29 October 2020

Metadata Retention

The Parliamentary Joint Committee on Intelligence and Security report on metadata retention makes the following recommendations. The Committee is required by Section 187N of the Telecommunications (Interception and Access) Act 1979 (Cth) to review the mandatory data retention regime prescribed by Part 5-1A of that Act. 

R 1 Within 18 months from the date of the Committee’s report, the Committee recommends that the Department of Home Affairs prepare national guidelines on the operation of the mandatory data retention scheme by enforcement agencies. In general terms, the purpose of the national guidelines would be to ensure greater clarity, consistency and security in respect of requests for – and the collection and management of – telecommunications data by enforcement agencies across Australia.  

To that end, the national guidelines must be: consistent with the requirements of the Telecommunications (Interception and Access) Act 1979 and other relevant Commonwealth legislation (as amended in accordance with the other recommendations made by the Committee in this report); and adopted and followed by each enforcement agency. 

In developing the national guidelines, the Department of Home Affairs should meet and consult with (at a minimum):

  • the Privacy Commissioner; 

  • the Commonwealth Ombudsman; 

  • each criminal law-enforcement agency; 

  • industry representatives; 

  • the Law Council of Australia; and 

  • the Department of Infrastructure, Transport, Regional Development and Communications.

Meeting is, of course, not the same as taking on board and giving effect to concerns.

The national guidelines should be made public (except to the extent they contain classified information, if any). 

R 2  The Committee recommends that the Telecommunications (Interception and Access) Act 1979 be amended to clearly define the term “content or substance of a communication” for the purpose of providing greater certainty and enhancing privacy protections. 

The Department of Home Affairs should, at a minimum, meet and consult with the following in seeking to develop this definition: the Communications Alliance and other industry representatives; the Commonwealth Ombudsman; the Inspector-General of Intelligence and Security; the Law Council of Australia; and the Privacy Commissioner. 

Moreover, in defining the term “content or substance of a communication”, Home Affairs should specifically consider whether some information that is currently treated as telecommunications data should now be regarded as content given what that information can reveal about an individual. 

R 3 The Committee recommends that the Telecommunications (Interception and Access) Act 1979 be amended so that, if a provider discloses any of the information referred to in section 187A(4) of the Telecommunications (Interception and Access) Act to ASIO or a criminal law-enforcement agency, ASIO or the enforcement agency (as applicable) must: not use the information; immediately quarantine the information; notify the Commonwealth Ombudsman or the IGIS (as applicable) of the disclosure; and following consultation with the Ombudsman or the IGIS (as applicable), destroy the information. 

R 4  The Committee recommends that the data retention period be kept at two years. 

R 5  The Committee recommends that section 187A of the Telecommunications (Interception and Access) Act 1979 be amended to clarify that service providers are not required to store information generated by Internet of Things devices. 

R 6  The Committee recommends that the Telecommunications (Interception and Access) Act 1979 be amended to include the following additional reporting requirements:

  • the number of authorised officers in each enforcement agency and ASIO; 

  • the number of authorisations made by each authorised officer; 

  • the number of individuals that the authorisations by each enforcement agency and ASIO related to; and 

  • in respect of authorisations in relation to criminal investigations, the specific offence – or offences – that the authorisations related to. 

R 7 The Committee recommends that, in consultation with other stakeholders (agencies with access to the Mandatory Data Retention Regime, the Inspector-General of Intelligence and Security, the Commonwealth Ombudsman and the Commonwealth Privacy Commissioner), the Department of Home Affairs should within 18 months of this report develop guidelines for data collection to be applied across the Mandatory Data Retention Regime and the most cost effective way to achieve the intended outcome of facilitating better oversight, including an ability for enforcement agencies and Home Affairs to produce reports to oversight agencies or Parliament when requested. As a minimum, any such report should include the following information (in respect of each occasion on which the powers in Chapter 4 of the Telecommunications (Interception and Access) Act 1979 were used):

  • the section of the Telecommunications (Interception and Access) Act 1979 used to access the data; the case number associated with the authorisation; 

  • the specific offence – or offences – that the investigation related to; 

  • if the authorisation related to a missing person case, the name of the missing person; brief reasons why the authorised officer was satisfied that the disclosure was reasonably necessary; 

  • where the data related to a person who did not have an obvious relationship to a suspect in an investigation, brief reasons why the authorised officer was satisfied that any interference with the privacy of the person that may have resulted from the disclosure or use of the telecommunications data was justifiable and proportionate; 

  • the name(s) of the officers involved in the case; the name and appointment of the authorising officer; 

  • if the agency became aware that the carrier disclosed any of the information referred to in section 187A(4) and action taken.

Where practicable, the report should also include:

  • whether or not the data was used to rule someone out from an investigation; 

  • whether or not the person whose data was accessed was eventually charged, prosecuted and/or convicted of a crime; 

  • whether or not the data accessed eventually led to the charge, prosecution and/or conviction of another person for a crime; and 

  • the cost of the disclosure. 

For the Australian Security Intelligence Organisation, the additional record-keeping requirements should include:

  • the nature of the national security risk that led to the authorisation being given; and 

  • brief reasons why the authorised officer is satisfied that any interference with the privacy of the person that may result from the disclosure or use of the telecommunications data is justifiable and proportionate. 

R 8  The Committee recommends that section 306(5) of the Telecommunications Act 1997 be amended to require telecommunications service providers to keep detailed records of the kinds of information included in each disclosure of telecommunications data, including the types of telecommunications data that were disclosed. 

R 9  The Committee recommends that the Telecommunications (Interception and Access) Act 1979 be amended so that:

  • ASIO and enforcement agencies are required to retain telecommunications data for a prescribed minimum period to ensure that the Inspector-General of Intelligence and Security and the Commonwealth Ombudsman (as applicable) are able to perform their oversight functions; and 

  • Having satisfied the requirements of the Inspector-General of Intelligence and Security or the Commonwealth Ombudsman (as applicable) ASIO and enforcement agencies are required to delete telecommunications data as soon as practicable after the telecommunications data is no longer needed (e.g. in the case of an enforcement agency, after an investigation has concluded). 

R 10 The Committee recommends that the Telecommunications (Interception and Access) Act 1979 be amended so that: authorised officers may only make verbal authorisations for the disclosure of telecommunications data in emergency situations; and the record-keeping obligations that apply to written authorisations also apply to verbal authorisations except that: the written record must be made as soon as practicable after the making of the verbal authorisation; and for each verbal authorisation, the authorised officer must make a record of the reasons why the authorisation had to be made verbally. 

R 11  The Committee recommends that section 5AB of the Telecommunications (Interception and Access) Act 1979 be amended with a view to reducing the number of officers and officials of criminal law-enforcement agencies who may be designated as “authorised officers” and the circumstances in which those designations may be made. At a minimum:

  • only officers or officials who hold a supervisory role in the functional command chain should normally be capable of being designated as ‘authorised officers’, although other individuals who hold specific appointments – rather than entire classes of officers or officials – may be capable of being designated as ‘authorised officers’; 

  • in order to authorise an individual to be an authorised officer, the head of an enforcement agency must be satisfied that it is necessary for the individual to be an ‘authorised officer’ in order for the individual to carry out his or her normal duties; and 

  • prior to the head of an enforcement agency authorising an individual to be an ‘authorised officer’: the relevant senior officer or official must complete a compulsory training program in relation to Chapter 4 of the Telecommunications (Interception and Access) Act 1979; and the head of the enforcement agency must be satisfied that the senior officer or official has the requisite experience, knowledge and skills to exercise the powers under Chapter 4 of the Telecommunications (Interception and Access) Act 1979. 

R 12  The Committee recommends that section 180 of the Telecommunications (Interception and Access) Act be amended to specify when a revocation of an authorisation takes effect. 

R 13  The Committee recommends that section 178 be amended and section 179 be repealed so that an authorised officer cannot make an authorisation for access to existing information or documents unless he or she is satisfied that the disclosure is reasonably necessary for: the investigation of: a serious offence; or an offence against a law of the Commonwealth, a State or a Territory that is punishable by imprisonment for at least 3 years. For the avoidance of doubt ‘serious offence’ is as defined in section 5D of the Telecommunications (Interception and Access) Act 1979. 

R 14  The Committee recommends that Division 3 of Part 4–1 of the Telecommunications (Interception and Access) Act 1979 be amended to: increase the threshold for ASIO to authorise the disclosure of telecommunications data so that it is consistent with the threshold for ASIO to intercept telecommunications or access stored communications under a telecommunications service warrant issued under Part 2-2 of the Act; and introduce a new provision, modelled on section 180F of the Telecommunications (Interception and Access) Act, requiring ASIO to consider privacy before making an authorisation. 

R 15  The Committee recommends that section 280(1)(b) of the Telecommunications Act 1997 be repealed. Moreover, the Committee recommends that the Government introduce any additional amendments to Commonwealth legislation that are necessary to ensure that: only ASIO and the agencies listed in section 110A of the Telecommunications (Interception and Access) Act 1979 be permitted to authorise the disclosure of telecommunications data; and those agencies can only access telecommunications data through Part 4–1 of the Telecommunications (Interception and Access) Act 1979 and through no other legal mechanism. 

R 16  The Committee recommends that sections 186 and 187P of the Telecommunications (Interception and Access) Act 1979 be amended so that: the Minister must complete the report(s) referred to in section 186(2) and 187P as soon as practicable and, in any event, within 3 months after each 30 June; and the Minister must cause a copy of the report(s) to be tabled in each House of the Parliament as soon as practicable and, in any event, within 15 sitting days after the date on which the report is completed. 

R 17  The Committee recommends that state and territory criminal law-enforcement agencies under section 110A be prescribed as ‘organisations’ under section 6F of the Privacy Act 1988 in relation to their collection and use of telecommunications data for the purposes of the Notifiable Data Breach regime. 

R 18  The Committee recommends that section 182(2) of the Telecommunications (Interception and Access) Act 1979 be amended in line with section 68(d) for the consideration of the communication of telecommunications data for disciplinary action and termination of employment. 

R 19  The Committee recommends that section 29 of the Australian Information Commissioner Act, and any other statutes that apply similar constraints on information sharing by relevant oversight agencies, be amended so that agencies that have an oversight function in respect of the mandatory data retention regime are able to share intelligence on matters of regulatory concern where there is a public interest in doing so. 

R 20  The Committee recommends that the Intelligence Services Act 2001 and the Telecommunications (Interception and Access) Act 1979 be amended so that the Committee may commence a review of the mandatory data retention scheme by June 2025.  

R 21 The Committee recommends that Division 1 of Part 5-1A of the Telecommunications (Interception and Access) Act 1979 be amended to require service providers to store information of the kind specified in or under section 187AA, or documents containing information of that kind, on servers located in Australia unless specifically exempted. 

R 22  The Committee recommends that: agencies that have access to telecommunications data should develop minimum standards for the security of telecommunications data held within their control or premises; and, entities subject to telecommunications data retention requirements under the Telecommunications (Interception and Access) Act should be required to demonstrate to the Australian Communications and Media Authority that they have met minimum standards for ensuring the security of retained data: these minimum standards, applying to entities subject to telecommunications data retention requirements should be developed by the Australian Communications and Media Authority.