The Australian Government has responded to the inquiry of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014

3 March 2015

Joint media release

Attorney-General
Senator the Hon George Brandis QC

Minister for Communications
The Hon Malcolm Turnbull MP

The Government will support all of the Committee's recommendations made in its unanimous bipartisan report. Debate will commence in the House of Representatives this week and the Government calls on the Parliament to give effect to the Committee's principal recommendation that the Bill be passed.

This urgent legislation contains a package of reforms to prevent the further degradation of the investigative capabilities of Australia's law enforcement and national security agencies.

Access to metadata plays a central role in almost every counterterrorism, counterespionage, cybersecurity and organised crime investigation. It is also used in almost all serious criminal investigations, including investigations into murder, serious sexual assaults, drug trafficking and kidnapping.

The Australian Federal Police (AFP) has advised that between July and September of 2014 telecommunications data was used in 92 per cent of counterterrorism investigations, 100 per cent of cybercrime investigations, 87 per cent of child protection investigations and 79 per cent of serious organised crime investigations.

However, as the business models of service providers are changing with technology they are keeping fewer records. No responsible government can sit by while those who protect our community lose access to the tools they need to do their job. In the current threat environment we cannot let this essential capability deteriorate further.

On behalf of the Government we thank the Committee for its valuable work and in particular the Chair, Mr Dan Tehan MP, and Deputy Chair, The Hon Anthony Byrne MP. The Report provided a thorough consideration of the Bill and the issues raised in evidence by a wide range of stakeholders. We thank all those who participated in its inquiry and contributed to the report.

We again acknowledge the continued bipartisanship of the Opposition on national security issues. The Government response to the Committee's recommendations is below.

Government response

Parliamentary Joint Committee on Intelligence and Security

Advisory Report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014

Recommendation Government response

Recommendation 1

The Committee recommends that the Government provide a response to the outstanding recommendations from the Committee's 2013 Report of the Inquiry into Potential Reforms of Australia's National Security Legislation by 1 July 2015.

Supported

The Government will write to the Committee by 1 July 2015 setting out its approach to the recommendations in Chapters 2 and 3 of the 2013 Report.

Recommendation 2

The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to include the proposed data set in primary legislation.

Supported

The Government will amend the Bill to include the proposed data set in the Telecommunications (Interception and Access) Act 1979 (TIA Act).

Recommendation 3

To provide for emergency circumstances, the Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended so that the Attorney-General can declare items for inclusion in the data set under the following conditions:

  • The declaration ceases to have effect after 40 sitting days of either House;
  • An amendment to include the data item in legislation should be brought before the Parliament before the expiry of the 40 sitting days; and
  • The amendment should be referred to the Parliamentary Joint Committee on Intelligence and Security with a minimum of 15 sitting days for review and report.

Supported

The Government agrees that flexibility is needed to amend the data set.

The Government will amend the Bill to allow the Attorney-General to declare items to be included in the data set subject to conditions giving effect to the limitations identified by the Committee.

The Government further proposes to specify that such a declaration may take effect at a future date, to provide appropriate notice to providers of an amended obligation.

Recommendation 4

The Committee recommends that the proposed data set published by the Attorney-General's Department on 31 October 2014 be amended to incorporate the recommendations of the Data Retention Implementation Working Group.

Supported

The Government established the joint government and industry Implementation Working Group (IWG) to work with the telecommunications industry on data retention.

The Government appreciates the IWG's views and agrees that the Bill be amended to give effect to the IWG's recommendations.

Recommendation 5

The Committee recommends that the Explanatory Memorandum to the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to make clear that service providers are not required to collect and retain customer passwords, PINs or other like information.

Supported

Customer passwords and PINs are not required to be stored under the data retention regime.

The Government will amend the Explanatory Memorandum to provide additional clarity and reassurance that the data retention regime does not require providers to collect and retain customer passwords, PINs and other like information.

Recommendation 6

The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to make clear that service providers are only required to retain telecommunications data to the extent that such information is, in fact, available to that service provider.

Supported

The Government agrees there is benefit in clarifying the extent of the data retention obligation on service providers.

The Government will amend the Bill to clarify that data retention obligations apply only to the activities relevant to a carrier's service. Under the regime, carriers are not required to retain data on applications running over the top of their service that are provided by a different carrier.

Recommendation 7

The Committee recommends that the Explanatory Memorandum to the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to make clear that service providers are not required to keep web-browsing histories or other destination information, for either incoming or outgoing traffic.

Supported

The data retention regime does not require service providers to keep web-browsing histories and other destination information, for either incoming or outgoing traffic in relation to web-browsing.

The Government will amend the Explanatory Memorandum to clarify that service providers are not required to keep this information.

Recommendation 8

The Committee recommends that the Explanatory Memorandum to the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to provide greater clarity in defining 'sessions' in proposed new subsection 187A(7) of the Bill.

Supported

The Government agrees that the concept of 'session' can vary depending on service types and will amend the Explanatory Memorandum to provide greater clarity about the term.

Recommendation 9

The Committee recommends that the two-year retention period specified in section 187C of the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be maintained.

Supported

The Bill will continue to specify a retention period of two years.

Recommendation 10

The Committee recommends that the Explanatory Memorandum to the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 clarify the requirements for service providers with regard to the retention, de-identification or destruction of data once the two year retention period has expired.

Supported

The Privacy Act 1988 provides a framework for the destruction of personal information where this information is no longer required under law or for a legitimate business purpose.

The Government will amend the Explanatory Memorandum to explicitly draw attention to the Australian Privacy Guidelines issued by the Office of the Australian Information Commissioner.

Recommendation 11

The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to define the term 'infrastructure' in greater detail, for the purposes of paragraph 187A(3)(c).

Supported

The Government will amend the Bill to include a definition of 'infrastructure' in section 187A(3)(c) as any equipment or line used to facilitate communications across a telecommunications network. 'Equipment', 'line' and 'telecommunications network' are defined by section 5 of the TIA.

Recommendation 12

The Committee recommends that the Attorney-General's Department and national security and law enforcement agencies provide the Parliamentary Joint Committee on Intelligence and Security with detailed information about the impact of the exclusion of services provided to a single area pursuant to subparagraph 187B(1)(a)(ii) as part of the Committee's review of the regime, pursuant to section 187N of the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014.

Supported

The Government agrees that the Department and agencies will provide information regarding excluded services to the Committee when it carries out its review pursuant to section 187N of the Bill.

Recommendation 13

The Committee recommends that proposed section 187B in the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to require the Communications Access Co-ordinator to consider the objects of the Privacy Act 1988 when considering whether to make a declaration under proposed subsection 187B(2). If there is any uncertainty or a need for clarification, the Co-ordinator should consult with the Australian Privacy Commissioner on that issue before making such a declaration.

Further, the Co-ordinator should be required to notify the Parliamentary Joint Committee on Intelligence and Security of any declaration made under 187B(2) as soon as practicable after it is made.

Supported

The Government will amend the Bill to require the Communications Access Co-ordinator (CAC) to consider the objects of the Privacy Act when declaring that the data retention obligation applies to an otherwise exempt service provider.

The Government will further amend the Explanatory Memorandum to identify that the CAC may, if required, consult with the Privacy Commissioner.

The Government will also amend the Bill to require the PJCIS to be notified of declarations made under proposed section 187B.

Recommendation 14

To provide for emergency circumstances, the Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended so that the Attorney-General can declare additional classes of service providers under the following conditions:

  • The declaration ceases to have effect after 40 sitting days of either house;
  • An amendment to include the class of service provider in legislation should be brought before the Parliament before the expiry of the 40 sitting days; and
  • The amendment should be referred to the Parliamentary Joint Committee on Intelligence and Security with a minimum of 15 sitting days for review and report.

Supported

The Government agrees that flexibility is needed to include additional classes of service providers within the scheme.

The Government will amend the Bill to allow the Attorney-General to declare additional classes of service providers subject to conditions giving effect to the limitations identified by the Committee.

The Government further proposes to specify that such a declaration may take effect at a future date, to provide appropriate notice to providers of a new obligation.

Recommendation 15

The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 and accompanying Explanatory Memorandum be amended to enable the Communications Access Co-ordinator to refer any disputes over proposed implementation plan exemptions or variations to the Australian Communications and Media Authority for determination.

Supported

The Government will amend the Bill so that the Australian Communications and Media Authority (ACMA) will determine disputes arising from proposed implementation plan exemptions and variations.

The Bill currently provides ACMA with a role to determine disputes in relation to data retention implementation plans between the Communications Access Co-ordinator (CAC) and service providers. However, there is no such referral power when a service provider has applied to the CAC for an exemption or variation from the data retention obligations.

This amendment to the Bill will ensure a consistent approach to dispute-resolution between the CAC and service providers.

Recommendation 16

The Committee recommends that the Government make a substantial contribution to the upfront capital costs of service providers implementing their data retention obligations. When designing the funding arrangements to give effect to this recommendation, the Government should ensure that an appropriate balance is achieved that accounts for the significant variations between the services, business models, sizes and financial positions of different companies within the telecommunications industry. In particular, the Committee recommends that the Government ensure that the model for funding service providers:

  • Provides sufficient support for smaller service providers, who may not have sufficient capital budgets or operating cash flow to implement data retention, and privacy and security controls, without up-front assistance;
  • Minimises any potential anti-competitive impacts or market distortions;
  • Accounts for the differentiated impact of data retention across different segments of the telecommunications industry;
  • Incentivises timely compliance with their data retention obligations;
  • Provides appropriate incentives for service providers to implement efficient solutions to data retention;
  • Does not result in service providers receiving windfall payments to operate and maintain existing, legacy systems; and
  • Takes into account companies that have recently invested in compliant data retention capabilities in anticipation of the Bill's passage.

Supported

The Government has previously announced its commitment to make a reasonable contribution to the upfront capital expenditure required to implement data retention obligations.

The Government will take into account each of the seven factors identified by the Committee in designing the funding arrangements.

Recommendation 17

The Committee recommends that criminal law-enforcement agencies, which are agencies that can obtain a stored communications warrant, be specifically listed in the Telecommunications (Interception and Access) Act 1979.

To provide for emergency circumstances, the Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended so that the Attorney-General can declare an authority or body as a criminal law-enforcement agency subject to the following conditions:

  • The declaration ceases to have effect after 40 sitting days of either House;
  • An amendment to specify the authority or body as a criminal law-enforcement agency in legislation should be brought before the Parliament before the expiry of the 40 sitting days; and
  • The amendment should be referred to the Parliamentary Joint Committee on Intelligence and Security with a minimum of 15 sittings days for review and report.

Further, consistent with the existing provisions of the Bill, the Attorney-General must have regard to the factors listed in proposed paragraphs 110A(4)(b)-(f), and must also be satisfied on reasonable grounds that the functions of the agency include investigation serious contraventions.

Supported

The Government agrees there is benefit in listing agencies that can obtain a stored communications warrant in the TIA Act, but that flexibility is required to be able to include additional criminal law enforcement agencies expeditiously.

The Government will amend the Bill to allow the Attorney-General to declare additional criminal law-enforcement agencies subject to conditions giving effect to the limitations identified by the Committee.

The Government will amend the Bill to require that the Attorney-General must be satisfied on reasonable grounds that the functions of the agency to be declared include the investigation of serious contraventions.

Recommendation 18

The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, or its Explanatory Memorandum, or both, be amended to provide that the characteristics of a binding scheme referred to in proposed subparagraph 110A(4)(c)(ii) of the Telecommunications (Interception and Access) Act 1979 include a mechanism:

  • For monitoring the authority or body's compliance with the scheme; and
  • To enable individuals to seek recourse if their personal information is mishandled.

The Committee notes that the Australian Privacy Commissioner currently has these functions in relation to Commonwealth agencies, and some States have privacy commissions which would be well placed to perform these functions within these jurisdictions. Other jurisdictions may need to expand the functions of their existing oversight bodies, or establish new oversight arrangements to meet these requirements.

Supported

The Government will amend the Bill to require that a binding privacy scheme include a mechanism for monitoring compliance and enabling individuals to seek recourse in the event their personal information is mishandled.

Recommendation 19

The Committee recommends that the Attorney-General's Department review whether:

  • the agencies which may access the content of communications (either by way of interception warrants or stored communications warrants) under the Telecommunications (Interception and Access) Act 1979 should be standardised, and
  • The Attorney-General's declaration power contained in proposed section 11A of the Telecommunications (Interception and Access) Act 1979 in respect of criminal law-enforcement agencies should be adjusted accordingly.

The Committee further recommends that the Attorney-General report to Parliament on the findings of review by the end of the implementation phase of the data retention regime.

Supported

The Government notes that this recommendation is closely related to the Committee's previous recommendation, contained in its 2013 Report of the inquiry into potential reforms of Australia's national security legislation, that the Attorney-General's Department examine the standardisation of thresholds for accessing the content of communications.

The Government agrees to the Department conducting a review of thresholds for access as proposed.

The Government will indicate its approach to the outstanding recommendations of the 2013 report by July 2015 in accordance with Recommendation 1.

Recommendation 20

The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to list the Australian Securities and Investments Commission (ASIC) and the Australian Competition and Consumer Commission (ACCC) as criminal law-enforcement agencies under proposed section 110A of the Telecommunications (Interception and Access) Act 1979.

Supported

The Government recognises the law enforcement related functions of these agencies and will amend the Bill to specifically list these agencies as criminal law-enforcement agencies in the TIA Act.

Recommendation 21

The Committee recommends that enforcement agencies, which are agencies authorised to access telecommunications data under internal authorisation, be specifically listed in the Telecommunications (Interception and Access) Act 1979.

To provide for emergency circumstances the Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended so that the Attorney-General can declare an authority or body as an enforcement agency subject to the following conditions:

  • The declaration ceases to have effect after 40 sitting days of either House;
  • An amendment to specify the authority or body as an enforcement agency in the legislation should be brought before the Parliament before the expiry of the 40 sitting days; and
  • The amendment should be referred to the Parliamentary Joint Committee on Intelligence and Security with a minimum of 15 sitting days for review and report.

Further, consistent with the existing provisions of the Bill, the Attorney-General must have regard to the factors listed in proposed paragraphs 176A(4)(b)-(f), and must also be satisfied on reasonable grounds that the functions of the agency include enforcement of the criminal law, administering a law imposing a pecuniary penalty, or administering a law relating to the protection of the public revenue.

Supported

The Government agrees there is benefit in listing agencies that can access telecommunications data in the TIA Act but that flexibility is required to be able to include additional enforcement agencies expeditiously.

The Government will amend the Bill to allow the Attorney-General to declare additional enforcement agencies subject to conditions giving effect to the limitations identified by the Committee.

The Government will amend the Bill to require that the Attorney-General must be satisfied on reasonable grounds that the functions of the agency to be declared include the enforcement of the criminal law, administering a law imposing a pecuniary penalty or administering a law relating to the protection of public revenue.

Recommendation 22

The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, or the Explanatory Memorandum, or both, be amended to provide that the characteristics of a binding scheme referred to in proposed subparagraph 176A(4)(c)(ii) of the Telecommunications (Interception and Access) Act 1979 include a mechanism:

  • For monitoring the authority or body's compliance with the scheme; and
  • To enable individuals to seek recourse if their personal information is mishandled.

The Committee notes that the Australian Privacy Commissioner currently has these functions in relation to Commonwealth agencies, and some States have privacy commissions which would be well placed to perform these functions within these jurisdictions. Other jurisdictions may need to expand the functions of their existing oversight bodies, or establish new oversight arrangement to meet these requirements.

Supported

The Government will amend the Explanatory Memorandum to clarify that a binding privacy scheme should generally include a mechanism for monitoring compliance and enabling individuals to seek recourse in the event their personal information is mishandled.

Recommendation 23

The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to prohibit civil litigants from being able to access telecommunications data that is held by a service provider solely for the purpose of complying with the mandatory data retention regime.

To enable appropriate exceptions to this prohibition the Committee recommends that a regulation making power be included.

Further, the Committee recommends that the Minister for Communications and the Attorney-General review this measure and report to the Parliament on the findings of that review by the end of the implementation phase of the Bill.

Supported

The Government will amend the Bill to include an amendment to the Telecommunications Act 1997 to preclude access to telecommunications data retained and used by a service provider solely for the purpose of complying with the mandatory data retention scheme for the purposes of civil litigation, and to include the recommended regulation-making power.

As the Committee has noted, parties to a very wide range of civil litigation, including international child abduction matters and cases involving family or domestic violence, currently access telecommunications data under court order on a routine basis. The Government agrees with the Committee's assessment that this recommendation has the potential to give rise to unintended consequences.

The Government response will preserve existing access to data while restricting access to data accumulated and used solely by reason of the data retention obligation.

The Government will also initiate the recommended review, to be led by the Department of Communications in consultation with the Attorney-General's Department.

Recommendation 24

The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to make clear that individuals have the right to access their personal telecommunications data retained by a service provider under the data retention regime. Telecommunications service providers should be able to recover their costs in providing such access, consistent with the model applying under their Privacy Act in respect of giving access to personal information.

Supported

The Government will amend the Bill to cross reference existing mechanisms under the Privacy Act 1988 for access to personal information and the associated cost recovery ability.

Recommendation 25

The Committee recommends that section 180F of the Telecommunications (Interception and Access) Act 1979 be replaced with a requirement that, before making an authorisation under Division 4 of 4A of Part 4-1 of the Act, the authorised officer must be satisfied on reasonable grounds that any interference with the privacy of any person or persons that may result from the disclosure or use is justifiable and proportionate.

In making this decision the authorised officer should be required to have regard to:

  • The gravity of the conduct being investigated, including whether the investigation relates to a serious criminal offence, the enforcement of a serious pecuniary penalty, the protection of the public revenue at a sufficiently serious level or the location of missing persons;
  • The reason why the disclosure is proposed to be authorised; and
  • The likely relevance and usefulness of the information or documents to the investigation.

Supported

The Government will amend the TIA Act to provide that issuing authorities are required under section 180F to 'be satisfied' on reasonable grounds of relevant matters rather than 'having regard to' those matters.

Recommendation 26

The Committee acknowledges the importance of recognising the principle of press freedom and the protection of journalists' sources. The Committee considers this matter requires further consideration before a final recommendation can be made.

The Committee therefore recommends that the question of how to deal with the authorisation of a disclosure or use of telecommunications data for the purpose of determining the identity of a journalist's source be the subject of a separate review by the Committee.

The Committee would report back to Parliament within three months.

In undertaking this inquiry, the Committee intends to conduct consultations with media representatives, law enforcement and security agencies and the Independent National Security Legislation Monitor. The review will also consider international best practice, including data retention regulation in the United Kingdom.

Supported

The Government agrees to refer the question of the appropriate approach to disclosure or use of telecommunications data to identify journalists' sources to the Committee for further consideration.

The Government notes that Australia's existing legal framework is founded on robust legal principles to provide fair and equal treatment of all subject to its laws.

Recommendation 27

The Committee recommends that the Telecommunications (Interception and Access) Act 1979 be amended to require agencies to provide a copy to the Commonwealth Ombudsman (or Inspector General of Intelligence and Security (IGIS) in the case of ASIO) of each authorisation that authorises disclosure of information or documents under Chapter 4 of the Act for the purpose of determining the identity of a journalist's sources.

The Committee further recommends that the IGIS or Commonwealth Ombudsman be required to notify this Committee of each instance in which such an authorisation is made in relation to ASIO and the AFP as soon as practicable after receiving advice of the authorisation and be required to brief the Committee accordingly.

Supported

The Government will amend the Bill to require agencies to provide all authorisations issued for the purpose of determining the identity of journalists' sources be provided to the Commonwealth Ombudsman or the Inspector-General of Intelligence and Security as appropriate at the next relevant inspection.

The Government will amend the Bill to require agencies to notify the Attorney-General of each such authorisation and further require that the Attorney-General provide a report to the PJCIS annually.

Recommendation 28

The Committee recommends that the Attorney-General's Department oversee a review of the adequacy of the existing destruction requirements that apply to documents or information disclosed pursuant to an authorisation made under Chapter 4 of the Telecommunications (Interception and Access) Act 1979 and held by enforcement agencies and ASIO.

The Committee further recommends that the Attorney-General report to Parliament on the findings of the review by 1 July 2017.

Supported

The Government will conduct a review as recommended.

Recommendation 29

The Committee recommends that the Government consider the additional oversight responsibilities of the Commonwealth Ombudsman set out in the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 and ensure that the Office of the Commonwealth Ombudsman is provided with additional financial resources to undertake its enhanced oversight responsibilities.

Supported in principle

The Government supports the provision of sufficient funding to the Ombudsman to ensure it can undertake its enhanced oversight responsibilities. Funding for the Ombudsman will be considered through the Budget process.

Recommendation 30

The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to require the Parliamentary Joint Committee on Intelligence and Security to commence its review no later than the second anniversary of the end of the implementation period.

The Committee considers it is desirable that a report on the review be presented to the Parliament no later than three years after the end of the implementation period.

Supported

The Government will amend the Bill to reflect the recommended reporting timeframes for the PJCIS' Review of the Data Retention Scheme under section 187P.

Recommendation 31

At the time of the review required to be undertaken by the Parliamentary Joint Committee on Intelligence and Security under proposed section 187N of the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, the Committee recommends that the Attorney-General request the Committee to examine the following issues:

  • The effectiveness of the scheme,
  • The appropriateness of the dataset and retention period,
  • Costs,
  • Any potential improvements to oversight,
  • Regulations and determinations made,
  • The number of complaints about the scheme to relevant bodies, and
  • Any other appropriate matters.

To facilitate the review, the Committee recommends that agencies be required to collect and retain relevant statistical information to assist the Committee's consideration of the above matters. The Committee also recommends that all records of data access requests be retained for the period from commencement until the review is concluded.

Finally the Committee recommends that, to the maximum extent possible, the review be conducted in public.

Supported

The Government agrees that the review of the data retention scheme should be broad and open to the public, where possible. The review should also be informed by relevant information collected from the date of implementation.

The Government agrees to request that the Committee consider each of the issues identified.

Recommendation 32

The Committee recommends that the Attorney-General coordinate the provision of a standing secondee or secondees to the secretariat of the Parliamentary Joint Committee on Intelligence and Security, in recognition of the additional oversight and review requirements associated with the Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014 and the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014

Supported

The Attorney-General will engage with the Chair of the Committee to establish suitable arrangements to support the Committee's work in response to the Committee's recommendation.

Recommendation 33

The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to require the annual report prepared under section 187P to include:

  • Costs of the scheme,
  • Use of implementation plans,
  • Category of purpose for accessing data, including a breakdown of types of offences,
  • Age of data sought,
  • Number of requests for traffic data, and
  • Number of requests for subscriber data.

The Committee also recommends that the Attorney-General's Department provide the Committee with an annual briefing on the matters included in this report.

Supported

The Government will amend the Bill to include a requirement that the Attorney-General report on the matters specified in the recommendation.

The Government will amend the Bill to require that that Department offer the Committee a briefing on the report.

Recommendation 34

The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to provide that the Committee may inquire into any matter raised in the annual report prepared under proposed section 187P, including where this goes to a review of operational matters.

Legislative change to the Intelligence Services Act 2001 should be implemented to reflect this changed function.

The Committee further recommends that the Commonwealth Ombudsman and Inspector-General of Intelligence and Security provide notice to the Committee should either of them hold serious concerns about the purpose for, or the manner in which, retained data is being accessed.

Supported

The Government considers there is benefit in conferring an appropriate function on the Committee for the purposes of establishing a further oversight mechanism for the operation of the data retention scheme.

Consistent with the focus of the PJCIS on non-operational matters concerning security and intelligence, the new function would enable the PJCIS to inquire into the effectiveness of the operation of the data retention scheme, with respect to the purpose and manner of access by ASIO and AFP (to the extent those agencies are the subject of PJCIS oversight).

Recommendation 35

Having regard to the regulatory burden on small providers with an annual turnover of less than $3 million, the Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to require all service providers to be compliant, in respect of retained data, with either the Australian Privacy Principles or binding rules developed by the Australian Privacy Commissioner.

Supported
The Government agrees that carriers bound by data retention obligations must comply with a clear privacy framework.

The Government will amend the Bill to provide that service providers required to comply with data retention obligations will be subject to the Australian Privacy Principles or binding rules developed by the Australian Privacy Commissioner.

Recommendation 36

The Committee recommends that the Government enact the proposed Telecommunications Sector Security Reforms prior to the end of the implementation phase for the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014.

Supported

The Government will introduce a Telecommunications Sector Security Reform scheme prior to the conclusion of the data retention implementation period.

Recommendation 37

The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to require service providers to encrypt telecommunications data that has been retained for the purposes of the mandatory data retention regime.

To give effect to this recommendation, the Committee recommends that the Data Retention Implementation Working Group develop an appropriate standard of encryption to be incorporated into regulations, and that the Communications Access Co-ordinator be required to consider a provider's compliance with this standard as part of the Data Retention Implementation Plan process.

Further, the Communications Access Co-ordinator should be given the power to authorise other robust security measures in limited circumstances in which technical difficulties prevent encryption from being implemented in existing systems used by service providers.

Supported

The Government supports the Committee's recommendation and will amend the Bill to include an obligation to encrypt and secure data retained as part of the service provider's mandatory data retention obligations.
As the Committee has noted encryption may not always be possible or appropriate. Accordingly the Government will amend the Bill to allow service providers to address their approach to encryption through a Data Retention Implementation Plan.

The Government has established a joint government-industry Implementation Working Group. The Group will continue to support the implementation of the data retention scheme, including consideration of technical implementation issues.

Recommendation 38

The Committee recommends introduction of a mandatory data breach notification scheme by the end of 2015.

Supported

The Government agrees to introduce a mandatory data breach notification scheme by the end of 2015, and will consult on draft legislation.

Recommendation 39

The Committee recommends that, following consideration of the recommendations in this report, the Telecommunications (Interception and Access Amendment (Data Retention) Bill 2014 be passed.

Supported