Cloud Phone System Australia

Call recording compliance in Australia: the complete 2026 guide

Call recording under Australian law - federal Telecommunications (Interception and Access) Act, state listening-device laws, Privacy Act requirements, industry retention rules. The compliance reality for Australian businesses.

By Cloud Phone System Australia ·

This guide covers the practical compliance reality for Australian businesses recording calls. It’s not legal advice - for industry-specific situations, consult your Australian compliance team or a privacy lawyer. But the principles below cover 95% of common recording scenarios.

Three layers apply:

Federal: Telecommunications (Interception and Access) Act 1979. The Act prohibits intercepting a communication in its passage over a telecommunications system without the knowledge of the person making it; it is aimed at covert interception, not at a party recording its own call after announcing it. It is often summarised as making Australia a "one-party consent" jurisdiction, with the business as the consenting party, but the practical constraints on a recording business come from the state laws and the Privacy Act below.

State: Listening-device / surveillance-device laws. Each state has its own act (Victoria's Surveillance Devices Act 1999, NSW's Surveillance Devices Act 2007, etc) and they do not all follow the one-party principle: Victoria and Queensland let a party record a private conversation it is part of, while NSW prohibits a party recording a private conversation unless all principal parties consent (or a narrow exception applies, such as protection of the recording party's lawful interests). This is why the at-connect announcement matters: a caller who hears it and stays on the line gives the consent the stricter states require. Some states also have additional rules for particular contexts (workplaces, medical consultations).

Privacy: Privacy Act 1988 (Cth) + Australian Privacy Principles. Once you've recorded the call, the audio file is personal information about the caller (and sensitive information if it captures health details). The APPs bind APP entities, which means most businesses with annual turnover above $3 million plus some smaller ones regardless of turnover (health service providers among them). For those entities the relevant principles are collection notice (APP 5), purpose limitation (APP 6), storage security (APP 11.1), access and correction (APPs 12 and 13) and destruction or de-identification once the recording is no longer needed (APP 11.2).

In practice, Australian businesses recording calls need to: (1) disclose at call connection, (2) limit collection to a stated purpose, (3) secure the recordings, (4) honour access and correction requests, and deletion requests where no retention obligation applies, (5) enforce retention rules.

The compliant disclosure

The standard at-connect message, played before any IVR prompt or anything the caller says is captured:

“This call may be recorded for quality and training purposes. Please stay on the line to continue.”

Variants for specific industries:

3CX plays the disclosure automatically when recording is enabled. We script the message per your industry as part of deployment.

Retention

Retention windows vary by industry and by your own compliance obligations - the rules sit with industry bodies, regulators and your professional-indemnity insurer rather than with us. Check what applies to your business with your compliance team or industry body before you set a retention policy.

What 3CX does support: configurable retention windows per-queue or per-extension, automatic purging when the window expires, and audit-logged deletion events for evidence. We’ll configure the platform to whatever rule you give us.

Storage requirements

Encryption at rest. AES-256 is standard. 3CX encrypts call recordings at rest by default. Encryption at rest protects against a stolen disk or backup, not against a user who already has playback rights, so the keys must be held outside the recordings volume and access-controlled separately.

Access control. Role-based - only authorised users see recordings. Audit log of every playback, download or deletion, stored where the users it records cannot edit or purge it.

Location. No specific Australian “data sovereignty” law for general business recordings, but the APPs require disclosure if data goes overseas. For medical/financial/government, Australian-hosted is strongly recommended; for general business, it’s good hygiene. CPS hosts in Australian data centres by default.

Retention enforcement. Automatic deletion at retention expiry. No manual purging required.

Backup. Backed-up recordings inherit the same retention rules. Don't keep backups beyond retention or you've created a compliance hole: a recording purged at retention expiry or on request but still restorable from a backup has not actually been deleted.

Privacy Act access and erasure requests

Under APP 12 (access), individuals can request access to personal information about them - including recordings of their calls with your business - and under APP 13 (correction) they can ask you to correct it. Standard process for an access request:

  1. Receive request (in writing or verbally).
  2. Verify identity before disclosing anything.
  3. Locate recordings - 3CX recording lookup by caller phone number.
  4. Provide access within a reasonable period (the OAIC's guidelines treat 30 days as the benchmark; complex requests may take longer, but tell the requester).
  5. Document the request and response.

Refusal grounds (APP 12.3) include: giving access would unreasonably impact the privacy of other individuals (the recording includes other identifiable people), a serious threat to someone's life, health or safety, information relating to existing or anticipated legal proceedings that would not be discoverable, and information that would reveal a commercially sensitive decision-making process. A refusal must be given in writing with reasons and the complaint avenues available (APP 12.9), and where you can give access to a redacted version you should.

Deletion requests: the Privacy Act has no GDPR-style right to erasure; APP 13 is a right to correction, not deletion. What does apply is APP 11.2, which requires you to destroy or de-identify personal information once it's no longer needed for any permitted purpose. So a customer's deletion request is handled against that standard: if the recording is no longer needed and no lawful retention requirement applies, delete it (and log the deletion); if a retention requirement does apply (e.g. a 7-year financial-records obligation), it overrides the request, and you should tell the customer why.
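The retention-enforcement and deletion-request rules above (automatic purging at window expiry, backups and holds that override deletion, audit-logged deletion events, recording lookup by caller number) are easier to reason about as code. The following is an added illustration written for this guide; it is not 3CX code and does not use any 3CX API. It models the recording store as in-memory metadata records, the per-queue retention windows and the hold reasons are assumed values, the sample recordings are constructed, and the caller-number normaliser assumes Australian numbers.

```python
"""Retention enforcement and deletion-request handling for call recordings.
Added example for this guide, not 3CX code: in-memory metadata only, with a
hash-chained audit log so that every deletion (and every refusal) is evidenced."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Recording:
    recording_id: str
    queue: str
    caller: str               # as the PBX logged it, any formatting
    recorded_at: datetime     # timezone-aware
    hold: str | None = None   # lawful retention reason that overrides any deletion
    deleted: bool = False


@dataclass
class AuditLog:
    """Append-only log where each line commits to the previous line's hash,
    so an edited or removed line is detected by verify()."""
    entries: list[dict] = field(default_factory=list)

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        digest = hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()
        self.entries.append({**event, "prev": prev, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
            expected = hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = expected
        return True


def normalise_au_number(raw: str) -> str:
    """Canonical E.164 form so a lookup matches however the PBX logged the caller.
    Assumes Australian numbers (an assumption made for this example)."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if digits.startswith("61"):
        return "+" + digits
    if digits.startswith("0"):
        return "+61" + digits[1:]
    return "+61" + digits


class RecordingStore:
    def __init__(self, retention_days: dict[str, int], default_days: int, audit: AuditLog):
        self.retention_days, self.default_days, self.audit = retention_days, default_days, audit
        self.records: dict[str, Recording] = {}

    def add(self, rec: Recording) -> None:
        self.records[rec.recording_id] = rec

    def find_by_caller(self, number: str) -> list[Recording]:
        """Lookup step of an access request: live recordings for one caller."""
        target = normalise_au_number(number)
        return [r for r in self.records.values()
                if not r.deleted and normalise_au_number(r.caller) == target]

    def _delete(self, rec: Recording, actor: str, reason: str, when: datetime) -> None:
        rec.deleted = True  # a real job removes the media file and its backup copies as well
        self.audit.append({"event": "deleted", "recording_id": rec.recording_id, "queue": rec.queue,
                           "actor": actor, "reason": reason, "at": when.isoformat()})

    def purge_expired(self, now: datetime, actor: str = "retention-job") -> list[str]:
        """Retention enforcement: delete past-window recordings unless a hold applies."""
        purged = []
        for rec in self.records.values():
            window = timedelta(days=self.retention_days.get(rec.queue, self.default_days))
            if rec.deleted or rec.recorded_at + window > now:
                continue
            if rec.hold:  # expired but lawfully retained: log the skip, keep the recording
                self.audit.append({"event": "purge_skipped_hold", "recording_id": rec.recording_id,
                                   "hold": rec.hold, "actor": actor, "at": now.isoformat()})
                continue
            self._delete(rec, actor, "retention_expired", now)
            purged.append(rec.recording_id)
        return purged

    def handle_deletion_request(self, number: str, identity_verified: bool, actor: str,
                                now: datetime) -> dict:
        """Individual's deletion request: refuse unverified requesters, delete what may
        lawfully go, and record what was retained and why so the customer can be told."""
        result: dict = {"deleted": [], "retained": []}
        if not identity_verified:
            self.audit.append({"event": "deletion_request_refused", "reason": "identity_unverified",
                               "actor": actor, "at": now.isoformat()})
            return result
        for rec in self.find_by_caller(number):
            if rec.hold:
                self.audit.append({"event": "deletion_request_retained", "recording_id": rec.recording_id,
                                   "hold": rec.hold, "actor": actor, "at": now.isoformat()})
                result["retained"].append((rec.recording_id, rec.hold))
            else:
                self._delete(rec, actor, "individual_request", now)
                result["deleted"].append(rec.recording_id)
        return result


def demo() -> tuple[list[str], dict, bool]:
    """Constructed sample data, not real recordings. Windows are assumed: 90 days for
    sales, 7 years for finance, 365 days for everything else."""
    utc = timezone.utc
    now = datetime(2024, 6, 1, tzinfo=utc)
    audit = AuditLog()
    store = RecordingStore({"sales": 90, "finance": 7 * 365}, default_days=365, audit=audit)
    store.add(Recording("r1", "sales", "0412 345 678", datetime(2024, 1, 10, tzinfo=utc)))
    store.add(Recording("r2", "finance", "(02) 9123 4567", datetime(2018, 3, 1, tzinfo=utc)))
    store.add(Recording("r3", "sales", "+61 412 345 678", datetime(2023, 1, 5, tzinfo=utc), hold="litigation hold"))
    store.add(Recording("r4", "support", "61412345678", datetime(2024, 5, 20, tzinfo=utc)))
    purged = store.purge_expired(now)  # r1 only: r3 is on hold, r2 and r4 are inside their windows
    outcome = store.handle_deletion_request("0412345678", True, "privacy-officer", now)  # r4 goes, r3 retained
    return purged, outcome, audit.verify()
```

The two points the code makes explicit: a hold is checked in both paths (the retention job and the request handler), so neither can delete something a regulator or court requires you to keep, and every outcome, including the ones where nothing was deleted, lands in the chained log that serves as evidence for the request file.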

Recording specific call types

Inbound to your business. The standard at-connect disclosure handles consent. Default-on recording is the simplest pattern.

Outbound from your business. Agent should state at the start of the call: "I'm recording this call for accuracy of our notes - let me know if you'd prefer I didn't." If the customer declines, the agent must actually stop the recording (and the stop must be logged), otherwise the disclosure is meaningless. We provide scripts.

Internal calls. Generally not recorded unless explicitly justified. Configurable per-extension in 3CX.

Video meetings. Same disclosure rules. 3CX video conferences can be recorded; participants must be informed (a banner appears in the meeting UI when recording).

Mobile calls. 3CX mobile app records calls the same way as desk extensions. Disclosure handled the same way.

Sensitive-data handling

For calls capturing credit card details, Medicare numbers, driver's licence numbers, or other sensitive data, two compliant approaches:

Pause recording during capture (AI Edition). Agent pauses recording while the caller reads card details; resumes after. The pause is logged. This is the PCI DSS-aligned approach: PCI DSS forbids storing the card security code (CVV) in any form after authorisation, audio included, and the only reliable way to meet that is never to capture it.

Redact post-call. Full recording captured; redaction process removes sensitive segments after the fact. More fragile but workable: until redaction runs, the unredacted audio exists on the recording store and in any backup taken in between, so that window is in scope for PCI DSS and for the Privacy Act's security obligations.

Most regulated Australian contact centres use the pause-recording approach.

Cross-border considerations

If your business is in Australia but customers are overseas, additional rules may apply:

3CX is configurable to meet GDPR and HIPAA-aligned controls. CPS configures per requirement.

What CPS configures

For every customer requiring recording, we set up:

For AI Edition customers, we additionally configure:

Frequently asked

Do I need consent from both parties to record a call in Australia?
It depends on the state. The federal Telecommunications (Interception and Access) Act 1979 targets covert interception, and some states (Victoria, Queensland) let a party record a conversation it is part of, which is where the 'one-party consent' summary comes from. NSW, however, prohibits a party recording a private conversation unless all principal parties consent. The standard at-connect message ('this call may be recorded'), with the caller staying on the line, gives the consent the stricter states require, so it is the compliant approach everywhere rather than merely best practice.
How long must I retain call recordings?
Retention windows are set by your industry body, regulator or professional-indemnity insurer - they're not our call. Check what applies to your business and we'll configure 3CX to that rule. The platform supports configurable retention with automatic purging and audit-logged deletion events.
Can I be required to provide a recording to a customer?
Under the Privacy Act 1988, individuals can request access to personal information about them - including call recordings of their interactions with your business. You must respond within a reasonable period; the OAIC treats 30 days as the benchmark. Refusal grounds exist under APP 12.3 (for example, unreasonable impact on another person's privacy, or information tied to legal proceedings that would not be discoverable) and a refusal must be given in writing with reasons, but the default is access on request. 3CX makes this practical - recording lookup by caller is one-click.
Where can call recordings be stored?
There's no specific 'must be in Australia' law, but for personal information under the Privacy Act, you must disclose if data goes overseas and take reasonable steps to ensure overseas recipients comply with the APPs. For regulated industries (especially medical, government, financial), best practice is Australian data centres. Cloud Phone System Australia hosts in Australian data centres by default.
What if a customer requests deletion of their recording?
The Privacy Act gives individuals a right to correction (APP 13), not a general right to erasure. What it does require (APP 11.2) is that you destroy or de-identify personal information once it is no longer needed for any permitted purpose, so a deletion request should be honoured unless there's a lawful reason to retain the recording (e.g. regulatory retention requirements), in which case you tell the customer why. 3CX makes deletion practical: find recordings by caller, delete the recording with audit log.
Does 3CX meet HIPAA, GDPR or other international standards?
3CX is HIPAA-aligned (relevant for Australian businesses serving US healthcare customers) and GDPR-aligned (relevant for Australian businesses with EU customers). Specific configuration is needed for each - for example, GDPR requires a lawful basis for the recording (consent is one option, not the only one), a privacy notice and working data-subject rights workflows including erasure; HIPAA requires a business associate agreement with the platform provider and the administrative, physical and technical safeguards of the Security Rule, with encryption as an addressable safeguard. We configure per requirement.

Need compliance-grade recording?

We deploy 3CX recording for medical, legal, financial and contact-centre customers across Australia. Industry-specific retention, disclosure and storage configured during deployment.

3CX Platinum Partner
