Thank you for providing the Office of the Australian Information Commissioner (OAIC) with the opportunity to comment on the exposure draft of the Telecommunications and other Legislation Amendment Bill 2015 (the Bill). The OAIC understands that the Bill, also referred to as the Telecommunications Sector Security Reforms, aims to strengthen the current framework for managing national security risks to Australia’s telecommunications networks.
The OAIC recognises the importance of effectively managing national security risks, including the risks posed by unauthorised interference and access to telecommunications networks. Additionally, the OAIC is supportive of measures to improve the security of those networks as this has the potential to support the protection of personal information handled by the telecommunications sector, particularly in light of the recent introduction of the Government’s data retention scheme.
The OAIC notes the proposal in the Bill to establish new obligations on carriers, carriage service providers and carriage service intermediaries (C/CSPs) to ‘do their best’ to protect their networks and facilities from unauthorised access and interference. This has the potential to overlap with existing security obligations under the Privacy Act 1988 (Privacy Act), in particular, Australian Privacy Principle (APP) 11. In that regard, the comments below are primarily aimed at ensuring the new security obligations on C/CSPs are clear, consistent with obligations under the Privacy Act and that the monitoring and compliance activities undertaken in relation to both C/CSPs’ new obligations and existing Privacy Act obligation are conducted efficiently and avoid duplication.
Aligning the requirement for C/CSPs to ‘do their best’ with the language in APP 11
The Bill proposes to insert new provisions into Part 14 of the Telecommunications Act 1997 (Telecommunications Act), which is titled ‘national interest matters’. This includes adding a new s 313(1A), which will require C/CSPs to ‘do their best’ to protect their telecommunications networks and facilities from unauthorised access and interference to ensure:
the confidentiality of communications carried on, and of information contained on, telecommunications networks, and
the availability and integrity of telecommunications networks and facilities.
The OAIC notes that this new obligation will be one of a number of security obligations that C/CSPs must comply with, which will include:
the existing obligation in APP 11.1 in the Privacy Act, which requires APP entities (including many C/CSPs) to take such steps as are reasonable in the circumstances to protect personal information they hold from misuse, interference and loss, as well as unauthorised access, modification or disclosure, and
the new obligation in s 187BA of the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015, which commences on 13 October 2015 and will require C/CSPs covered by the data retention scheme to protect the confidentiality of information kept under that scheme by encrypting the information and by protecting the information from unauthorised interference or unauthorised access.
The OAIC considers that the potential for overlap between these obligations for C/CSPs makes consistency between these obligations particularly important.
The draft Explanatory Memorandum appears to indicate that the requirement for a C/CSP to ‘do their best’ in the new s 313(1A) is equivalent to the requirements under APP 11.1 to take ‘such steps as are reasonable in the circumstances’. Specifically, the draft Explanatory Memorandum describes the obligation as requiring C/CSPs to take all reasonable steps to prevent unauthorised access and interference for the purpose of protecting the confidentiality of information and the availability and integrity of networks. Further, that what constitutes reasonable steps will depend upon factors specific to each network and business delivery model and that the required mitigation measures will be specific to each network, noting that there will be degrees of risk that vary across networks and providers. However, on the face of the Bill it is not clear whether the requirement in the Bill for C/CSPs ‘to do their best’ has the same meaning as the requirement in APP 11.1, or whether the threshold in the Bill is higher or lower than that in APP 11.1.
The differences in the wording of each obligation may create uncertainty for C/CSPs who are required to comply with both obligations. While the OAIC recognises that the phrase ‘best efforts’ was adopted largely to ensure consistency with the terminology used in the existing provisions in s 313 of the Telecommunications Act (and its legacy provisions), the OAIC suggests that the language of the proposed s 313(1A) be aligned with APP 11.1 by replacing the phrase ‘best efforts’ with ‘such steps as are reasonable in the circumstances’. The Explanatory Memorandum could then explain that an important consideration in determining what steps are reasonable in the circumstances is assessing the risks posed to the particular C/CSP, for example as a result of its outsourcing and offshoring arrangements. This could be further explained in the proposed Administrative Guidelines, which the OAIC understands will be developed to assist C/CSPs to understand what parts of networks are particularly vulnerable to unauthorised access and interference, and provide guidance to C/CSPs on the controls and measures that can be implemented to manage these vulnerabilities.
The OAIC considers aligning the language in the new s 313(1A) with APP 11.1 has a number of benefits, including that it will:
assist in addressing any concerns that it is not clear, on the face of the legislation, what standard is set by the requirement for a C/CSP to ‘do their best’
provide additional clarity for C/CSPs, many of which are already required to comply with the APP 11.1 and are, therefore, familiar with the concept of reasonable steps, and
assist small C/CSPs who will be required to comply with the Privacy Act, including APP 11.1, for the first time following the commencement of the Government’s data retention scheme. The OAIC considers that aligning the language in s 313(1A) with APP 11.1 will make it simpler for such small C/CSPs to understand and comply with both of their new obligations.
Separating out the obligation to protect communications
Section 313(1A) requires C/CSPs to ‘do their best to protect telecommunications networks and facilities from unauthorised access and interference’. The draft Explanatory Memorandum indicates that the focus of the new s 313(1A) is the management of security risks to telecommunications infrastructure, particularly risks arising in relation to outsourcing and offshoring decisions.
The OAIC notes that the construction of this obligation is different to the obligation in APP 11.1, which requires C/CSPs that are covered by the Privacy Act to take reasonable steps to protect the personal information that they hold from unauthorised access and interference, (as well as misuse and loss, and unauthorised modification and disclosure). While taking reasonable steps under APP 11.1 is likely to involve the C/CSP taking steps to protect their networks and facilities, the primary objective of APP 11.1 is the protection of the personal information itself. It may not be clear whether the steps taken to comply with s 313(1A) are the same as those steps a C/CSP would need to take to comply with APP 11.1, or at least a subset of those steps.
The OAIC suggests that the objective of s 313(1A), of protecting information carried or stored on telecommunications networks, could be achieved by framing this as a separate obligation within the Bill (e.g. s 313(1AA)) to ‘take reasonable steps to protect communications carried on, or information contained on, telecommunications networks from unauthorised access and interference.’ Section 313(1A) could then focus on the protection of ‘telecommunications networks and facilities’ from unauthorised access and interference to ensure the integrity and availability of that infrastructure.
The OAIC considers that this approach has a number of benefits, including that:
the objective of protecting communications carried on, or information contained on, telecommunications networks is aligned more explicitly with the obligation itself
the obligation to take reasonable steps to protect that information is aligned with, and builds on, C/CSPs’ existing obligation to take reasonable steps to protect personal information under APP 11.1, and
taking reasonable steps to protect that information would include putting in place measures to protect telecommunications infrastructure from unauthorised access and interference, including managing risks to that information that would arise from outsourcing or offshoring decisions.
The OAIC notes that if this suggestion is adopted, carriers and nominated CSPs will still be required to notify the Communications Access Coordinator, under s 202B of the Telecommunications (Interception and Access) Act 1979 (TIA Act), of any planned changes to the C/CSP’s telecommunications services or systems which would be likely to have a material adverse effect on its ability to protect information carried or contained on telecommunications networks, including changes to outsourcing or offshoring arrangements.
Clarifying what information is captured by ‘communications carried on, or information contained on, telecommunications networks’
The OAIC believes that there would be benefits to be gained from further clarification of what is captured by the phrase ‘communications carried on, or information contained on, telecommunications networks’. The OAIC notes that ‘telecommunications network’ is defined broadly to mean ‘a system or series of systems, that carries, or is capable of carrying, communications by means of guided and/or unguided electromagnetic energy’ (s 7 of the Telecommunications Act). However, the OAIC is not clear:
whether the reference to only ‘telecommunications networks’ rather than ’telecommunication networks and facilities’ is intended to exclude certain types of infrastructure or equipment, such as data storage equipment (eg a CSP’s servers), and
what information ‘is contained on a telecommunications network’ that is not a ‘communication carried on’ such a network. For example, would the subscriber information stored by a web-based messaging service be ‘information contained on a network’, or would this phrase only extend to the messages that are sent using that service?
Accordingly, the OAIC suggests that the Bill, the Explanatory Memorandum and/or proposed Administrative Guidelines could be amended to make clear what information is required to be protected; in particular, whether the obligation extends to stored data that may relate to the provision of a carriage service but which may not, itself, be a communication (such as stored data about a C/CSPs’ subscribers).
The OAIC considers that clarification about whether the obligation in s313(1A) applies to such stored data is particularly important in light of the upcoming commencement of the Government’s data retention scheme, as it will affect the extent to which the obligations overlap with APP 11.1, which will already apply to telecommunications data collected and retained under that scheme.
Monitoring, compliance and investigative activities
Ensuring the new security obligations in the Bill are clear and consistent with existing obligations will be particularly important in the context of the OAIC’s monitoring, compliance and investigative activities. As part of promoting privacy and ensuring compliance with the Privacy Act, the Australian Information Commissioner (Commissioner) is empowered to monitor, or conduct an assessment of, whether personal information is being maintained and handled by an entity in accordance with the APPs (ss 28A and 33C). The Commissioner also has the power to commence an investigation into a suspected or alleged interference with privacy, including an alleged contravention of APP 11.1, either on receipt of a complaint or as a Commissioner initiated investigation.  Further, the Commissioner also issues guidance about privacy obligations and provides advice to stakeholders as part of its guidance related functions (s 28).
The OAIC considers that clarifying the scope of the new security obligations in the Bill and aligning them with APP 11.1 will assist industry in complying with those obligations and also assist the Attorney-General’s Department (AGD) and the OAIC in exercising their respective regulatory powers. In particular, it will:
allow for more efficient and targeted application of resources by both the OAIC and AGD, and
ensure that guidance issued by both AGD and the OAIC is consistent and, thereby, simpler for industry to interpret and apply.
Additionally, the OAIC suggests that these benefits could be further enhanced through the OAIC and the AGD adopting a coordinated and consultative approach to providing guidance and monitoring compliance with s 313(1A) and APP 11.1, where possible. Such an approach will help to avoid duplication and improve the efficiency of the monitoring, compliance and investigative activities undertaken by both agencies.
To give effect to this, it may be appropriate for the OAIC and AGD to implement arrangements that set out how the OAIC and AGD will work together to achieve a coordinated approach. Additionally, it may also be important to establish a process for information sharing in circumstances where, for example, through a data breach notification made to the OAIC or through an investigation undertaken by the OAIC, the OAIC becomes aware of circumstances where a C/CSP has not complied with the new requirements under the Bill.
Sections 315C-315H of the Bill establish new information-gathering powers for the Secretary of the Attorney General’s Department (Attorney-General’s Secretary). The OAIC understands that under these powers, the Secretary is empowered to request information from C/CSPs where that information is relevant to their obligation under s 313(1A). Further, that this is to ensure that the Secretary, as the regulator, has access to information in order to make an assessment of a C/CSP’s compliance with the obligation, and to assess the risk of unauthorised access and interference which could give rise to a national security risk.
The OAIC notes the statement in the draft Explanatory Memorandum that the information to be sought under s 315C(2) is likely to be of a commercial nature rather than personal information and that it is very unlikely that this information would relate to end-users. Rather, that it is intended that the information would likely fall into the category of procurement plans, network or service design plans, tender documentation, contracts and other documents specifying business and service delivery models and network layouts. In this respect, the OAIC notes that if personal information was to be sought by the Attorney General’s Secretary under this power, the Secretary would be required to handle that information in accordance with the APPs.
The OAIC also notes the limitation in s 315H around the sharing of information collected under s 315C(2), which must be for the purpose of either making the assessment of a C/CSP’s compliance with their obligations, or for security purposes. The OAIC understands from the draft Explanatory Memorandum that, in practice, it is likely that information sharing may take place between relevant government agencies, which are covered by the Privacy Act or an equivalent privacy regime. However, to protect the privacy of any affected individuals in the event that personal information is disclosed under s 315C(2), the OAIC recommends that the Bill should require that the entity to which the information is disclosed:
- only use that information for the purposes in s 315H(1), and
- not make any secondary disclosures of that information.
 The Privacy Act 1988 has 13 Australian Privacy Principles (APPs) contained in Schedule 1 of the Act, which set out standards, rights and obligations in relation to handling, holding, accessing and correcting personal information. The APPs apply to Australian Government agencies (and the Norfolk Island administration) and all businesses and not-for-profit organisations with an annual turnover more than $3 million, subject to some exceptions.
 Explanatory Memorandum, Telecommunications and other Legislation Amendment Bill 2015, paragraph 22
 From 13 October 2015, all C/CSPs will need to comply with the Privacy Act in relation to the data they collect and retain under the Government’s data retention scheme, including information collected and retained under an approved data retention implementation plan. Importantly, this applies to all C/CSPs that are covered by the data retention scheme, including service providers who are otherwise exempt from complying with the APPs because they are a small business (under s 6D of the Privacy Act, many small businesses with an annual turnover of $3 million or less do not need to comply with the APPs). For further information see the OAIC’s Privacy Business Resource 11: Telecommunications service providers’ obligations arising under the Privacy Act 1988 as a result of Part 5-1A of the Telecommunications (Interception and Access) Act 1979.
 The OAIC’s interpretation of the requirements under APP 11 (and other APPs) and our approach to monitoring, compliance and enforcement can be found in the OAIC’s Guide to securing personal information, the APP Guidelines, the Privacy regulatory action policy and the Guide to privacy regulatory action.
 The OAIC receives voluntary notifications about data breaches from entities covered by the Privacy Act1988. For more information see the OAIC’s resource: Data breach notification — A guide to handling personal information security breaches. Further, the OAIC notes that as part of the Government’s response to the inquiry of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, the Government agreed to introduce a mandatory data breach notification scheme by the end of 2015.
Was this page helpful?
If you would like to provide more feedback, please email us at firstname.lastname@example.org