This is the Online Safety (Relevant Electronic Services—Class 1A and Class 1B Material) Industry Standard 2024.

This industry standard commences on the day that is 6 months after the later of:

(a) the day after the day on which it is registered under the Act; and

(b) the day after the day on which it is registered under the Legislation Act 2003.

This industry standard is determined under section 145 of the Online Safety Act 2021.

The object of this industry standard is to improve online safety for Australians in respect of class 1A material and class 1B material, including by ensuring that providers of relevant electronic services establish and implement systems, processes and technologies to manage effectively risks that Australians will solicit, generate, distribute, get access to or be exposed to class 1A material or class 1B material through the services.

5 Application of this industry standard

(1) This industry standard applies to a relevant electronic service, wherever it is provided from, but only so far as it is provided to end-users in Australia.

(2) This industry standard applies to the exclusion of any industry code.

Part 2—Interpretation

Note: A number of expressions used in this industry standard are defined in the Act, including the following:

(a) child;

(b) class 1 material;

(d) Classification Board;

(e) Commissioner;

(f) computer game;

(g) consent;

(h) electronic service;

(i) material;

(j) parent;

(k) posted;

(l) publication;

(m) relevant electronic service;

(n) removed;

(o) service.

6 General definitions

Definitions

(1) In this industry standard:

account holder, for a relevant electronic service, means the person who is the counterparty to the agreement with the provider of the service for the provision of the service.

Example: A relevant electronic service may be provided to a family, where a parent or carer has the agreement with the provider of the service. The parent or carer is the account holder. Family members (including the parent or carer who is the account holder) who use the service are end-users.

Act means the Online Safety Act 2021.

appropriate: see section 11.

Australian child means a child who is in Australia.

child sexual abuse material means class 1 material that:

(a) describes, depicts, promotes or provides instruction in child sexual abuse; or

(b) is known child sexual abuse material.

child sexual exploitation material means class 1 material that:

(a) is or includes material that promotes, or provides instruction in, paedophile activity; or

(b) is or includes:

(i) child sexual abuse material; or

(ii) exploitative or offensive descriptions or depictions involving a person who is, appears to be or is described as a child; or

(c) describes or depicts, in a way that is likely to cause offence to a reasonable adult, a person who is, appears to be or is described as a child (whether or not the person is engaged in sexual activity);

and, in the case of a publication, also includes class 1 material that is or includes gratuitous, exploitative or offensive descriptions or depictions of:

(d) sexualised nudity; or

(e) sexual activity;

involving a person who is, appears to be or is described as a child.

class 1A material means:

(a) child sexual exploitation material; or

(b) pro-terror material; or

class 1B material means:

(a) crime and violence material (but not extreme crime and violence material); or

(b) drug-related material.

classified means classified under the Classification (Publications, Films and Computer Games) Act 1995.

Note: RC is a classification.

communication relevant electronic service means a relevant electronic service the predominant purpose of which is to enable an end-user to:

(a) communicate with another end-user; or

(b) view or search for other end-users for the purpose of communicating with them; or

other than the following:

(d) a dating service;

(e) an enterprise relevant electronic service;

(f) a telephony relevant electronic service;

(g) a gaming service with communications functionality;

(h) a gaming service with limited communications functionality.

complainant: see subsection 28(2).

complaint means a complaint referred to in paragraph 28(2)(b).

compliance report means a report required under subsections 36(2) or 37(2).

crime and violence material, in relation to a computer game, means class 1 material that is a computer game and that, without justification:

(a) promotes, incites or instructs in matters of crime or violence, or is or includes detailed instruction in, or promotion of, matters of crime or violence; or

(b) is or includes depictions of bestiality or similar practices; or

(c) depicts, expresses or otherwise deals with matters of crime, cruelty or violence in such a way that it offends against the standards of morality, decency and propriety generally accepted by reasonable adults to the extent that it should be classified RC; or

(d) is or includes depictions of violence that:

(i) have a very high degree of impact; and

(ii) are excessively frequent, prolonged, detailed or repetitive; or

(e) is or includes depictions of cruelty or realistic violence that:

(i) have a very high degree of impact; and

(ii) are very detailed; or

(f) is or includes depictions of actual sexual violence; or

(g) is or includes depictions of implied sexual violence related to incentives or rewards.

crime and violence material, in relation to a publication, means class 1 material that is, or is included in, the publication and that, without justification:

(a) promotes, incites or instructs in matters of crime or violence, or is or includes detailed instruction in matters of crime or violence; or

(b) is or includes realistic depictions of bestiality; or

(d) is or includes gratuitous, exploitative or offensive descriptions or depictions of violence that:

(i) have a very high degree of impact; and

(ii) are excessively frequent, emphasised or detailed; or

(e) is or includes gratuitous, exploitative or offensive descriptions or depictions of cruelty or real violence that:

(i) have a very high degree of impact; and

(ii) are very detailed; or

(f) is or includes gratuitous, exploitative or offensive descriptions or depictions of sexual violence.

crime and violence material, in relation to material that is not a computer game or a publication, means class 1 material that, without justification:

(a) promotes, incites or instructs in matters of crime or violence, or is or includes detailed instruction in matters of crime or violence; or

(b) is or includes depictions of bestiality or similar practices; or

(d) is or includes gratuitous, exploitative or offensive depictions of violence that:

(i) have a very high degree of impact; or

(ii) are excessively frequent, prolonged or detailed; or

(e) is or includes gratuitous, exploitative or offensive depictions of cruelty or real violence that:

(i) have a very high degree of impact; and

(ii) are very detailed; or

(f) is or includes gratuitous, exploitative or offensive depictions of sexual violence.

dating service means a relevant electronic service the predominant purpose of which is:

(a) to solicit, offer, promote or provide access to dating, relationship, compatibility, matrimonial, social or romantic referral services; and

(b) to enable end-users to communicate with other end-users online;

but does not include such a service to the extent that its purpose is to connect end-users who offer their services for payment.

Note: Examples of services for payment are escort or sex work services.

development program means a program required by section 22.

drug means a chemical, compound, or other substance or thing, that is included in Schedule 4 of the Customs (Prohibited Imports) Regulations 1956.

drug-related material, in relation to a computer game, means class 1 material that, without justification:

(a) depicts the unlawful use of drugs in connection with incentives or rewards; or

(b) depicts interactive, detailed and realistic use of drugs, being unlawful use; or

(c) depicts, expresses or otherwise deals with matters of drug misuse or addiction in such a way that the material offends against the standards of morality, decency and propriety generally accepted by reasonable adults to the extent that the material should be classified RC; or

(d) is or includes detailed instruction in the unlawful use of drugs.

drug-related material, in relation to a publication, means class 1 material that, without justification:

(a) depicts, expresses or otherwise deals with matters of drug misuse or addiction in such a way that the material offends against the standards of morality, decency and propriety generally accepted by reasonable adults to the extent that the material should be classified RC; or

(b) is or includes detailed instruction in the unlawful use of drugs.

drug-related material, in relation to material that is not a computer game or a publication, means class 1 material that, without justification:

(b) is or includes detailed instruction in the unlawful use of drugs; or

end-user, of a relevant electronic service, means a natural person who uses the service.

enforcement authority means a police force or other law enforcement authority.

enterprise relevant electronic service means a relevant electronic service:

(a) the account holder for which is an organisation (and not an individual); and

(b) the predominant purpose of which is to enable the account holder, in accordance with the terms of use for the service, to make the service available to a specified class of persons to facilitate communications between those persons; and

exploitative, in relation to a description or depiction of an event, means that the description or depiction:

(a) appears intended to debase or abuse, for the enjoyment of readers or viewers, the person or entity described or depicted; and

(b) has no moral, artistic or other value.

extreme crime and violence material, in relation to a computer game, means material that is crime and violence material in relation to a computer game where, without justification, the impact of the material is extreme because:

(a) the material is more detailed; or

(b) the material is realistic rather than stylised; or

(d) the gameplay links incentives or rewards to high impact elements of the game; or

(e) for any other reason.

extreme crime and violence material, in relation to a publication, means material that is crime and violence material in relation to a publication where, without justification, the impact of the material is extreme because of the emphasis, tone, frequency, context and detail of the relevant elements of the publication and other factors that heighten impact.

extreme crime and violence material, in relation to material that is not a computer game or a publication, means crime and violence material where, without justification, the impact of the material is extreme because:

(a) the material is more detailed; or

(b) the material is highly interactive; or

(d) for any other reason.

gaming service with communications functionality: a relevant electronic service is a gaming service with communications functionality if:

(a) the predominant purpose of the service is to enable end-users in Australia to play online games with other end-users; and

(b) the service enables sharing of user-generated URLs, hyper-linked text, images or videos between end-users;

but none of the following is a gaming service with communications functionality:

(d) a service that limits the sharing of user-generated material between end-users to any of the following:

(i) in-game images or footage;

(ii) user-generated designs (such as environments and artwork);

(iii) virtual objects or maps;

(iv) pre-selected messages;

(v) non-hyper-linked text that is subject to automated filtering technology;

(vi) ephemeral voice interactions.

gaming service with limited communications functionality means a relevant electronic service the predominant purpose of which is to enable end-users in Australia to play online games with other end-users without enabling the sharing of user-generated URLs, hyper-linked text, images or videos between end-users (other than material of a kind referred to in paragraph (d) of the definition of gaming service with communications functionality in this subsection).

industry code has the meaning given in section 132 of the Act.

justification: see subsection (2).

known child sexual abuse material means material that:

(a) is or includes images (either still images or video images); and

(b) has been verified as child sexual abuse material by a governmental (including multi-lateral) or non-governmental organisation:

(i) the functions of which are or include combating child sexual abuse or child sexual exploitation; and

(ii) in the case of a non-governmental organisation—that is generally recognised as expert or authoritative in that context; and

(i) is managed by an organisation of a kind described in paragraph (b); and

(ii) is made available to government agencies, enforcement authorities and providers of relevant electronic services for the purpose of their using technological means to detect or manage child sexual abuse material on relevant electronic services.

Example: An example of a database referred to in paragraph (c) is the database managed by the National Center for Missing & Exploited Children.

known pro-terror material means material that has been verified as pro-terror material.

Note 1: Known pro-terror material may include material that can be detected via hashes, text signals, searches of key words terms, URLs or behavioural signals or patterns that signal or are associated with online materials produced by terrorist entities that are on the United Nations Security Council Consolidated List.

That List was accessible, on the registration of this industry standard, at https://www.un.org/securitycouncil/content/un-sc-consolidated-list.

Note 2: Material may, for example, be verified as a result of a decision of the Classification Board. Material may also be verified by using tools provided by independent organisations that are recognised as having expertise in counter-terrorism. Examples of these organisations include Tech Against Terrorism and the Global Internet Forum to Counter Terrorism.

offensive: see subsection (3).

pre-assessed relevant electronic service means each of the following:

(a) a communication relevant electronic service;

(b) a dating service;

pro-terror material means:

(a) class 1 material that:

(i) directly or indirectly counsels, promotes, encourages or urges the doing of a terrorist act; or

(ii) directly or indirectly provides instruction in the doing of a terrorist act; or

(iii) directly praises the doing of a terrorist act in circumstances where there is a substantial risk that the praise might have the effect of leading a person (regardless of the person’s age or any mental impairment that the person might suffer) to engage in a terrorist act; or

(b) material that is known pro-terror material.

However, material accessible using a relevant electronic service is not pro-terror material if its availability on the service can reasonably be taken to be part of public discussion, public debate, entertainment or satire.

provide a relevant electronic service includes make the service available.

provider, in relation to a telephony relevant electronic service, has the meaning given to carriage service provider in section 87 of the Telecommunications Act 1997.

RC or RC Refused Classification means the “Refused Classification” classification under the Classification (Publications, Films and Computer Games) Act 1995.

risk assessment means an assessment of a kind required by subsection 7(1).

risk profile, for a relevant electronic service, means the risk profile of the service determined under subsection 7(7).

sexual activity is not limited to sexual intercourse.

store: material is stored on a relevant electronic service if it is:

(a) in storage used for the service; or

(b) accessible through or using the service.

telephony relevant electronic service means a short messaging service (SMS) or a multimedia messaging service (MMS) provided over a public mobile telecommunications service as defined in subsection 32(1) of the Telecommunications Act 1997.

terms of use, for a relevant electronic service, means the provisions of the agreement under which the service is provided and includes anything that may reasonably be regarded as the equivalent of terms of use.

Note: For what must be included in terms of use for a relevant electronic service see section 13.

terrorist act has the meaning given by section 100.1(1) of the Criminal Code (no matter where the action occurs, the threat of action is made or the action, if carried out, would occur).

Tier 1 relevant electronic service means a relevant electronic service:

(a) that is a Tier 1 relevant electronic service under paragraph 7(8)(a); or

(b) that is determined under subsection 7(9) to be a Tier 1 relevant electronic service.

Tier 2 relevant electronic service means a relevant electronic service that is a Tier 2 relevant electronic service under paragraph 7(8)(b).

violence means an act of violence or an obvious threat of an act of violence.

young Australian child means an Australian child who is under 16.

Justification

(2) For this industry standard, in determining whether material is without justification, the matters to be taken into account include:

(a) the standards of morality, decency and propriety generally accepted by reasonable adults; and

(b) the literary, artistic or educational merit (if any) of the material; and

(d) the persons or class of persons to or amongst whom it is published or is intended or likely to be published.

Offensive material

(3) The question whether material is offensive for the purposes of this industry standard is to be determined in accordance with the Act, including section 8 of the Act.

Part 3—Risk assessments and risk profiles

7 Requirement to carry out risk assessments and determine risk profiles of relevant electronic services

Risk assessments to be carried out

(1) The provider of a relevant electronic service must, at the times required by and in accordance with this Part, carry out an assessment of the risk that class 1A material or class 1B material:

(a) will be generated or accessed by, or distributed by or to, end-users in Australia using the service; and

(b) will be stored on the service.

Timing of risk assessments

(2) If the provider of the service was providing the service before the commencement of this industry standard, the risk assessment must be carried out as soon as practicable after, but no later than 6 months after, the commencement of this industry standard.

(3) Subsection (2) does not apply if a risk assessment that met the requirements of this Part had been carried out in respect of the service within 6 months before the commencement of this industry standard.

(4) A person must not start to provide a relevant electronic service to an end-user in Australia unless a risk assessment of the service has been carried out in accordance with this Part within 6 months before the person started to provide the service.

(5) The provider of a relevant electronic service must not make a material change to the service unless:

(a) a risk assessment of the service, as proposed to be changed, has been carried out in accordance with this Part; or

(b) the change will not increase the risk of class 1A material or class 1B material being accessed by, or distributed to, end-users in Australia using the service, or being stored on the service.

Certain services exempt from risk assessment requirements

(6) Subsections (1) and (4) do not apply to any of the following:

(a) an enterprise relevant electronic service;

(b) a gaming service with limited communications functionality;

(d) a relevant electronic service that is determined under subsection (9) to be a Tier 1 relevant electronic service.

Note: However, subsection (1) applies to a relevant electronic service mentioned in this subsection if the service is materially changed.

Risk profiles of relevant electronic services

(7) The provider of a relevant electronic service that conducts a risk assessment of the service must, on completion of the assessment, determine, in accordance with subsection (8), what the risk profile of the service is.

(8) The risk profile of a relevant electronic service is worked out as follows:

(a) if the risk that class 1A material or class 1B material will be solicited or accessed by, or distributed to, end-users in Australia using the service, or will be stored on the service, is high—the service is a Tier 1 service;

(b) if the risk that class 1A material or class 1B material will be solicited or accessed by, or distributed to, end-users in Australia using the service, or will be stored on the service, is medium—the service is a Tier 2 service.

(c) if the risk that class 1A material or class 1B material will be solicited or accessed by, or distributed to, end-users in Australia using the service, or will be stored on the service, is low—the service is a Tier 3 service.

(9) However, the provider of a relevant electronic service may, at any time, without having conducted a risk assessment, determine that the risk profile of the service is Tier 1.

8 Methodology, risk factors and indicators to be used for risk assessments and risk profile determinations

Requirement for plan and methodology

(1) If the provider is required by this Part to carry out a risk assessment for a service, the provider must formulate in writing a plan, and a methodology, for carrying out the assessment that ensure that the risks mentioned in subsection 7(1) in relation to the service are accurately assessed.

(2) The provider must ensure that the risk assessment is carried out in accordance with the plan and methodology.

(3) The provider must ensure that a risk assessment is carried out by persons with the relevant skills, experience and expertise.

Forward-looking analyses of likely changes

(4) As part of a risk assessment carried out as required by this Part, the provider must undertake a forward-looking analysis of:

(a) likely changes to the internal and external environment in which the service operates or will operate, including likely changes in the functionality or purpose of, or the scale of, the service; and

(b) the impact of those changes on the ability of the service to meet the object of this industry standard.

Note: For the object of this industry standard see section 4.

Matters to be taken into account

(5) Without limiting subsection (1), the methodology for the conduct of a risk assessment must specify the principal matters to be taken into account in assessing relevant risks, which must include the following, so far as they are relevant to the service:

(a) the predominant purpose of the service;

(b) the functionality of the service, including the extent to which material posted on, distributed using or generated by the service will be available to end-users of the service in Australia;

(d) the terms of arrangements under which the provider acquires content to be made available on the service;

(e) the ages of end-users and likely end-users of the service;

(f) the outcomes of the analysis conducted as required by subsection (4);

(g) safety by design guidance and tools published or made available by a government agency or a foreign or international body;

(h) the risk to the online safety of end-users in Australia in relation to material generated by artificial intelligence.

Note 1: Arrangements referred to in paragraph (d) may include provisions that, if complied with, will reduce the risk that class 1A material and class 1B material will be made available through the service.

Note 2: Examples of agencies mentioned in paragraph (g) are the Commissioner and the Digital Trust & Safety Partnership.

9 Documenting risk assessments and risk profiles

(1) As soon as practicable after determining the risk profile of a relevant electronic service, the provider of the service must record in writing:

(a) details of the determination; and

(b) details of the conduct of any related risk assessment;

sufficient to demonstrate that they were made or carried out in accordance with this Part.

(2) The record must include the reasons for the results of the assessment and the determination of the risk profile.

Part 4—Online safety compliance measures

Division 1—Preliminary

10 This Part not exhaustive

This Part does not prevent the provider of a relevant electronic service from taking measures, in addition to and not inconsistent with those required by this Part, to improve and promote online safety for Australians.

11 Determining what is appropriate

(1) In determining whether something (including action) in relation to a relevant electronic service is appropriate, the matters to be taken into account include:

(a) the extent to which the thing achieves or would achieve the object of this industry standard in relation to the service; and

(b) in relation to a breach of applicable terms of use of a relevant electronic service in relation to class 1A material or class 1B material:

(i) the nature of the material and the extent to which the breach is inconsistent with online safety for end-users in Australia; and

(ii) the extent to which the thing will or may reasonably be expected to reduce or manage the risk that the service will be used to solicit, access, distribute or store class 1A material or class 1B material; and

(c) whether the thing is or would be proportionate to the level of risk to online safety for end-users in Australia from the material being accessible through the service.

Note 1: For the object of this industry standard see section 4.

Note 2: For paragraph (b), appropriate action may include exercising any of the provider’s rights under the terms of use for the service in relation to the breach.

(2) For paragraph (1)(c), in deciding whether a thing is or would be proportionate to the level of risk to online safety of end-users in Australia, take into account the scale and reach of the service.

12 Index of requirements for relevant electronic services

The following table sets out the provisions of this Part applicable to providers of relevant electronic services.

Item	For this kind of relevant electronic service …	the applicable provisions of this Part are…
1	all relevant electronic services	sections 32, 33 and 38
2	pre-assessed relevant electronic services	Note: These are: (a) communication relevant electronic services (b) dating services (c) gaming services with communications functionality
3	communication relevant electronic services	(a) the provisions listed in item 1 (b) all provisions of Divisions 2, 3 and 4 (except section 37)
4	dating services	(a) the provisions listed in item 1 (b) all provisions of Division 2 except section 20 (c) all provisions of Divisions 3 and 4 (except section 37)
5	enterprise relevant electronic services	(a) the provisions listed in item 1 (b) section 13 and subsection 37(1)
6	gaming services with communications functionality	(a) the provisions listed in item 1 (a) all provisions of Divisions 2, 3 and 4 (except section 37)
7	gaming services with limited communications functionality	(a) the provisions listed in item 1 (b) section 16
8	telephony relevant electronic services	(a) the provisions listed in item 1 (b) sections 13, 14, 15, 16, 23, 24, 25, 28 and 29 (c) subsection 37(2)
9	Tier 1 relevant electronic service	(a) the provisions listed in item 1 (b) all provisions of Divisions 2, 3 and 4 (except section 37)
10	Tier 2 relevant electronic service	(a) the provisions listed in item 1 (b) sections 13, 14, 15, 16, 17, 18, 23, 24, 25, 28 and 29 (c) subsection 37(2) and (3)
11	Tier 3 relevant electronic service	the provisions listed in item 1

Division 2—Compliance measures

13 Terms of use

(1) This section applies to the following:

(a) an enterprise relevant electronic service;

(b) a pre-assessed relevant electronic service;

(d) a Tier 1 relevant electronic service;

(e) a Tier 2 relevant electronic service.

However, subsection (6) does not apply to an enterprise relevant electronic service.

Provisions to be included in terms of use

(2) The provider of a service must include in the terms of use for the service provisions:

(a) requiring the account holder of the service to ensure that the service is not used in breach of community standards set out or described in the terms of use; and

(b) requiring the account holder of the service to ensure that the service is not used, whether by the account holder, or by an end-user in Australia, to solicit, access, distribute or store (as applicable, having regard to the purpose and functionality of the service) class 1A material or class 1B material; and

(c) regulating the use of the service by end-users and requiring the account holder of the service to ensure that end-users of the service comply with those provisions; and

(d) giving rights for the provider to do any of the following if the service is used to solicit, access, distribute or store child sexual exploitation material or pro-terror material:

(i) suspend the provision of the service to a specified end-user of the service for a specified period;

(ii) impose specified restrictions on the use of the service by a specified end-user of the service for a specified period;

(iii) terminate the agreement for the provision of the service;

(iv) remove or delete the material from the service, or limit access to it through the service.

(3) It is not necessary that a particular form of words be used in the terms of use so long as the contractual effect of the terms of use are as required by subsection (2).

Enforcement of terms of use

(4) If the provider of a relevant electronic service becomes aware of a breach of the obligation mentioned in paragraph (2)(b), the provider must enforce its contractual rights in respect of the breach in an appropriate way.

Note: For appropriate see section 11.

(5) In proceedings in respect of a contravention of subsection (4), the provider bears the evidential burden of establishing:

(a) the action it took to enforce the rights; and

(b) that the action that it took conformed to the requirements of subsection (4).

Publication of terms of use

(6) The provider of a service must publish its terms of use for the service.

(7) The publication must:

(a) be in plain language; and

(b) be accessible on the website and application (if any) for the service; and

(c) describe the broad categories of material within class 1A material and make it clear that class 1A material is not permitted on the service; and

(d) describe the broad categories of material within class 1B material and specify the extent to which that material is not permitted on the service, or is subject to specified restrictions.

14 Systems and processes for responding to breaches of terms of use: class 1A material

(1) This section applies to the following:

(a) a pre-assessed relevant electronic service;

(b) a telephony relevant electronic service;

(d) a Tier 2 relevant electronic service.

(2) The provider of a service must implement systems and processes that ensure that, if the provider becomes aware that there is or has been a breach of an obligation under the terms of use for the service in respect of class 1A material, the provider takes appropriate action to ensure that:

(a) the breach, if it is continuing, ceases; and

(b) the risk of further such breaches is minimised.

Note: For appropriate see section 11.

(3) Without limiting subsection (2), the systems and processes must include ones under which the provider:

(a) reviews reports by end-users of the service in Australia that class 1A material is accessible using the service; and

(b) appropriately prioritises those reports and, if necessary, escalates them to senior management personnel of the provider for action.

Note: For paragraph (a), reports include the reports referred to in section 28.

15 Responding to class 1A material

Note: For class 1B material see section 24.

(1) This section applies to the following:

(a) a pre-assessed relevant electronic service;

(b) a telephony relevant electronic service;

(d) a Tier 2 relevant electronic service.

(2) If the provider of a service becomes aware that the service is being or has been used, whether by the account holder, or by an end-user in Australia, to solicit, access, distribute or store class 1A material (whether or not this amounts to a breach of the terms of use for the service), the provider must:

(a) as soon as practicable, remove the material, or cause the material to be removed, from the service unless:

(i) it is not technically feasible or reasonably practicable for the provider to do so; or

(ii) the provider has been required by an enforcement authority to deal with the material in a manner that requires the material to be retained; and

(b) take appropriate action to ensure that:

(i) the service no longer permits access to or distribution of the material; and

(ii) any related breach of the terms of use for the service, if it is continuing, ceases; and

(iii) the risk of further such breaches of the terms of use for the service is minimised.

Note: For appropriate see section 11.

16 Notification of child sexual exploitation material and pro-terror material

(1) This section applies to the following:

(a) a gaming service with limited communication functionality;

(b) a pre-assessed relevant electronic service;

(d) a Tier 1 relevant electronic service;

(e) a Tier 2 relevant electronic service.

(2) If the provider of a service:

(a) becomes aware of child sexual exploitation material, or pro-terror material, on the service; and

(b) believes in good faith that the material affords evidence of a serious and immediate threat to the life or physical safety of a person in Australia;

the provider must, as soon as practicable, report the matter to an enforcement authority, or otherwise as required by law.

(3) If the provider of a service:

(a) becomes aware of child sexual exploitation material on the service; and

(b) believes in good faith that the material is not known child sexual abuse material;

the provider must, as soon as practicable, notify an organisation of a kind referred to in paragraph (b) of the definition of known child sexual abuse material in subsection 6(1).

(4) If the provider of a service:

(a) identifies pro-terror material on the service; and

(b) believes in good faith that the material is not known pro-terror material;

the provider must, as soon as practicable, notify an appropriate non-governmental organisation that:

(d) is generally recognised as having expertise in counter-terrorism.

(5) Subsections (2), (3) and (4) are in addition to any other applicable law.

17 Resourcing trust and safety functions

(1) This section applies to the following:

(a) a pre-assessed relevant electronic service;

(b) a Tier 1 relevant electronic service;

(2) The provider of a service must have and implement, in respect of the service, management, supervision and internal reporting arrangements to ensure that at all times the provider:

(a) complies with the requirements of this industry standard; and

(b) can otherwise effectively supervise the online safety of the service.

Note: These arrangements may include duties and responsibilities for personnel, and systems, processes and technologies.

(3) The provider of a service must have, or have access to, sufficient personnel who have the skills, experience and qualifications needed to ensure that the provider complies with the requirements of this industry standard at all times.

18 Safety features and settings

(1) This section applies to the following:

(a) a pre-assessed relevant electronic service;

(b) a Tier 1 relevant electronic service;

(2) Before the provider of the service makes a material change to the service, the provider must:

(a) carry out an assessment of the kinds of features and settings that could be incorporated into the service to minimise the risk that class 1A material or class 1B material:

(i) will be accessed by, or distributed to, end-users in Australia using the service; or

(ii) will be stored on the service; and

(b) determine, on the basis of the assessment, the most appropriate and effective features and settings for the service; and

(3) Subsections (4), (5), (6) and (7) do not limit subsection (2) and apply whether or not a material change is made or proposed to the service.

Communication relevant electronic services, gaming services with communications functionality and Tier 1 relevant electronic services

(4) In the case of each of the following:

(a) a communication relevant electronic service the predominant purpose of which is:

(i) to enable end-users in Australia to view, search for or communicate with other end-users (target end-users) on the service without knowing the target end-users’ phone numbers or email address; or

(ii) to recommend target end-users to end-users in Australia, based on interests or connections common to the end-users;

(b) a gaming service with communications functionality; and

the provider must ensure that:

(d) if the service allows the sending of messages between end-users—it has tools and settings that allow end-users in Australia to block messages from other end-users; and

(e) if the service displays, or allows for the display of, an end-user’s online status—it has tools and settings that an end-user in Australia can use to prevent the display or communication of the end-user’s online status; and

(f) if the provider allows young Australian children to become account holders or end-users of the service—it has tools and settings that prevent end-users who are over 18 from using the service to contact a young Australian child without the consent of the child’s parent or carer; and

(g) the account of a young Australian child with the service is private by default; and

(h) the location of a young Australian child who is an end-user of the service is not available to end-users of the service without the consent of the child’s parent or carer.

Dating services

(5) The provider of a dating service must ensure that the tools and settings for the service:

(a) allow an end-user of the service to block messages from another end-user of the service; and

(b) do not permit a person to become an end-user of the service unless the person is registered with the service as an end-user; and

(c) do not permit a person to register with the service as an end-user unless the person provides the person’s phone number, email address or other identifier.

Communication relevant electronic services

(6) The provider of a communication relevant electronic service must ensure that the settings for the service:

(a) do not permit a person to become an end-user of the service unless the person is registered with the service as an end-user; and

(b) do not permit a person to register as an end-user of the service unless the person provides the person’s phone number, email address or other identifier.

Data retention

(7) The provider of a service must retain information provided as required by paragraph (5)(c) or (6)(b) for at least 2 years.

General information about tools and settings

(8) The provider of a service must provide information that explains the tools and settings provided as required by this section. The information:

(a) must be “in service”, that is, not on a separate website to the website for the service; and

(b) must be easily accessible and easy to use; and

19 Detecting and removing known child sexual abuse material

(1) This section applies to the following:

(a) a pre-assessed relevant electronic service;

(b) a Tier 1 relevant electronic service.

(2) The provider of a service must implement appropriate systems, appropriate processes and appropriate technologies to:

(a) detect and identify known child sexual abuse material that:

(i) is stored on the service; or

(ii) is accessible by an end-user in Australia using the service; or

(iii) is being or has been accessed or distributed in Australia using the service; and

(b) remove known child sexual abuse material from the service as soon as practicable after the provider becomes aware of it.

Note 1: The technologies that the provider may use include hashing technologies and machine learning.

Note 2: For appropriate see section 11.

(3) Subsection (2) does not require a provider to use a system or a technology if:

(a) it is not technically feasible or reasonably practicable for the provider to do so; or

(b) to do so would require the provider to:

(i) implement or build a systemic weakness, or a systemic vulnerability, into the service;

(ii) in relation to an end-to-end encrypted service—implement or build a new decryption capability into the service, or render methods of encryption used in the service less effective.

(4) If, because of subsection (3), a provider does not implement any systems as described in subsection (2), the provider must take appropriate alternative action.

(5) If, because of subsection (3), a provider does not implement any technologies as described in subsection (2), the provider must take appropriate alternative action.

Note: For appropriate see section 11.

(6) This section does not affect the operation of section 21.

Note: This section does not prevent a provider from complying with legal obligations to preserve evidence of offences.

20 Detecting and removing known pro-terror material

(1) This section applies to the following:

(a) a communication relevant electronic service;

(b) a gaming service with communications functionality;

(2) The provider of a service must implement appropriate systems, appropriate processes and appropriate technologies to:

(a) detect and identify known pro-terror material that:

(i) is stored on the service; or

(ii) is being distributed by or to an end-user in Australia using the service; and

(b) remove known pro-terror material from the service as soon as practicable after the provider becomes aware of it.

Note: The technologies that the provider may use include hashing technologies and machine learning.

(3) Subsection (2) does not require a provider to use a system or a technology if:

(a) it is not technically feasible or reasonably practicable for the provider to do so; or

(b) to do so would require the provider to:

(i) implement or build a systemic weakness, or a systemic vulnerability, into the service;

(ii) in relation to an end-to-end encrypted service—implement or build a new decryption capability into the service, or render methods of encryption used in the service less effective.

(4) If, because of subsection (3), a provider does not implement any systems as described in subsection (2), the provider must take appropriate alternative action.

(5) If, because of subsection (3), a provider does not implement any technologies as described in subsection (2), the provider must take appropriate alternative action.

Note: For appropriate see section 11.

(6) This section does not affect the operation of section 21.

Note: This section does not prevent a provider from complying with legal obligations to preserve evidence of offences.

21 Disrupting and deterring child sexual exploitation material and pro-terror material

(1) This section applies to the following:

(a) a pre-assessed relevant electronic service; and

(b) a Tier 1 relevant electronic service.

(2) The provider of a service must implement systems and processes and, if it is appropriate to do so, technologies that:

(a) effectively deter end-users of the service from using the service; and

(b) effectively disrupt attempts by end-users of the service to use the service;

to create, offer, solicit, access, distribute, or otherwise make available, or store child sexual exploitation material or pro-terror material (including known child sexual abuse material and known pro-terror material).

Note: For appropriate see section 11.

Note: Examples of systems, processes and technologies include hashing technologies, machine learning and artificial intelligence systems that scan for known child sexual abuse material and those designed to detect key words, behavioural signals and patterns associated with child sexual abuse material.

22 Development programs

(1) This section applies to the following:

(a) a pre-assessed relevant electronic service; and

(b) a Tier 1 relevant electronic service;

for a calendar year if the average monthly number of active end-users of the service, in Australia, over the immediate previous calendar year was 1,000,000 or more.

(2) The provider of the service must establish and implement, for the calendar year, a program of investment and development activities (development program) in respect of systems, processes and technologies.

Note: See also section 35.

(3) A development program must include:

(a) investments and activities designed to develop systems, processes and technologies that enhance the ability of the provider or of other providers of relevant electronic services:

(i) to detect and identify child sexual abuse material or pro-terror material (including known child sexual abuse material and known pro-terror material) on the service; and

(ii) to deter end-users of the service from using the service, and to disrupt attempts by end-users of the service to use the service, to solicit, generate, create, access, distribute or store child sexual exploitation material or pro-terror material (including known child sexual abuse material and known pro-terror material); and

(iii) to reduce the risk to the online safety of end-users in Australia in relation to class 1A material or class 1B material generated by artificial intelligence; and

(b) arrangements for cooperating and collaborating with other organisations in activities of the kind referred to in paragraph (a) and to enhance online safety for Australians.

(4) A development program may include arrangements for the provider to make available to other providers of relevant electronic services, or organisations engaged in promoting online safety for Australians, systems, processes and technologies of a kind referred to in paragraph (3)(a) (including making them available without charge).

(5) The value and scale of the investment and development activities implemented in a calendar year must effectively address the need to enhance the ability of the provider to do the things mentioned in subsection (3), having regard to the nature and functionalities of the service concerned and the average monthly number of active end-users of the service, in Australia over the immediate previous calendar year.

(6) Examples of activities that may be part of a provider’s development program include:

(a) joining industry organisations intended to address serious online harms; and

(b) sharing information on best practice approaches relevant to the service; and

(c) working with the Commissioner to share information, intelligence, best practice and other information relevant to addressing categories of class 1A material or class 1B material that are relevant to the service; and

(d) collaborating with non-government or other organisations that facilitate the sharing of information, intelligence, best practices and other information relevant to addressing categories of class 1A or class 1B material that are relevant to the service.

(7) Examples of investments that may be part of a provider’s development program include:

(a) procuring online safety systems and technologies for use in connection with the service or enhancing online safety systems and technologies used in connection with the service; and

(b) conducting research into and development of online safety systems and technologies; and

(c) providing support, either financial or in kind, to organisations the functions of which are or include working to combat child sexual abuse, child sexual exploitation or terrorism.

23 Systems and processes for responding to breaches of terms of use: class 1B material

(1) This section applies to the following:

(a) a pre-assessed relevant electronic service;

(b) a telephony relevant electronic service;

(d) a Tier 2 relevant electronic service.

(2) The provider of a service must implement systems and processes that ensure that, if the provider becomes aware that there is or has been a breach, in Australia, of an obligation under the terms of use for the service in respect of class 1B material, the provider takes appropriate action to ensure that:

(a) the breach, if it is continuing, ceases; and

(b) the risk of further such breaches is minimised.

Note: For appropriate see section 11.

(3) Without limiting subsection (2), the systems and processes must include ones under which the provider:

(a) reviews reports by end-users of the service in Australia that class 1B materials are accessible using the service; and

(b) appropriately prioritises those reports and, if necessary, escalates them to senior management personnel of the provider for action.

24 Responding to breaches of terms of use: class 1B material

Note: For breaches in respect of class 1A material see section 15.

(1) This section applies to the following:

(a) a pre-assessed relevant electronic service;

(b) a telephony relevant electronic service;

(d) a Tier 2 relevant electronic service.

(2) If the provider of a service becomes aware that there is or has been a breach of an obligation under the terms of use for the service in respect of class 1B material, the provider must:

(a) as soon as practicable, remove the material, or cause the material to be removed, from the service unless it is not technically feasible or reasonably practicable for the provider to do so; and

(b) take appropriate action to ensure that:

(i) the service no longer permits access to or distribution of the material; and

(ii) the breach, if it is continuing, ceases; and

(iii) the risk of further such breaches is minimised.

Note: For appropriate see section 11.

(3) Without limiting what is appropriate action, appropriate action may include exercising any of its contractual rights under the terms of use for the service in relation to the breach.

Note: For contractual rights required to be included in terms of use see paragraph 13(2).

25 Giving information about the Commissioner to end-users in Australia

(1) This section applies to the following:

(a) a pre-assessed relevant electronic service;

(b) a telephony relevant electronic service;

(d) a Tier 2 relevant electronic service.

(2) The provider of a service must ensure that information:

(a) describing the role and functions of the Commissioner; and

(b) describing how to refer a matter about the service or the provider to the Commissioner; and

is accessible to end-users of the service in Australia at all times through a dedicated location on the website for the service.

26 Responding to communications from, and referring certain unresolved complaints to, the Commissioner

(1) This section applies to the following:

(a) a pre-assessed relevant electronic service;

(b) a Tier 1 relevant electronic service.

(2) The provider of a service must implement policies and procedures that ensure that:

(a) it responds in a timely and appropriate manner to communications from the Commissioner about compliance with this industry standard; and

(b) if the provider becomes aware that a complainant is dissatisfied with the way in which the report or complaint was dealt with or with the outcome of a complaint—the provider refers the complaint to the Commissioner in accordance with section 31.

27 Dedicated section of service for online safety information

(1) This section applies to any of the following:

(a) a pre-assessed relevant electronic service;

(b) a Tier 1 relevant electronic service.

. (2) The provider of a service must ensure that the information required by section 25 and paragraph 28(3)(c), and other online safety information made available by the provider, is accessible at all times through a dedicated location “in service”, that is, not on a separate website to the website for the service.

Division 3—Reports and complaints

28 Mechanisms for end-users and account holders to report, and make complaints, to providers

(1) This section applies to the following:

(a) a pre-assessed relevant electronic service;

(b) a telephony relevant electronic service;

(d) a Tier 2 relevant electronic service.

(2) The provider of a service must provide 1 or more tools that enable end-users and account holders of the service in Australia to do the following:

(a) make a report to the provider, identifying or flagging class 1A material or class 1B material accessible on or through the service;

(b) make a complaint to the provider about:

(i) material referred to in paragraph (a); or

(ii) the provider’s non-compliance with this industry standard.

An end-user or account holder who makes a report or complaint under this section is a complainant.

(3) The tools must:

(a) be available “in service”, that is, not on a website separate to the website for the service, unless it is not technically feasible or reasonably practicable for the provider to do this; and

(b) be easily accessible and easy to use; and

(d) enable the complainant to specify the harm associated with the material, or the non-compliance, to which the report or complaint relates.

(4) A provider must ensure that the identity of a complainant is not accessible, directly or indirectly, by any other end-user or account holder of the service without the express consent of the complainant.

29 Dealing with reports and complaints—general rules

(1) This section applies to the following:

(a) a pre-assessed relevant electronic service;

(b) a telephony relevant electronic service;

(d) a Tier 2 relevant electronic service.

(2) If a person makes a report or complaint to the provider of the service under subsection 28(2), the provider must:

(a) respond promptly to the complainant acknowledging the report or complaint; and

(b) take appropriate and timely action to investigate the report or complaint.

Note: For appropriate see section 11.

(3) Paragraph (2)(b) does not apply if:

(a) the provider believes on reasonable grounds that the report is frivolous, vexatious or otherwise not made in good faith; or

(b) the matter the subject of the report is being investigated, or has been investigated, by the Commissioner under Division 5 of Part 3 of the Act.

(4) The provider of the service must:

(a) notify the complainant of the outcome of any investigation into the report or complaint and the action proposed by the provider in consequence of the investigation; or

(b) if the provider did not investigate the report or complaint because of subsection (3)—notify the complainant of that fact and of any action proposed by the provider in consequence of the complaint.

(5) The provider of a service must:

(a) record in writing its systems, processes and technologies used to conduct investigations and reviews under this Division; and

(b) ensure that its personnel who investigate reports and complaints, and conduct reviews, as required by this Division, have appropriate training and experience, including training in and experience of the provider’s applicable policies and procedures.

30 Dealing with reports and complaints—additional rules for pre-assessed relevant electronic services and Tier 1 relevant electronic services

(1) This section applies to:

(a) a pre-assessed relevant electronic service;

(b) a Tier 1 relevant electronic service;

where a complainant makes a report or complaint to the provider about class 1A material or class 1B material accessible on or through the service, of the service and so applies in addition to section 29.

Note: See subsection 26(2).

(2) The provider of a service must:

(a) ensure that the complainant can, within 1 month after being notified under subsection 29(4), require the provider to conduct a review of the outcome of the investigation into the report or complaint; and

(b) if the complainant requires such a review—ensure that:

(i) the outcome is reviewed in accordance with subsection (3); and

(ii) the complainant is notified promptly of the outcome of the review.

(3) For a review under subsection (2):

(a) the review must be conducted by a person other than the person who conducted the investigation into the report or complaint concerned; and

(b) the provider must take appropriate action to facilitate the review.

31 Unresolved complaints about non-compliance to be referred to the Commissioner

(1) This section applies to the following services:

(a) a pre-assessed relevant electronic service;

(b) a Tier 1 relevant electronic service.

(2) If:

(a) a complainant makes a report or complaint to the provider about the provider’s non-compliance with this industry standard; and

(b) the provider becomes aware that the complainant is dissatisfied with:

(i) the way in which the report or complaint was dealt with; or

(ii) the outcome of the report or complaint;

the provider must refer the complaint to the Commissioner.

Note: For paragraph (a) see section 29.

(3) The Commissioner may, by written notice to the provider, require the provider to give the Commissioner, within a specified period, specified information or documents that it holds that are relevant to the complaint. The provider must comply with the requirement.

Division 4—Requirements for reporting to the Commissioner

32 Commissioner may require documents about risk assessments and other information

(1) The Commissioner may, by written notice to the provider of a relevant electronic service, require the provider to give the Commissioner any of the following documents:

(a) the most recent risk profile determination for the service;

(b) the record, as required by section 9, of the most recent risk assessment for the service;

(d) the provider’s development program for a specified calendar year.

Note: For development programs see section 22.

(2) The provider must give the documents to the Commissioner within the period specified in the notice.

Note: See also section 38.

33 Reports relating to technical feasibility and practicability of compliance with provisions of Division 2

(1) The Commissioner may, by written notice to the provider of a relevant electronic service, require the provider to give the Commissioner, within a specified period, a report:

(a) that describes:

(i) the cases in which it was not, or would not, be technically feasible; or

(ii) the cases in which it was not, or would not, be reasonably practicable;

for the provider to comply with an obligation under Division 2 to implement systems or technologies of a particular kind; and

(b) in the case of obligations under subsection 19(2)—that describes the systems and technologies that were or are available but were not, or would not be, implemented because of paragraph 19(3)(b); and

(c) in the case of obligations under subsection 20(2)—that describes the systems and technologies that were or are available but were not, or would not be, implemented because of paragraph 20(3)(b); and

(d) in each case—that describes the alternative action taken or that would be taken as required by subsection 19(4) or (5) or 20(4) or (5).

Note 1: Section 19 is about known child sexual abuse material.

Note 2: Section 20 is about known pro-terror material.

(2) The report must provide justification for the actions described, and the conclusions, in the report.

(3) The Commissioner may, by written notice to the provider, require the report to be in a specified form. The provider must comply with the requirement.

(4) A report may relate to 2 or more services.

(5) The provider must give the report to the Commissioner within the period specified in the notice under subsection (1).

Note: See also section 38.

34 Notifying changes to features and functions of relevant electronic services

Note: A provider is required to carry out an assessment under subsection 18(2) before the provider makes a material change to the service.

(1) This section applies to the following:

(a) a communication relevant electronic service;

(b) a dating service;

(d) a Tier 1 relevant electronic service.

(2) If the provider of a service decides to:

(a) add a new feature or function to the service; or

(b) remove a feature or function from a service or make a feature or function inoperable for a service;

the provider must notify the Commissioner in writing of the proposed change as soon as practicable after making the decision unless the provider believes, on reasonable grounds, that the proposed change will not significantly increase the risk that the service will be used to solicit, access, distribute or store class 1A material or class 1B material.

(3) If:

(a) a new feature or function is added to a service; or

(b) a feature or function is removed from a service, or made inoperable for a service;

the provider of the service must notify the Commissioner in writing of the change as soon as practicable after it is implemented unless the provider believes, on reasonable grounds, that the change has not significantly increased the risk that the service will be used to solicit, access, distribute or store class 1A material or class 1B material.

35 Reports on outcomes of development programs

(1) The Commissioner may, by written notice to the provider of a relevant electronic service to which section 22 applied in respect of a particular calendar year, require the provider to give the Commissioner, within a specified period, a report that specifies:

(a) the activities and investments undertaken by the provider in respect of the calendar year to implement its development program; and

(b) the outcomes of those activities and investments in terms of enhancing online safety for end-users in Australia.

(2) The Commissioner may, by written notice to the provider, require the report to be in a specified form. The provider must comply with the requirement.

(3) The provider must give the report to the Commissioner within the period specified in the notice under subsection (1).

Note: See also section 38.

36 Commissioner may require compliance reports

(1) This section applies to the following:

(a) a pre-assessed relevant electronic service;

(b) a Tier 1 relevant electronic service.

(2) The Commissioner may, by written notice to the provider of a service, require the provider to give the Commissioner a report (a compliance report) for the most recent calendar year before the date of the notice (the reporting period).

(3) A compliance report under subsection (2) must include the following:

(a) the average number of monthly active users of the service in Australia during the reporting period, and how that number was worked out;

(b) for a Tier 1 relevant electronic service—details of the most recent risk assessment for the service, including about the plan and methodology required by subsection 8(1);

(c) for a pre-assessed relevant electronic service—a description of the service’s functionalities and features during the reporting period and an explanation why the service is properly characterised as the relevant kind of service;

(d) details of the steps that the provider took during the reporting period to comply with the requirements of this Part;

(e) an explanation why the steps taken as mentioned in paragraph (d) were appropriate, having regard, among other things, to the features of the service during the reporting period;

(f) a statement of the extent to which it was not, during the reporting period, technically feasible or reasonably practicable for the provider to detect or remove class 1A material or class 1B material from the service, and why;

(g) each of the following:

(i) the amount of child sexual exploitation material and pro-terror material (identified material) that the provider identified in relation to the services during the reporting period;

(ii) how the identified material was identified as child sexual exploitation material or pro-terror material;

(iii) details of the action that the provider took in respect of the identified material;

(h) the number of complaints made to the provider about the provider’s compliance with this industry standard during the reporting period.

Note: For subparagraph (g)(ii), examples of methods for identifying material include end-user reports and use of hashing technologies.

(4) The report must provide justification for the conclusions in the report.

(5) The Commissioner may, by notice to the provider, require the compliance report to be in a specified form. The provider must comply with the requirement.

(6) A compliance report may relate to 2 or more services.

(7) If information required to be included in a compliance report has otherwise been given to the Commissioner, the provider may refer to the report or notification by which it was given instead of repeating it in the compliance report.

(8) A compliance report must be given to the Commissioner within 2 months after the notice under subsection (2) is given to the provider.

Note: See also section 38.

37 Compliance and other certificates and reports required by Commissioner

Enterprise relevant electronic services

(1) The Commissioner may, by written notice to the provider of an enterprise relevant electronic service, require the provider to certify that, except as specified in the certificate, the provider has complied with section 13 during the most recent calendar year before the date of the notice.

Other relevant electronic services

(2) The Commissioner may, by written notice to the provider of either of the following:

(a) a telephony relevant electronic service;

(b) a Tier 2 relevant electronic service;

require the provider to give the Commissioner a report (a compliance report) for the most recent calendar year before the date of the notice (the reporting period).

(3) A compliance report under subsection (2) must include the following:

(a) for a telephony relevant electronic service—a description of the service’s functionalities and features during the reporting period and an explanation why the service is properly characterised as a telephony relevant electronic service;

(b) for a Tier 2 relevant electronic service—details of the most recent risk assessment, including about the plan and methodology required by subsection 8(1);

(i) details of the steps that the provider took during the reporting period to comply with the requirements of this Part; and

(ii) an explanation why those steps were appropriate, having regard, among other things, to the features of the service during the reporting period; and

(iii) a statement of the extent to which it was not, during the reporting period, technically feasible or reasonably practicable for the provider to detect or remove class 1A material or class 1B material from the service, and why.

(4) A compliance report must provide justification for the conclusions in the report.

(5) The Commissioner may, by written notice to the provider, require the compliance report to be in a specified form. The provider must comply with the requirement.

(6) A compliance report may relate to 2 or more services.

Giving certificates and reports

(7) A provider must comply with a notice under subsection (1) or (2) within 2 months after the notice is given to the provider.

Note: See also section 38.

38 Extension of reporting deadlines

The Commissioner may, on application, grant a provider an extension of time, for a specified period or to a specified date, for giving the Commissioner a document, report, certificate or notification under this Division, and may do so before or after the time for giving the document, report, certificate or notification has passed.