IT professional organisation SAGE-AU has called on the government to "fill in the gaps" around the requirements for its mandatory data-retention legislation.
The legislation, currently before the parliament, would require telecommunications companies to retain an as-yet-undefined set of customer data -- such as call records, IP addresses, and billing information -- for a minimum of two years for access by law-enforcement agencies without a warrant.
The telcos have already warned the government that such a scheme will cost hundreds of millions of dollars to set up, and tens of millions each year to maintain. The legislation will not only have a financial impact on the telcos, it will also heavily impact the employees of the carriers, who will be responsible for setting up, operating, and maintaining the systems built for the mandatory data. These workers will also be responsible for responding to requests from law-enforcement agencies and deciding what requests to approve or reject.
SAGE-AU president Robert Hudson told ZDNet that it would be a lot of work for IT professionals.
"We would have a lot of work to do this. We would be chasing our tails in terms of servicing requests for that data," he said.
Although the government has moved to reduce the number of agencies that have access to stored data under the new legislation, Hudson said it is still unclear to carriers how this will be enforced, or how the carriers will know who in an organisation is authorised to request access to the data.
"When Party XYZ says they want access to this data, how do sysadmins know this request is legitimate?"
He said the legislation, as it stands, does not provide enough safeguards for the protection of the data, and echoed calls from Privacy Commissioner Timothy Pilgrim for the legislation to include mandatory data breach notification for leaks of stored metadata.
There was no indication as to the exact format the data would need to be retained in, or whether telcos would need to massage the data into a single format for all agencies. Hudson said that there is much work left to be done on the legislation that Attorney-General George Brandis said was a "priority" to be passed in parliament in the first sitting period in 2015.
"It's a very immature legislation proposal. It's more holes than cheese. There's more questions around it than there are answers," he said.
"It's casting a very wide net to catch a very small fish. As it stands, SAGE-AU could not be considered to support it. We would require a lot more of the gaps to be filled before we consider it. And even then, I don't think it is a good idea, and SAGE-AU doesn't think it is an appropriate path to be taking."
Rival IT professional organisation the Australian Computer Society (ACS), on the other hand, has expressed its support for the government's mandatory data-retention legislation, and has suggested that IT professionals be offered training via the ACS.
The ACS regards training as an important "part of the broader task of ensuring the legislation delivers the outcomes intended and which can be demonstrated to the public that the parliament serves".
"Given the sensitivity of the data, the risk that the scheme potentially represents to the right to privacy, and the consequences if the captured data becomes available to inappropriate people or organisations, it is critical that the ICT professionals involved work with the highest standard of professionalism and ethics," the ACS said.
The ACS proposed that the government could be involved as an employer and independently assess those people who will be working in mission-critical areas, or alternatively legislate licensing arrangements for those working in mission-critical areas.