Warnings Australian spy agency won't delete retained data

The inspector-general of Intelligence and Security has warned that Australia's top spy agency is under no obligation to delete data it receives under mandatory data-retention legislation.
Written by Josh Taylor, Contributor

The Australian Security Intelligence Organisation (ASIO) is not required to delete data that it has obtained from telcos under the mandatory data-retention legislation, the inspector-general of Intelligence and Security has warned.

Under the legislation, telecommunications companies will be required to retain a set of so-called metadata, not limited to but including call records, location information, and IP addresses for at least two years. This data can then be accessed by law-enforcement agencies including ASIO without a warrant.

The telecommunications companies are bound by the Australian Privacy Principles to delete private data no longer required by the company for its business, and the telcos have asked the government to clarify whether the data-retention legislation will exempt the telcos from those provisions for the data they're required to retain.

There are no such provisions for the agencies that receive the data from the telcos, however.

Inspector-General of Intelligence and Security Dr Vivienne Thom, who is charged with oversight of ASIO, has warned the parliament that Australia's top spy agency is under no obligation to delete any of the data it receives under the mandatory data-retention legislation.

"Once ASIO has lawfully obtained telecommunications data from a carrier or carriage service provider, there is no statutory requirement for ASIO to either delete the data or to make an active decision as to whether the material is, or continues to be, relevant to security," Thom warned in her submission to the parliamentary inquiry into the legislation.

"The Attorney-General's Guidelines and an agreement with the National Archives, allow most intelligence collected by ASIO to be retained indefinitely."

The only data that ASIO is required to destroy, Thom said, is content data that is obtained by ASIO under a warrant.

"It is reasonable for data that is relevant to an ongoing operation to be retained. Some operations run for many years. However, if data that is obtained 'in connection with an ASIO function' turns out to be not relevant to security or is relevant but only for a period of time, there is no positive requirement for ASIO to delete this data," Thom said.

"This is a privacy issue that needs to be balanced against the need for ASIO to obtain and analyse data in order to identify material relevant to security."

Thom said that some telecommunications providers accidentally send ASIO incorrect customer data as part of mandatory data retention, but that her office is routinely notified when this occurs.

Additionally, Thom said that the legislation only sets out the minimum for data to be retained by telcos, and any other data that is also retained by the telcos can be accessed by ASIO.

Privacy Commissioner Timothy Pilgrim, in his submission, called for the legislation to be amended to require mandatory data breach notification if there is a leak of the data retained by the telcos.

"By creating a large repository of personal information, the proposed data-retention scheme increases the risk and possible consequences of a data breach," Pilgrim stated.

"This is because the challenge of effectively securing that information from misuse, interference, and loss, and from unauthorised access, modification, or disclosure will become more difficult as technology evolves."

He said that telcos are amongst the most complained about to his office, and have been the subject of 13 investigations since 2010, including Telstra accidentally making the details of 734,000 customers available online in 2011.

Telstra said in its submission that the company has "a strong track record in protecting customer data from cybersecurity threats".

Pilgrim also noted that law-enforcement agencies have yet to provide any evidence publicly as to why the data needs to be retained for two years, when 90 percent of all investigations relate to data less than one year old.

Thom, Telstra, Optus, Vodafone, the Attorney-General's Department, ASIO, the Australian Federal Police, and state police forces are due to front the committee in hearings on Thursday and Friday.

Editorial standards