OAIC wants visual on what telcos are handing over under data retention regime
Australian Information and Privacy Commissioner Angelene Falk has agreed with the Parliamentary Joint Committee on Intelligence and Security (PJCIS) that physically seeing the datasets that telecommunications providers are handing over under the country’s data retention regime would enhance her agency’s role.
“We have not seen the actual disclosures. We’ve seen the documents that are required to be kept under Section 306 of the Telecommunications Act, which are around time, date, provision that’s been authorised,” Falk told the committee on Friday.
Under the Telecommunications Act, the Office of the Australian Information Commissioner (OAIC) can monitor and inspect telecommunication service providers’ compliance with record-keeping obligations when disclosing telecommunications data to agencies.
Facing the PJCIS and its review of the data retention regime that came into being in March 2015, Falk was asked whether having visibility of the actual data would benefit the OAIC.
“I do think that it would enhance the oversight; I think there’d be a couple of things that would assist in enabling that more readily: One is to include … a list of the kinds of information that are permitted to be disclosed under the TIA Act and that would then enable my office to look at what has been provided,” she said.
“I would likely need some enhancements to my enforcement regime and the ability to compulsorily acquire information in the context of an assessment, which I don’t currently have.
“It is something that I would like to have, the government’s announced a review of the Privacy Act, and they’re the kinds of matters that I’ll be putting forward.”
Falk said the OAIC has provided guidance and carried out inspections and assessments of telecommunications providers, and that those inspections and assessments have identified both good implementation of obligations and areas for improvement.
“In those cases, recommendations are made and have been accepted by the regulated entities,” she said. “My office will continue to carry out inspections and assessments in order to assess and address any privacy risks in the system.”
Committee members raised concerns, however, that the data possessed by telcos is not totally stored within Australia.
While Falk admitted her staff has visited storage centres in Australia, she said she was unaware of regime-related data being stored offshore.
“Under the Privacy Act, Australian privacy principle 11 requires the telecommunications providers to take reasonable steps to secure the data protected from unauthorised access, loss, disclosure, and so what we’re looking for is to ensure that the controls that we would expect — the access controls, the physical security, the governance — meets that reasonable steps test,” she continued.
“The location of the data is one aspect that any provider will need to consider in their risk assessment and they need to ensure that they have the reasonable steps in place.
“The location of the data in and of itself is not the issue. It’s the security parameters around it.”
The committee said it had been under the impression that all data would be kept onshore once the regime commenced, until it realised this wasn’t the case. Falk said that while there isn’t a data localisation provision in the law, she was not submitting that there should be.
“I note that in the My Health Records provisions, there is a requirement to store that data onshore and so these are all, I think, valid lines of inquiry with the telecommunications providers,” she said.
“I don’t have information that suggests that it’s located anywhere other than Australia, as at the time when we conducted these assessments last year.”
In her opening statement, Falk said some of the privacy issues raised by the OAIC back in 2015 have been addressed, but other “key” ones that sought to establish privacy safeguards were not adopted or fully adopted.
“For example, we recommended that access to retained data be limited to where it is reasonably necessary to prevent or detect a serious offence and to safeguard national security,” she explained.
Falk asked the committee to consider reducing the potential for personal information to be collected outside of what is intended or reasonably necessary under the regime.
“This goes to the issue that’s previously been raised around defining what’s out of the regime, through the meaning of ‘content’ and ‘substance’ of communications,” she said.
Echoing remarks made by Human Rights Commissioner Edward Santow, who appeared before her on Friday, Falk asked the committee to consider reducing the retention period.
“A high proportion of telecommunications data accessed by law enforcement is less than 12 months old, with the majority of data accessed being less than three months old,” she reiterated. “To complement that, to introduce an express obligation to destroy or de-identify telecommunications data after a defined period, noting that the impact of any data breach can increase with the commensurate increase in the volume of data that’s retained.”
Falk also asked the PJCIS to consider measures that ensure access to retained data is appropriately limited to agencies operating under the Telecommunications Interception and Access regime, and that any increase in the agencies lawfully able to access data be set out in the legislation by way of legislative amendment.
She wants the committee to similarly consider limiting the purposes for accessing historical data to where it’s reasonably necessary and consider introducing a warrant system.
“Warrants would provide one of the strongest forms of privacy protection through the exercise of real time, independent oversight over the operations of the regime,” she said.
“Analysis of telecommunications data can paint a very detailed picture of an individual’s location, movements, habits, relationships, and preferences with accuracy and detail that increases in line with the nature and volume of that data that’s available.
“With this in mind, I do recommend that the committee consider limiting the purpose for which an authorisation to disclose telecommunications data can be made to where it is reasonably necessary to investigate serious offences, safeguard national security, and to consider within the context of all the evidence whether a warrant system should be introduced.”