Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Retained data in civil proceedings consultation — submission to Attorney-General’s Department

Our reference: D2017/000144

Ms Anne Sheehan
Assistant Secretary
Communications Security Branch
Attorney-General’s Department
3-5 National Circuit
BARTON ACT 2600

By email: CommunicationsSecurity@ag.gov.au

Dear Ms Sheehan

Retained data in civil proceedings – consultation

Thank you for the opportunity to provide comments to the review of the general prohibition[1] on telecommunications service providers’ ability to disclose retained data[2] in connection with a civil proceeding (the prohibition).

My comments focus on the privacy impacts that may arise from the proposed changes to the prohibition as it currently applies.

Purpose of the prohibition

The prohibition on the use of retained data in connection with a civil proceeding, contained in Part 13 of the Telecommunications Act 1997 (the Telecommunications Act), reflect recommendations of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) in its February 2015 advisory report into the Government’s proposed data retention laws.[3]

As part of its report, the PJCIS found that ‘the proposed data retention regime is being established specifically for law enforcement and national security purposes and that as a general principle it would be inappropriate for the data retained under that regime to be drawn upon as a new source of evidence in civil disputes’.[4]

However, the PJCIS did recommend the inclusion of a regulation-making power to enable appropriate exceptions to the prohibition intended to mitigate the risk of unintended consequences, such as interference with judicial power, from a blanket prohibition on access to retained data in civil court proceedings.[5]

Review of the prohibition and regulation making power

The data retention scheme is currently subject to safeguards that limit access to retained data to prescribed enforcement agencies.[6]

Any proposal to alter the prohibition on disclosure in connection with a civil proceeding to expand access to retained data will impact on individuals’ privacy.

The right to privacy is not absolute and in some circumstances, privacy rights must necessarily give way where there is a compelling public interest reason to do so. However, proposals that require or authorise the collection, use or disclosure of personal information should be reasonable, necessary and proportionate, having regard to the objectives they seek to achieve.

Were it to be considered necessary, the scope of any regulation that permits broader access to retained data should be drafted as narrowly as possible to achieve the desired policy objective and employ appropriate privacy safeguards. In particular, any regulation should strike an appropriate balance between intrusion on individuals’ privacy, and the overall public policy purposes of the data retention scheme.

Any regulation should be the subject of appropriate consultation, in accordance with section 17 of the Legislation Act 2003, including with the Office of the Australian Information Commissioner.

Further considerations

Australia’s data retention laws expand the nature and volume of data that is compulsorily collected and retained by service providers. The telecommunications industry is currently implementing the system requirements of the data retention scheme. It may be some time before the privacy impacts of the data retention scheme are properly understood.

Having said that, if the Government proceeds to use the regulation-making power to alter the general prohibition on the disclosure of retained data, I recommend further public consultation to ensure that the scope of any regulation is consistent with the purpose of the data retention scheme.

Further, a privacy impact assessment (PIA) should be undertaken to identify any privacy impacts of the proposal, and provide an opportunity to set out any recommendations for managing, minimising or eliminating those impacts. For further information on undertaking a PIA, please see the OAIC’s Guide to undertaking a privacy impact assessment.

I look forward to participating in any further developments regarding this matter. If you would like to discuss any of the comments above or have any questions please contact Jacob Suidgeest, Director Regulation and Strategy on [contact details removed].

Yours sincerely

Timothy Pilgrim
Australian Information Commissioner
Australian Privacy Commissioner

January 2017

Footnotes

[1] As set out in Part 13 of the Telecommunications Act 1997

[2] ‘Retained data’ has the meaning given in the Telecommunications (Interception and Access) Act 1979 (TIA Act)

[3]Advisory Report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (PJCIS Advisory Report), Recommendation 23

[4] PJCIS Advisory Report at [6.115]

[5] PJCIS Advisory Report, Recommendation 23

[6] Section 176A of the TIA Act