Chapter 2
Overview of the Bill
2.1
The primary objective of the Telecommunications (Interception and
Access) Act 1979 (the TIA Act) is to:
...protect the privacy of individuals who use the Australian
telecommunications system. The TIA Act makes it an offence to intercept
communications or to access stored communications, other than in accordance
with the provisions of the Act. The... TIA Act [also] specif[ies] the
circumstances in which it is lawful to intercept, access communications or
authorise the disclosure of telecommunications data.[1]
2.2
The Bill seeks to amend the TIA Act to ensure that network operators can
undertake legitimate activities aimed at securing the integrity of their
network and the information it contains.[2]
Legitimate network protection activities
2.3
In recent times, the use of online services by individuals, governments,
businesses and the not-for-profit sector to store and transmit sensitive
information has increased. Protecting information and computer infrastructure
from disruption or malicious access by criminal elements seeking to gain a
financial or other benefit is therefore a growing priority for governments and computer
network owners.[3]
2.4
Network owners and operators typically use automated network protection
systems to screen and reject incoming communications if it is suspected that
they contain a virus and network operators are able to monitor internal and
outbound communications (including emails and internet browsing) provided they
have obtained the consent of people using the network.[4]
2.5
While the use of gateway control systems (such as virus protection
software) does not generally violate interception legislation, network owners
and operators undertaking network protection activities at the threshold of a
network are vulnerable to inadvertent technical breaches of the TIA Act.[5]
Whether an activity is lawful depends on the particular
characteristics of the activity that is undertaken, where it is undertaken, by
whom, and whether or not there is awareness by the affected person that it is
being done. For example, persons undertaking network protection activities may
need to copy a communication before it is delivered to the intended recipient.
However, under the TIA Act, copying is only allowed at certain points in the
delivery of that communication and under certain conditions.[6]
2.6
The main interception prohibitions contained in the TIA Act are found in
sections 7 and 108. These sections prohibit interception of telecommunications
that are passing over a telecommunications system and access to stored
communications, except in accordance with a telecommunications interception
warrant.
2.7
The TIA Act also contains special exemptions for security agencies and
certain Government departments to allow access to communications on their own
computer networks for network protection activities and for the enforcement of
professional standards. These 'network protection provisions,'[7]
contained in section 5F(2) and 5G(2) of the TIA Act, have the effect of
providing a temporary exemption from the section 7 requirements for certain employees
with responsibility for network protection or maintenance and allow these
government employees to access and/or copy any communication from within or passing
over the agencies' network for the enforcement of professional integrity. As
the Attorney-General's Department submission explained:
These provisions were originally introduced by the Telecommunications
(Interception) Amendment Act 2006 in order to allow the Australian Federal
Police (AFP) to protect its network and to ensure staff were complying with the
AFP’s professional standards. At the time, Parliament legislated a two year
sunset period for the provisions in order to allow consideration of a more
comprehensive solution.
In 2007, the provisions were widened to the current form to
allow government agencies and authorities with a security or law enforcement
focus to monitor communications for the purpose of protecting their networks
and enforcing professional standards without the risk of breaching the TIA Act.[8]
2.8
In May 2008 the committee reported on an inquiry into the Telecommunications
(Interception and Access) Amendment Act 2008. The main purpose of that Bill
was to extend sunset provisions that apply to the network protection provision to
allow sufficient time for the development of a comprehensive solution covering
both the public and private sectors.[9]
At that time, the Committee recommended that:
...if further legislation proposing amendments to the network
protection provisions (including to sunset clauses) is introduced, such
legislation should include a thorough and considered response to achieving a
balance between individual privacy rights and network protection requirements.
Such a review should assess mechanisms to mitigate intrusiveness and abuse of
access, and consider how secondary data may be managed appropriately.[10]
2.9
According to the Explanatory Memorandum, this Bill amends the TIA Act:
...to implement a full legislative solution that clarifies the
basis on which communications can be accessed for the purposes of protecting a
computer network.[11]
Existing Arrangements
2.10
As stated above, the primary objective of the TIA Act is to protect the
privacy of individuals who use the Australian telecommunications system.[12]
One way the TIA achieves this is by prohibiting the interception of a
communication that is 'passing over' a telecommunications system.[13]
2.11
Existing section 5F defines when a communication is considered to be 'passing
over' a telecommunications system. Broadly, a communication is taken to start passing
over a telecommunication system when it is sent or transmitted by the sending person
– paragraph 5F(1)(a) – and is taken to continue to pass over the system until
it becomes accessible to the intended recipient – paragraph 5F(1)(b). For
example, an email is taken to start passing over a telecommunications system
when the email is sent and is taken to finish passing over that system when it
becomes accessible to the intended recipient (i.e. it 'arrives' in the
recipient's email inbox).
2.12
Existing subsection 5F(2) alters that definition by stating that, if the
communication is sent from an address on a computer network operated by a
Commonwealth agency, security agency or eligible authority of a state, it is
not taken to have started passing over the telecommunication system until it is
no longer under the control of certain employees (i.e. those responsible for
managing the agency's network or those responsible for the enforcement of
professional standards in the agency).
2.13
Defining when a communication is passing over a telecommunication system
in this way has the effect of enabling:
...communications which are within the network boundaries of
the relevant agency or authority’s network to be copied or recorded in order to
allow network protection duties concerning the operation, protection or
maintenance of the network, or upholding professional standards, to be
performed by personnel within those bodies other than the sender.[14]
2.14
Existing section 5G similarly modifies the definition of the 'intended
recipient' to allow certain communications within Commonwealth agencies,
security authorities and eligible authorities of a State to be copied or
recorded. Subsection 5G(2) outlines that such interception may only be
conducted:
...in order to allow duties concerning the operation,
protection or maintenance of the network, or upholding professional standards,
to be performed by personnel within those bodies other than the addressee.[15]
2.15
Both subsections 5F(2) and 5G(2) are the subject of sunset clauses
(contained in subsections 5F(3) and 5G(3) respectively) meaning they cease to
have effect at the end of 12 December 2009. After this date, employees of
Commonwealth agencies, security authorities and eligible authorities of a State
with network protection responsibilities would require a warrant to copy or
record communications, even in the course of their network protection duties.
The Proposed Arrangements
2.16
The Bill seeks to establish a permanent regime that will:
-
enable all owners and operators of computer networks to undertake
activities to operate, maintain and protect their networks;
-
enable Commonwealth agencies, security authorities and eligible
State authorities to ensure that their computer network is appropriately used
by employees, office holders or contractors of the agency or authority;
-
limit secondary use and disclosure of information obtained
through network protection activities to:
-
network protection purposes;
-
undertaking disciplinary action against an employee, office
holder or contractor of a Commonwealth agency, security authority and eligible
authority of a State who has been given access to a network; and
-
reporting illegal behaviour that attracts a minimum of three
years’ imprisonment penalty threshold to the relevant authorities; and
-
require the destruction of records obtained by undertaking
network protection activities when the information is no longer required for
those purposes.
Interceptions for Network
Protection Purposes
2.17
The Bill (at Items 5-8), by repealing subsections 5F(2), (3) and 5G(2),
(3) and (4), seeks to simplify the definition of when a communication is passing
over a telecommunication system (and the definition of 'intended recipient') so
that the definition applies generically, regardless of whether the
communication is sent from within a government agency or not.
2.18
Item 11 of the Bill then inserts paragraph 7(2)(aaa), which lifts the
prohibition on the interception of a communication by a person (contained in
subsection 7(1)) if the person is appropriately authorised to engage in network
protection duties and it is necessary for the person to intercept the
communication in order to perform those duties effectively.
2.19
Importantly, the proposed regime would allow certain authorised people
in both government and non-government agencies to intercept non-voice communications
for network protection purposes.[16]
That is, the regime contained in the Bill would not be limited in application
to employees of Commonwealth agencies, security authorities and eligible
authorities of a State (though it would apply in these agencies). Furthermore,
this exception would not be subject to a sunset clause.
2.20
Item 13 of the Bill inserts a paragraph which ensures that the
prohibition contained in subsection 7(1) still applies to a voice communication
in the form of speech (including a communication that involves a recorded or
synthetic voice).
2.21
As the Explanatory Memorandum explains:
In the case of Voice over Internet Protocol (VoIP), the voice
communication in the form of packet data may be intercepted and interrogated
but the data may not be reconstructed in order to listen to the actual voice
communication.
This limitation is intended to preserve the integrity of the
interception warrant regime by excluding telephone conversations and
communications from the exception so that normal voice communications cannot be
listened to.
Recorded voice communications embedded in video or audio
files such as a music video or audio file downloaded from the internet that may
be attached to an email communication can be intercepted, reconstituted and
listened to for the purposes of communicating or making use of communications
intercepted under new paragraph 7(2)(aaa).[17]
'Appropriate use' of Government
Networks
2.22
The Bill allows network owners and operators from both the private and
public sectors to intercept communications in certain circumstances,
particularly where that interception is necessary for network protection
purposes. Only Government network operators, however, will be able to intercept
communications to ensure that staff use the network appropriately.
2.23
Item 9 of the Bill inserts new section 6AAA. Section 6AAA defines when a
network is 'appropriately used' by an employee, office holder or contractor of
a Commonwealth agency, security agency or eligible authority of a State. An
employee's use of the network is considered appropriate when they have
undertaken (in writing) to use the network in accordance with reasonable (written)
conditions specified by the agency and where their use is in compliance with
those conditions.
2.24
This definition of 'appropriate use' is designed to be flexible enough
to recognise that what constitutes appropriate use of a computer network may
vary between agencies.[18]
2.25
While user agreements must be reasonable and must comply with all
relevant Commonwealth, State and Territory laws,
...[t]he Bill does not require a new user agreement to be
entered into. Existing user agreements will suffice where an employee, office
holder or contractor of an agency or authority has undertaken to comply with
the conditions set out in the agreement and those conditions are reasonable.[19]
2.26
Furthermore, the absence of an agreement does not preclude an agency or
authority from recording information transiting their network for duties
relating to the operation, protection or maintenance of the network.
However, an agency or authority will not be able to record
information transiting their network to ensure the network is appropriately used,
nor secondarily use or disclose information accessed for disciplinary purposes.
This is because new subsection 63D(2) at Item 15 only authorises disciplinary
action to be taken in relation to ‘appropriate use’ of the network, not ‘use’
of the network.[20]
Secondary use and disclosure
2.27
The Bill also limits the use and disclosure of information obtained
through network protection activities to activities relating to the protection
of the network, the reporting of illegal behaviour (where that behaviour
attracts a minimum penalty of three years' imprisonment) to the relevant
authority, and to undertaking disciplinary action against an employee, office
holder or contractor of a Commonwealth agency, security authority and eligible
authority of a State who has been given access to a network.
Network Protection
2.28
Item 15 of the Bill also inserts new sections 63C which sets out the
terms under which a person engaged in network protection duties may communicate
or make use of the information they intercept.
2.29
Subsection 63C(1) and (2) allow a person engaged in network protection
duties to disclose that information which has been lawfully intercepted in the
course of their duties or to disclose that information to another person with
network protection duties if it is reasonably necessary to enable the other
person to perform their duties. These subsections are limited by new subsection
63C(3) which does not allow the use or disclosure of a communication that has
been converted into a voice communication in the form of speech.
2.30
Items 17-20 of the Bill:
...ensure that the limitations on the use and disclosure of
information related to disciplinary action will apply to further use and
disclosures regardless of the number of times the information is used or
disclosed. These amendments will also ensure that a person who receives
information related to disciplinary action under subsection 63D(2), may only
communicate, use or record that information where doing so does not contravene
another law of the Commonwealth or a State or Territory.[21]
Disciplinary purposes
2.31
Item 15 of the Bill inserts new section 63D, allowing a person engaged
in network protection duties to disclose (lawfully) intercepted information to
another person in order to determine whether disciplinary action should be
taken. This provision limits this on-disclosure to determinations about the
appropriate use of a network by an employee who is an employee or office holder
(or contractor) of a Commonwealth agency, security authority or eligible State
authority and who has legitimate access to that network.[22]
Destruction of records
2.32
A 'restricted record' is defined in subsection 5(1) of the TIA Act as 'a
record other than a copy that was obtained by means of an interception, whether
or not in contravention of subsection 7(1), of a communication passing over a
telecommunications system.'[23]
2.33
Current section 79 of the TIA Act sets out that where a 'restricted
record is not likely to be required for a permitted purpose in relation to the
agency, the chief officer must cause the restricted record to be destroyed.
These requirements only currently apply to interception agencies. As stated in
the Explanatory Memorandum, the new provisions:
...when combined with the new destruction requirements under
new section 79A at Item 22 would create a different regime for interception
agencies. [Requiring the same regime] would impose an onerous administrative
burden on agencies as the destruction requirements in section 79 are imposed on
an agency’s chief officer. In practice this would mean that the chief officer
of an agency would need to destroy every record of a network protection
activity when it is no longer needed. In some agencies this could amount to
thousands of records at any point in time.[24]
2.34
The Bill seeks to address this by inserting new subsection 79(3) which
ensures that new section 79A will apply to any records intercepted for network
protection duties (under new paragraph 7(2)(aaa)) while section 79 would only
apply to interception agencies.
2.35
Records of a communication intercepted under proposed paragraph
7(2)(aaa) must be destroyed once the responsible person (that is, the
individual or head of the body which operates the network) is satisfied that
the record is not likely to be required for network protection duties.
2.36
Where the network is operated by a Commonwealth agency, security
authority or eligible authority of a State and the communication was
intercepted for the purpose of determining whether disciplinary action should
be taken (or taking that action), the responsible person must cause that record
to be destroyed as soon as practicable after becoming satisfied that the record
is not likely to be required.[25]
Definition of 'permitted purpose'
2.37
Schedule 2 of the Bill contains a number of provisions which amend or
supplement the definition of 'permitted purpose'. Many of these amendments
clarify current practices or alter the definition to reflect changes in other
acts.
2.38
Item 2 inserts new subparagraph 5(1)(b)(v), which clarifies that
lawfully intercepted information can be communicated in seeking or issuing a
control order pursuant to Division 104 of the Criminal Code. Currently,
section 67 of the TIA Act allows lawfully intercepted information to be used
for a 'permitted purpose', which includes a purpose connected with an
investigation by the AFP of a prescribed offence (defined). This amendment
clarifies the TIA Act to avoid doubt that the AFP may use and communicate
lawfully intercepted information when seeking the
Attorney-General's approval, to apply for an interim control order, or when
applying for the control order to the courts. New subparagraph (b)(vi), which
is also inserted by this item, clarifies that lawfully intercepted information
can also be used or communicated in relation to preventative detention orders
sought and issued pursuant to Division 105 of the Criminal Code.[26]
2.39
According to the Explanatory Memorandum:
The amendments to permitted purpose in relation to the
use or disclosure of information related to Divisions 104 and 105 of the Criminal
Code are designed to clarify the operation of the existing legislation,
rather than expanding police powers.[27]
2.40
Item 14, contained in Part 2 of Schedule 2 of the Bill is designed to
ensure that AFP officers who have, in good faith, used or communicated lawfully
intercepted information for a purpose connected with Divisions 104 and 105 of
the Criminal Code, are not liable for any breach of the TIA Act caused
by that use or communication.[28]
2.41
Items 3 and 4 of Schedule 2 amend the 'permitted purpose' definition to
reflect changes to the Police Integrity Commission Act 1996 (NSW). This
includes amendments to facilitate the transfer of particular functions from the
Independent Commission Against Corruption to the Police Integrity Commission.
The amendments also ensure that further changes to that Act will be recognised
by the TIA Act without the need for further amendments to the Commonwealth Act.[29]
Delegation powers for certificate etc
2.42
Section 18 of the TIA Act currently contains an evidentiary certificate
regime for intercepted and stored communications. The regime allows the
Managing Director or secretary of a carrier (or of a subsidiary of a parent
company of a carrier) to issue a written, signed certificate setting out such facts
as he or she considers relevant with respect to acts or things done by, or in
relation to, employees of the carrier. These certificates set out facts in
relation to a warrant issued to the Australian Security and Intelligence
Organisation (ASIO) and include facts that may be relevant in order to have a
warrant issued or executed as well as relevant facts pertaining to anything
done by an employee of the organisation in connection with the execution of the
warrant. These certificates may be received in evidence in exempt proceedings
(defined) without further proof and are conclusive evidence of the matters
stated in the certificate.
2.43
Items 9-12 of Schedule 2 of the Bill retain this power but allow the
Managing Director or secretary to delegate their evidentiary certificate
functions by authorising, in writing, an employee of the carrier to issue such
a certificate. Although this provision will expand the number of people who can
issue evidentiary certificates under section 18 on behalf of a carrier:
...[e]nabling staff who are more accessible but of sufficient
seniority to issue the certificate gives the carrier flexibility, which should
ensure that evidentiary certificates can be issued promptly.[30]
2.44
As the Explanatory Memorandum explains:
...[t]he delegation of this function is consistent with the
current evidentiary certificate regime applying to law enforcement interception
warrants under section 61 of the TIA Act.[31]
2.45
Item 11 of Schedule 2 makes a similar amendment to section 129, allowing
a similar delegation in relation to written evidentiary certificates relating
to acts or things done to enable the execution of a stored communications
warrant (as opposed to a warrant issued to ASIO).
Telecommunications data to be included in evidentiary certificates regime
2.46
Telecommunications data is information about a communication, other than
the content or substance of the communication itself. For example, for a telephone-based
communication, telecommunications data would include subscriber information,
the telephone numbers of the parties involved, the time of the call and its
duration. In relation to internet-based applications, it would include the
Internet Protocol (IP) address used for a session and the start and finish time
of each session.[32]
2.47
Telecommunications data is available in relation to all forms of
communications, including fixed and mobile telephony services and internet
based applications, including internet browsing and Voice over Internet
Protocol (VoIP).[33]
2.48
Under the current regime, telecommunications data may only be disclosed
by a carrier to ASIO in connection with the performance of its functions and to
enforcement agencies for the investigation of criminal law, a law imposing a
pecuniary penalty or the protection of the public revenue.[34]
2.49
Item 13 of Schedule 2 of the Bill inserts three new sections, 185A, 185B
and 185C, which extends the evidentiary certificate regime (discussed above,
but also including certificates issued by the Director-General or the Deputy
Director-General of Security) to include access to telecommunications data
obtained under an authorisation. The new sections apply to historical and
prospective telecommunications data and are consistent with the existing
evidentiary certificate provisions for interception and stored communications.
Navigation: Previous Page | Contents | Next Page