Author: Jodie Siganto 25 August 2015
The new Australian meta-data retention obligations come into force on 13 October 2015. This note provides a broad overview of those obligations, their interaction with existing Privacy Act obligations, and references to some of the advice made available on the issues raised by data retention obligations and privacy.

Key Takeaways

·       New meta-data retention obligations start on 13 October 2015, but telcos can get up to 18 months extra to implement appropriate measures.

·       Obligations in the data retention legislation include encrypting stored data.

·       No standard or guidance on what ‘encryption’ requires has been provided so far.

·       Further security provisions will be included in the Telecommunications Sector Security Reform (TSSR) initiative, draft provisions of which are currently under consideration.

·       Retained meta-data is deemed to be ‘personal information’ for purposes of the Privacy Act 1988 (Cth).

·       From 13 October 2015, all carriers, carriage service providers and internet service providers must comply with the Privacy Act in relation to retained meta-data, even if they might otherwise be exempt e.g. under the small business exemption.

·       The Office of the Australian Information Commissioner has published a new resource to assist telecommunications carriers and service providers to understand their key privacy obligations, including providing notice of collection and access to retained meta-data.
New Data Retention Obligations

The legislation amending the Telecommunications (Interception and Access) Act 1979 and introducing new requirements for telecommunications service providers to retain certain data was passed in May 2015 and becomes effective on 13 October 2015.[1] From that date, licensed carriers, carriage service providers and internet service providers that use communications infrastructure in Australia to provide any of their services may be required to retain and secure specific telecommunications data for two years. Some services are specifically excluded—for example, broadcasting services.[2]

The data retention obligations apply irrespective of the size of the organisation or its customer base.

The legislation specifies the types of data that must be retained, depending on the nature of the service being offered.[3] Broadly, the data set includes information relating to the:

·       source and destination of a communication;

·       date, time and duration of a communication;

·       communication type; and

·       location of communications equipment.

This data must be kept for two years from its creation.[4] Service providers are not required to retain data about services offered by other providers. For example, a wholesale-only service provider is only required to retain items in the data set that are relevant to provision of its wholesale service.

Service providers that cannot fully comply with these obligations by 13 October 2015 should apply to the Communications Access Coordinator (a statutory officer within the Attorney-General’s Department) for either:

·       an extension of up to 18 months by lodging a Data Retention Implementation Plan that details how they will achieve compliance in the extended period;[5] or

·       an exemption from and/or variation of the data retention obligations in relation to a specific service.[6]

Data Retention Implementation Plans

Providers who are concerned that they will not be ready to comply with the amended Act by 13 October 2015 can apply for up to a further 18 months to progressively achieve compliance by seeking approval of a Data Retention Implementation Plan.[7] If a plan is approved, providers can use this additional time to plan, build and test data retention systems. Service providers wishing to submit an Implementation Plan are advised to do so by mid-August 2015 to enable consideration and approval of the plan before the obligations commence.

Where a service provider has an agreed Implementation Plan, compliance with that Plan becomes a civil penalty provision.

Security Obligations – Encryption & protection

In a recent Protiviti survey, 64 percent of respondents said metadata retention was acceptable as long as adequate security controls were put in place to protect the data.[8] Despite that concern, the security provisions contained in the new Act are expressed only in broad terms. The legislation states that service providers must protect the confidentiality of data retained under the Act by:

·       Encrypting the information; and

·       Protecting the information from unauthorised interference or unauthorised access.[9]

This is an improvement on the initial draft of the legislation, which did not refer to security at all. The original Explanatory Memorandum supporting the legislation explained this omission by pointing to forthcoming amendments to the Telecommunications Act (the proposed Telecommunications Sector Security Reforms (TSSR)) and to existing obligations under the Privacy Act.[10]

In its advisory report on the data retention amendments, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) also referred to the additional protection of data expected to result from enactment of the TSSR initiative.[11] The PJCIS recommended that the government enact the TSSR before the end of the implementation phase of the data retention regime.[12] In June 2015, the government announced the TSSR by releasing draft amendments to the Telecommunications Act.[13] The TSSR will be covered in more detail in a separate article, though it is worth noting here that the draft TSSR has been much criticised and seems unlikely to be passed by 13 October 2015.

As part of its consideration of securing the retained data, the PJCIS recommended that service providers be required to encrypt retained data,[14] a recommendation that was incorporated into the final legislation.[15] The PJCIS also recommended that the Data Retention Implementation Working Group[16] develop an appropriate standard of encryption to be incorporated into regulations, and that the Communications Access Coordinator be required to consider a provider’s compliance with this standard as part of the Data Retention Implementation Plan process.

No guidance or standard has yet been provided by the Data Retention Implementation Working Group on what ‘encryption’ requires. In practice, this means that providers building retention systems now must select and document their own approach to encryption (including how keys are generated, stored and managed), with the risk that a later standard may require changes.

It is also worth noting that the AG’s Guidance on data retention provides that ‘The obligation to retain and secure the data set, commencing from 13 October 2015, is a civil penalty provision.’[17] Where those civil penalty provisions are contravened, the Australian Communications and Media Authority (ACMA) can issue infringement notices. Penalties under the infringement notice regime are currently set at $10,200 per contravention. However, the provision requiring the encrypting and protecting of the data is not specified as a provision attracting any pecuniary penalty for breach.[18] Accordingly, it is not clear how that civil penalty provision might attach to the obligation to protect the data. There are, however, other sanctions for non-compliance. For example, compliance with the obligations of the Telecommunications Interception Act is a condition of all carrier licences and part of the service provider rules.[19] In addition, under the Telecommunications Act, if the Federal Court is satisfied that a person has contravened a condition of its carrier licence or the service provider rules, the Court may order the person to pay the Commonwealth up to $10 million for each contravention.

Meta Data and the Privacy Act

The amended Telecommunications Interception Act provides that data retained under the Act will be personal information about an individual for the purposes of the Privacy Act, provided that the information relates to:

·       the individual; or

·       a communication to which the individual is a party.[20]

The service provider will also be deemed to be an organisation to which the Privacy Act applies.[21]

This means that all service providers must comply with the provisions of the Privacy Act in regard to retained meta-data, even if they would otherwise have been exempt from the Privacy Act, for example under the small business exemption.

Compliance with the Privacy Act will include notifying individuals of collection, providing copies of all retained data to customers who request it, and not transferring the data overseas without complying with the provisions of APP 8 (cross-border disclosure of personal information).

OAIC Privacy Business Resource 11

The Office of the Australian Information Commissioner (OAIC) has published Privacy business resource 11: Telecommunications service providers’ obligations arising under the Privacy Act[22] to assist telecommunications carriers and service providers to understand their key privacy obligations under the data retention scheme.

The resource acknowledges that, following commencement of that scheme, all carriers, carriage service providers and internet service providers must comply with the Privacy Act in relation to the retained meta-data, including those who would otherwise have been exempt.

In terms of compliance, the resource refers service providers to the following key obligations:

·       Establishing practices, procedures and systems that ensure compliance;

·       Having a clearly expressed and up-to-date privacy policy;

·       Notifying individuals when their personal information is collected;

·       Protecting and securing the personal information they collect and retain;

·       Ensuring personal information sent overseas is protected;

·       Providing individuals with access to the personal information they collect and retain about them.
Further information

The data retention legislation, amending the Telecommunications Interception Act is available here:

Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 https://www.comlaw.gov.au/Details/C2015A00039

The Attorney General’s Department has provided a series of online resources available via: http://www.ag.gov.au/dataretention.  These resources include:

For FAQs and application templates, as well as case-by-case support, service providers may email the office of the Communications Access Coordinator at cac@ag.gov.au or call 02 6141 2884.

The OAIC’s Privacy Business Resource 11 – Telecommunications service providers’ obligations arising under the Privacy Act 1988 as a result of Part 5-1A of the Telecommunications (Interception and Access) Act 1979 is available here: http://www.oaic.gov.au/privacy/privacy-resources/privacy-business-resources/privacy-business-resource-11.

About the Author – Dr Jodie Siganto

Jodie Siganto graduated as a lawyer from the University of Queensland and after 8 years in private practice became in-house counsel for Tandem Computers, followed by roles with Unisys Asia and Dell based in Singapore. She returned to Australia in 2000, founding Bridge Point Communications (specialists in data networking and security) with two other colleagues. She is currently a director of IT Security Training Australia, an (ISC)² educational affiliate, specialising in the delivery and development of privacy, IT security and network related training courses around Australia. Jodie has completed a PhD at QUT which examined the Privacy Commissioner’s exercise of powers in relation to NPP 4 and the extent to which that is supportive of industry practice. Jodie is the Chair of the AISA Policy Committee, is a regular speaker at industry events and is currently participating in a research study partly led by researchers from Royal Holloway, University of London, which is mapping some of the unique traits of information security practitioners in Australia.

[1] Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 https://www.comlaw.gov.au/Details/C2015A00039. The current version of the Telecommunications (Interception and Access) Act, which as at 25 August 2015 does not include the 2015 amendments, is available here: https://www.comlaw.gov.au/Details/C2015C00305.

[2] This explanation is provided in The Australian Communications and Media Authority ‘Australia’s data retention obligations become law’ 5 June 2015 http://www.acma.gov.au/theACMA/engage-blogs/engage-blogs/Telco/Australias-data-retention-obligations-become-law. The general obligation to retain data is contained in Part 5-1A Section 187A of the amended Act.

[3] Section 187AA of the amended Act.

[4] Section 187C of the amended Act.

[5] Service providers may submit a Data Retention Implementation Plan to the Communications Access Coordinator to request more time to develop capability to meet their data retention obligations. The submission of a plan is confidential. See Part 1, Division 2 of the amended Act.

[6] Attorney-General’s Department ‘Industry Implementation of Data Retention’ < http://www.ag.gov.au/NationalSecurity/DataRetention/Pages/Industry-Implementation-of-data-retention.aspx>.

[7] Part 1, Division 2 of amended Act.

[8] http://www.cso.com.au/article/555596/data-retention-acceptable-long-security-access-managed-survey/.

[9] Section 187BA of the amended Act.

[10] Parliament of Australia, Explanatory Memorandum - Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, 13.

[11] Parliamentary Joint Committee on Intelligence and Security, Advisory Report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, February 2015, [7.101], 290.

[12] Parliament of the Commonwealth of Australia, Explanatory Memorandum - Telecommunications and other legislation Amendment Bill 2015, 3.

[13] Department of Communications, ‘Telecommunications Sector Security Reforms’ https://www.communications.gov.au/departmental-news/telecommunications-sector-security-reforms. Attorney-General’s Department, ‘Telecommunications Sector Security Reforms’ http://www.ag.gov.au/telcosecurity.

[14] PJCIS Advisory Report, Recommendation 37, 299.

[15] Parliament of the Commonwealth of Australia, Revised Explanatory Memorandum - TELECOMMUNICATIONS (INTERCEPTION AND ACCESS) AMENDMENT (DATA RETENTION) BILL 2015, [7], 3.

[16] The Data Retention Implementation Working Group is a joint government-industry working group consulting on the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015.

[17] Attorney-General’s Department, ‘Data Retention Guidelines for Service Providers’ < http://www.ag.gov.au/NationalSecurity/DataRetention/Documents/DataRetentionGuidelinesForServiceProviders.pdf>, 5.

[18] Pursuant to Section 187M of the amended Act, pecuniary penalties only apply to breach of Section 187A or Section 187D(a).

[19] Attorney-General’s Department, ‘Data Retention Guidelines for Service Providers’, 5.

[20] Section 187LA (1).

[21] Section 187LA (2).

[22] Office of the Australian Information Commissioner ‘Privacy Business Resource 11 – Telecommunications service providers’ obligations arising under the Privacy Act 1988 as a result of Part 5-1A of the Telecommunications (Interception and Access) Act 1979’ July 2015 < http://www.oaic.gov.au/privacy/privacy-resources/privacy-business-resources/privacy-business-resource-11>.