Commonwealth Coat of Arms of Australia

 

Telecommunications (Domestic, Family and Sexual Violence Consumer Protections) Industry Standard 2025

 

The Australian Communications and Media Authority makes the following standard under subsection 125AA(1) of the Telecommunications Act 1997.

Dated: 6 June 2025

Nerida O’Loughlin

[signed]

Member

 

Cathy Rainsford

[signed]

General Manager

 

Australian Communications and Media Authority

 

 

 

Contents

 

Part 1—Preliminary

1  Name

2  Commencement

3  Authority

4  Application of industry standard

5  Definitions

6  References to other instruments

Part 2—Sexual violence outside a domestic and family violence situation

7  Requirement where a consumer has experienced sexual violence outside a domestic and family violence situation

Part 3—Providing support

8  Requirement to advise affected persons of available support

9 Application of sections 10 and 11

10  Requirement to agree on a preferred communication method

11  Requirement to discuss support options

12  Minimum requirements for support

13  Providing support to affected persons

14  A provider must not require evidence

15  Communications with an affected person

Part 4—Requirements relating to availability of DFV support information

16  Requirement to publish, on commencement of this provision, information relating to available support for affected persons

17  Requirement to publish a DFV statement

18  Requirements regarding access to DFV support services

Part 5—General requirements relating to policies and procedures

19  Develop domestic and family violence policies and procedures

20  Minimum requirements for DFV policies and procedures

Part 6—Training

21  Training for all personnel

22  Training of customer facing personnel

Part 7—Monitoring and review

23  Requirement to review policy and procedures

24  Requirement to monitor personnel

Part 8—Security and privacy

25  Requirements relating to the security and privacy of an affected person

26  Requirement on carriers to provide assistance

27  Security of personal and sensitive information

28  Privacy

29  Where privacy is breached

Part 9—Record keeping

30  Requirements to keep records

31  Record retention

Part 10—Consultation

32  Requirement to consult

Part 11—Conferral of functions and powers

33  Conferral of functions and powers on the TIO

 

 

Part 1—Preliminary

  This industry standard is the Telecommunications (Domestic, Family and Sexual Violence Consumer Protections) Industry Standard 2025.

  Each provision of this industry standard specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. 

 

Column 1

Column 2

Provisions

Commencement

1.  Part 1, subsections 13(3), 13(4), 13(5), 15(1) and sections 16, 19, 21, 22 and 32.

1 July 2025.

2.  Anything in this industry standard not elsewhere covered by this table

1 January 2026.

Note 1:      This table relates only to the provisions of this industry standard as originally made. It will not be amended to deal with any later amendments of this industry standard.

Note 2:      The Federal Register of Legislation may be accessed free of charge at www.legislation.gov.au.

Note 3.      The provisions referred to in column 1, item 2 of this table commence on 1 January 2026.  However, they do not apply to small providers until the date specified in subsection 4(2).

  This industry standard is made under subsection 125AA(1) of the Telecommunications Act 1997.

  1.       For the purposes of subsection 125AA(1) of the Act:
  1.     this industry standard applies to participants in the following sections of the telecommunications industry:
  1.      carriage service providers in their dealings with consumers; and
  2.    carriers in relation to their supply of carriage services to carriage service providers;
  1.     this industry standard is drafted to give effect to the objectives set out in section 7 of the Telecommunications (Domestic, Family and Sexual Violence Consumer Protections Industry Standard) Direction 2024.
  1.       The provisions in column 1, item 2 of the table in section 2 of this industry standard do not apply to a small provider until 1 April 2026.
  1.       In this industry standard:

Act means the Telecommunications Act 1997.

active service has the meaning given by subsection (2).

affected person means an individual who is a consumer and who identifies as someone who is, or may be, experiencing domestic and family violence including a former, prospective or current consumer.

agreed communication method means the method of, and, where applicable, time for, communicating as agreed under subsection 10(2).

authorised representative means a person who has authority from a consumer to deal with a provider on behalf of that consumer as their authorised agent.

bill means an invoice from a provider which advises a customer of the total of each amount of money due for payment by a customer under a consumer contract.

business day means a day that is not a Saturday, Sunday or gazetted public holiday in the location of the provider’s principal place of business.

business hours means the hours between 9.00am and 5.00pm local time.

coercive control means a repeated pattern of behaviour used by an individual that has the effect of creating and maintaining control over another individual by exerting power and dominance in everyday life to deny freedom and autonomy through fear, control, pressure or manipulation.

consumer means:

  1.       an individual who acquires or may acquire a telecommunications product for the primary purpose of personal or domestic use and not for resale;
  2.       a not-for-profit organisation which acquires or may acquire one or more telecommunications products which are not for resale; or
  3.       a business which acquires or may acquire one or more telecommunications products which are not for resale and which, at the time it enters into the consumer contract:
  1.                   does not have a genuine and reasonable opportunity to negotiate the terms of the consumer contract; and
  2.                has or will have an annual spend with the provider which is or is estimated on reasonable grounds by the provider to be, no greater than $40,000.

A reference to a consumer includes a reference to the consumer’s authorised representative.

consumer contract means an arrangement or agreement between a provider and a customer for the supply of a telecommunications product to that customer, including a standard form of agreement formulated by a provider for the purposes of section 479 of the Act.

credit management action means any action taken by a provider in relation to telecommunications products supplied by the provider to a customer, including a restriction, suspension or disconnection, to:

(a) manage any credit risks that are relevant to the provider; or

(b) collect outstanding debts from customers.

customer means a consumer who has entered into a consumer contract with a provider and includes a current customer of a provider or former customer who owes money to a provider in connection with their consumer contract.

disconnection means the termination of a telecommunications service provided to a consumer under a consumer contract.

domestic and family violence refers to behaviours of an individual that are designed to create a dependency or to isolate, monitor, dominate, or control another individual.  These behaviours may consist of physical violence and/or other types of abuse, power, coercion or control that cause harm including life threatening communications, unwelcome communications, economic and financial abuse, technology facilitated abuse, threats and intimidation, emotional or psychological abuse, systems abuse, coercive control and sexual violence (other than non-domestic sexual violence).  Domestic and family violence can occur in any personal relationship including between intimate partners, parents and children, immediate and extended family groups, communal and extended kinship connections, and in carer and guardianship arrangements.

domestic and family violence policy (DFV policy) means the policy developed by a provider under paragraph 19(1)(a).  

domestic and family violence policy training (DFV policy training) means the training delivered or arranged for by a provider under section 21.

domestic and family violence procedures (DFV procedures) means written procedures developed by a provider under paragraph 19(1)(b).

domestic and family violence statement (DFV statement) means the written statement prepared by a provider under subsection 17(1).

domestic and family violence support (DFV support) means the support provided by a provider under Part 3.

economic and financial abuse means a pattern of behaviour used by an individual to control, exploit or sabotage the money, finances or economic resources, of another individual which affects the other individual’s ability to obtain, use or maintain economic resources, economic security and potential for self-sufficiency and independence.

end-user means the consumer using a telecommunications product who is not a customer.

inclusive design means a design process in which a product, service, or environment is designed to be usable for as many people as possible regardless of age, ability and circumstance.

intersectional approach means an approach that recognises that the experience of domestic and family violence can be different based on a range of cultural, individual, historical, environmental or structural factors including (but not limited to) race, age, geographic location, sexual orientation, ability or class.

large provider, for a financial year, means a provider with at least 30,000 services in operation on 1 July in that financial year.

life threatening communications has the meaning given by the C525 Handling of Life Threatening and Unwelcome Communications Industry Code.

Note:  The C525 Handling of Life Threatening and Unwelcome Communications Industry Code can be accessed free of charge on Communications Alliance’s website: https://www.commsalliance.com.au.

non-domestic sexual violence means sexual violence outside of a domestic and family violence situation.

perpetrator means the individual who has or is using or is alleged to be using domestic and family violence against another individual.

personnel means staff, contractors or agents engaged by or on behalf of a provider who are involved, either directly or indirectly, with consumers in Australia.

Example: A senior manager or other manager employed by the provider who has direct or indirect involvement in the provider’s dealings with consumers will fall within this definition of “personnel”.

provider means a carriage service provider referred to in subparagraph 4(1)(a)(i).

quick exit function means a button that is prominently displayed on a webpage, that allows the user to instantly leave the webpage with a single click, and which redirects the user to a webpage not connected with the provider, to hide what the user was looking at.

restriction means a restriction imposed by a provider on a consumer’s access to telecommunications services, or to a feature of those services, that are offered for supply by the provider and includes reducing data speeds or imposing spend controls or other usage limits.

service in operation, on 1 July in a year, means a service that is both:

(a)   a telecommunications service; and

(b)   an active service on that day.

Note:  A service in operation can be pre-paid or post-paid, and it can be the subject of a contract of fixed duration or can be a service without a minimum or maximum term.

sexual violence means sexual behaviour that occurs where consent is not freely given or obtained, is withdrawn or the individual is unable to consent due to their age or other factors.  It can be physical or non-physical.  It occurs any time an individual is forced, coerced, or manipulated into any sexual activity.  It may occur within intimate relationships, friendships or with acquaintances and strangers.

small provider, for a financial year, means a provider with fewer than 30,000 services in operation on 1 July in that financial year.

specialised domestic and family violence training (specialised DFV training) means the training delivered or arranged for by a provider under section 22.

subscription broadcasting service has the same meaning as in the Broadcasting Services Act 1992.

subscription television narrowcasting service has the same meaning as in the Broadcasting Services Act 1992.

support telephone numbers means the following telephone numbers:

1800 Respect 1800 737 732

1800 ElderHelp 1800 353 374

Full Stop 1800 385 578

National Debt Helpline 1800 007 007

National Disability Abuse and Neglect Hotline 1800 880 052

Rainbow Sexual, Domestic and Family Violence Helpline 1800 497 212.

suspension means a suspension imposed by a provider on a consumer’s access to a telecommunications service, apart from access to emergency service numbers.

systems abuse means the manipulation of legal and other systems by a perpetrator, in order to exert control over, threaten or harass another individual which may result in depleting that individual’s financial resources and emotional wellbeing, and adversely impacting that individual’s capacity to maintain employment or to care for children.

technology facilitated abuse means abuse that is facilitated using technology, which may include telecommunications products and services, to control, abuse, track, intimidate, threaten or harass an individual.

telecommunications goods means any goods supplied by a provider for use in connection with the supply of a telecommunications service, whether or not the goods are supplied in conjunction with, or separately from, a telecommunications service.

telecommunications product means telecommunications goods or a telecommunications service.

telecommunications service means:

(a) a listed carriage service or any service supplied by a provider in connection with that service; and

(b) a content service (other than a subscription broadcasting service or a subscription television narrowcasting service) provided by a provider in connection with the supply of a listed carriage service.

TIO means the Telecommunications Industry Ombudsman.

trauma informed means recognising the prevalence of trauma and its impacts on the emotional, psychological and social well-being of people and communities.  Trauma-informed practice means integrating an understanding of past and current experiences of violence and trauma in all aspects of service delivery. The goal of trauma-informed systems is to avoid re-traumatising individuals and to support safety, choice and control to promote healing.

unwelcome communications has the meaning given by the C525 Handling of Life Threatening and Unwelcome Communications Industry Code.

Note: The C525 Handling of Life Threatening and Unwelcome Communications Industry Code can be accessed free of charge on Communications Alliance’s website: https://www.commsalliance.com.au.

warm transfer occurs when a member of the provider’s personnel (the transferor) answers a query from an affected person and transfers the query to another member of the provider’s personnel (the transferee), and:

  1.       where the affected person has made a telephone call to the transferor – the transferor explains the details of the affected person’s query to the transferee on behalf of the affected person; or
  2.       where the affected person is using an online written chat function on the provider’s website or through the provider’s mobile application – the transferor makes available the written details of the affected person’s query to the transferee on behalf of the affected person,

before transferring the query, to avoid the affected person having to repeat their circumstances.

The transferor may be an individual or an automated computer system.

The transferee must be an individual.

  1.       A service is an active service on 1 July in a given year if the provider of the service has issued an invoice to, or received a payment from, a customer for the provision of that service to the customer on any day in the three months prior to July of that given year.

Note: A number of other expressions used in this industry standard are defined in the Act, including the following:

  1.         ACMA;
  2.        carriage service;
  3.         carriage service provider;
  4.        carrier;
  5.         content service;
  6.         listed carriage service.

 

Note: Financial year is defined in the Acts Interpretation Act 1901 to mean a period of 12 months starting on 1 July.

  In this industry standard, unless the contrary intention appears:

(a) a reference to any other legislative instrument is a reference to that other legislative instrument as in force from time to time; and

(b) a reference to any other kind of instrument is a reference to that other instrument as in force or existing from time to time.

Note 1: For references to Commonwealth Acts, see section 10 of the Acts Interpretation Act 1901; and see also subsection 13(1) of the Legislation Act 2003 for the application of the Acts Interpretation Act 1901 to legislative instruments.

Note 2: For references to instruments that are not legislative instruments, see section 589 of the Act.

Note 3:  All Commonwealth Acts and legislative instruments are registered on the Federal Register of Legislation which may be accessed free of charge at www.legislation.gov.au.

 

Part 2—Sexual violence outside a domestic and family violence situation

Where a consumer discloses to a provider that they have experienced non-domestic sexual violence, the provider must treat the consumer as an affected person for the purposes of providing or offering telecommunications support in accordance with the following provisions:

  1.     subsection 8(2)
  2.     section 10
  3.     section 13;
  4.     section 14;
  5.     subsections 15(2), (3) and (4).

 

 

Part 3—Providing support

  1.     For subsection (2) and subsection 9(1), where a provider interacts with an affected person, the provider must ask the affected person to confirm that it is safe for the affected person to communicate with the provider.
  2.     If a provider has received the confirmation under subsection (1), the provider must advise the affected person (unless this advice has already been given):
  1.     that the provider can assist the affected person in accordance with the provider’s DFV policy;
  2.     if the provider has personnel or a specialised team that provides tailored assistance to affected persons:
  1.                   about that team; and
  2.                that the affected person can request to have a warm transfer to a member of that team; and
  1.     that there are support organisations listed in the provider’s DFV statement and where that statement can be located by the affected person.
  1.     Following the provision of information to an affected person under subsection (2), a provider must ask the affected person if they want to access further information and support from the provider.
  1.     Sections 10 and 11 apply if:
  1.     an affected person has indicated, in response to a provider’s question under subsection 8(3), that they want to access more information or support from the provider; and
  2.     the provider has received the confirmation under subsection 8(1).
  1.     When dealing with an affected person, a provider need only comply with subsections 10(1) and 11(1) once.
  1.     Where this section applies, the provider must:
  1.     advise the affected person what communication methods are offered by the provider; and
  2.     ask the affected person what their preferred communication method is and whether the affected person has a preferred time of day for communication from the provider using that method of communication.
  1.     For subsection (1), that method, and time of day where relevant, will be the agreed communication method for the affected person on matters relating to domestic and family violence until such time as a different communication method or time of day for communication, is requested by the affected person.
  2.     If there is an agreed communication method in place for an affected person, the provider must only communicate with the person on matters relating to domestic and family violence using that method, unless:
  1.     the provider is under a legal obligation to communicate with the affected person via a different communication method; or
  2.     the affected person contacts the provider using a different communication method and confirms that the provider can use that different communication method for the purposes of that communication.
  1.     Where this section applies, the provider must:
  1.     identify whether the affected person is the customer or is an end-user of the telecommunications products;
  2.     where the affected person is a customer and there is an authorised representative listed on an affected person’s account – advise the affected person:
    1.          what the authorised representative can access on the account; and
    2.        that the affected person can keep, change or remove the authorised representative;
  3.     advise the affected person how they can make changes to their account and update their personal information;
  4.     ask what concerns the affected person has about their privacy, safety and security in relation to their telecommunications product and their account (if applicable);
  5.     if the affected person identifies that they have concerns for the purposes of paragraph (d) – discuss with the affected person what options are available to the affected person to protect their privacy, safety and security according to whether the affected person indicates they are the customer or an end-user of the relevant telecommunications products; and
  6.      ask the affected person for their instructions on which of the options discussed in paragraph (e), the affected person would like to adopt in relation to their telecommunications products and account (if applicable).
  1.     If the affected person indicates to the provider that their circumstances have changed, and requests that the instructions given pursuant to paragraph (1)(f) be updated, the provider must, as soon as practicable, amend the instructions as requested.
  2.     The provider must act in accordance with any instructions agreed with an affected person under this section.

For paragraph 11(1)(e), the provider must make available to an affected person, at least the following support options:

  1.     the setting up of a new account that is not linked to the perpetrator; and
  2.     privacy, safety and security protections on the affected person’s account, for example, a PIN or password, or the sending of a verification code to a safe number or email address provided by the affected person or within a mobile application.
  1.    Where an affected person has sought assistance from a provider – the provider must keep the affected person informed about that matter via the agreed communication method, if any.

Note: For agreed communication method, see subsection 10(2).

  1.     Where an affected person expresses or indicates concern about their safety to a provider, the provider must:
  1.     prioritise taking action to assist the person with any needs they may have in relation to their telecommunications product; and
  2.     where the affected person is the customer of the relevant account – in the 30 days, or in such other longer period agreed with the affected person, if any, after the person has first expressed or indicated concern about their safety – the provider must not restrict, suspend or disconnect the affected person’s telecommunications service, unless it is requested by the affected person.
  1.     Subject to subsection (5), in cases where:
  1.       an affected person’s telecommunications service has been restricted, suspended or disconnected (the service limiting action); and
  2.       the person requests that the service limiting action be reversed urgently because of a domestic and family violence related safety risk,

the provider of the telecommunications service must reverse the service limiting action as a matter of urgency, the first time that the affected person contacts the provider and raises the domestic and family violence related safety risk.

  1.     For subsection (3), if reversal of the service limiting action is not practical, the provider must offer the affected person an equivalent telecommunications service.

Note: For example, if the affected person’s account cannot be reconnected, the provider may offer the affected person a new telecommunications service on the same or equivalent terms.

  1.     Subsection (3) does not apply where reversal of the service limiting action would contravene another law of the Commonwealth. 

Note: For example, see sections 65, 67 and 69 of the Telecommunications (Emergency Call Service) Determination 2019 which prohibit the supply of carriage services to a mobile phone that is not configured to be able to access the emergency call service.

  1.     Where the customer of a telecommunications product:
    1.       has been identified as an affected person; and
    2.       has sought assistance from the provider within the last 60 days,

 before taking credit management action, the provider must:

  1.       take into account the potential impact on the affected person of such action at that time;
  2.       take into account whether any other person has contributed to the debt; and
  3.       review the affected person’s records to ensure that any action agreed to has been undertaken, including, for example, that payment plans have been set up correctly or payment extensions have been processed.
  1.     Subject to subsection (2), a provider must not require evidence or supporting material which demonstrates that a consumer is an affected person.
  2.     Subsection (1) does not apply where:
  1.       the provider is under a legal obligation to obtain evidence or supporting material in relation to a claim that a consumer is an affected person; or
  2.       obtaining such evidence or supporting material is reasonably necessary to protect the interests of an affected person.
  1.     For subsection (2), the provider must rely on evidence it already has in its system before requesting only the minimum amount of evidence or information needed for the relevant purpose mentioned in that subsection.
  1.     A provider must not require an affected person to contact or engage with the perpetrator of the affected person’s domestic and family violence, or with the perpetrator’s authorised representative.
  2.     When communicating with an affected person, a provider must not require the affected person to disclose the circumstances of the abuse as a precondition to accessing support or assistance.
  3.     When:
  1.     a member of the personnel of a provider (the transferor) is speaking on the phone or chatting via an online chat function, to an affected person; and
  2.     the affected person needs to be transferred to another member of the provider’s personnel (the transferee) for appropriate support,

the transferor must offer a warm transfer to the affected person.

  1.     If an affected person accepts the offer of a warm transfer under subsection (3), the provider must undertake the warm transfer to the transferee.
  2.     If an affected person raises domestic and family violence as a safety concern with the provider of their telecommunications product and makes a request about how their bill is to be received, and the provider is able to comply with that request – the provider must comply with the request.

 

Part 4—Requirements relating to availability of DFV support information

  1.     Subject to subsection (2), a provider must publish on its website information about:
  1.     the specific support, if any, the provider offers to an affected person;
  2.     how an affected person can access any support that is available.
  1.     If a provider does not offer specific support to affected persons – the provider must publish on its website:
    1.       information about one or more organisations that an affected person can contact for support in relation to domestic and family violence, including how an affected person can contact such organisations;
    2.       a statement that the provider will have further support in place on the date on which section 17 of this industry standard applies to the provider; and
    3.       where affected persons should direct any requests for support from the provider.

This section ceases to have effect at the end of the day before section 17 of this industry standard applies to the provider.

  1.     A provider that offers to supply telecommunications products to consumers must publish a DFV statement which includes information about how and where consumers can find DFV support.
  2.      A DFV statement must include:
  1.     an express statement that the provider has procedures and policies in place to protect the safety of affected persons;
  2.     an express statement that the provider is committed to:
    1.        keeping affected persons connected to their telecommunications service;
    2.      where a service has been restricted, suspended or disconnected (the service limiting action) and where affected persons express or indicate concern about their safety – reversing the service limiting action in relation to the telecommunications service as a matter of urgency; and
    3.    where subparagraph (ii) applies, but reversal of the service limiting action is not practical – offering the affected person an equivalent telecommunications service.
  3.     recognition that domestic and family violence, and, non-domestic sexual violence, can be a reason for non-payment and that consumers affected by domestic and family violence, or non-domestic sexual violence, may be entitled to financial hardship assistance under the Telecommunications (Financial Hardship) Standard 2024;
  4.     how consumers can contact the provider for assistance (including hours, method of contact and how to organise call backs); and
  5.     how the consumer can access information from one or more third party domestic and family violence support organisations.

Note: A third party domestic and family violence support organisation includes 1800 Respect.

  1.      A DFV statement must:
  1.     be in writing in print or digital form;
  2.     be clear and use plain language;
  3.     be accurate and up to date;
  4.     use a font style and size that is clear and easy to read;
  5.     be accessible, including to consumers with disabilities, from cultural or linguistically diverse backgrounds or with other special needs;
  6.      be made clearly available to consumers:
    1.        on the home page of the provider’s website; and
    2.      if the provider uses a mobile application – on the mobile application; and
    3.    if:
  1.   the provider offers an online written chat function;
  2.   a consumer has indicated during a chat that they are, or may be, an affected person; and
  3.   the consumer has consented to the provision of the statement,

on the online written chat function.

Note:  See section 2 for commencement information. 

 

  1.     A provider must provide a range of contact channels to facilitate direct access for affected persons to its DFV support, including at least 2 of the following communication channels:
  1.     a domestic and family violence specialist support phone number;
  2.     a dedicated webform through which an affected person can request the provider to initiate contact with the affected person;
  3.     an online written chat function;
  4.     in person, in a retail store operated by the provider;
  5.     an email address.

Note:  A provider may provide additional channels to those mentioned in subsection (1).

  1.     For subsection (1), at least one of the communication channels must allow an affected person to connect to a member of the personnel of the provider who is an individual.
  2.     For subsection (1), if an affected person requests a provider to initiate contact or to call the affected person back at a later time, the provider must use:
  1.     the agreed communication method for the affected person; or
  2.     any other communication method, and do so at any particular time, specified by the affected person, if the provider can support that communication method at the time of day specified by the affected person.
  1.      A provider must have personnel who are accessible during business hours to directly assist affected persons.

Part 5—General requirements relating to policies and procedures

  1.       A provider that offers to supply telecommunications products to consumers must develop:
  1.     a DFV policy relating to its interactions with affected persons that complies with the minimum requirements in subsection 20(1);
  2.     DFV procedures which:
  1.        require personnel to give effect to its DFV policy;
  2.      require compliance with its obligations under this industry standard; and
  3.    comply with the minimum requirements in subsection 20(2);
  1.       The provider must ensure that its DFV policy and its DFV procedures are in place at all times after the end of:
  1.     for large provider – the 6 month period starting on the commencement of this section; and
  2.     for a small provider – the 9 month period starting on the commencement of this section.
  1.       The provider must:
  1.     comply with its DFV policy; and
  2.     comply with its DFV procedures.
  1.       The provider’s most senior responsible executive must:
    1.       approve the provider’s DFV policy;
    2.       approve the provider’s DFV statement; and
    3.       be responsible for the implementation and operation of the provider’s DFV procedures.
  1.      A provider’s DFV policy must:
  1.     be in writing;
  2.     prioritise the safety of affected persons;
  3.     set out how the provider will support and manage affected persons;
  4.     set out the options for assistance the provider can offer to affected persons;
  5.     set out the support the provider can offer to its personnel who deal with affected persons;
  6.      set out how the provider will protect the privacy and security of an affected person, including record-keeping requirements about the handling and disclosure of personal information that are tailored to protecting the privacy and security of an affected person;
  7.     set out how a provider will use inclusive design in the development and review of its systems, processes and telecommunications products to identify and reduce risks to affected persons; and
  8.     set out how the provider will use an intersectional approach in supporting consumers who are or may be experiencing domestic and family violence, and, where applicable, non-domestic sexual violence.
  1.     A provider’s DFV procedures must:
  1.     be trauma informed;
  2.     set out how personnel can safely and appropriately identify, support and assist consumers that are affected persons;
  3.     set out how personnel can safely and appropriately engage with perpetrators;
  4.     set out how personnel will implement the requirements in subsections 27(1) and (2);
  5.     set out how personnel can manage and respond to domestic and family violence, and where applicable, non-domestic sexual violence, including clearly identifying;
  1.             the responsibilities of personnel in relation to dealing with affected persons;
  2.           escalation channels that personnel can use;
  3.         when the escalation channels should be used; and
  4.          the support that is available to personnel to assist affected persons;
  1.      set out how actions agreed with an affected person will be recorded in a way that is safe from inadvertent disclosure to perpetrators, including when the actions have been completed; and
  2.    set out the provider’s processes to minimise the number of times an affected person has to explain their circumstances.

Part 6—Training

  1.     A provider must deliver, or arrange for a third party individual or organisation that has expertise in dealing with domestic and family violence to deliver, training on its DFV policy to all of its personnel.
  2.     The DFV policy training must be delivered to the personnel:
  1.     either:
  1.      for:
    1.     a large provider – within 9 months after the day on which this section commences; or
    2.      a small provider – within 12 months after the day on which this section commences; or

Note: See section 2 for commencement information. 

  1.    for a person subsequently engaged as personnel by a provider - within one month of the person’s commencement as personnel for the provider; and
  1.     annually after the personnel first receive the training.
  1.     A provider must deliver, or arrange for a third-party individual or organisation that has expertise in dealing with domestic and family violence to deliver, specialised DFV training to:
  1.     its personnel who deal directly with general inquiries from consumers;
  2.     its personnel who are likely to deal with domestic and family violence related issues due to the area in which they work; and
  3.     any specialist domestic and family violence support personnel.

Note: For paragraph (b), relevant areas may include, for example, sales, credit collections, financial hardship, fraud, privacy and complaint management.

  1.     The specialised DFV training referred to in subsection (1) must cover:
  1.     the application of the provider’s DFV policy and its DFV procedures;
  2.     the nature and impact of domestic and family violence with a focus on how domestic and family violence relates to telecommunications services;
  3.     how to identify affected persons;
  4.     recognising how intersectional issues may impact affected persons and the support they require;
  5.     how to engage with affected persons, including responding to affected persons where there is a change in their circumstances; and
  6.      how to recognise and prioritise the safety of affected persons, and of personnel, in engaging with perpetrators.
  1.     The specialised DFV training may be tailored as applicable to fit the relevant personnel’s specific role.
  2.     The specialised DFV training must be delivered to the personnel referred to in subsection (1):
  1.     either:
  1.        for those personnel who deal directly with consumers at the time this section commences:
  1.     for personnel of a large provider – within 9 months after the day on which this section commences; or
  2.      for personnel of a small provider – within 12 months after the day on which this section commences; or

Note: See section 2 for commencement information.

  1.      for personnel not covered by subparagraph (i) – before they first start dealing directly with consumers; and
  1.     annually after the personnel first receive the training.

 

Part 7—Monitoring and review

A provider must monitor and review its DFV policy and its DFV procedures and make any relevant changes to ensure the policy and procedures are fit for purpose:

  1.     at least once in each period of 24 months after:
  1.      for a large provider – the day on which this section commences; or
  2.    for a small provider – the day on which this section first applies to small providers; and

Note: See section 2 for commencement information.  See subsection 4(2) for the application of this section to small providers.

  1.     at any time, upon the provider becoming aware that its DFV policy or its DFV procedures are not operating to protect the safety of affected persons.
  1.     A provider must develop and implement an internal monitoring program to assess its personnel’s compliance with its DFV policy and its DFV procedures.
  2.     If the internal monitoring program implemented for subsection (1) indicates non-compliance by the provider’s personnel with the provider’s DFV policy or DFV procedures – the provider must commence action to ensure compliance by personnel with the DFV policy and DFV procedures, within 10 business days.
  3.     The most senior responsible executive of the provider must approve the internal monitoring program developed for subsection (1).
  4.     Not less than every 6 months starting from:
  1.     for a large provider – 6 months after the day on which this section commences; or
  2.     for a small provider – 6 months after the day on which this section first applies to small providers,

the most senior responsible executive of the provider must review the outcomes of the internal monitoring program developed for subsection (1). 

  Note: See section 2 for commencement information.  See subsection 4(2) for the application of this section to small providers.

  1.     If the outcome of a review under subsection (4) indicates that the provider’s DFV policy or DFV procedures are not operating to protect the safety of affected persons, the provider must make any relevant changes to its DFV policy or DFV procedures as soon as practicable to ensure the policy and procedures are fit for purpose.

 

Part 8—Security and privacy

  1.     Unless required by law, a provider must not, without the affected person’s consent, disclose to any other person any information about an affected person which:
    1.        can be used to identify or locate an affected person;
    2.        includes the contact details for an affected person; or
    3.        includes an affected person’s financial information.
  2.     A provider must provide a quick exit function on all webpages that relate to support for affected persons.
  3.     Any calls made using a telecommunications service to the support telephone numbers must not be recorded on any bill, record or other material issued to a customer in relation to the service.
  4.     A provider must only access an affected person’s information for a legitimate purpose directly related to management of the account.

A carrier must provide reasonable assistance to enable a provider to comply with the requirement in subsection 25(3).

  1.     Any information collected by a provider under this industry standard in relation to an affected person must be stored securely in accordance with the measures in place under subsection (2).
  2.     A provider must implement measures to ensure the information it retains under this industry standard is protected from misuse, interference, loss or disclosure to a perpetrator, including:
    1.         details of the affected person’s arrangements agreed between the person and the provider;
    2.         the affected person’s current address and billing details; and
    3.         the fact that the affected person has been identified, or has identified, as being an affected person.

Where a provider is not subject to the requirements of the Privacy Act 1988, it must ensure that personal information it collects in connection with this industry standard:

  1.       is not disclosed to a third party, or used, except:
  1.      where the disclosure is to the TIO or the ACMA as required to manage a complaint made to, or an investigation conducted by, either of those entities;
  2.    with the express consent of the consumer; or
  3. where disclosure is otherwise required or authorised by or under an Australian law or a court or tribunal order; and
    1.       is disposed of, or destroyed, in a secure manner when it is no longer needed under this industry standard or any other applicable laws.

Note: Where a provider is subject to the Privacy Act 1988, Australian Privacy Principle 6 in Schedule 1 to that Act will apply to the use or disclosure of personal information it collects in connection with this industry standard.

  1.     If the personal information of an affected person held by a provider is accessed or disclosed without authorisation – the provider must, within two days of becoming aware of the unauthorised access or disclosure:
  1.     subject to subsection (2), notify the affected person; and
  2.     notify the ACMA.
  1.     If notifying the affected person under paragraph (1)(a) would be inconsistent with the agreed communication method for the affected person – the provider must wait until the next time it can notify the affected person that is consistent with the agreed communication method.
  2.     When a provider notifies an affected person under subsection (1), the provider must provide the affected person with the contact details of a national or state based domestic and family violence support service for safety planning assistance.

Note: The Privacy Act 1988 includes obligations on some providers to notify individuals and the Office of the Australian Information Commissioner of a notifiable data breach.

 

Part 9—Record keeping

  1.     A provider must keep records that are sufficient to demonstrate its compliance with the requirements of this industry standard:
  2.     Where a provider keeps records under this section:
  1.       it must limit the collection of information to information necessary to demonstrate compliance; and
  2.       it must take such steps as are reasonable in the circumstances:
  1.        to protect the information from misuse, interference and loss, and unauthorised access, modification or disclosure; and
  2.      to ensure the information is disposed of, or destroyed, in a secure manner where the record is no longer needed under this industry standard or any other applicable laws.
  1.     Subject to subsection (2), a provider must:
  1.     keep the records required to be kept under subsection 30(1) for a minimum of 2 years or for as long as the affected person receives assistance under this industry standard, whichever is longer; and
  2.     make the records available to the ACMA, upon written request.
  1.     Where an affected person has made a complaint to a provider, the provider must keep the records required to be kept under subsection 30(1) that are relevant to that complaint:
  1.     for minimum of 2 years; or
  2.     if the complaint is not resolved within 2 years, for 12 months after the date the complaint is resolved.
  1.     Where practicable, records kept under subsection (1) must not contain the personal information of an affected person.
  2.     For paragraph 14(2)(a), where a provider obtains evidence or supporting material – it must:
  1.     only retain a copy or record of the information received from the affected person for the period that it is required in order to meet the legal obligation;
  2.     after the legal obligation has been met, dispose of, or destroy, all copies or records of the information in a secure manner; and
  3.     keep a record of the type of evidence that was sought, provided and sighted by the provider.
  1.     For paragraph 14(2)(b), where a provider obtains evidence or supporting material – after sighting the evidence or supporting material, it must:
  1.     dispose of, or destroy, all copies or records of the information in a secure manner; and
  2.     keep a record of the type of evidence that was sought, provided and sighted by the provider.


Part 10—Consultation

  1.       In developing its DFV policy, DFV procedures, DFV policy training and specialised DFV training, a provider must consult with:
  1.       a national or state based domestic and family violence support service or organisation; and
  2.       either:
  1.        a panel comprised of people with lived experience of domestic and family violence or representatives of people with lived experience of domestic and family violence; or
  2.      a national or state-based organisation that represents a group who are or may be disproportionately affected by domestic and family violence, for example, individuals with disabilities, First Nations people, people from culturally and linguistically diverse backgrounds or people who identify as LGBTQIA+.
  1.       When reviewing its DFV policy and DFV procedures under paragraph 23(a), a provider must consult with:
  1.       a national or state based domestic and family violence support service or organisation; and
  2.       either:
  1.        a panel comprised of people with lived experience of domestic and family violence or representatives of people with lived experience of domestic and family violence; or
  2.      a national or state-based organisation that represents a group who are or may be disproportionately affected by domestic and family violence, for example, individuals with disabilities, First Nations people, people from culturally and linguistically diverse backgrounds or people who identify as LGBTQIA+.
  1.       For a large provider, consultation undertaken for subsections (1) and (2) must be undertaken by the provider directly.
  2.       For a small provider, consultation undertaken for subsections (1) and (2) may be undertaken on behalf of the provider by an industry group or body that represents the provider.
  3.       A provider must take into account the responses, if any, to consultations conducted under this Part when developing and reviewing its DFV policy, DFV procedures, DFV policy training and specialised DFV training.


Part 11—Conferral of functions and powers

This industry standard confers on the TIO the functions and powers of:

  1.     receiving;
  2.     investigating;
  3.     facilitating the resolution of;
  4.     making determinations in relation to;
  5.     giving directions in relation to; and
  6.      reporting on,

consumer complaints about matters referred to in this industry standard.

Note:  See section 114 of the Act.