Australian government's metadata access may be widened

The Attorney-General's Department has admitted that proposed mandatory data retention legislation may be used for far more than what the government has claimed it will be required for.

Attorney-General George Brandis has been contradicted by his own department, with the agency admitting data retention may be used to investigate more than what the government has previously indicated.

"The mandatory data-retention regime applies only to the most serious crime. Only to crime, and only to the highest levels of crimes," Brandis said on ABC's Q&A program on Monday night

The legislation before parliament would require telecommunications companies to retain an as-yet-undefined set of customer data such as assigned IP addresses, billing information, call logs and other data for two years. This data can then be accessed by a limited number of law enforcement agencies under the legislation for the investigation of serious criminal activity such as terrorism or child exploitation.

However, while both Brandis and Communications Minister Malcolm Turnbull have said that the legislation aims to protect privacy by limiting the number of agencies that have access to the data and the circumstances under which they can access the data, the legislation does leave scope for additional agencies to get access to the data for a variety of reasons.

On pages 23 to 25 of the legislation, there is the option for the government to allow agencies tasked with enforcing not only criminal law, but also laws with pecuniary penalty, or those protecting public revenue to get access to "prospective data" from telcos under the legislation.

This would potentially mean that agencies such as Centrelink would also be able to access prospective data.

When questioned about this section of the legislation, Brandis' office passed on the questions to the Attorney-General's Department. A spokesperson for the department confirmed that a number of agencies could apply to access the data for issues outside of those outlined by the government.

"The Bill allows the Attorney-General to consider applications from agencies that may have a legitimate need to access telecommunications data or stored communications," the spokesperson said.

"It would be inappropriate to speculate about whether a particular agency may be declared. As a general statement, there are a number of Commonwealth, state and territory agencies that have specialist law enforcement responsibilities.".

The spokesperson said that the Australian Securities and Investments Commission (ASIC) could seek access to the data for investigating corporate offences, while the Department of Foreign Affairs and Trade's passport office could also seek access for investigating passport fraud.

The spokesperson said that the Attorney-General will need to consider each request on its merits, and the declaration would be able to be reviewed by the parliament.

"The Bill requires the Attorney-General to consider a detailed range of factors, including whether the agency actually requires access to these types of information, and whether they are subject to a binding privacy scheme," the spokesperson said.

"The Bill allows the Attorney-General to make conditions on such declarations, including conditions that limit the use of those powers. Importantly, these declarations are 'legislative instruments', which allows parliament to review the declarations."