OAIC still asking for information privacy amendments to data retention regime

It also wants to be consulted before additional authorities or bodies are declared as 'enforcement agencies' or when the categories of retained metadata are to be increased under the data retention regime.

The Office of the Australian Information Commissioner (OAIC) wants clarification on terminology used in Australia's data retention regime, saying that with a lack of definition, "content" and "substance" have the potential to see more personal information than is necessary be collected.

The OAIC made the request in its submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security's (PJCIS) review of the mandatory data retention regime of the Telecommunications (Interception and Access) Act) 1979 (TIA Act).

The OAIC said Section 187AA of the TIA Act sets out the kinds of information a service provider is required to keep under the regime. It notes that service providers are not required to keep "information that is the contents or substance of a communication".

"The terms 'contents' and 'substance' are not defined in the TIA Act. The OAIC considers that clarifying these terms would create greater certainty and enhance privacy protections by reducing the potential for more personal information to be collected than is necessary for the purposes of the regime," it wrote.

"With this in mind, the OAIC recommends that the committee consider amending the TIA Act to define the terms 'contents' and 'substance' where they appear."

See also: Home Affairs floats making telcos retain MAC addresses and port numbers

The OAIC also asks the committee to consider reducing the retention period to better ensure the proportionality of the regime.

"As the OAIC raised in its 2015 submission to the committee, evidence should be provided to the public to demonstrate the proportionality of this measure," it said.

While the OAIC said it appreciates that a reduction in the data retention period may impact on some law enforcement activities, it said the statistics reported from enforcement agencies suggest that the continued retention of data for two years may not be proportionate to the privacy impacts on individuals.

Some agencies however, like the Australian Commission for Law Enforcement Integrity, would in an ideal world like to see the two-year period for retention be stretched to a longer period.

"It will be many years before the telecommunications data which is presently still retained by telecommunications providers, outlives its usefulness to law enforcement," it said in its submission to the review last month.

"The dangers of mandating a minimum retention period include the possibility that telecommunications providers, which presently retain more data than is required under the regime, will eventually, and perhaps sooner rather than later, reduce their holdings, and that all providers will treat the minimum as a maximum."

Further, the OAIC wants the TIA Act to incorporate an express obligation on service providers and enforcement bodies to destroy or de-identify telecommunications data after a specifically defined period.

Currently, there is no defined time frame under the regime for the destruction of telecommunications data obtained by an enforcement body.

"The potential consequences of data and security breaches increase with the quantities of personal information retained," the OAIC said.

See also: Optus gained exemption to store metadata unencrypted

Countering requests for more agencies to be granted permission to access telco data, the OAIC wants to implement measures to restrict the number, asking it be limited to those covered by safeguards in the TIA Act.

"As the law currently stands, there appears to be mechanisms for accessing telecommunications data outside of the TIA Act that, while permitted, have the practical impact of reducing the effectiveness of safeguards in the TIA Act," the OAIC submission continued.

Similarly, the OAIC has asked that any expansion of the scope regarding which agencies can have access to telecommunications data under the regime be made through legislative amendments to the TIA Act rather than through legislative instruments to ensure transparency and accountability.

Alongside this recommendation is the request that an amendment be made to include a requirement for the Information Commissioner to be consulted before additional authorities or bodies are declared to be "enforcement agencies" or when categories of retained metadata are to be increased.

The OIAC also asked that there be the introduction of a warrant-based scheme to access telecommunications data and a reconsideration is given to limit the purpose for which an authorisation to disclose telecommunications data can be made to "where it is reasonably necessary to investigate a serious offence and safeguard national security".

RELATED COVERAGE