act (see below) or a court/tribunal order, for example, a subpoena
- the ACMA reasonably believes that it is reasonably necessary for one or more enforcement-related activities
- a permitted general situation exists.
Part 7A of the ACMA Act empowers the ACMA to share authorised disclosure information (defined in section 3 of that Act) in certain circumstances, including to an authority of a foreign country responsible for regulating matters relating to communications or media (see section 59D). The definition of authorised disclosure information encompasses personal information given in confidence to the ACMA in connection with the performance of any of its functions or the exercise of any of its powers. The ACMA may make a disclosure on request or of its own volition. The decision to disclose will be made in light of the facts. For more information see the ACMA’s Regulatory Guide No 3 – Information sharing under Part 7A of the Australian Communications and Media Authority Act 2005.
Information on the operation of the FOI Act is available here.
Security of personal information
The protection and security of information held by the ACMA is of critical importance.
The ACMA has a range of measures in place to protect the personal information we hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.
All information collected by the ACMA is secured and managed in accordance with the Australian Government’s Protective Security Policy Framework, Information Security Manual and the Archives Act (and see also the pages of the National Archives of Australia website regarding Commonwealth records management).
The ACMA’s ePort security statement is available here.
Making a complaint
The ACMA must manage your personal information in accordance with the obligations imposed under the APPs. If you consider that the ACMA has breached an APP you may lodge a complaint. You should use the contact details under Contact us to submit your complaint.
In submitting your complaint you should provide the details of the alleged breach and any information in support.
We may require you to provide some proof of your identity in order to action your complaint.
The ACMA’s Privacy Contact Officer will ordinarily conduct the initial assessment of the issues raised to determine the most appropriate course of action. The most appropriate course of action will turn on a range of factors, including the seriousness of the issues raised.
We will acknowledge receipt of the complaint. We will also advise you of the outcome of the ACMA’s consideration of the issues raised.
Note: In some limited circumstances, you may be able to submit your complaint directly to the Office of the Australian Information Commissioner (see here for further details).
Applying for access to and correction of personal information
You have certain rights to request access to, and the correction of, your personal information.
These rights are set out in APP 12 and APP 13 in the Privacy Act.
We may require you to provide some proof of your identity in order to handle your request.
If you wish to apply for access to, or the correction of, your personal information, please use the contact details under Contact us.
If you are applying for correction of personal information, you should:
- specify the personal information
- explain why you consider that the personal information should be corrected, that is, why that personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading
- provide any documents/information in support.
Your application will be acknowledged on receipt. You will be advised in writing of the outcome of your application. If your application is refused, we will explain our reasons for that decision.
By e-mail: firstname.lastname@example.org
Privacy Contact Officer
Australian Communications and Media Authority
PO Box Q500 Queen Victoria Building
Sydney NSW 1230
Telephone: 02 9334 7700