Retained data in civil proceedings consultation — submission to Attorney-General’s Department
Date: 1 January 2017
Our reference: D2017/000144
Ms Anne Sheehan
Assistant Secretary
Communications Security Branch
Attorney-General’s Department
3-5 National Circuit
BARTON ACT 2600
By email: CommunicationsSecurity@ag.gov.au
Dear Ms Sheehan
Retained data in civil proceedings – consultation
Thank you for the opportunity to provide comments to the review of the general prohibition[1] on telecommunications service providers’ ability to disclose retained data[2] in connection with a civil proceeding (the prohibition).
My comments focus on the privacy impacts that may arise from the proposed changes to the prohibition as it currently applies.
Purpose of the prohibition
The prohibition on the use of retained data in connection with a civil proceeding, contained in Part 13 of the Telecommunications Act 1997 (the Telecommunications Act), reflects recommendations of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) in its February 2015 advisory report into the Government’s proposed data retention laws.[3]
As part of its report, the PJCIS found that ‘the proposed data retention regime is being established specifically for law enforcement and national security purposes and that as a general principle it would be inappropriate for the data retained under that regime to be drawn upon as a new source of evidence in civil disputes’.[4]
However, the PJCIS did recommend the inclusion of a regulation-making power to enable appropriate exceptions to the prohibition intended to mitigate the risk of unintended consequences, such as interference with judicial power, from a blanket prohibition on access to retained data in civil court proceedings.[5]
Review of the prohibition and regulation making power
The data retention scheme is currently subject to safeguards that limit access to retained data to prescribed enforcement agencies.[6]
Any proposal to alter the prohibition on disclosure in connection with a civil proceeding to expand access to retained data will impact on individuals’ privacy.
The right to privacy is not absolute and in some circumstances, privacy rights must necessarily give way where there is a compelling public interest reason to do so. However, proposals that require or authorise the collection, use or disclosure of personal information should be reasonable, necessary and proportionate, having regard to the objectives they seek to achieve.
Were it to be considered necessary, the scope of any regulation that permits broader access to retained data should be drafted as narrowly as possible to achieve the desired policy objective and employ appropriate privacy safeguards. In particular, any regulation should strike an appropriate balance between intrusion on individuals’ privacy, and the overall public policy purposes of the data retention scheme.
Any regulation should be the subject of appropriate consultation, in accordance with section 17 of the Legislation Act 2003, including with the Office of the Australian Information Commissioner.
Further considerations
Australia’s data retention laws expand the nature and volume of data that is compulsorily collected and retained by service providers. The telecommunications industry is currently implementing the system requirements of the data retention scheme. It may be some time before the privacy impacts of the data retention scheme are properly understood.
Having said that, if the Government proceeds to use the regulation-making power to alter the general prohibition on the disclosure of retained data, I recommend further public consultation to ensure that the scope of any regulation is consistent with the purpose of the data retention scheme.
Further, a privacy impact assessment (PIA) should be undertaken to identify any privacy impacts of the proposal, and provide an opportunity to set out any recommendations for managing, minimising or eliminating those impacts. For further information on undertaking a PIA, please see the OAIC’s Guide to undertaking a privacy impact assessment.
I look forward to participating in any further developments regarding this matter. If you would like to discuss any of the comments above or have any questions please contact Jacob Suidgeest, Director Regulation and Strategy on [contact details removed].
Yours sincerely
Timothy Pilgrim
Australian Information Commissioner
Australian Privacy Commissioner
January 2017
Footnotes
[1] As set out in Part 13 of the Telecommunications Act 1997
[2] ‘Retained data’ has the meaning given in the Telecommunications (Interception and Access) Act 1979 (TIA Act)