2.1
This chapter examines the matters raised in submissions to the inquiry and sets out the committee's view.
2.2
Evidence received by the committee was overwhelmingly supportive of the bill's intended objective of protecting the lives and wellbeing of Australians. However, there were differing views as to the scope, clarity and necessity of the proposed amendments in achieving this objective. Submitters provided observations on the overarching principle of the bill as well as detailed commentary on specific provisions, which are outlined below.
2.3
The majority of evidence centred on the proposed changes to information use and disclosure requirements under sections 287 and 300 of the Telecommunications Act 1997 (the Act), which the Minister for Communications described as the 'most important measure' in the bill.
Balancing privacy and protection
2.4
As noted in Chapter 1 and discussed in detail by the Parliamentary Joint Committee on Human Rights (PJCHR), expanding access to personal information necessarily reduces individual privacy. In this sense, the bill presents a trade-off, as summarised by the Internet Association of Australia:
We recognise the need for a disclosure framework that adequately balances privacy protections on one hand, and allowing Australia's law enforcement agencies and emergency services to carry out their functions to ensure individual and wider public safety on the other.
2.5
Submitters including the Department of Infrastructure, Transport, Regional Development, Communications and the Arts (DITRDCA), the Attorney-General's Department (AGD) and the Australian Communications Consumer Action Network argued that the proposed amendments strike an appropriate balance between the protection of privacy and the prevention of harm.
2.6
Other submitters disagreed, most notably the New South Wales Council for Civil Liberties (NSWCCL), which described the proposed amendments as 'unnecessary' and 'gratuitous'. The NSWCCL was of the view that the 'appropriate balance between information privacy and the free flow of information' has not been achieved.
2.7
The Law Council of Australia (Law Council) was more equivocal. It did not present an overarching assessment, but noted, for example, that a limitation on privacy is not automatically reasonable, necessary and proportionate simply because it has the potential to save lives. The Law Council observed that careful scrutiny of information disclosure is especially important in light of 'recent cyber incidents involving the theft and misuse of personal data'.
Serious threats to a person's life or health
2.8
AGD submitted that removing the word 'imminent' would enhance the clarity and utility of section 287 of the Act:
The department considers removing the word 'imminent' will make the provision clearer and easier to apply and understand. This will assist police and telecommunications providers to have a common understanding of the provision and the circumstances in which it is intended to be used, as well as the public.
2.9
The Australian Federal Police agreed that it would 'remove ambiguity and make it more straightforward for officers to understand when they can and cannot disclose or use such information'.
2.10
Law enforcement agencies were emphatic that the proposed amendment would expedite investigations and consequently save lives. South Australia Police said the change would:
…undoubtedly increase the ability to efficiently and effective locate 'at risk' persons and therefore significantly enhance the ability to save lives or prevent threats to a person's life or health.
2.11
As outlined in Chapter 1, the bill would remove the 'imminent' requirement for both initial disclosures under section 287 and subsequent disclosures under section 300 of the Act. DITRDCA provided an example to illustrate the practical importance of secondary disclosures:
[I]f a carrier were to rely upon section 287 to disclose triangulation information to the NSW Police about a missing person, and the triangulation data showed that the approximate location of the missing person's phone was somewhere in Queensland, NSW Police would be able to rely on section 300 to disclose that triangulation data to Queensland Police if NSW Police believes on reasonable grounds that doing so was reasonably necessary to prevent a serious threat to the person's life.
2.12
DITRDCA also noted that the proposed amendments to sections 287 and 300 would bring the Act into line with the general disclosure permissions set out in the Privacy Act 1988 (Privacy Act), which has already been amended to reflect the Australian Law Reform Commission's recommendations.
Who determines whether the threshold has been met?
2.13
Requests for information under section 287 are considered at the discretion of the information holder: if a telecommunications provider is not satisfied that there are sufficient grounds to authorise disclosure, it may decline the request. On that basis, the Law Council submitted that the exemption relies heavily on the 'the judgement of the disclosing party as to the nature of the threat in the relevant circumstance'. The Internet Association of Australia indicated that the removal of the word 'imminent' would heighten the importance of appropriately determining whether a threat is 'serious'.
2.14
The department informed the committee that, in practice, the determinations of telecommunications companies are guided by the information provided by law enforcement and emergency services. DITRDCA confirmed that the bill's intention is that telecommunications companies would be largely reliant on those representations in determining the seriousness of threats, noting:
This approach is consistent with the existing operational process of law enforcement agencies, and recognises that police or emergency service organisations have access to information, systems and resources that telecommunications companies do not.
2.15
The Australian Privacy Principles Guidelines, which are issued by the Office of the Australian Information Commissioner, provide interpretive guidance about the relevant considerations for when it is unreasonable or impracticable to obtain an individual's consent to access personal information. These guidelines can be utilised by organisations such as law enforcement agencies and telecommunications providers regarding the collection, use or disclosure of personal information under the Privacy Act.
2.16
Privacy provisions in the Telecommunications Act, such as those at Part 13, are consistent with equivalent general provisions in the Privacy Act. The Guidelines provide additional assistance in interpreting the elements of these provisions, including:
…when it is unreasonable or impracticable for an [Australian Privacy Principle] entity to obtain an individual's consent (APP Guidelines C.5-C.6); what constitutes a 'reasonable belief' that collection, use or disclosure is 'necessary' (APP Guidelines C.7-C.8); and the threshold for a 'serious' threat and a 'serious threat to public health or safety' when several people may be affected (APP Guidelines C.9-C.12).
2.17
Nonetheless, several submitters argued that there is a need for further guidance material to assist in assessing requests under sections 287 and 300 of the Act. Both the Law Council and the NSWCCL suggested this must include consideration of the 'wishes and circumstances of the person to whom the disclosure relates'.
Limitations and safeguards
Unreasonable or impractical to obtain consent
2.18
The bill would insert an additional safeguard that information may only be used or disclosed where it is 'unreasonable or impractical' to obtain the consent of the person to whom the information relates. DITRDCA, AGD and the Law Council observed that this requirement is consistent with the Australian Privacy Principles Guidelines.
2.19
The requirement would form part of section 300 as well as section 287, ensuring that any subsequent disclosure is subject to fresh consideration of the reasonableness and practicality of obtaining consent at that point in time.
2.20
While the Australian Privacy Principles Guidelines provide interpretive guidance on this requirement, the Law Council recommended the development of additional guidance on the circumstances in which obtaining consent would be unreasonable or impractical. It also suggested consideration be given to requiring documentation of the steps taken to obtain consent.
Scope of information that may be disclosed
2.21
Several submitters highlighted a lack of clarity as to the scope of information that may be disclosed under sections 287 and 300. This was also raised by the PJCHR and the Scrutiny Committee.
2.22
DITRDCA confirmed that the provisions apply only to information relating to the 'affairs or personal particulars' of a person, including locational information. DITRDCA and AGD underlined that sections 287 and 300 do not allow for the content or substance of communications to be made available in any circumstance. DITRDCA also noted that triangulation does not include GPS data.
2.23
The PJCHR suggested it may be beneficial to develop a definition of the 'affairs or personal particulars' of a person.
Other investigative approaches
2.24
In practice, the disclosure exemption contained in section 287 is not the first or only investigative method available. The committee was told that standard law enforcement operating procedures require the 'exhaustion of less intrusive methods' before a request can be made.
2.25
Other provisions of the Act may facilitate access to certain types of information, for example historic data and information previously obtained about a person. Existing guidance on the operation of section 287 clearly states that it 'should only be considered where time is of the essence and a person's wellbeing is at serious risk'.
Safeguards against misuse
2.26
Some submitters shared the concerns expressed by the PJCHR and the Scrutiny Committee that it is not clear how information disclosed under sections 287 and 300 would be protected.
2.27
DITRDCA reiterated that information is 'received and managed according to well-established protocols, and also subject to a range of safeguards of which only one is the Act'. DITRDCA noted that many of these procedures and protocols are not public, to avoid the disclosure of sensitive operational practices, but are subject to 'a range of oversight mechanisms, including at the federal level by a number of oversight bodies'.
2.28
The Police Federation of Australia drew the committee's attention to the existence of 'numerous safeguards to prevent the misuse of any information' disclosed under the proposed amendments. South Australia Police acknowledged concerns about potential misuse of information but told the committee it was:
…confident that its internal practices and policies including oversight by senior police officers are robust enough to sufficiently alleviate any concern whatsoever.
2.29
The PJCHR acknowledged the existence of non-legislative safeguards such as operational protocols but warned that their effectiveness depends upon 'robust internal police processes'. The Law Council expressed some scepticism, given:
…agencies (including law enforcement agencies) have, in the past, contravened existing measures to protect private data, including failing to properly store, protect and destroy it.
Less restrictive options
2.30
The NSWCCL urged consideration of 'less restrictive alternatives' to amending sections 287 and 300, such as improved guidance and training for police officers.
2.31
DITRDCA informed the committee that during the Inquest into the disappearance of CD, it was notified by the NSW Department of Communities and Justice of the emerging concerns about disclosures under section 287. In response, DITRDCA and the AGD jointly developed additional guidance material on the operation of the provision. However:
…[a]lthough this material had some utility in providing a common understanding across jurisdictions on the circumstances necessary for the information disclosure exemption to apply, law enforcement agencies indicated this material alone was unlikely to resolve the issue in the absence of broader legislative reform.
2.32
DITRDCA confirmed that less intrusive measures were considered in consultation on the draft bill but were ultimately determined to be insufficient:
[T]he consultation process of the Bill demonstrated that less intrusive methods such as the provision of guidance and training were insufficient to remove the legislative barrier posed by the term 'imminent'.
Notably, in the Inquest into the Disappearance of CD, Chief Inspector Charlesworth of the NSW Police, who refused the request to triangulate CD's mobile phone because there was insufficient evidence the threat was imminent, confirmed he would make the same decision today with the benefit of hindsight due to an inability to establish imminence.
Impact on vulnerable people
2.33
The NSWCCL and the Law Council raised concerns that the proposed amendments may have a disproportionate impact on the privacy of vulnerable people, such as First Nations people and those experiencing family or domestic violence.
2.34
Conversely, the Australian Federal Police suggested the amendments would be particularly beneficial to vulnerable people, as they would expedite assistance to missing persons at additional risk of harm due to their personal characteristics (such as age or illness) or the circumstances of their disappearance. DITRDCA concurred, noting that the amendments would be 'most likely to assist those in the community at-risk of self-harm through mental health factors'.
2.35
DITRDCA also pointed out that the proposed amendments would not change long-standing operational procedures to protect missing persons, including compulsory assessment of their vulnerability before selecting an investigative approach.
2.36
Both the NSWCCL and the Law Council observed that some missing persons may be escaping a dangerous situation, or have simply chosen to disconnect from friends and family, and may not wish to be located.
2.37
The NSWCCL argued that some missing persons may have a 'good reason' for not wanting to be found. In response, DITRDCA confirmed that where a person is assessed to have 'voluntarily' gone missing, police do not request location data.
Missing persons at risk of family or domestic violence
2.38
DITRDCA acknowledged that there are additional sensitivities in respect of domestic and family violence—in particular, where an individual is reported missing as a result of having exercised a 'free choice to disassociate themselves from friends and family for legitimate reasons, including removing themselves from harmful environments'.
2.39
In relation to the possibility that the proposed amendments could be used by abusers to 'track down' their victims, DITRDCA stressed that a claim from a member of the general public, without support or confirmation from law enforcement or emergency services, would not meet the threshold for disclosure.
2.40
DITRDCA confirmed that it would work with the Domestic, Family and Sexual Violence Commission and the Department of Social Services to ensure any other appropriate safeguards are in place.
2.41
DITRDCA also drew the committee's attention to legislative reforms in NSW and Victoria that removed the word 'imminent' from information disclosure requirements specifically to improve safety in situations of domestic or family violence.
Lowering 'belief' to 'suspicion'
2.42
Some submitters called for a further amendment to lower the disclosure threshold from a 'belief' to a 'suspicion', a change that was also canvassed by the NSW Coroner and Deputy Coroner.
2.43
South Australia Police argued that this would save time in urgent situations:
In practical terms the time taken to elevate a 'reasonable suspicion' to a 'reasonable belief' will likely mean the expenditure of further time and resources and the passing of critical time and irretrievable opportunities.
2.44
The Uniting Church in Australia, Synod of Victoria and Tasmania agreed that where there is a possible threat to life or health, 'the threshold to access information should be low'.
2.45
DITRDCA clarified that this change would be inconsistent with the Privacy Act:
[A]mending the disclosure threshold from 'belief' to 'suspicion' would result in a lower bar than the equivalent standards in the Privacy Act 1988. This would be inconsistent with the 'general permitted situations' in section 16A, where 'suspicion' is the threshold in cases such as unlawful activity or misconduct of a serious nature, while a higher threshold of 'belief' applies for prevention of serious threats to life, health or safety, or for locating a missing person.
2.46
However, DITRDCA advised it would monitor any recommended changes to this threshold, noting the Privacy Act is currently under review.
Calls to emergency services from unlisted numbers
2.47
Many submitters were supportive of the amendments proposed to section 285 and extending the existing access to the Integrated Public Number Database (IPND) in emergency situations to mobile phones and other unlisted numbers. The Law Council and AGD reiterated the opinion of the ALRC that most members of the public would reasonably expect this to be permitted.
2.48
South Australia Police stated that the proposed amendment would be a 'critical enabler' of the provision of emergency services. The Australian Federal Police added that the inability to access IPND information for unlisted numbers had been 'an impediment to investigations'.
2.49
However, the NSWCCL did not support the amendment 'without appropriate privacy protections dealing with disclosure, storage and destruction of that information' and expressed particular concern that metadata may be disclosed to law enforcement agencies. The Law Council similarly had reservations regarding the impact of the amendment on the right to privacy.
2.50
The Law Council also called for additional clarification of aspects of the proposed amendment to section 285 that it considered 'loosely expressed', including the scope and parameters of the phrase 'matter or matters raised by a call to an emergency services number'.
Safeguards
2.51
As with the amendments to sections 287 and 300, the bill would introduce a new requirement that it is unreasonable or impractical to obtain consent to disclosure of information via the IPND in emergency situations.
2.52
In addition, DITRDCA noted that:
Telstra, as the IPND Manager and the [Emergency Call Person (ECP)], has publicly available procedures in place to ensure that information disclosed between the IPND Manager and the ECP is handled appropriately. Obligations on IPND access seekers are specified in an enforceable industry code and in the data access agreements with Telstra.
2.53
DITRDCA also confirmed that, due to existing laws that regulate access to the IPND and provision of emergency services, in practice, 'disclosure through the measure is restricted to police, fire and ambulance services'.
Availability of alternative provisions
2.54
The NSWCCL queried, as did the PJCHR, whether the amendment to section 285 was necessary given the existence of other provisions that would also appear to facilitate access to IPND information about numbers. The EM acknowledges that there are other sections of the Act that would potentially facilitate access to information associated with an unlisted phone number, but notes section 285 is directed specifically to IPND records.
2.55
The PJCHR sought specific advice from the Minister about the use of section 286, which also permits disclosure of information in relation to calls to emergencies services, as an alternative to section 285. The Minister advised that section 286 applies to information that is known or comes into possession as a result of a call to emergency services, whereas section 285 applies specifically to information recorded on the IPND. The PJCHR concluded 'it is clear that sections 285 and 286…operate differently'.
Recording-keeping requirements
2.56
Under the Act, telecommunications providers must keep records of disclosures made under specified provisions of the Act or the Telecommunications (Interception and Access) Act 1979. The bill would expand this obligation to require more detailed information about the purposes of disclosures and the types of information disclosed.
2.57
DITRDCA noted that the amendment would require telecommunications providers to record the type of information disclosed (for example, that it was a call log or billing address) but not the information itself.
2.58
The NSWCCL indicated that it supported the principle of additional record‑keeping, but said there must be strict data retention rules. The NSWCCL also recommended that record-keeping be 'regularly audited and subject to the scrutiny of an independent monitor'.
2.59
Both DITRDCA and AGD emphasised the fact that the proposed amendment is itself intended to facilitate monitoring and oversight. In relation to this, the Commonwealth Ombudsman told the committee:
I welcome this amendment and agree with the statements in the Explanatory Memorandum that increasing record keeping requirements would support oversight of the warrants or authorisations being relied upon to utilise [section] 280.
2.60
AGD also pointed out that the amendment was consistent with a previous recommendation of the Parliamentary Joint Committee on Intelligence and Security.
Compliance
2.61
The Communications Alliance supported the intention of the proposed amendment to record-keeping obligations, but warned that compliance may prove difficult for telecommunications companies:
There are practical challenges associated with this proposed record-keeping requirement. It may not be a simple exercise for a staff member responsible for responding to requests for information to identify what item number/s in the table in section 187AA [of the Telecommunications (Interceptions and Access) Act 1979] a request for data may relate to.
2.62
The Internet Association of Australia emphasised the importance of ensuring telecommunications providers understood their new obligations:
Given the implications of these changes which will affect processes for telecommunications providers, and pose fines if such changes aren't complied with, it is important that sufficient effort is made to raise awareness across the entire industry regarding the new requirements.
Conferring immunity on telecommunications providers
2.63
The NSWCCL also raised concerns about a proposed amendment to correct a drafting error in the National Emergency Declaration (Consequential Amendments) Act 2020 (NED Act), which it did not accept was technical in nature.
2.64
The Act imposes duties on telecommunications providers to assist authorities for specified purposes in the national interest (for example, in connection with criminal or national security matters) and grants immunity for good faith performance of those duties.
2.65
The NED Act amended the Act to insert a new duty to provide assistance in relation to national disasters and emergencies, but the corresponding immunity was inadvertently omitted. The proposed amendment would rectify this omission by inserting two required cross-references. The AGD confirmed that the immunity conferred by the proposed amendment mirrors the existing immunities in relation to other duties.
2.66
The NSWCCL was of the view that the amendment would deny individuals 'any redress' where their privacy rights have been breached or damaged. However, the AGD clarified that the immunity is only in respect of liability for damages and does not restrict access to other remedies:
[T]here remain other avenues for individuals to seek remedies in situations where they believe their privacy may have been violated. This includes making a complaint to the regulator (the Australian Communications and Media Authority) which can take enforcement action, the Privacy Commissioner or seek a remedy against the relevant Commonwealth, State, or Territory body or government official initiating the request for assistance.
2.67
The AGD noted that these avenues would be outlined in greater detail in the revised Explanatory Memorandum (EM).
Other matters
Explanatory Memorandum
2.68
Many submissions echoed the PJCHR and Scrutiny Committee in highlighting deficiencies in the EM, in particular its limited explanation of how proposed amendments would operate in practice.
2.69
DITRDCA acknowledged these submissions and advised that the replacement EM would include:
clarifications of all existing and proposed safeguards to protect the rights to privacy, life, and an effective remedy in the Act;
additional details on the operation of particular clauses, responding to recommendations from the PJCHR and the Scrutiny Committee;
further clarification of expectations for record-keeping arrangements; and
other revisions suggested by the Human Rights Unit of the AGD.
2.70
The Law Council also queried whether a Privacy Impact Assessment (PIA) was completed in relation to the bill. DITRDCA advised that a threshold PIA was undertaken, which determined that a full PIA was not required.
Consultation on the draft bill
2.71
In developing the bill, DITRDCA consulted with 20 organisations, including Commonwealth government departments, state and territory law enforcement bodies and major telecommunications providers.
2.72
The Internet Association of Australia described the process as 'a targeted consultation involving only select industry representatives', which it argued was not good practice.
2.73
The NSWCCL and the Law Council were critical of DITRDCA's failure to consult with civil liberties groups prior to the introduction of the bill. DITRDCA later provided a briefing to the NSWCCL and Civil Liberties Australia, which the NSWCCL acknowledged in its submission.
Amendments beyond the scope of the bill
2.74
The committee also received evidence in relation to other possible amendments to the Act beyond the narrow scope of the bill.
2.75
The Commonwealth Ombudsman drew the committee's attention to what he described as a 'gap' in oversight where other laws, including state and territory legislation, are used in conjunction with provisions of the Act.
2.76
The Communications Alliance called for an additional amendment to improve routing and redirection of calls to emergency services from unlisted numbers. In correspondence to the Communications Alliance, DITRDCA advised that it would prioritise consideration of the proposal for future legislative reform.
Committee view
2.77
The committee notes the bill was introduced in response to serious concerns raised by the NSW Coroner and Deputy Coroner about impediments to information disclosure under the Act. In particular, the specific constraints on law enforcement agencies' access to telecommunications information when responding to public safety incidents such as life‑threatening situations. The committee commends the Government's swift response to addressing those concerns.
2.78
The committee acknowledges the issues raised by submitters to the inquiry, as well as the comments of the PJCHR and Scrutiny Committee. The committee welcomes the Minister's commitment to provide a replacement EM that more fully addresses many of these matters. The committee notes there is a clear appetite for further guidance on the scope, application, and operation of the proposed amendments to both information disclosure and record-keeping requirements.
2.79
The committee recognises that the bill gives rise to genuine concerns about personal privacy. However, the committee's view is that the proposed amendments do not provide new or additional access to information; rather, they improve the timeliness and utility of existing provisions of the Act. The committee is satisfied that these provisions would be subject to operational limitations and safeguards, including the addition of an appropriate consent requirement and enhanced record-keeping.
2.80
On that basis, the committee considers the proposed amendments strike an appropriate balance between maintaining individual privacy and protecting public safety.
2.81
The committee has not formed a view on the other matters raised by the Commonwealth Ombudsman and the Communications Alliance, which are beyond the scope of this inquiry.
2.82
Finally, the committee would like to acknowledge the tragic circumstances that drove the development of the bill. It is the committee's sincere hope that the passage of the bill will help to remove barriers that hampered attempts to locate Mr Hunt and CD.
2.83
The committee recommends that the bill be passed.
Senator Karen Grogan
Chair