5. Committee comment

5.1
After reviewing the evidence, the Committee has no major concerns over ASIO’s access to data under the MDRR. For that reason, most of the Committee’s comments will concern access to data under the MDRR by law enforcement agencies.
5.2
As most people who have their metadata accessed will have little knowledge that this has been done, the impacts on privacy, whether real or perceived by an individual, are difficult to assess.
5.3
The Committee notes the technical difference between the mandatory data retention regime prescribed by Part 5-1A of the TIA Act allowing access to metadata and access to telecommunications data as provided for in sections 280 and 313(3) of the Telecommunications Act. In practice, telecommunications data kept under the mandatory data retention regime can, after the two-year retention period has expired and as long as it is still being kept, be accessed by a wide range of agencies under sections 280 and 313(3) of the Telecommunications Act.

Effectiveness of the regime

5.4
It is clear that the MDRR provides substantial assistance to law enforcement and intelligence services in their investigations. This must be balanced against criticism that the regime is costly, can be intrusive and lacks transparency. In addition there have been some targeted suggestions from law enforcement and oversight bodies as to how the regime could be made better.
5.5
The Committee’s view is that the regime is effective but that there are a number of amendments that can be made to address the concerns of civil society and law enforcement.

Dataset and data cost

5.6
One of the key safeguards built into the MDRR was the prohibition on disclosure of, or indeed, the storing of the ‘contents’ or ‘substance’ of telecommunications data.
5.7
The keeping of location data is a matter that is of some interest to the Committee. As pointed out by some submitters, in any other context ‘tracking’ the location of an individual would be subject to a warrant. In addition, concerns raised around the COVID Safe app location data show that location data is considered by the general public to be important and private.
5.8
Balanced against this is the obvious benefit to law enforcement in being able to access location data. It is of the highest importance when looking for missing persons and, apart from placing a suspect at the ‘scene of the crime’, can also be used to exculpate a potential suspect from an investigation.
5.9
On balance the Committee was not persuaded to recommend that location data be removed from the dataset under the regime at this time.
5.10
There was strong evidence to the Committee from law enforcement that data does not come to them in a standardised format and that there is a price disparity in the charges made by different carriers for the provision of data.
5.11
Noting these concerns from law enforcement, the Committee recommends that the Australian Government work to establish guidance to ensure that the data provided under the MDRR is delivered in a clear, consistent and secure manner.

Recommendation 1

5.12
Within 18 months from the date of the Committee’s report, the Committee recommends that the Department of Home Affairs prepare national guidelines on the operation of the mandatory data retention scheme by enforcement agencies. In general terms, the purpose of the national guidelines would be to ensure greater clarity, consistency and security in respect of requests for – and the collection and management of – telecommunications data by enforcement agencies across Australia.
To that end, the national guidelines must be:
consistent with the requirements of the Telecommunications (Interception and Access) Act 1979 and other relevant Commonwealth legislation (as amended in accordance with the other recommendations made by the Committee in this report); and
adopted and followed by each enforcement agency.
In developing the national guidelines, the Department of Home Affairs should meet and consult with (at a minimum):
the Privacy Commissioner;
the Commonwealth Ombudsman;
each criminal law-enforcement agency;
industry representatives;
the Law Council of Australia; and
the Department of Infrastructure, Transport, Regional Development and Communications.
The national guidelines should be made public (except to the extent they contain classified information, if any).
5.13
At the time the Bill creating the MDRR was first introduced, concerns were raised about the difficulty in distinguishing between content and telecommunications data (‘metadata’).
5.14
Concerns have again been raised that:
The distinction in the legislation is not clearly specified
Some non-content data can actually provide quite detailed information about an individual, their habits, practices and associates
The proliferation of new technologies that may collect this kind of data
Some service providers retain more information than is required (eg, content data) and this may be accessible.
5.15
Multiple submitters recommended that the terms ‘content’ and ‘substance’ be clearly defined, including the Law Council, the Ombudsman and the OAIC.
5.16
The OAIC, for example, submitted that clarifying these terms would create greater certainty and enhance privacy protections by reducing the potential for more personal information to be collected than is necessary.

Recommendation 2

5.17
The Committee recommends that the Telecommunications (Interception and Access) Act 1979 be amended to clearly define the term “content or substance of a communication” for the purpose of providing greater certainty and enhancing privacy protections.
The Department of Home Affairs should, at a minimum, meet and consult with the following in seeking to develop this definition:
the Communications Alliance and other industry representatives;
the Commonwealth Ombudsman;
the Inspector-General of Intelligence and Security;
the Law Council of Australia; and
the Privacy Commissioner.
Moreover, in defining the term “content or substance of a communication”, Home Affairs should specifically consider whether some information that is currently treated as telecommunications data should now be regarded as content given what that information can reveal about an individual.
5.18
The Committee heard of examples where providers handed over IP addresses and URLs to authorities in response to requests for telecommunications data. There is currently no provision in the legislation outlining actions to be taken by agencies when such data breaches occur.
5.19
While the Committee does not hold specific concerns, for reasons of transparency, where IP addresses and URLs are provided to law enforcement agencies or ASIO, the Committee recommends that the agency destroy this data, if possible, and report its receipt and destruction to either the IGIS or Ombudsman, as appropriate.

Recommendation 3

5.20
The Committee recommends that the Telecommunications (Interception and Access) Act 1979 be amended so that, if a provider discloses any of the information referred to in section 187A(4) of the Telecommunications (Interception and Access) Act to ASIO or a criminal law-enforcement agency, ASIO or the enforcement agency (as applicable) must:
not use the information;
immediately quarantine the information;
notify the Commonwealth Ombudsman or the IGIS (as applicable) of the disclosure; and
following consultation with the Ombudsman or the IGIS (as applicable), destroy the information.

Retention period

5.21
An issue for consideration with any metadata retention regime is the retention period.
5.22
Whilst it is clear that intelligence services, law enforcement and some civil society groups would like to have the retention period extended, the Committee agrees with the Department of Home Affairs, which pointed out that, on balance, the retention period should not be changed.
5.23
The Committee therefore recommends that the data retention period be kept at two years.

Recommendation 4

5.24
The Committee recommends that the data retention period be kept at two years.
5.25
Issues around the Internet of Things (IoT) were not considered by the Committee in its 2015 report; this is an issue that has emerged as a result of advancements in technology.
5.26
The Communications Alliance raised concerns about communication types that underlie the Internet of Things:
The definition of the relevant services and communications to which Part 5-1A applies is very wide and would, in our view, include communication types that underlie the Internet of Things, i.e. communications between machines, sensors and connected ‘things’, without the direct involvement of a person. This does not appear meaningful but would, if pursued for implementation, cause exorbitant costs to C/CSPs and imply an explosion in the amount of data that would be required to be retained.
The legislation ought to put beyond doubt that such communications are excluded from the DR Regime.1
5.27
Other submitters also raised concerns about these being included, and suggested considering industry-wide exemptions for certain IoT technologies or use-cases. Generally, there appears to be some confusion as to whether this type of data is captured by the regime.
5.28
The Committee notes that there has been no case put forward by the Government and considered by the Parliament for requiring information generated by Internet of Things devices to be retained. The Committee therefore recommends that such information be excluded from the data retention scheme.

Recommendation 5

5.29
The Committee recommends that section 187A of the Telecommunications (Interception and Access) Act 1979 be amended to clarify that service providers are not required to store information generated by Internet of Things devices.
5.30
If the Government considers that there are clear benefits in requiring service providers to keep information for particular Internet of Things devices, and that those benefits outweigh the costs, the Telecommunications (Interception and Access) Act 1979 could be further amended to impose clear and specific requirements on providers to retain that information.

Warrants and authorisations

5.31
Evidence from civil society put forward a case for the granting of a warrant in order to access the MDRR. As one example, the Australian Human Rights Commission recommended that
a warrant or authorisation system by a court or administrative body be implemented for access to retained communications data.2
5.32
Set against that argument is one advanced by various law enforcement agencies as to the administrative burden that would occur if a warrant system is put in place.
5.33
The Committee notes the tension between the rights of Australian citizens to their privacy and the pressures facing law enforcement when investigating crime. The Committee is not satisfied that a warrant should be required for data held as part of the MDRR. However, the Committee considers that access should require a higher level of authorisation within each agency as well as more detailed reporting in relation to how, when and for what reason that access is granted.
5.34
The Committee did receive a great deal of evidence, including written guidelines, some confidential, around the processes for authorisations. In addition to this, the Committee received a large volume of data on the number of authorisations and the broad category offences investigated using access to metadata.
5.35
The evidence to the Committee shows that law enforcement access metadata on a regular basis. Authorised officers receive varying degrees of training and agencies accessing data under the MDRR are subject to oversight. Data collected for the regime is kept inconsistently and only as strictly required by law and not with a view to wider oversight requirements. This is not the fault of the Criminal Law Enforcement Agencies (CLEAs); it is a situation that flows from the way the MDRR has been legislated.
5.36
It is the Committee’s view that there is a need for more information to be collated about the current functioning of the mandatory data retention regime. This would assist all relevant oversight and review bodies in undertaking their work as well as affording a higher degree of transparency, which the Committee believes will give the Parliament and the Australian community greater trust in the use of these powers.

Annual reporting

5.37
The Committee therefore recommends that the Australian Government amend annual reporting requirements for those agencies with access to the MDRR to include additional reporting requirements.

Recommendation 6

5.38
The Committee recommends that the Telecommunications (Interception and Access) Act 1979 be amended to include the following additional reporting requirements:
the number of authorised officers in each enforcement agency and ASIO;
the number of authorisations made by each authorised officer;
the number of individuals that the authorisations by each enforcement agency and ASIO related to; and
in respect of authorisations in relation to criminal investigations, the specific offence – or offences – that the authorisations related to.

Record-keeping

5.39
The oversight function of the PJCIS was made difficult during this inquiry due to the absence of consolidated data about the operation of the MDRR. There was no accurate information available on the number of authorisations made for particular types of offences nor any ability to scrutinise the reason why an individual’s information was accessed. In some cases, the reason would be obvious and very brief factual detail would suffice (eg: a murder investigation, individual is a suspect or close associate etc). In other cases, the relevance or appropriateness of accessing an individual’s telecommunications data may be less obvious and a brief record of the reasons would be of great assistance.
5.40
Oversight functions (including by the Ombudsman and this Committee) would be significantly enhanced through the ability of the Department of Home Affairs to generate a report of important information, set out by agreed guidelines, from each agency having access to the MDRR. This could be achieved by each agency adhering to an agreed format and method of recording prescribed information, which could be provided to Home Affairs, an oversight agency or a parliamentary committee on request for aggregation into a report. If it were deemed to be more cost effective, a national database created and managed by Home Affairs could also be an option, albeit this would require consideration regarding privacy, security and rules for access. Ideally, data entered as part of the request for authorisation could be recorded in the agreed fields to reduce duplication of effort.

Recommendation 7

5.41
The Committee recommends that, in consultation with other stakeholders (agencies with access to the Mandatory Data Retention Regime, the Inspector General of Intelligence and Security, the Commonwealth Ombudsman and the Commonwealth Privacy Commissioner), the Department of Home Affairs should within 18 months of this report develop guidelines for data collection to be applied across the Mandatory Data Retention Regime and the most cost effective way to achieve the intended outcome of facilitating better oversight, including an ability for enforcement agencies and Home Affairs to produce reports to oversight agencies or Parliament when requested.
As a minimum, any such report should include the following information (in respect of each occasion on which the powers in Chapter 4 of the Telecommunications (Interception and Access) Act 1979 were used):
the section of the Telecommunications (Interception and Access) Act 1979 used to access the data;
the case number associated with the authorisation;
the specific offence – or offences – that the investigation related to;
if the authorisation related to a missing person case, the name of the missing person;
brief reasons why the authorised officer was satisfied that the disclosure was reasonably necessary;
where the data related to a person who did not have an obvious relationship to a suspect in an investigation, brief reasons why the authorised officer was satisfied that any interference with the privacy of the person that may have resulted from the disclosure or use of the telecommunications data was justifiable and proportionate;
the name(s) of the officers involved in the case;
the name and appointment of the authorising officer;
if the agency became aware that the carrier disclosed any of the information referred to in section 187A(4) and action taken.
Where practicable, the report should also include:
whether or not the data was used to rule someone out from an investigation;
whether or not the person whose data was accessed was eventually charged, prosecuted and/or convicted of a crime;
whether or not the data accessed eventually led to the charge, prosecution and/or conviction of another person for a crime; and
the cost of the disclosure.
For the Australian Security Intelligence Organisation, the additional record-keeping requirements should include:
the nature of the national security risk that led to the authorisation being given; and
brief reasons why the authorised officer is satisfied that any interference with the privacy of the person that may result from the disclosure or use of the telecommunications data is justifiable and proportionate.
5.42
In addition to the record keeping required of agencies that access data held under the MDRR, the Committee also sees a need for telecommunication service providers to keep detailed records of the kinds of information included in each disclosure of telecommunications data, including the types of telecommunications data that were disclosed.
5.43
This recommendation is designed to address a concern expressed by the OAIC about the record-keeping requirements in the Telecommunications Act and the challenges that it poses for oversight.
5.44
In conjunction with other recommendations made by the Committee, this recommendation would also go some way to addressing the concern about carriers disclosing content – or browsing history / URLs – in response to requests for telecommunications data.
5.45
As the OAIC explains in its submission:
Section 306 of the Telecommunications Act 1997 (Telecommunications Act) sets out a requirement for telecommunications service providers to keep records of disclosures of telecommunications data to enforcement agencies. The information that these records must contain are specified in s 306(5) and include:
the name of the person making the disclosure
the date of the disclosure
the grounds for the disclosure (such as the legislative provision under which the disclosure is authorised)
any applicable authorisation under the Telecommunications (Interception and Access) Act 1979 (TIA Act)
any other bodies involved in the request
the telecommunications service used.
Service providers are not required to keep records of information relating to the kinds of information included in a disclosure, such as the types of telecommunications data that were disclosed.
This means that the OAIC’s inspections under s 309 of the Telecommunications Act do not allow officers to consider whether only necessary personal information is being disclosed by service providers when responding to information requests from enforcement agencies.
Accordingly, the OAIC recommends that the Committee consider an amendment to s 306(5) of the Telecommunications Act that requires service providers to keep records relating to the kinds of information included in disclosures. Such an amendment could, for example, require service providers to itemise the types of telecommunications data set out in s 187AA of the TIA Act that were disclosed.
The OAIC could then oversee the extent to which service providers comply with such a requirement, utilising the monitoring functions conferred by s 309 of the Telecommunications Act.3

Recommendation 8

5.46
The Committee recommends that section 306(5) of the Telecommunications Act 1997 be amended to require telecommunications service providers to keep detailed records of the kinds of information included in each disclosure of telecommunications data, including the types of telecommunications data that were disclosed.

Retention of data by investigators

5.47
The inquiry also brought to the Committee’s attention that there is no requirement under the TIA Act for agencies to retain the telecommunications data they receive from a carrier for a particular period or for the purposes of an inspection. Although s 186A(3) of the TIA Act mandates that agencies keep certain records for a period of three years or until they have reported to the Minister under s 186J, these obligations do not include a requirement to retain the telecommunications data obtained under an authorisation. This leads to the anomaly whereby law enforcement agencies have been noted as having destroyed data and the Ombudsman is unable to check whether the telecommunications data the agency received complied with the parameters set by the relevant authorisation.
5.48
In the case of ASIO the IGIS informed the Committee that there have been no changes to ASIO’s legislation or policies since the introduction of the MDRR that would require data that is not relevant, or no longer relevant to national security, to be destroyed by ASIO. As such, issues around ASIO’s destruction of data have not been addressed. The Committee notes that, at the time of finalising this report, ASIO Guidelines from 2007 were in the process of being updated.
5.49
The Committee’s starting view is that data accessed via the MDRR should be at least kept long enough to allow for the IGIS and the Commonwealth Ombudsman to carry out their inspection activities. However, the Committee notes there may be situations, particularly in relation to long-running intelligence investigations and possibly also in relation to longer-running law enforcement investigations, where data needs to be held for longer.
5.50
In the case of ASIO it is clear, from the IGIS’s evidence, that they do keep data for a period that would assist with long running investigations.
5.51
Evidence from the Ombudsman that law enforcement are destroying data early concerns the Committee. Apart from the obvious oversight issues, the Committee is concerned that data that could be used for investigation by law enforcement is being destroyed early.
5.52
The Committee therefore recommends that the Telecommunications (Interception and Access) Act 1979 be amended so that:
ASIO and enforcement agencies are required to retain telecommunications data long enough to allow the Inspector-General of Intelligence and Security and the Commonwealth Ombudsman (as applicable) to perform their oversight functions; and
ASIO and enforcement agencies are required to delete telecommunications data as soon as practicable after the telecommunications data is no longer needed (e.g. in the case of an enforcement agency, after an investigation has concluded).

Recommendation 9

5.53
The Committee recommends that the Telecommunications (Interception and Access) Act 1979 be amended so that:
ASIO and enforcement agencies are required to retain telecommunications data for a prescribed minimum period to ensure that the Inspector-General of Intelligence and Security and the Commonwealth Ombudsman (as applicable) are able to perform their oversight functions; and
having satisfied the requirements of the Inspector-General of Intelligence and Security or the Commonwealth Ombudsman (as applicable), ASIO and enforcement agencies are required to delete telecommunications data as soon as practicable after the telecommunications data is no longer needed (e.g. in the case of an enforcement agency, after an investigation has concluded).
5.54
The Committee will continue to closely monitor the use of JIWs by law enforcement agencies and ASIO through its ongoing oversight role and other inquiries.
5.55
The Commonwealth Ombudsman raised concerns about the issuing of internal authorisations based on verbal applications. In their view, there may be operational reasons for this but if it is to be permitted it should be clarified in the legislation.
5.56
It is the Committee’s view that verbal authorisations can only ever be justified in emergency situations.

Recommendation 10

5.57
The Committee recommends that the Telecommunications (Interception and Access) Act 1979 be amended so that:
authorised officers may only make verbal authorisations for the disclosure of telecommunications data in emergency situations; and
the record-keeping obligations that apply to written authorisations also apply to verbal authorisations except that:
the written record must be made as soon as practicable after the making of the verbal authorisation; and
for each verbal authorisation, the authorised officer must make a record of the reasons why the authorisation had to be made verbally.
5.58
Evidence received by the Committee shows that thousands of officers across Australia are designated as ‘authorised officers’. This is largely a function of how these designations are made by some agencies (e.g. entire classes of officers – like all Commissioned Officers – being made authorised officers). Some individual officers are making many hundreds of authorisations for historic telecommunications data each year; other individuals are not making any authorisations at all.
5.59
Authorised officers are subject to some degree of training; however, evidence demonstrated that training is not compulsory and there is no consistency across agencies. The Department of Home Affairs told the Committee that ‘[e]ach agency appears to have taken a different approach to training and guidance material for telecommunications data that are issued by the agency, and the existing qualifications and experience of their authorised officers’.
5.60
The Committee regards the numbers of authorised officers being in the thousands as disconcerting and recommends means of reducing those numbers, by having regard to issues such as the seniority and level, and qualification and experience of officers.
5.61
The Committee considers that a national regime which consistently applies requirements for training and the qualifications and experience of authorised officers would provide a higher degree of transparency on the operation of the MDRR across the nation. The Committee considers that, following such a regime being established, the IGIS, Ombudsman and ANAO, as appropriate, could be requested to audit the qualifications, experience and training provided to authorised officers.
5.62
Further to this, and noting that there is no independent issuing authority, the Committee considers that only officers in the relevant command chains or operational oversight/integrity streams should be capable of being designated as authorised officers. The indiscriminate authorisation of entire classes / ranks of officers as ‘authorised officers’ is, in the Committee’s view, inappropriate.
5.63
The head of an enforcement agency should be required to turn his or her mind to certain matters to ensure that only officers in a functional appointment (i.e. one pertaining to the supervision or agency oversight of operations) with appropriate and relevant experience, seniority and training are being authorised to exercise the significant powers in Chapter 4.

Recommendation 11

5.64
The Committee recommends that section 5AB of the Telecommunications (Interception and Access) Act 1979 be amended with a view to reducing the number of officers and officials of criminal law-enforcement agencies who may be designated as “authorised officers” and the circumstances in which those designations may be made. At a minimum:
only officers or officials who hold a supervisory role in the functional command chain should normally be capable of being designated as ‘authorised officers’; although
other individuals who hold specific appointments – rather than entire classes of officers or officials – may be capable of being designated as ‘authorised officers’;
in order to authorise an individual to be an authorised officer, the head of an enforcement agency must be satisfied that it is necessary for the individual to be an ‘authorised officer’ in order for the individual to carry out his or her normal duties; and
prior to the head of an enforcement agency authorising an individual to be an ‘authorised officer’:
the relevant senior officer or official must complete a compulsory training program in relation to Chapter 4 of the Telecommunications (Interception and Access) Act 1979; and
the head of the enforcement agency must be satisfied that the senior officer or official has the requisite experience, knowledge and skills to exercise the powers under Chapter 4 of the Telecommunications (Interception and Access) Act 1979.
5.65
The Committee notes that the Commonwealth Ombudsman explained in his submission:
Section 180(7) of the TIA Act states that an authorisation must be revoked if the authorised officer is satisfied that disclosure of the telecommunications data is no longer required. However, the legislation is silent as to when a revocation takes effect. This is an important consideration as it determines the point in time an authorisation ceases to be in force and, in turn, removes the basis upon which the agency can access the telecommunications data.
If the revocation instrument specifies the date and time it is to take effect, we will take this to be the point in time at which the authorisation is revoked and, therefore, no longer in force. In other instances, our Office has relied upon agencies’ policies and procedural documents to determine the time of effect. In some cases, compliance issues have arisen for agencies as a result of the unavoidable delay between the revocation instrument being signed and the agency notifying the carrier. In these circumstances, we have seen instances where a carrier continues to send telecommunications data to the agency post-revocation on the assumption that the authorisation remains in force. For this reason, some agencies have implemented a practice whereby the revocation instrument will specify that revocation takes effect after the carrier is notified.4
5.66
The Committee does not feel it has received sufficient evidence on this issue to make a prescriptive recommendation in respect of when a revocation should take effect (though the practice of some agencies to specify that a revocation takes effect after a carrier is notified makes sense).
5.67
However, based on the evidence from the Commonwealth Ombudsman, it is clearly important that this matter be clarified.

Recommendation 12

5.68
The Committee recommends that section 180 of the Telecommunications (Interception and Access) Act be amended to specify when a revocation of an authorisation takes effect.

Agencies with access to data

5.69
In considering agencies who should have access to data held under the MDRR the Committee looked to recommendation 21 of its 2015 report in which the Committee stated:
The Committee recommends that enforcement agencies, which are agencies authorised to access telecommunications data under internal authorisation, be specifically listed in the Telecommunications (Interception and Access) Act 1979.
To provide for emergency circumstances the Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended so that the Attorney-General can declare an authority or body as an enforcement agency subject to the following conditions:
the declaration ceases to have effect after 40 sitting days of either House;
an amendment to specify the authority or body as an enforcement agency in legislation should be brought before the Parliament before the expiry of the 40 sitting days; and
the amendment should be referred to the Parliamentary Joint Committee on Intelligence and Security with a minimum of 15 sitting days for review and report.
Further, consistent with the existing provisions of the Bill, the Attorney-General must have regard to the factors listed in proposed paragraphs 176A(4)(b)-(f), and must also be satisfied on reasonable grounds that the functions of the agency include enforcement of the criminal law, administering a law imposing a pecuniary penalty, or administering a law relating to the protection of the public revenue.5
5.70
Subject to the discussions below around further access allowed via section 280 of the Telecommunications Act, the Committee is satisfied with the agencies, as set out in section 110A of the TIA Act, which can request data retained under the MDRR.
5.71
The Committee notes that, currently, the MDRR only requires a Bill including a new CLEA to be referred to the Committee and not that a temporary declaration of a CLEA be referred to the Committee.
5.72
The Committee has had representations from the Corrective Services Administrators’ Council and the ATO as to their suitability for inclusion as a CLEA.
5.73
The Committee notes that the ATO specifically stated that it has not used other powers such as those under section 280 of the Telecommunications Act. In addition, the ATO pointed out that the Ministerial Declaration power would not, due to it only having effect for 40 sitting days, be an entirely appropriate way for the ATO to be granted CLEA status.
5.74
It was not the Committee’s intention or expectation that any agency declared as a CLEA would only be so declared for the 40 sitting days. The Committee’s expectation was that any declaration would be followed by an amending Bill including any declared agency as a CLEA.
5.75
To this end the Committee notes the set of criteria that the Department of Home Affairs has developed to assist the Minister in evaluating requests from agencies. These include:
the need for direct access to telecommunications data, including necessity rather than usefulness;
privacy safeguards implemented by the requesting agency;
the viability of the agency gaining adequate access via a joint operation with a law enforcement agency;
the agency’s ability to comply with the obligations of the TIA Act;
whether the declaration is in the public interest; and
other relevant matters such as consistency across jurisdictions.6
5.76
The Committee finds that these are an appropriate set of issues against which to evaluate requests from agencies to become a CLEA. Should the Minister make a declaration in relation to the ATO, the Corrective Services Administrators’ Council or indeed, any other agency, followed by legislation amending section 110A of the TIA Act, the Committee will consider any such legislation in light of the criteria set out above and the Committee’s own view on necessity, proportionality and transparency.

Thresholds for accessing data

5.77
Under the existing legislative thresholds of the TIA Act an individual officer can, without a warrant, authorise the disclosure of historic telecommunications data if he or she is satisfied that the disclosure is reasonably necessary to find a missing person, or for the enforcement of the criminal law or any law imposing a pecuniary penalty (including, for example, a parking infringement).
5.78
By contrast, the Committee notes that section 180 of the TIA Act limits authorisations for access to prospective information or documents to when the disclosure is reasonably necessary for the investigation of:
a serious offence; or
an offence against a law of the Commonwealth, a State or a Territory that is punishable by imprisonment for at least 3 years.
5.79
In promoting the importance of these powers, and the undesirability of imposing a warrant requirement, agencies emphasised the importance of the data retention regime in aiding the investigation of serious offences.
5.80
It is the Committee’s strong view that law enforcement access to data kept under the MDRR will only be available in the following circumstances:
Voluntary disclosure;
Locating a missing person; or
the investigation of:
a serious offence; or
an offence against a law of the Commonwealth, a State or a Territory that is punishable by imprisonment for at least 3 years.
5.81
The Committee therefore has no concerns about authorisation for access to existing information and documents by voluntary disclosure or disclosure related to missing persons as set out in sections 177 and 178A of the TIA Act.
5.82
Access to existing information and documents granted for ‘enforcement of the criminal law’ (section 178) is drafted broadly and is subject to no limitations.
5.83
The Committee makes the following recommendation in order to tighten and limit access to existing information and documents by law enforcement. The Committee notes that ‘serious offence’ is defined in section 5D of the Telecommunications (Interception and Access) Act 1979. The Committee recommends that section 178 of the TIA Act be limited in the same way and that access for pecuniary penalties or protection of the public revenue under section 179 of the TIA Act be repealed.7

Recommendation 13

5.84
The Committee recommends that section 178 be amended and section 179 be repealed so that an authorised officer cannot make an authorisation for access to existing information or documents unless he or she is satisfied that the disclosure is reasonably necessary for:
the investigation of:
a serious offence; or
an offence against a law of the Commonwealth, a State or a Territory that is punishable by imprisonment for at least 3 years.
For the avoidance of doubt ‘serious offence’ is as defined in section 5D of the Telecommunications (Interception and Access) Act 1979.
5.85
As set out above, following the implementation of this recommendation it will be clear and consistent with the Committee’s position, that law enforcement access to data kept under the MDRR will only be available in the following circumstances:
Voluntary disclosure;
Locating a missing person; or
the investigation of:
a serious offence; or
an offence against a law of the Commonwealth, a State or a Territory that is punishable by imprisonment for at least 3 years.
5.86
In relation to ASIO’s access to data under the MDRR the Committee notes two observations made by the IGIS who commented that the threshold for ASIO to access retained data is low:
the threshold is, as you would know, very low that the request is made in connection with the performance of any of the organisation's functions. The number of requests that don't meet that threshold—I don't think we've found any.8
And, unlike enforcement agencies, there is no legislative requirement for ASIO to consider privacy before making an authorisation (and while the ASIO Guidelines require some consideration, this is not as strong as the requirements imposed by section 180F of the TIA Act on criminal law-enforcement agencies):
the guidelines possibly could apply to some of the changes that have been made since 2007. But where they apply at such a high level of generality, it is very difficult for the agency both to know exactly what is required of it and for us then to oversee compliance. So our concern always on a statutory or legislative requirement, in the statute itself or in guidelines, is always whether it is sufficiently specific… Privacy is to be weighed against the value of the information that is sought in terms of security—how that should be weighed up. It is difficult to express that in guidelines that will apply. But for that to be addressed as specifically as possible would be of great assistance not only to us in oversight but, I think, also to ASIO in making its decisions.9
5.87
The Committee notes that, while the following recommendation would increase the threshold for ASIO to authorise the disclosure of telecommunications data to be consistent with the threshold that applies to other powers in the TIA Act, there would still be no warrant requirement in relation to the disclosure of telecommunications data (unlike those other powers). Moreover, any ASIO employee could still be designated as an authorised officer for the purposes of accessing telecommunications data.
5.88
Additionally, as stated by the IGIS, making ASIO obligations clear in legislation makes compliance easier for ASIO Officers and, as a result, oversight of such compliance easier for the IGIS.

Recommendation 14

5.89
The Committee recommends that Division 3 of Part 4–1 of the Telecommunications (Interception and Access) Act 1979 be amended to:
increase the threshold for ASIO to authorise the disclosure of telecommunications data so that it is consistent with the threshold for ASIO to intercept telecommunications or access stored communications under a telecommunications service warrant issued under Part 2-2 of the Act; and
introduce a new provision, modelled on section 180F of the Telecommunications (Interception and Access) Act, requiring ASIO to consider privacy before making an authorisation.

Telecommunications Act access to data

5.90
The Committee has considerable concern around the use of section 313(3) and 280(1)(b) of the Telecommunications Act to allow for access to metadata. Concerns around privacy and in relation to the use of this power are set out in detail in the previous chapters of this report. The early submissions that supported the use of these powers were very broad in their arguments and did not identify specific need or instances where these powers were of use.
5.91
On this issue the Committee first turns to the wording of section 280, which reads as follows:
280  Authorisation by or under law
(1)  Division 2 does not prohibit a disclosure or use of information or a document if:
(a)  in a case where the disclosure or use is in connection with the operation of an enforcement agency—the disclosure or use is required or authorised under a warrant; or
(b)  in any other case—the disclosure or use is required or authorised by or under law.
5.92
While the Committee is not concerned where access is backed by a warrant, the catch-all phrase ‘the disclosure or use is required or authorised by or under law’ is worded in a manner that has allowed a broad range of government agencies to access telecommunications data. This is concerning to the Committee.
5.93
In 2015, the Committee very deliberately recommended – in Recommendation 21 – that the agencies that can obtain access to retained metadata be specifically listed in the TIA Act. Following the Committee’s 2015 report, 22 law enforcement and security agencies were included in the definition of “criminal law-enforcement agency” under section 110A of the TIA Act. Under section 110A(3) of the TIA Act, the Minister has the flexibility to declare additional authorities or bodies as ‘criminal law-enforcement agencies’. Such a declaration is a disallowable instrument.
5.94
Notwithstanding the Committee’s 2015 report and the clear intention of the definition of “criminal law-enforcement agency” under section 110A of the TIA Act, at least 87 other agencies are gaining access to telecommunications data under section 280(1)(b) of the Telecommunications Act (operating in conjunction with other Commonwealth, state and territory laws authorising access to telecommunications data). Those agencies include various local councils, a number of state and Commonwealth government departments (e.g. the Commonwealth Department of Agriculture and the WA Department of Commerce), the Office of State Revenue NSW, South Australia Fisheries and the RSPCA. The Committee was disappointed that the Department of Home Affairs, which was aware of the concerns the Committee had with the section, did not seek to assist the Committee in finding a way to amend this section.
5.95
The Committee notes that, when the question of broader access was put to Mr Mike Burgess, Director-General of ASIO, he stated that:
I think all of us who are enabled under this law to get access to retain data should argue why we need it. I can speak for ASIO; I can't speak for the RSPCA. As I said, I remember the conversations at the time. I was working at Telstra at the time, and it's a matter that we raised in terms of: 'This doesn't make sense; there are too many people, on the face of it, that seem to have access to this.' I understand that concern, but I will refrain from further comments in that regard. I believe I have a very strong case for why ASIO needs it. Perhaps everyone else who can legally access it should put their own cases forward so they can be judged by the committee and the parliament.10
5.96
The submissions that supported the use of these powers were very broad in their arguments and did not identify specific need or instances where these powers were of use. The Committee sought, via its secretariat, the Department of Home Affairs and the Department of Infrastructure, Transport and Communications, to give interested state and territory government agencies the opportunity to put their case as to why these powers should remain. There were very few submitters that took this opportunity up. Those that did were unable to convince the Committee of the need for this broad access to telecommunications data.
5.97
The evidence to this inquiry demonstrates there is a loophole here in relation to the agencies that should be allowed access to a person’s telecommunications data. The Committee is concerned to build on and retain confidence in the data retention regime and concludes that the number and type of agencies that can access a person’s telecommunications data via section 280(1)(b) of the Telecommunications Act may undermine the social licence for ASIO and law enforcement agencies to access the information. The Committee received evidence that State Police agencies would be capable of accessing data as part of an investigation that would assist an authority (e.g. teachers registration board) were there concerns about conduct that met the threshold for a criminal offence (e.g. suspected child grooming by a teacher). Therefore the Committee recommends complete repeal of section 280(1)(b) of the Telecommunications Act 1997.
5.98
The Committee is aware that there may be other means whereby telecommunications data is accessible by other parts of the Telecommunications Act 1997 or, indeed, other Commonwealth legislation.
5.99
The Committee therefore recommends that the Government introduce any additional amendments to Commonwealth legislation that are necessary to ensure that:
only ASIO and the agencies listed in section 110A of the Telecommunications (Interception and Access) Act 1979 be permitted to authorise the disclosure of telecommunications data; and
those agencies can only access telecommunications data through Part 4–1 of the Telecommunications (Interception and Access) Act 1979 and through no other legal mechanism.

Recommendation 15

5.100
The Committee recommends that section 280(1)(b) of the Telecommunications Act 1997 be repealed.
Moreover, the Committee recommends that the Government introduce any additional amendments to Commonwealth legislation that are necessary to ensure that:
only ASIO and the agencies listed in section 110A of the Telecommunications (Interception and Access) Act 1979 be permitted to authorise the disclosure of telecommunications data; and
those agencies can only access telecommunications data through Part 4–1 of the Telecommunications (Interception and Access) Act 1979 and through no other legal mechanism.

Oversight and data sharing

5.101
The Committee is supportive of any amendments that increase the ability of oversight agencies to exchange information. The Committee noted the evidence that in some circumstances the OAIC is prevented from sharing information with other regulators because of disclosure restrictions in the Australian Information Commissioner Act 2010 (AIC Act).
5.102
The Committee notes the Ombudsman’s evidence that information sharing can help ensure appropriate oversight of all elements of the regime.
5.103
The Committee shares the Communications Alliance’s concerns in relation to the delay in what they term as the tabling of the ‘past annual reports’ for the MDRR.
5.104
The Communications Alliance subsequently recommended that the legislation be revised to require that the reports, pursuant to s186 and 187P of the TIA Act, be tabled and published within three months of the end of the reporting period. As this would add to transparency around the scheme and increase public confidence in the functioning of the regime, the Committee agrees with this recommendation.
5.105
The sections referred to by the Communications Alliance are a little more nuanced than their suggested recommendation proposes. The Committee notes the following:
Section 186(1) requires that as soon as practicable, and in any event within 3 months, after each 30 June, the head (however described) of an enforcement agency must give the Minister a written report that relates to the year ending on that 30 June;
Section 186(2) provides that the Minister must prepare a report that contains the information set out in each report under subsection (1), other than the information referred to in paragraph (1)(cb). The report may contain any other information the Minister considers appropriate.
Section 186(3) provides that the Minister must cause a copy of a report under subsection (2) to be laid before each House of the Parliament within 15 sitting days of that House after the day on which the report was completed.
Section 187P requires that the Minister must, as soon as practicable after each 30 June, cause to be prepared a written report on the operation of this Part during the year ending on that 30 June.
5.106
Currently section 186(2) has no express time in which the Minister’s report must be completed. Therefore it is specifically section 186(2), the Minister’s report, that the Communications Alliance is suggesting be prepared within 3 months. Again the Committee notes that section 186(3) requires tabling of the Minister’s report within 15 sitting days.
5.107
Section 187P uses the term ‘as soon as practicable’ which, in practice, has allowed reports to be prepared in a timeframe that has caused the concerns referred to above.
5.108
Taking the above details into account, the Committee recommends that sections 186 and 187P of the Telecommunications (Interception and Access) Act 1979 be amended so that:
the Minister must complete the report(s) referred to in section 186(2) and 187P as soon as practicable and, in any event, within 3 months after each 30 June; and
the Minister must cause a copy of the report(s) to be tabled in each House of the Parliament as soon as practicable and, in any event, within 15 sitting days after the date on which the report is completed.

Recommendation 16

5.109
The Committee recommends that sections 186 and 187P of the Telecommunications (Interception and Access) Act 1979 be amended so that:
the Minister must complete the report(s) referred to in section 186(2) and 187P as soon as practicable and, in any event, within 3 months after each 30 June; and
the Minister must cause a copy of the report(s) to be tabled in each House of the Parliament as soon as practicable and, in any event, within 15 sitting days after the date on which the report is completed.
5.110
The Committee notes the evidence from the Office of the Australian Information Commissioner (OAIC) that State and Territory enforcement agencies are not subject to the Privacy Act and therefore have no obligation to report Notifiable Data Breaches to the OAIC. In the absence of notifiable data breach schemes in the states and territories the Committee recommends that section 6F of the Privacy Act 1988 be amended to prescribe that State and Territory CLEAs be regarded as ‘organisations’ for the purposes of the Notifiable Data Breach regime.

Recommendation 17

5.111
The Committee recommends that state and territory criminal law-enforcement agencies under section 110A be prescribed as ‘organisations’ under section 6F of the Privacy Act 1988 in relation to their collection and use of telecommunications data for the purposes of the Notifiable Data Breach regime.
5.112
The Committee was interested to hear about the anomaly brought to it by the Law Enforcement Conduct Commission whereby the TIA Act allows the LECC to communicate lawfully intercepted information for the purposes of a police disciplinary hearing, for a decision by the police Commissioner to terminate the appointment of an officer and/or for the misbehaviour or improper conduct of an officer whilst telecommunications data disclosures alone are not currently lawful for this purpose.
5.113
The Committee agrees that the disclosure of telecommunications data for this purpose is both proportional and necessary, and represents best practice in allowing for the co-operation of agencies in order to manage disciplinary action.

Recommendation 18

5.114
The Committee recommends that section 182(2) of the Telecommunications (Interception and Access) Act 1979 be amended in line with section 68(d) for the consideration of the communication of telecommunications data for disciplinary action and termination of employment.
5.115
The Ombudsman explained to the Committee in the public hearing on 7 February 2020 that the Ombudsman has oversight of the law enforcement agencies and the OAIC has an oversight / regulatory role in respect of the telecommunications providers.
5.116
In its submission, the OAIC spoke about the desirability of those two oversight agencies being able to talk to each other and exchange information and the Ombudsman agreed. However, section 29 of the AIC Act prevents the OAIC from exchanging information with the Ombudsman. As noted by the Ombudsman in the public hearing:
We agree with her that there is a bit of a gap there. If we see something that the telcos have provided to the law enforcement agencies that is over and above what the law enforcement agencies were asking for or were authorised to get, we would like to be able to have a good discussion with the Information Commissioner about that so there is appropriate oversight of all the different elements of this.

Recommendation 19

5.117
The Committee recommends that section 29 of the Australian Information Commissioner Act, and any other statutes that apply similar constraints on information sharing by relevant oversight agencies, be amended so that agencies that have an oversight function in respect of the mandatory data retention regime are able to share intelligence on matters of regulatory concern where there is a public interest in doing so.
5.118
As the implementation of the Committee’s recommendations will require the Government to introduce legislation, the Committee is likely to have at least one opportunity to consider aspects of the scheme – including amendments to it – well in advance of June 2024.
5.119
The Committee considers it prudent to recommend that the Committee be provided with an option to conduct a comprehensive review of the scheme by June 2025 if the Committee considers it necessary or desirable.

Recommendation 20

5.120
The Committee recommends that the Intelligence Services Act 2001 and the Telecommunications (Interception and Access) Act 1979 be amended so that the Committee may commence a review of the mandatory data retention scheme by June 2025.

Storage and security of telecommunications data

5.121
In its 2015 report the Committee noted concerns around the storage and security of the MDRR.
5.122
The main concern the Committee had in relation to storage was the possibility that data held under the MDRR could be stored offshore.
5.123
Nearing the end of its deliberations the Committee sought further information from the Communications Alliance on this issue. The Communications Alliance stated that:
Our members store the data retained pursuant to the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 in compliance with all applicable legislative requirements.
… Australia’s largest carriers have indicated that they store this data onshore, i.e. in Australia, and typically in data centres or facilities which they control. These facilities are held to high protective security standards. These carriers have taken the decision to do so because of a company-specific assessment of their respective technical, operational and commercial requirements and taking into account individual risk profiles for data storage.11
5.124
While the Committee was pleased to hear that offshore data storage does not appear to be currently occurring, it remains concerned that offshore storage is still permitted under the mandatory data retention regime. Data stored overseas could be subject to foreign regulation that could have extra-territorial application to the telecommunication service provider itself, potentially enabling foreign governments to legally access the telecommunications data. In addition, offshore storage would necessarily involve contracting with external foreign parties, which potentially heightens the risk of a data breach.
5.125
Further, regardless of the actual security and legislative requirement imposed by offshore data storage, the Committee finds that part of the social licence granted to telecommunications service providers, law enforcement and ASIO under the MDRR is that Australians’ data will be stored in Australia.

Recommendation 21

5.126
The Committee recommends that Division 1 of Part 5-1A of the Telecommunications (Interception and Access) Act 1979 be amended to require service providers to store information of the kind specified in or under section 187AA, or documents containing information of that kind, on servers located in Australia unless specifically exempted.
5.127
The Committee took detailed evidence as to the desirability for minimum standards in relation to the security of stored data. In relation to this the Communications Alliance stated that any legislative or regulatory requirements ought to focus ‘on whether the data is stored securely and protected from unauthorised access and interference.’12 The Communications Alliance went on to state:
Any requirements ought to be flexible, globally interoperable, ensuring the free movement of data while protecting consumers to ensure continued digital transformation and the promotion of Australia's global competitiveness.13
5.128
In addition to the work of agencies developing guidelines on the operation of the mandatory data retention scheme as set out in dot point one of Recommendation One, agencies’ work on minimum standards in relation to security of data will help to build public confidence. These standards should be developed by the agencies that have access to the telecommunications data and, in the case of entities subject to telecommunications data retention requirements, by the Australian Communications and Media Authority.

Recommendation 22

5.129
The Committee recommends that:
agencies that have access to telecommunications data should develop minimum standards for the security of telecommunications data held within their control or premises; and,
entities subject to telecommunications data retention requirements under the Telecommunications (Interception and Access) Act should be required to demonstrate to the Australian Communications and Media Authority that they have met minimum standards for ensuring the security of retained data:
these minimum standards, applying to entities subject to telecommunications data retention requirements should be developed by the Australian Communications and Media Authority.

International developments

5.130
Given that the international developments regarding the data retention schemes are in a state of legal and technological flux, it is the Committee’s view that Australia should view its own scheme as a relatively independent entity. The current data retention regime’s usefulness with regard to agencies’ functions and power to investigate the current threat environment should be regarded as paramount, provided that the scheme operates effectively and appropriately within Australia’s domestic environment.
Mr Andrew Hastie MP
Chair
13 October 2020

  • 1 Communications Alliance, Submission 27.2, p. 9.
  • 2 Australian Human Rights Commission, Submission 8, pp. 5, 17.
  • 3 Office of the Australian Information Commissioner, Submission 34.1, p. 3.
  • 4 Commonwealth Ombudsman, Submission 20, pp. 6-7.
  • 5 Parliamentary Joint Committee on Intelligence and Security, Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, Canberra, February 2015, p. 215.
  • 6 Department of Home Affairs, Submission 21, p. 29.
  • 7 The Committee notes that there are a number of very serious tax-related offences that are investigated by the ATO, carrying significant terms of imprisonment. For example, as part of Project Wickenby (the largest tax evasion investigation in Australian history), the ATO – along with other Commonwealth agencies as part of a joint taskforce – investigated and ultimately secured convictions for breaches of:
    a. s.134.2 Criminal Code (dishonestly obtaining a financial benefit by deception), which carries a penalty of up to 10 years imprisonment;
    b. s.135.1(5) Criminal Code (dishonestly causing a loss or a risk of a loss to the Commonwealth), which carries a penalty of up to 10 years imprisonment;
    c. s.135.4(3) Criminal Code (conspiracy to cause a loss or a risk of a loss to the Commonwealth), which carries a penalty of up to 10 years imprisonment; and
    d. ss.400.3–400.6 Criminal Code (money laundering offences), which includes a large range of offences carrying penalties of up to 25 years imprisonment.
  • 8 Mr Jake Blight, Deputy Inspector General of Intelligence and Security, Office of the Inspector General of Intelligence and Security, Committee Hansard, Canberra, 7 February 2020, p. 2; see also Inspector General of Intelligence and Security, Submission 36, p. 6.
  • 9 The Hon. Margaret Stone, AO FAAL, Inspector General of Intelligence and Security, Office of the Inspector General of Intelligence and Security, Committee Hansard, Canberra, 7 February 2020, pp. 4-5; see also Inspector General of Intelligence and Security, Submission 36, p. 10.
  • 10 Mr Mike Burgess, Director General, Australian Security Intelligence Organisation, Committee Hansard, Canberra, 28 February 2020, p. 27.
  • 11 Communications Alliance, Submission 27.2, p. 1.
  • 12 Communications Alliance, Submission 27.2, p. 2.
  • 13 Communications Alliance, Submission 27.2, p. 2.
