A report by the Australian Parliamentary Joint Committee on Intelligence and Security has endorsed the Telecommunications and Other Legislation Amendment Bill 2016 (Cth), concerned with the management of "national security risks of espionage, sabotage and foreign interference to Australia’s telecommunications networks and facilities".
The Committee recommends that the Bill be passed by the Parliament, and makes 12 further recommendations for improvements to the proposed framework.
The Committee’s recommendations include:
- providing further clarity in guidelines to industry on the extent of the framework’s application in areas such as cloud computing and over-the-top services,
- ensuring effective and regular information-sharing between government and industry, in particular in relation to threat information,
- introducing a specific obligation for industry to notify government of any new or amended offshoring arrangements in relation to retained telecommunications data, and
- specifying annual reporting requirements in the legislation.
The Committee has also recommended that the framework be reviewed after three years to ensure it is operating effectively.
The specific recommendations are:
R1 - The Committee recommends that the administrative guidelines to the Telecommunications and Other Legislation Amendment Bill 2016 be revised to provide comprehensive information, clarity and certainty to industry in a greater range of circumstances. In particular, the revised administrative guidelines should provide further clarity regarding a company’s security obligation in circumstances where:
- a company is providing or reselling an over the top service,
- telecommunications infrastructure is used (but not necessarily owned or operated) by the company,
- a company’s infrastructure is located in a foreign country, and used to provide services and carry and/or store information from Australian customers, and
- a company provides cloud computing and cloud storage solutions.
The Committee considers that inclusion of this additional information should be finalised prior to the conclusion of the 12 month implementation period.
R2 - The Committee recommends the Telecommunications and Other Legislation Amendment Bill 2016 be amended to clarify that, in circumstances where a broadcaster is exempt from being treated as a carriage service provider under the Telecommunications Act 1997, they are also not intended to be subject to the obligations set out in the Bill.
R3 - The Committee recommends that the Attorney-General’s Department works collaboratively with industry to ensure effective and regular information sharing, in particular sharing threat information with industry, leveraging existing mechanisms where possible.
These information-sharing mechanisms should ensure industry receives timely and tailored threat information to aid industry compliance.
The Committee considers that these processes should be finalised prior to the conclusion of the 12 month implementation period.
R4 - The Committee recommends that the administrative guidelines to the Telecommunications and Other Legislation Amendment Bill 2016 be expanded to provide greater detail about the existing list of notifiable items.
This could be achieved, for example, by listing the sorts of changes that are envisaged to not require notification to the Communications Access Co-ordinator (CAC), as well as providing more detailed information about the sorts of changes that do require notification to the CAC.
The Committee considers that inclusion of this additional information should be finalised prior to the conclusion of the 12 month implementation period.
R5 - The Committee recommends that the Telecommunications and Other Legislation Amendment Bill 2016 be amended to outline the application process for exemptions from notification requirements.
The Bill should clarify that:
- carriers and nominated carriage service providers may request the Communications Access Co-ordinator (CAC) to provide either a partial or complete exemption from the notification requirement in relation to certain types of changes, and
- the CAC may vary or revoke exemptions.
R6 - The Committee recommends that the Telecommunications and Other Legislation Amendment Bill 2016 be amended to make clear that the Bill does not affect the operation of existing legislated privacy obligations.
R7 - The Committee recommends that section 315J of the Telecommunications and Other Legislation Amendment Bill 2016 be amended to specify that the annual report presented to Parliament must include:
- the number of occasions the information-gathering powers have been exercised,
- the number of notifications and security capability plans received,
- regulatory performance measures, including the average response timeframes of the Communications Access Co-ordinator to notifications and the proportion of responses made within the statutory timeframes,
- details of the Government’s information-sharing arrangements with industry,
- a summary of any feedback or complaints received from stakeholders, and
- the number of occasions the directions-powers have been exercised.
The annual report should indicate if trends or issues have emerged in relation to any of the above.
R8 - The Committee recommends the Explanatory Memorandum for the Telecommunications and Other Legislation Amendment Bill 2016 be amended to clarify that negotiating in ‘good faith’, as set out in proposed subsection 315B(5), includes whether the Communications Access Co-ordinator has complied with the applicable statutory timeframes.
This would make it clear that the Attorney-General will take into account whether the Communications Access Co-ordinator responded to any relevant notifications or security capability plans received from industry within the applicable statutory timeframe, prior to issuing a direction.
R9 - The Committee recommends that the Explanatory Memorandum to the Telecommunications and Other Legislation Amendment Bill 2016 be amended to outline the avenues available for industry to recover reasonable costs in circumstances where:
- the Communications Access Co-ordinator has not responded within the statutory timeframe to the carrier or nominated carriage service provider (C/NCSP)’s notification of a proposed change, and
- the C/NCSP has proceeded with the proposed change on the basis of no response having been received, and
- the Attorney-General has subsequently issued a direction relating to the change.
R10 - The Committee recommends that, at the time of the review required to be undertaken by the Parliamentary Joint Committee on Intelligence and Security under section 187N of the Telecommunications (Interception and Access) Act 1979, the scope of the review be expanded to include consideration of the security of off-shored telecommunications data that is retained by a service provider for the purpose of the data retention regime.
R11 - The Committee recommends that the Telecommunications and Other Legislation Amendment Bill 2016 be amended to include, in relation to data retained under Part 5-1A of the Telecommunications (Interception and Access) Act 1979, a specific obligation within the notification requirement in proposed section 314A to require C/NCSPs to notify the CAC of any new or amended offshoring arrangements.
R12 - The Committee recommends that the Telecommunications and Other Legislation Amendment Bill 2016 be amended to require the Parliamentary Joint Committee on Intelligence and Security to review the operation, effectiveness and implications of the reforms, commencing within three years of the Bill receiving Royal Assent.
The scope of the review should include:
- the security of critical and sensitive data,
- the adequacy of information-sharing arrangements between government and industry, and
- the adequacy and effectiveness of the administrative guidelines in providing clarity to industry on how it can demonstrate compliance with the requirements set out in the Bill.
R13 - The Committee recommends that, subject to the above recommendations being accepted, the Telecommunications and Other Legislation Amendment Bill 2016 be passed.
In discussing Information sharing and confidentiality at paras 5.51 through 5.61 the report states:
Proposed section 315H authorises the further use or disclosure of information or documents obtained under certain sections of the Bill (314A, 314B, 314C, 314D, 315C and 315H) to persons other than the Secretary of the Attorney-General’s Department, or his or her delegate.
Proposed section 315H is intended to protect commercially sensitive information by ensuring:
- disclosures are limited to the purpose of security (as defined by the ASIO Act), and
- identifying information must not be disclosed to a person who is not a Commonwealth officer.
The Explanatory Memorandum contains information about the circumstances in which information is likely to be shared, including for providing threat information and intelligence to foreign partners in support of reciprocal information sharing arrangements.
The Explanatory Memorandum also notes that disciplinary action would be available under existing legislation in circumstances where Australian Government employees breach the provisions. For example, section 70 of the Crimes Act 1914 applies criminal sanctions to unauthorised disclosure of information by current or former Commonwealth officers.
The Australian Information Commissioner noted that proposed subsection 315H(2) restricts the disclosure of ‘identifying information’ to a person who is not a Commonwealth officer. The Information Commissioner further noted that identifying information ‘means information that identifies the C/CSP or intermediary concerned’, and suggested that, as an additional protection, this restriction on the disclosure of identifying information be extended beyond commercial information to apply to ‘personal information’ as defined in the Privacy Act 1988.
In response, the Attorney-General’s Department stated:
Extending subsection 315H(2) to ‘personal information’ is unnecessary as there are already strong protections in place for the protection of personal information.
The Attorney-General’s Department, the Department of Communications and the Arts and other government departments, are subject to the Privacy Act 1988, which sets out how personal information is handled. ASIO’s handling of personal information is governed by the ASIO Act and the Attorney-General’s Guidelines (made under the Act) and is also subject to the oversight of the Inspector-General of Intelligence and Security.
Section 315H of the Bill is intended to cover other information, such as commercially sensitive information, that would not necessarily be captured under existing personal information protections (e.g. company names).
The Explanatory Memorandum notes that the protections in the Bill for commercial information would
operate to complement the high standard for protecting information which government agencies already operate under including compliance with requirements under the Privacy Act regarding use, disclosure and destruction of personal information and secrecy obligations in the Crimes Act 1914.
The Committee notes that proposed section 315H authorises the use or disclosure of information obtained under the Bill, and provides measures to protect commercially sensitive information, such as requiring the removal of identifying information and placing limitations on disclosures.
The Committee acknowledges the Information Commissioner’s suggestion that, as an additional protection, the restriction on the disclosure of ‘identifying information’ in proposed section 315H be extended beyond commercial information to apply to ‘personal information’, as defined in the Privacy Act 1988.
However, the Committee notes that there are already suitable protections in place for personal information, including the Privacy Act 1988, the Australian Security Intelligence Organisation Act 1979 and the Attorney-General’s Guidelines (made under the ASIO Act). ASIO’s handling of personal information is also subject to the oversight of the Inspector-General of Intelligence and Security.
Nevertheless, the Committee considers that the existing protections for personal information are not readily apparent on the face of the Bill. The Committee recommends that the Bill be amended to make it clear that subsection 315H(2) is intended to complement existing requirements, including those under the Privacy Act 1988, regarding use, disclosure and destruction of personal information