1.1
The Parliamentary Joint Committee on Intelligence and Security (the Committee) is required by Part 5-1A of the Telecommunications (Interception and Access) Act 1979 (TIA Act) to undertake a review of the mandatory data retention regime (MDRR). Section 187N of the TIA Act provides for the review to be completed by 13 April 2020.
1.2
The mandatory data retention regime is a legislative framework which requires carriers, carriage service providers and internet service providers to retain a defined set of telecommunications data for two years, ensuring that such data remains available for law enforcement and national security investigations.
Conduct of the inquiry
1.3
The Committee of the 45th Parliament formerly adopted the review and called for submissions on 4 April 2019. The Committee resolved to focus on:
the continued effectiveness of the scheme, taking into account changes in the use of technology since the passage of the Bill;
the appropriateness of the dataset and retention period;
costs, including ongoing costs borne by service providers for compliance with the regime;
any potential improvements to oversight, including in relation to journalist information warrants;
any regulations and determinations made under the regime;
the number of complaints about the scheme to relevant bodies, including the Commonwealth Ombudsman and the Inspector-General of Intelligence and Security;
security requirements in relation to data stored under the regime, including in relation to data stored offshore;
any access by agencies to retained telecommunications data outside the TIA Act framework, such as under the Telecommunications Act 1997; and
developments in international jurisdictions since the passage of the Bill.
1.4
Since deciding on these terms of reference, the government referred a press freedom inquiry to the Committee. That inquiry required the Committee to look closely at Journalist Information Warrants. As such, while this report sets out the requirements for a Journalist Information Warrant and discusses the warrants where relevant, the Committee has left comment about Journalist Information Warrants to its press freedom inquiry.
1.5
The provisions under review are primarily Part 5-1A of TIA Act, which implemented the current mandatory data retention regime. Outside of the TIA Act framework, but within the Committee’s terms of reference, are provisions in the Telecommunications Act 1997. For clarity, ‘access to metadata’ or ‘metadata’ refers to access to data held under the 5.1 of the TIA Act and ‘access to telecommunications data’ refers to access to data via 280 and 313(3) of the Telecommunications Act.
1.6
Following the Australian Federal election on 18 May 2019, the Committee of the 46th Parliament again formerly adopted the review and accepted 47 submissions and 22 supplementary submissions to the review. Appendix A sets out a list of submitters.
1.7
The Committee held public hearings for its inquiry as follows on 7, 14 and 28 February in Parliament House Canberra. Appendix B sets out a list of witnesses appearing at the public hearings.
Report structure
1.8
This report contains five chapters:
the introduction, which outlines the provisions under review;
operation, effectiveness and oversight;
access to telecommunications data under the Telecommunications Act 1997;
a comparison to relevant international regimes; and
Committee inquiries and legislative history
1.9
The Committee has a long history with the debate and legislation in relation to the mandatory data retention regime. The Committee has released two major reports on the topic. Details of these reports and their recommendations are set out below.
Report of the Inquiry into Potential Reforms of Australia’s National Security Legislation
1.10
In May 2012 the then Attorney-General the Hon. Nicola Roxon MP asked the Parliamentary Joint Committee on Intelligence and Security (the Committee) to inquire into a number of potential reforms to Australia’s national security legislation. Subsequent to this request, the Committee was provided with a discussion paper outlining the reforms the Australian Government was considering, as well as some on which the government sought the views of the Committee.
1.11
A mandatory data retention regime was one of the matters that the Government sought the Committee’s views on.
1.12
The Committee’s report reflected that, at the time, there was diversity of views within the Committee as to whether there should be a mandatory data retention regime. The Committee recommended that, should the Government decide that such a regime was necessary that
Any draft legislation should include the following features:
any mandatory data retention regime should apply only to meta-data and exclude content;
the controls on access to communications data remain the same as under the current regime;
internet browsing data should be explicitly excluded;
where information includes content that cannot be separated from data, the information should be treated as content and therefore a warrant would be required for lawful access;
the data should be stored securely by making encryption mandatory;
save for existing provisions enabling agencies to retain data for a longer period of time, data retained under a new regime should be for no more than two years;
the costs incurred by providers should be reimbursed by the Government;
a robust, mandatory data breach notification scheme;
an independent audit function be established within an appropriate agency to ensure that communications content is not stored by telecommunications service providers; and
oversight of agencies’ access to telecommunications data by the ombudsmen and the Inspector-General of Intelligence and Security.
Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014
1.13
On 21 November 2014, the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 was referred to the Committee by the then Attorney-General, Senator the Hon George Brandis, QC. The Committee undertook a thorough review of the legislative environment that the Bill would operate in, in response to the substantial public concern raised about the potential for the erosion of democratic freedoms, such as freedom of political communication.
1.14
In its report on the Bill, the Committee concluded that a mandatory data regime was justified as a ‘necessary, effective and proportionate response’, but concluded that:
While it is imperative to equip security and law enforcement agencies with the capability to conduct investigations, these powers must be contained by appropriate authorisations and balanced by oversight and safeguards. In considering each provision of the Bill, the Committee has sought to confirm that adequate safeguards and oversight mechanisms are in place. The Committee considers that the recommendations made in this report serve to strengthen the functioning and integrity of the proposed data retention regime.
1.15
To ensure that these safeguards and mechanisms were in place, the Committee made 43 detailed recommendations, which included the recommendations of the previous Report of the Inquiry into Potential Reforms of Australia’s National Security Legislation that related to the data retention scheme.
1.16
On 3 March 2015, the Government released its response to the Committee’s Advisory Report. It stated that the Government would support all of the recommendations made in the Committee’s unanimous, bipartisan report.
1.17
One of the recommendations made by the Advisory Report was that the Attorney-General’s Department review whether:
the agencies which may access the content of communications (either by way of interception warrants or stored communications warrants) under the Telecommunications (Interception and Access) Act 1979 should be standardised, and
the Attorney-General’s declaration power contained in proposed section 110A of the Telecommunications (Interception and Access) Act 1979 in respect of criminal law-enforcement agencies should be adjusted accordingly.
1.18
The Government tabled the Attorney-General’s Department’s review on 13 April 2017, entitled Review of Whether There Should be Exceptions to the Prohibition on Civil Litigant Access to Retained Telecommunications Data. The review concluded that:
1. Although there is a history of telecommunications data being obtained to support a modest number of civil cases, the review has received insufficient evidence to sustain a recommendation that regulations be made to allow civil litigants to access data retained solely for the purpose of the data retention scheme.
2. The prohibition preserves civil litigants’ access to data that is not retained for the purpose of the data retention scheme while restricting access to data accumulated and used solely for the purpose of the scheme.
3. Should evidence reveal a need for exceptions in the future, regulations could be considered at that time. This would be subject to consultation and involve consideration of privacy issues and the impact on telecommunications providers.
4. It would be open to the Parliamentary Joint Committee on Intelligence and Security to examine the prohibition and regulation making power in 2019 when it undertakes its prescribed statutory review of the data retention scheme.
1.19
The PJCIS has undertaken the anticipated review into these matters in this inquiry and associated report.
The provisions under review – Part 5-1A of the Telecommunications (Interception and Access) Act 1979
1.20
Part 5-1A of TIA Act was inserted in order to enact new obligations on telecommunications and internet service providers to retain prescribed metadata for a period of two years for the purposes of access by national security authorities, criminal law enforcement agencies and enforcement agencies. It also requires service providers to encrypt the retained metadata, subject to certain exemptions, and outlines which enforcement agencies have access to the information and documents available under the scheme.
1.21
Part 5-1A of the Telecommunications (Interception and Access) Act 1979 is set out in full in Appendix C to this report.
1.22
The Committee notes that, for completeness, Division 2—Data retention implementation plans is set out below. However the Committee did not consider this Division as part of its inquiry as the plans ceased to be in force 18 months after Division 1 on the Bill commenced. The Bill commence on 13 April 2015.
1.23
The Committee notes the following conclusions from the Australian national Audit Office’s Administration of the Data Retention Industry Grants Program report:
The design of the Data Retention Industry Grants Program by the Attorney-General’s Department was not fully effective. While funding was provided to each eligible provider that applied, in aggregate the department has funded 79 per cent of provider costs, substantially above the 50 per cent level identified as reasonable when the decision was taken to establish the program, with some providers having all their costs paid for by the government.
A single round grants program was established to give effect to the decision that the Australian Government pay a reasonable portion of the telecommunications industry’s costs of implementing the legislated mandatory data retention scheme. The design of the program exposed the Australian Government to the risk that it would make a more generous contribution than the 50 per cent of total industry costs the government had considered reasonable. This risk was realised:
the amount of funding awarded represented 65 per cent of the aggregate of providers’ cost estimates included in their applications for grant funding (involving increased grant funding of $28 million compared with funding 50 per cent of estimated industry costs); and
the proportion of costs being met by the Australian Government increased to 79 per cent compared with that expected when funding was awarded as a result of actual costs reported by providers being, in aggregate, $39.9 million less than had been estimated by providers when they applied for funding. This included 26 providers where the Australian Government fully funded the data retention implementation costs reported by those providers (involving $23.0 million in funding) notwithstanding that the program guidelines had stated that the Australian Government would not fully fund any provider. On average, the Australian Government contributed 82 per cent towards each provider’s reported actual costs.
Implementation of the program was not to an appropriate standard having regard to the risks involved and the policy outcomes being sought. In particular:
conflicts of interest were not well managed;
there were significant errors and delays in the development and signing of grant agreements; and
the grant reporting arrangements, and their administration, provide a low level of assurance.
Division 1—Obligation to keep information and documents
1.24
Section 187A requires a service provider to keep, or cause to be kept, information of a kind (or documents containing information of that kind) specified ‘in or under’ section 187AA. Paragraph 187A(3) provides that the metadata retention obligations will apply to a service if it is a service for carrying communications, provided that:
it is operated by a carrier or internet service provider and
the person operating the service owns or operates, in Australia, infrastructure that enables the provision of any of its relevant services.
1.25
Paragraph 187A(3)(b)(iii) provides that the metadata retention obligations also apply to any service for which a declaration made by the Minister under proposed section 187A(3A).
1.26
Section 187AA outlines what kinds of information a service provider must keep under the regime, which includes:
the subscriber, account, service and device information relating to the relevant service;
the source of the communication;
the destination of a communication;
the date, time and duration of a communication, or of its connection to a relevant service;
the type of a communication or of a relevant service used in connection with a communication; and
the location of equipment, or a line, used in connection with a communication.
1.27
Subsection 187AA(2) provides the Minister with the power to modify the data set. However, this power is subject to a number of limitations set out in proposed subsections 187AA(3) to (5).
1.28
Subsection 187B excludes entities such as governments, universities and corporation from the requirement to retain metadata on their own internal networks, and also ensures that small businesses are not required to retain metadata. Subsection 187B(2) provides that the Communication Access Co-ordinator (CAC) may declare that subsection 187A(1) applies to a service that would otherwise be excluded, thereby applying metadata retention obligations to that service. Such a declaration must abide by the requirements in subsections 187B(3)(ba) to (bb) and subsections 187B(6) to (7).
1.29
Section 187BA requires service providers to ensure the confidentiality of metadata they collect and retain by encrypting it and protecting the information from unauthorised interference or unauthorised access.
1.30
Lastly, section 187C provides when the types of metadata set out in the data set must start being collected, and how long they must subsequently be retained—that is, for two years after the information or document came into existence. Section 187C(3) clarifies that this requirement does not prevent a service provider from keeping metadata for a period longer than the designated two years if they choose to do so.
Division 2—Data retention implementation plans
1.31
This division governs the implementation of data retention plans. Data retention plans allow the telecommunications industry to design a pathway to full compliance with their telecommunications data retention obligations within 18 months of the commencement of those obligations, while also allowing for interim measures that result in improved data retention practices.
1.32
Section 187D outlines the effect of data retention implementation plans, while section 187E provides that a service provider may apply to the CAC for approval of a data retention implementation plan for one or more of the services they operate. Section 187L ensures the confidentiality of such applications.
1.33
Section 187F provides the factors that the CAC must take into account before making a decision to approve the plan or request that the plan be amended (following the consultation process with relevant enforcement agencies, security authorities and, if required, the ACMA). While undertaking this process, the CAC must consult with agencies and the ACMA, as outlined under section 187G, which may lead to a request for the original plan to be amended (see 187G(2) to (6) for the amendment approval or refusal process, as well as section 187J for provisions relating to amending a plan that is already in force).
1.34
Section 187H provides that a data implementation plan for a relevant service comes into effect when the CAC notifies the service provider of the approval of its plan.
Division 3—Exemptions
1.35
Section 187K of the TIA Act provides that the CAC may exempt a service provider from any or all aspects of their data retention obligations. Under current administrative arrangements, the Office of the Communications Access Coordinator sits in the Department of Home Affairs.
1.36
Such a request and a decision must be made in writing. The CAC may decide to allow an exemption after taking into account:
the interests of law enforcement and national security’
the objects of the Telecommunications Act 1997;
the service provider’s history of compliance;
the service provider’s costs, or anticipated costs of compliance; and
any alternative data retention or information security arrangements that the service provider has identified.
1.37
A service provider may also apply in writing to the Australian Communications and Media Authority (AMCA) for a review of a decision under subsection 187K(1). The matters that must be taken into account by the ACMA are outlined under subsection 187KA(4), and align with the factors that must be taken into account by the CAC (as listed above), as well as any other matters that the ACMA considers to be relevant.
Division 4—Miscellaneous
1.38
This final division outlines other matters that impact the functioning of the regime, including:
subsection 187KB allowing for the Commonwealth to make a grant of financial assistance to service providers;
subsection 187L providing for confidentially of applications made by service providers, whether to the CAC or to the ACMA;
subsection 187LA outlines the application of the Privacy Act 1988 in relation to a service provider, allowing a service provider to operate as an organisation within the remit of the Privacy Act 1988 to the extent that the activities of the service provider relate to retained data;
subsection 187M establishes that section 187A(1) (the obligation of service providers to keep information and documents) and paragraph 187D(a) (the service provider must comply with a data retention implementation plan) are civil penalty provisions; and
subsection 187P requires the Minister to provide a written report on the functioning of Part 5-1A of the Telecommunications (Interception and Access) Act 1979 ‘as soon as practicable after each 30 June on the operation of the Part during the year ending on that 30 June.’
1.39
Subsection 187N provides for the review of Part 5-1A of the Telecommunications (Interception and Access) Act 1979 and the amendments made by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 by the Parliamentary Joint Committee on Intelligence and Security.
1.40
The review of the Telecommunications (Interception and Access) Act 1979 is being undertaken in this report, and the Committee’s review of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 is being undertaken as a separate inquiry.
Other relevant provisions
Division 4A - primary and secondary disclosures of information and/or documents covered by the scheme for the purposes of enforcing foreign or international laws.
1.41
Division 4A outlines authorisation provisions for primary and secondary disclosures of information and/or documents covered by the scheme for the purposes of enforcing foreign or international laws.
Subdivision A: Primary disclosures
1.42
Section 180A outlines access to existing information or documents for the purpose of the enforcement of the criminal law of a foreign country. Under these provisions, the Australian Federal Police may authorise the disclosure of specified information or specified documents that came into existence before the time the person from whom the disclosure is sought receives notification of the authorisation, as long as the authorised officer is satisfied that the disclosure is reasonably necessary for the enforcement of the criminal law of a foreign country.
1.43
Subsequent to this, an authorised officer of the Australian Federal Police may authorise the disclosure of the information or documents so disclosed to a foreign law enforcement agency, provided that the authorised officer is satisfied that the disclosure is reasonably necessary for the enforcement of the criminal law of a foreign country and the disclosure is appropriate in all the circumstances.
1.44
Section 180B applies to authorisations for access to prospective information or documents for the purpose of enforcement of the criminal law of a foreign country. As with section 180A, an authorised officer of the Australian Federal Police may authorise the disclosure of specified information and/or specified documents that come into existence during the period for which the authorisation is in force.
1.45
However, the authorised officer must not make the authorisation unless: the Attorney‑General has authorised the making of the authorisation under the Mutual Assistance in Criminal Matters Act 1987; the authorised officer is satisfied that the disclosure is reasonably necessary for the investigation of a serious offence against the law of a foreign country and the authorised officer is satisfied that the disclosure is appropriate in all the circumstances.
1.46
Section 180B(5) outlines the length of time that an authorisation is in force (21 days, unless revoked earlier) and Section 180(6) and (7) outline the circumstances under which an extension of prospective authorisation is permitted.
1.47
Finally, section 180B(8) provides that an authorised officer of the Australian Federal Police may authorise the disclosure of the information or documents so disclosed to a foreign law enforcement agency if the authorised officer is satisfied that the disclosure is reasonably necessary for the enforcement of the criminal law of a foreign country and the disclosure is appropriate in all the circumstances.
Subdivision B: Secondary disclosures
1.48
Section 180C(1) outlines that, if specified information or specified documents are disclosed because of an authorisation given under Division 4, other than because of an authorisation under section 178A (missing persons), an authorised officer of the Australian Federal Police may authorise the disclosure of the information or documents so disclosed to a foreign law enforcement agency. However, the authorised officer must be satisfied that the disclosure is reasonably necessary for the enforcement of the criminal law of a foreign country and the disclosure is appropriate in all the circumstances.
1.49
Section 180D outlines the conditions under which an authorised officer of the Australian Federal Police may authorise the disclosure of the information or documents to the organisation or an enforcement agency and the use of the information or documents by the Australian Federal Police.
1.50
The authorised officer must not make the authorisation unless he or she is satisfied that, in the case of a disclosure to an organisation, the disclosure is reasonably necessary for the performance by an organisation of its functions. In the case of a disclosure to an enforcement agency, the disclosure must be reasonably necessary for the enforcement of the criminal law, the enforcement of a law imposing a pecuniary penalty or the protection of public revenue. In the case of use by the Australian Federal Police, the use must be reasonably necessary for the enforcement of the criminal law, the enforcement of a law imposing a pecuniary penalty or the protection of public revenue.
Subdivision C: Conditions of disclosure to a foreign country
1.51
Section 180E(1) stipulates that a person must not disclose information or a document in accordance with an authorisation under section 180A, 180B or 180C to a foreign country unless the information will only be used for the purposes for which the foreign country requested the information, any document or other thing containing the information will be destroyed when it is no longer required for those purposes, and, in the case of information or a document disclosed under section 180B, any other condition determined, in writing, by the Attorney‑General.
Section 180F - privacy
1.52
Section 180F of the TIA Act addresses concerns around the proportionality of the scheme by providing that the authorised officer must be satisfied on reasonable grounds that the authorisation is a necessary interference with the privacy of the person or persons. The authorised officer must consider the likely relevance and usefulness of the information or documents, as well as the reason why the disclosure or use concerned is proposed to be authorised.
Journalist Information Warrants
1.53
As Journalist Information Warrants may be practicably executed via the provisions in the TIA Act, the relevant provisions that allow for the warrants’ existence are outlined below.
1.54
Division 4C of Part 4-1 of the Telecommunications Act permits an enforcement agency to access telecommunications data under a Journalist Information Warrant. This kind of warrant enables an enforcement agency to make an authorisation for the use or disclosure of telecommunications data relating to the communications of a person working in a professional capacity as a journalist, or the employer of such a person, where the purpose of the authorisation would be to identify another person known or reasonably believed to be a source (sections 180H and 180T).
1.55
The warrant may specify conditions or restrictions related to the making of authorisations under the warrant. Such a warrant may be in place for up to 90 days (section 190U(3)) .The issue of a warrant generates an obligation on the enforcement agency to notify the respective oversight body (Part 4-2, subsections 185D(5)–(8)). A journalist in relation to whom such a warrant has been issued is not notified of the existence of the warrant.
Access provisions
1.56
In addition to the provisions in Part 5-1A of the TIA Act, there are other provisions within the Act that impact the functioning of the scheme. Additionally, provisions under the Telecommunications Act 1997 impact the functioning of the data retention scheme, and are discussed below.
Access provisions under the Telecommunications (Interception and Access) Act 1979
1.57
The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 made changes to the range of agencies which could access metadata. Initially there were over 80 agencies (many not concerned with matters of national security or law enforcement) that could access this information. However, following the amendment of the Act, those agencies beyond criminal law enforcement agencies must now be declared an ‘enforcement’ agency by the Minister in order to access metadata via the TIA Act’s provisions.
1.58
Section 110A of the TIA Act sets out that each of the following are criminal law enforcement agencies (CLEA):
(a) the Australian Federal Police;
(b) a Police Force of a State;
(c) the Australian Commission for Law Enforcement Integrity;
(e) subject to subsection (1A), the Immigration and Border Protection Department;
(ea) the Australian Securities and Investments Commission;
(eb) the Australian Competition and Consumer Commission;
(f) the Crime Commission;
(g) the Independent Commission Against Corruption;
(h) the Law Enforcement Conduct Commission;
(j) the Crime and Corruption Commission;
(k) the Corruption and Crime Commission;
(l) the Independent Commissioner Against Corruption; and
(m) subject to subsection (7), an authority or body for which a declaration under subsection (3) is in force (that is, declared an enforcement agency by the Minister, as above).
1.59
Subsection 1A provides that paragraph (1)(e) applies to the Immigration and Border Protection Department only in connection with the investigation by that Department of a contravention of:
(a) the Customs Act 1901; or
(b) the Crimes Act 1914; or
(c) the Criminal Code; or
(d) the Environment Protection and Biodiversity Conservation Act 1999; or
(e) Part 6 of the Australian Border Force Act 2015; or
(f) an Act prescribed in a legislative instrument made by the Minister for the purposes of this paragraph; or
(g) a provision of an Act, being a provision prescribed in a legislative instrument made by the Minister for the purposes of this paragraph.
1.60
The head of an authority or body may request the Minister to declare the authority or body to be a criminal law-enforcement agency under subsection 110A(2), and the Minister may subsequently make such a declaration under subsection 110A(3).
1.61
Subsections 3A) and 3B further outline the considerations that the Minister must undertake when responding to a request for an agency to be declared a CLEA for the purposes of the Act, while subsection (4A) outlines the limitations and privacy protections that are placed on such a declaration.
1.62
Sections 175 and 176 set out that, for ASIO, both historical and prospective authorisations may only be made where the person making the authorisation is ‘satisfied that the disclosure would be in connection with the performance by the Organisation of its functions’.
1.63
Section 17 of the Australian Security and Intelligence Organisation Act 1979 set out that the functions of ASIO are:
(a) to obtain, correlate and evaluate intelligence relevant to security;
(b) for purposes relevant to security, to communicate any such intelligence to such persons, and in such manner, as are appropriate to those purposes;
(c) to advise Ministers and authorities of the Commonwealth in respect of matters relating to security, in so far as those matters are relevant to their functions and responsibilities.
(ca) to furnish security assessments to a State or an authority of a State in accordance with paragraph 40(1)(b);
(d) to advise Ministers, authorities of the Commonwealth and such other persons as the Minister, by notice in writing given to the Director‑General, determines on matters relating to protective security; and
(e) to obtain within Australia foreign intelligence pursuant to section 27A or 27B of this Act or section 11A, 11B or 11C of the Telecommunications (Interception and Access) Act 1979, and to communicate any such intelligence in accordance with this Act or the Telecommunications (Interception and Access) Act 1979; and
(f) to co‑operate with and assist bodies referred to in section 19A in accordance with that section.
1.64
Sections 177 to 180 of the TIA Act further outline other circumstances whereby sections 276, 277 and 278 of the Telecommunications Act 1997 (see below) do not prevent a disclosure of information by a holder of information or a document. These sections allow for authorisations to be made regarding:
the voluntary disclosure of information or a document if the disclosure is reasonably necessary for the enforcement of the criminal law or the enforcement of a law imposing a pecuniary penalty or for the protection of the public revenue (section 177);
the disclosure of existing information or a document for the purpose of enforcing criminal law (section 178) or for the enforcement of a law imposing a pecuniary penalty or for the protection of the public revenue (section 179);
the disclosure of information or a document that is reasonably necessary for the purposes of finding a person who the Australian Federal Police, or a police force of a state, has been notified is missing (section 178A); and
prospective access to information or documents, subject to the limitations listed, namely that:
the authorised officer must not make the authorisation unless he or she is satisfied that the disclosure is reasonably necessary for the investigation of:
(a) a serious offence; or
(b) an offence against a law of the Commonwealth, a State or a Territory that is punishable by imprisonment for at least 3 years.
Access provisions under the Telecommunications Act 1997
1.65
In addition to the provisions of the metadata regime, as described above, agencies can access retained telecommunications data, outside the TIA Act framework, via the Telecommunications Act 1997.
1.66
Sections 276, 277 and 278 outline primary disclosure and use offences, whereby the disclosure of unauthorised content potentially lead to a conviction by imprisonment for a term not exceeding two years.
1.67
Section 276 outlines that any information or documents that include the contents or substance of a communication or the affairs or personal particulars of another person cannot be disclosed by eligible persons, such as a carriage service provider or telecommunications contractor.
1.68
Section 277 specifies that eligible number-database person (as defined under section 272) may not disclose any information or documents that relate to carriage services supplied, or intended to be supplied, to another person and the affairs or personal particulars of another person.
1.69
Section 278 prohibits emergency call person from disclosing or using any information or document that includes the contents or substance of a communication or the affairs or personal particulars of another person.
1.70
Section 279 provides exceptions to primary disclose and use offences, meaning that employees of carriers, carriage service providers and telecommunications contractors, if disclosing information as part of their duty as an employee, are able to disclose information required by sections 276, 277 and 278.
1.71
Section 280 of the Telecommunications Act 1997 provides that disclosure of information or a document is not prohibited:
(a) in a case where the disclosure or use is in connection with the operation of an enforcement agency—the disclosure or use is required or authorised under a warrant; or
(b) in any other case—the disclosure or use is required or authorised by or under law.
1.72
Additionally, section 313(3) of the Telecommunications Act 1997 provides that a carrier or carriage service provider must give officers and authorities of the Commonwealth and of the States and Territories such help as is reasonably necessary for the following purposes:
enforcing the criminal law and laws imposing pecuniary penalties;
assisting the enforcement of the criminal laws in force in a foreign country;
assisting the investigation and prosecution of:
crimes within the jurisdiction of the ICC (within the meaning of the International Criminal Court Act 2002); and
Tribunal offences (within the meaning of the International War Crimes Tribunals Act 1995);
protecting the public revenue; and
safeguarding national security.
Access for telecommunications data under warrant
1.73
A number of submitters to the Committee’s review have proposed the introduction of a requirement to obtain a warrant from a judicial officer or a member of Administrative Appeals Tribunal before accessing telecommunications data.
1.74
The TIA Act does provide for enforcement agencies to access telecommunications data via stored communications warrants (see Part 3-3). These can only be issued if it is reasonably necessary for investigating a serious offence (as defined in section 5D of the TIA Act).
1.75
While these are important provisions, they are outside of the scope of this Committee’s review of the mandatory data retention regime (that is, Part 5-1A of TIA Act). However, where relevant, this report does consider in-principle discussions about whether warrants should be considered as part of an amendment to Part 5-1A of the TIA Act.