Telecommunications and Other Legislation Amendments Bill 2016 — submission to PJCIS

Date: 1 February 2017

Our reference: D2016/009410

Inquiry Secretary
Parliamentary Joint Committee on Intelligence and Security
PO Box 6021
Parliament House
Canberra ACT 2600

Via email: pjcis@aph.gov.au

Submission on the Telecommunications and Other Legislation Amendments Bill 2016

Thank you for the opportunity to provide the Parliamentary Joint Committee on Intelligence and Security with this submission to the Inquiry into the Telecommunications and Other Legislation Amendments Bill 2016 (the Bill).

The Office of the Australian Information Commissioner (OAIC) is an independent Commonwealth statutory agency. The OAIC was established by the Australian Parliament to bring together three functions:

  • privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Privacy Act), and other Acts)
  • freedom of information functions (access to information held by the Commonwealth Government in accordance with the Freedom of Information Act 1982), and
  • information management functions (as set out in the Information Commissioner Act 2010).

I provided comments on exposure drafts of the Bill[1] and was consulted on relevant revisions that have been made to the Bill and the Explanatory Memorandum. While the Bill and accompanying Explanatory Memorandum have addressed most issues raised in my earlier submissions, I would like to draw the Committee’s attention to relevant issues and suggest some remaining improvements.

Alignment of new security obligation with the Privacy Act

In the OAIC’s submission on the first exposure draft, the OAIC suggested a number of changes that were intended to align carriers and carriage service providers’ (C/CSPs’) new security obligations in s 313(1A), which requires C/CSPs to ‘do their best’ to protect telecommunications networks and facilities, with their existing obligations to ‘take reasonable steps’ to protect personal information under Australian Privacy Principle (APP) 11.1 in the Privacy Act. I considered it important to align terms as far as is appropriate to assist the regulated community to comply.

The Attorney-General’s Department’s draft guidelines for industry and the Explanatory Memorandum now explain that the term ‘do your best’ in s 313(1A) broadly means taking all reasonable steps to protect networks and facilities from unauthorised access and interference. Further, what constitutes reasonable steps in a particular circumstance to secure a network or facility will differ depending on the risk factors of that network or facility.

Additionally, I welcome that the scope of the new obligation in s 313(1A) and its relationship with APP 11.1 has been clarified.

Finalising the draft guidelines for industry will provide a further opportunity to ensure alignment with the Privacy Act where appropriate. The OAIC looks forward to continuing to engage on these issues as the guidelines are finalised.

Protecting disclosure of personal information

The OAIC’s submission on the first exposure draft said that the Bill should be amended to prevent the secondary disclosure of any personal information collected under the proposed s 315C. The Bill was not amended; however, I appreciate that instead a full and clear explanation of the reason why that amendment was not needed was added to the second exposure draft Explanatory Memorandum. For example, the Explanatory Memorandum states that information would ‘generally be de-identified prior to being shared to remove personal information, unless information needs to be shared for the purposes of security’.

Section 315H sets out how information obtained by the Communications Access Co-ordinator or the Secretary of the Attorney-General’s Department may be used and disclosed, including disclosed to persons other than the Secretary of the Attorney-General’s Department or their delegate.

I note that s 315H(2) restricts the disclosure of ‘identifying information’ to a person who is not a Commonwealth officer. Identifying information ‘means information that identifies the carrier, carriage service provider or carriage service intermediary concerned’. I suggest, as an additional protection, that this restriction on the disclosure of ‘identifying information’ is extended beyond commercial information to apply to ‘personal information’ as defined in the Privacy Act.

If you would like to discuss any of the comments above or have any questions, please contact Sophie Higgins on [contact details removed].

Yours sincerely

Timothy Pilgrim
Australian Information Commissioner
Australian Privacy Commissioner

February 2017

Footnotes

[1] OAIC, Submission to Attorney-General’s Department on the Telecommunications Sector Security Reforms (August 2015) – available at https://www.oaic.gov.au/engage-with-us/submissions/submission-to-attorney-general-s-department-on-the-telecommunications-sector-security-reforms; OAIC, Second exposure draft of the Telecommunications and other Legislation Amendment Bill 2015 – submission to Attorney-General’s Department (18 January 2016) – available at https://www.oaic.gov.au/engage-with-us/submissions/second-exposure-draft-of-the-telecommunications-and-other-legislation-amendment-bill-2015-submission-to-attorney-general-s-department.
