The Australian Information Industry Association (AIIA) has raised concerns that the federal government's draft legislation for mandatory data retention may not be the most effective means of protecting public safety and security.
The peak national body, which represents over 400 member organisations within the Australian IT sector, including Apple, Google, EMC, IBM, and Intel, as well as Telstra and Optus, has highlighted in its submission that there is too much ambiguity around the scope of the requests, and inadequate detailing of the financial impact the legislation will have on service providers and consumers.
Under the draft legislation, Australian telecommunications companies will be required to retain customer data for two years, which will include call records, address information, email addresses, and assigned IP addresses.
Service providers will also have the opportunity to seek an exemption from the requirement, but at the discretion of the Communications Access Coordinator.
"The exact scope of data to be collected remains ambiguous. The description of information that may be encompassed by the legislation (described in the Explanatory Memorandum Schedule 1, Part 1, paragraph 26), creates more rather than less ambiguity," the group said.
"Frequent reference to 'any information' and 'any identifier' relating to the data elements (ie, contracts, plans, agreements, data, etc) will create compliance challenges, and without specific guidance, service providers will be compelled to over-engineer their systems and compliance regimes."
Under the Bill, service providers have the opportunity to seek a data-retention implementation plan if they are not able to comply immediately. However, the AIIA has argued that the proposed 18-month implementation plan period for service providers is dubious.
"Given the infrastructure required to comply with the requirements, it is questionable if the proposed 18-month implementation plan period is sufficient," the group said.
At the same time, the AIIA said that it does not support the proposed two-year data-retention period, noting that in similar initiatives, such as in the European Union, retention periods are typically between six and 12 months. Instead, the group suggested that any data required to be retained should be kept for the shortest amount of time that is needed to support the operations of agencies.
"In our view, Australian security agencies have not to date provided any substantive justification for the extended two-year period," it said.
The AIIA also said that, due to the "complex technical solutions and security arrangements ... required to accommodate the vast amount of data to be retained", it will "impose significant additional cost on service providers".
The Australian Computer Society (ACS), on the other hand, has expressed that it strongly supports the government's efforts. It suggested that the best way for the federal government to deal with the introduction of data retention is to provide support and assistance to the ACS to train IT professionals. The ACS regards training as an important "part of the broader task of ensuring the legislation delivers the outcomes intended and which can be demonstrated to the public that the parliament serves".
"Given the sensitivity of the data, the risk that the scheme potentially represents to the right to privacy, and the consequences if the captured data becomes available to inappropriate people or organisations, it is critical that the ICT professionals involved work with the highest standard of professionalism and ethics," the ACS said.
The ACS proposed that the government could be involved as an employer and independently assess those people who will be working in mission-critical areas, or alternatively legislate licensing arrangements for those working in mission-critical areas.