This resource will assist providers of telecommunications services in Australia who are required to comply with the data retention provisions in Part 5-1A of the Telecommunications (Interception and Access) Act 1979 (TIA Act) understand their obligations under the Privacy Act 1988 (Cth) (Privacy Act).
In March 2015, the Australian parliament passed legislation to introduce a data retention scheme into Part 5-1A of the TIA Act. The scheme requires some providers of telecommunications services in Australia (service providers) to collect and retain specified types of telecommunications data (called ‘retained data’ in the TIA Act) for a minimum period of two years. Importantly, Part 5-1A requires all service providers that collect and retain telecommunications data under the data retention scheme to comply with the Privacy Act in relation to that data.
For the larger service providers, their obligations will not change in terms of compliance with the Privacy Act. However, the effect of Part 5-1A will be to bring under the coverage of the Privacy Act service providers who may otherwise have been classed as small businesses and therefore have been exempt, but only in relation to the telecommunications data they are required to collect and retain under that Part.
How will the Privacy Act apply to service providers?
The Privacy Act regulates how Australian and Norfolk Island government agencies and some private sector organisations handle personal information. The Privacy Act includes 13 Australian Privacy Principles (APPs) that set out standards, rights and obligations in relation to handling, holding, accessing and correcting personal information.
The data retention scheme commences on 13 October 2015. From this date, service providers will need to comply with the Privacy Act in relation to the data they collect and retain under Part 5-1A of the TIA Act, including information collected and retained under an approved data retention implementation plan. Importantly, under Part 5-1A, retained data is classified as personal information for the purposes of the Privacy Act and, therefore, must be handled in accordance with the APPs.
It is also important to note that this applies to all service providers that are covered by Part 5-1A, including service providers who are otherwise small businesses for the purposes of the Privacy Act and, therefore, might otherwise have been exempt. Service providers that are already covered by the Privacy Act should ensure they continue complying with their obligations under the Act, including in respect of all other personal information they handle.
What do service providers need to do to comply with the Privacy Act?
To ensure they are able to comply with the Privacy Act when the data retention scheme commences, all service providers should consider their obligations under the APPs. Key obligations include:
Establishing practices, procedures and systems that ensure compliance with the APPs; see the Office of the Australian Information Commissioner’s (OAIC) Privacy Management Framework
Notifying individuals when their personal information is collected: see the APP guidelines: Chapter 5 — Notification of the collection of personal information.
Protecting and securing the personal information they collect and retain: see the OAIC’s Guide to securing personal information
Ensuring personal information sent overseas is protected; see the OAIC’s Sending personal information overseas
Providing individuals with access to the personal information they collect and retain about them: see the APP guidelines: Chapter 12 — Access to Personal Information
Other resources to assist service providers comply with the APPs include Privacy fact sheet 17, which sets out the full text of the APPs, the APP quick reference tool, which provides a short summary of the APPs, and the OAIC’s APP guidelines, which outline the mandatory requirements of the APPs, how the OAIC will interpret the APPs, and matters it may take into account when exercising functions and powers under the Privacy Act. For people who are not familiar with the Privacy Act, a summary of the obligations in the APPs is contained in Introduction to the APPs and the OAIC’s regulatory approach.
How can service providers improve their privacy practices?
Whilst service providers that are also small businesses for the purposes of the Privacy Act may only be required to comply with the Privacy Act in relation to the data they collect and retain under Part 5-1A, as a matter of best practice, the OAIC would encourage those providers to consider handling all the personal information they collect or hold in accordance with the APPs. This has a number of benefits including:
minimising the risk of a data breach, which can have serious consequences for the service provider and individuals
ensuring consistency in the data handling processes of the service provider, which minimises duplication and complexity
ensuring service providers have robust personal information handling procedures in place should their other activities be covered by the Privacy Act in the future.
For further information
The OAIC has a range of privacy resources on its website that will help service providers comply with the Privacy Act.
Service providers should also consider subscribing to the OAIC’s newsletter, OAICnet, which provides news about the OAIC’s activities, publications and other information.
The information provided in this resource is of a general nature. It is not a substitute for legal advice.