11 June 2025
AI phone agents in Australia: privacy and call recording
Plain-English guidance on privacy, consent, and call recording for AI phone agents in Australia. Includes disclosure lines, vendor questions, and controls.

Trust starts with transparency. Tell people what is happening, why, and what the next step is. If you record calls or keep transcripts, act like it is sensitive data — because it often is.
This is plain-English guidance on privacy, consent, and call recording for AI phone agents in Australia. It includes disclosure lines, vendor questions, and practical controls. (If you're implementing a call overflow model, start with Peak period phone calls: triage without burnout.)
TL;DR
- Trust starts with transparency. Tell people what is happening, why, and what the next step is.
- If you record calls or keep transcripts, act like it is sensitive data, because it often is.
- Call recording rules vary by state and territory. The safest operational approach is to disclose and get consent at the start. (Sprintlaw)
- Collect the minimum needed to complete the task. Avoid sensitive identifiers unless you have a deliberate secure process.
- Do not guess. If the agent is not sure, it should escalate or take a message.
- Run controls: change log, weekly QA, and an incident plan. Security and retention are not optional under the Privacy Act for covered organisations. (OAIC)
What “good” transparency sounds like
You want disclosure that is short, calm, and practical. It should happen early.
Example disclosure lines (pick one)
AI disclosure + help
- “Hi, you are speaking with our virtual receptionist. I can help with bookings, changes, and general questions.”
Call recording disclosure
- “This call may be recorded for quality and training. If you would prefer not to be recorded, tell me and I will offer another option.”
Transcript disclosure
- “I may take notes to help the team follow up. I will only collect what is needed for your request.”
If your business is covered by the Privacy Act, you generally need to take reasonable steps to ensure people are aware of key collection matters, including why you are collecting information. (OAIC)
Call recording basics (general guidance, not legal advice)
Australia does not have one single “call recording law”. Recording private conversations is regulated through state and territory surveillance devices laws, and the rules can differ. (Sprintlaw)
Practical approach that works across Australia
If you operate across states, or you are not sure where the caller is, use the strict approach:
- Disclose recording at the start.
- Ask for consent, or give a clear opt-out path.
- If they opt out, stop recording and continue, or offer a callback on a non-recorded line.
Why this matters:
- Some jurisdictions generally require all-party consent, while others can allow one-party consent with limits on how recordings can be used or shared. (Sprintlaw)
- Even where recording may be lawful, mishandling access, retention, or disclosure can still create risk.
If you need certainty for your specific workflow, get legal advice for your state and your use case.
Data minimisation: what to collect, what to avoid
The safest AI phone agent is boring. It captures only what it needs and moves on.
Collect (most businesses)
- first name
- callback number
- reason for the call (booking, change, quote, enquiry)
- preferred time window
- any operational constraint (for example, “needs wheelchair access”)
Avoid (unless you have a deliberate secure process)
- Medicare numbers, licence numbers, and similar identifiers
- full date of birth
- detailed medical symptoms or history
- payment card details over voice
- anything you would not want read out loud in a busy office
Health service providers are covered by the Privacy Act even if they are small businesses, so data minimisation is especially important in clinics. (OAIC)
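As an added example (not code from the page or from Valory), here is a small Python gate that enforces the collect/avoid lists above on an intake record before it is stored: unknown fields are dropped, and free text is scanned for the "avoid" items. The field names, the regex patterns and the Luhn check are assumptions about how such a gate would be built, and the patterns are heuristics rather than a complete detector.

```python
import re
from typing import Any

# Fields the page recommends collecting; anything else is dropped before storage.
ALLOWED_FIELDS = {"first_name", "callback_number", "reason", "preferred_window", "constraint"}

# Heuristic patterns (assumptions) for the "avoid" list: a full date of birth with a
# four-digit year, a 10-digit Medicare card number near the word "Medicare", and a
# payment-card-sized digit run that also passes the Luhn check.
_DOB_RE = re.compile(r"\b\d{1,2}[/-]\d{1,2}[/-](?:19|20)\d{2}\b")
_MEDICARE_RE = re.compile(r"medicare\D{0,20}(?:\d ?){10,11}", re.IGNORECASE)
_CARD_RUN_RE = re.compile(r"(?:\d[ -]?){13,19}")

def _luhn_ok(digits: str) -> bool:
    """Luhn checksum, so ordinary long numbers are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def flag_sensitive(text: str) -> list[str]:
    """Return the categories of over-collected data found in one free-text value."""
    flags = []
    if _DOB_RE.search(text):
        flags.append("full date of birth")
    if _MEDICARE_RE.search(text):
        flags.append("Medicare number")
    for m in _CARD_RUN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and _luhn_ok(digits):
            flags.append("payment card number")
            break
    return flags

def minimise(record: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Keep only allow-listed fields and report anything that should not have been captured."""
    kept = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    findings = [f"dropped field: {k}" for k in record if k not in ALLOWED_FIELDS]
    for k, v in kept.items():
        if isinstance(v, str):
            findings += [f"{k} contains {f}" for f in flag_sensitive(v)]
    return kept, findings
```

The findings list is what a weekly QA review would tag as "over-collection"; the kept record is what goes to storage.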

Storage, access, retention: vendor questions checklist
You are not just buying a voice. You are buying a data pathway.
Use this checklist when assessing any AI phone agent vendor or your own build.
Storage and residency
- Where are recordings and transcripts stored?
- Is data encrypted in transit and at rest?
- Can you choose where data is hosted?
Access controls
- Who can access recordings and transcripts?
- Is access role-based?
- Do you get audit logs for access and changes?
Retention and deletion
- What is the default retention period?
- Can you set different retention for recordings vs transcripts?
- Can you delete specific calls and transcripts on request?
- What happens to backups?
Under APP 11, covered organisations must take reasonable steps to secure personal information and to destroy or de-identify it when it is no longer needed (subject to other legal obligations). (OAIC)
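As an added example (not code from the page or from Valory), here is a Python retention sweep that applies separate retention periods to recordings and transcripts, honours specific deletion requests, lets a record-keeping obligation block destruction, de-identifies rather than deletes where the policy says so, and writes an audit entry for every decision. The periods, the actions and the sample artefacts are assumptions chosen to exercise each branch.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed policy (not from the page): recordings are destroyed after 30 days; transcripts
# are de-identified after 90 days so call outcomes survive for weekly QA.
RETENTION = {
    "recording": (timedelta(days=30), "delete"),
    "transcript": (timedelta(days=90), "deidentify"),
}
PERSONAL_FIELDS = ("first_name", "callback_number")  # stripped on de-identification
NOW = datetime(2025, 6, 11, tzinfo=timezone.utc)     # fixed clock for the sample run

@dataclass
class Artefact:
    call_id: str
    kind: str                     # "recording" or "transcript"
    created: datetime
    personal: dict = field(default_factory=dict)
    legal_hold: bool = False      # a record-keeping obligation blocks destruction
    deletion_requested: bool = False

def decide(a: Artefact, now: datetime) -> str:
    if a.legal_hold:
        return "keep"             # other legal obligations win over deletion
    if a.deletion_requested:
        return "delete"           # a specific request is honoured regardless of age
    max_age, on_expiry = RETENTION[a.kind]
    return on_expiry if now - a.created >= max_age else "keep"

def sweep(artefacts: list[Artefact], now: datetime) -> list[dict]:
    """Apply the policy in place; return an audit trail with one entry per artefact."""
    audit, remaining = [], []
    for a in artefacts:
        action = decide(a, now)
        if action == "deidentify":
            for f in PERSONAL_FIELDS:
                a.personal.pop(f, None)
        if action != "delete":
            remaining.append(a)
        audit.append({"call_id": a.call_id, "kind": a.kind, "action": action, "at": now.isoformat()})
    artefacts[:] = remaining      # deleted artefacts leave the live set
    return audit

def sample_artefacts() -> list[Artefact]:
    # Constructed sample data, one artefact per branch of the policy.
    age = lambda days: NOW - timedelta(days=days)
    return [
        Artefact("c1", "recording", age(40)),
        Artefact("c2", "transcript", age(100), {"first_name": "Lee", "callback_number": "0413 000 000"}),
        Artefact("c3", "recording", age(5), deletion_requested=True),
        Artefact("c4", "transcript", age(200), {"first_name": "Kim"}, legal_hold=True),
    ]
```

Backups are outside this sweep, which is why the vendor checklist asks about them separately.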
Incident response
- How are incidents detected and reported?
- What is the notification process and timeframe?
- Do you support the customer if a breach is likely to cause serious harm?
If an organisation is covered by the Privacy Act, the Notifiable Data Breaches scheme can require notification to affected individuals and the OAIC for eligible breaches. (OAIC)
The “do not guess” principle: accuracy and escalation
Most trust failures come from overconfidence.
Build the rule:
- If the agent is not sure, it does not improvise.
- It captures details and escalates to a person.
This matters for:
- clinic enquiries that drift into clinical questions
- pricing edge cases
- cancellations and refunds
- anything sensitive or emotional
A safe line:
- “I want to make sure I get that right. I can take your details and have the team confirm it.”
Practical controls that make this safe in real life
You do not need a compliance program. You need operational discipline.
1) Change log
- Record what changed, when, and why (hours, pricing posture, policies, scripts).
- Tie changes to a named owner.
2) Weekly QA
- Review a sample of calls.
- Tag failures: wrong answer, unclear next step, over-collection, missed escalation.
- Update scripts and knowledge in small increments.
3) Incident handling
- Define what counts as an incident (wrong disclosure, wrong info, unauthorised access).
- Define who is called, what is paused, and how issues are documented.
- Have a “kill switch” that routes calls to a safe fallback.
4) Collection notice consistency
- Keep your phone disclosures aligned with your website privacy policy and onboarding messages.
- People should not be surprised later about what was collected and why. (OAIC)

Implementation checklist
- Write your disclosure lines (AI, recording, notes) and test them out loud
- Define the scope: what the agent will handle vs never handle
- Decide whether you record calls, store transcripts, or both
- Set retention periods and deletion processes
- Confirm access control, encryption, and audit logs with your vendor
- Add “do not guess” escalation rules
- Start with after-hours and overflow only
- Run weekly QA and keep a change log
If you want, we can share a privacy-first rollout checklist and run a short workshop to define your disclosures, boundaries, escalation rules, and retention settings before you pilot.
FAQ
Do we have to disclose AI?
There is no single one-line rule that fits every scenario. From a trust and risk perspective, clear disclosure is the safer approach. If you are collecting personal information, you generally need to take reasonable steps to ensure people understand what is being collected and why. (OAIC)
Do we need consent to record?
Call recording rules vary by state and territory, and some jurisdictions treat consent differently. The safest operational approach is to disclose recording at the start and obtain consent or offer an opt-out path. (Sprintlaw)
Can we delete transcripts?
Often, yes, but it depends on your systems and any record-keeping obligations you have. Under APP 11, organisations covered by the Privacy Act should take reasonable steps to destroy or de-identify personal information when it is no longer needed. (OAIC)
What about clinics and patient privacy?
Clinics and health service providers are covered by the Privacy Act even if they are small businesses. Treat health-related call content as sensitive and collect only what you need for booking and follow-up. (OAIC)
Do we have to record calls to run an AI phone agent?
No. You can run without recording, or keep only minimal metadata and outcomes. Recording can help QA, but it increases privacy and security obligations.
What should we ask a vendor before we start?
Ask about encryption, access control, audit logs, retention, deletion, backups, and incident response. If they cannot answer clearly, do not proceed.
What is the simplest safe way to pilot?
Start with after-hours and peak overflow, handle only FAQs and logistics, collect minimal details, and escalate anything uncertain. Then review calls weekly and tighten.