No agencies temporarily allowed to access telecommunications metadata: AGD

While organisations such as Australia Post, the RSPCA of Victoria, Bankstown City Council, and Victorian Taxi Services have sought access to telecommunications metadata stored on Australian residents without a warrant, the Attorney-General's Department (AGD) has said no agency has so far gained approval from Attorney-General George Brandis.

"The attorney-general has not temporarily declared any additional enforcement agencies," AGD said in a statement.

Under Australian data-retention laws, enforcement agencies are able to warrantlessly access two years' worth of customers' call records, location information, IP addresses, billing information, and other data stored by telcos.

AGD said that 21 agencies were currently able to access information, including: The Australian Security Intelligence Organisation; Australian Federal Police; the six state police forces and Northern Territory police; Australian Commission for Law Enforcement Integrity; Australian Crime Commission; Immigration and Border Protection Department; Australian Securities and Investments Commission; Australian Competition and Consumer Commission; NSW Crime Commission; NSW Independent Commission Against Corruption; NSW Police Integrity Commission; Victoria's Independent Broad-Based Anti-Corruption Commission; Crime and Corruption Commission of Queensland; Western Australia's Corruption and Crime Commission; and South Australia's Independent Commissioner Against Corruption.

Yesterday, under a Freedom of Information (FOI) request, the names of 57 agencies asking to be designated an enforcement agency as defined under the Telecommunications (Interception and Access) Act was released by AGD.

The names of four agencies were redacted, with AGD citing potential damage to relationships between the department and the relevant agencies as the reason for the non-disclosure.

Bankstown City Council was one of the agencies named, with a spokesperson telling ZDNet that it had previously used telecommunications metadata in a number of successful prosecutions for illegal dumping.

"We only ever had access to call records which assisted us in placing a person at the scene of an illegal dumping offence after they initial deny involvement," the spokesperson said. "One involved the dumping of around 20,000 tonnes of waste at five different sites."

The metadata-retention legislation allows for the attorney-general of the day to unilaterally make changes to what is retained and who could access the data in "emergency circumstances". Any such declarations expire after 40 sitting days of parliament, with amendments to legislation to be brought before parliament within that 40-day window.

The legislation mandating metadata collection by telecommunication companies passed the Australian parliament in March last year, thanks to the votes of the Labor party.

In October last year, Telstra said it is possibly the only Australian telco with an approved data-retention implementation plan, but that it would take 18 months to build.

At the time, former iiNet CTO John Lindsay downplayed the data-retention legislation coming into force.

"Data retention actually started months ago," he said on Twitter. "All that starts this week is the obligation to back it up securely."

Despite the Joint Parliamentary Committee on Intelligence and Security recommending in February 2015 that Australia has data-breach notification laws in place before the end of 2015, no such laws are yet in place

The earliest that Australia will have a working data-breach notification scheme is set to be sometime in 2017, after the AGD has released its exposure draft of amendments to the Privacy Act.