Australian Government - Office of the Australian Information Commissioner

Summary of OAIC’s inspection of telecommunications organisations’ records of disclosure under the Telecommunications Act

February 2016

Introduction

The Office of the Australian Information Commissioner (OAIC) undertook inspections of four telecommunications organisations to assess their compliance with their record keeping obligations under the Telecommunications Act 1997 (Telecommunications Act).

Sections 306 and 306A of the Telecommunications Act require carriers and carriage service providers to make records of disclosure (setting out prescribed information) when they are requested to disclose information they hold in accordance with specific disclosure exceptions found in the Telecommunications Act or the Telecommunications (Interception and Access) Act 1979 (TIA Act).

Under section 309 of the Telecommunications Act, the Australian Information Commissioner (Commissioner) has the function of monitoring compliance with the record keeping requirements of ss 306 and 306A of that Act.


Selection of targets and methodology

The OAIC decided to conduct the inspections because telecommunications organisations in Australia hold large amounts of personal information on individuals in relation to their fixed and mobile telecommunication accounts. In addition, since the inspections were carried out, the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth) was passed, which increased the period of time these organisations are required to retain ‘metadata’ for law-enforcement purposes.

The OAIC chose to inspect Telstra, Vodafone, Optus and iiNet because they are four of the largest telecommunications organisations in Australia.

OAIC inspectors requested a sample of records from the 2012–13, 2013–14 and 2014–15 financial years. The OAIC inspected the records at the organisations’ premises between 11 and 24 March 2015.


Sampling

The OAIC requested that each telecommunications organisation compile a random sample of 204 records of disclosures made under ss 306 and 306A, drawn from each quarter of the 2012–13, 2013–14 and 2014–15 financial years.

Telstra, Vodafone and Optus provided the inspectors with the requested random sample of 204 records. iiNet was unable to provide the inspectors with the requested sample, and the inspectors reviewed only 144 records drawn from the period 1 April 2013 to 30 June 2015.

The samples were randomly selected across different time periods and were not based on the purpose of disclosure. However, records assessed from Optus had a higher proportion of records of disclosures made to emergency services and the Telecommunications Industry Ombudsman (TIO) (ss 286 and 287 of the Telecommunications Act) relative to the other three providers. This was due to the way the sample was required to be drawn across Optus’ different record processing areas.

Consequently, due to the makeup of the sample and the different ways in which the telecommunications organisations process and store the records, it is not appropriate to directly compare the results of the four telecommunications organisations. Rather, the findings and recommendations are aimed at identifying any practices and procedures that can improve, based on the records inspected, within each organisation assessed.


Key Findings

The OAIC noted the telecommunications organisations’ cooperative and responsive approaches towards the inspection and findings. Each organisation accepted the OAIC’s recommendations (where made) and indicated they would implement them or explore technological changes to implement them.

The inspectors found the following in relation to the telecommunications organisations’ obligations under ss 306 and 306A of the Telecommunications Act.

Telstra

In the sample inspected, Telstra was complying with its record keeping obligations under ss 306 and 306A of the Telecommunications Act and the inspectors did not identify any issues.

Vodafone

In the sample inspected, Vodafone was complying with its record keeping obligations under s 306 of the Telecommunications Act but was not fully complying with s 306A. The OAIC made one recommendation to Vodafone.

The inspectors identified 18 records made under s 306A of the Telecommunications Act for which Vodafone was unable to demonstrate it had appropriately recorded the dates of the first and last disclosure where required.

Section 306A(5)(b)(ii) of the Telecommunications Act requires records of disclosures made under a s 180(2) or s 180B(2) TIA Act prospective authorisation to include the dates of the first and last disclosure where more than one disclosure is made due to that authorisation.

Vodafone had relied on its record of the start and end date of a prospective authorisation and the corresponding disclosure period start and end dates to fulfil the requirement of s 306A(5)(b)(ii). However, the inspectors considered that this did not fulfil the requirements of the Telecommunications Act.

For example, if a law enforcement agency had requested from Vodafone access to records of all future telephone calls by a person between 1 January and 31 January under a prospective authorisation, Vodafone would record those dates. However, the first call of the person may not have occurred until 3 January and the last call on 29 January. The Telecommunications Act requires Vodafone to keep a record of the first and last disclosure, being 3 January and 29 January in this scenario.

Optus

In the sample inspected, Optus was not fully complying with its record keeping obligations under ss 306 and 306A of the Telecommunications Act. The OAIC made three recommendations to Optus related to the following issues.

First, as with Vodafone, Optus had relied on its record of the start and end date of a prospective authorisation and the corresponding disclosure period start and end dates to fulfil the requirement of s 306A(5)(b)(ii). As such, the inspectors identified six records made under s 306A of the Telecommunications Act for which Optus was unable to demonstrate it had appropriately recorded the dates of the first and last disclosure where required.

Second, the inspectors identified 10 records that were incomplete as they did not contain the date Optus disclosed the information as required under s 306(5)(b) of the Telecommunications Act.

Third, for three records (a subset of the 10 identified above), Optus had not retained a record of the email responses it had sent to the requesting agency. For disclosures made via the relevant system, the email responses form part of the records under s 306(2)(b). Therefore, Optus was unable to demonstrate that it had maintained records of disclosure for three years for those three records as required by s 306(2)(b).

iiNet

The inspectors found that iiNet was not complying with its obligations under ss 306 and 306A of the Telecommunications Act because, for the sample requested for inspection, it was unable to demonstrate that it had maintained records of the disclosures it made under the relevant sections of the Telecommunications Act and TIA Act and had maintained the appropriate records for three years.

Although the records iiNet produced for inspection included the required information, iiNet was unable to produce all the record samples from 1 July 2012 to January 2015 requested by the inspectors. The inspectors were not satisfied that iiNet had appropriate processes and procedures to ensure that it was complying with its ss 306 and 306A obligations.

The OAIC made three recommendations to iiNet. In summary, they were that iiNet:

  • take immediate steps to ensure that it maintains appropriate records of disclosures made under ss 306 and 306A of the Telecommunications Act in accordance with its obligations
  • establish clear and appropriate processes and procedures which cover how staff are to handle requests for disclosures under the Telecommunications Act and TIA Act
  • provide appropriate training to the staff members who handle requests for disclosures with appropriate regard to the requirements of the Telecommunications Act, TIA Act, Privacy Act and iiNet’s associated obligations.


Follow up

The OAIC will assess Vodafone’s, Optus’s and iiNet’s implementation of the OAIC recommendations in 2016.

The OAIC will also begin a further assessment of iiNet’s compliance with its obligations under ss 306 and 306A of the Telecommunications Act and Privacy Act 1988 (Cth) within the 2015–16 financial year.

The OAIC has drafted a business resource called Keeping records of disclosures under the Telecommunications Act 1997 which will be distributed to carriers and carriage service providers to assist them in complying with ss 306 and 306A of the Telecommunications Act. The OAIC intends to conduct further inspections of other carriers and carriage service providers under the Telecommunications Act.


Background — legislative record keeping requirements

Section 306 of the Telecommunications Act provides that if a carrier or carriage service provider discloses information or a document under a provision of Division 3 of the Telecommunications Act (other than ss 279, 285, 285A, 290, 291 or 291A) or under ss 177, 178, 179, 180(3) or 180A of the TIA Act, they must make a record of the disclosure within five days after the disclosure and retain that record for three years.

Further, s 306(5) sets out that a record of disclosure must include:

  • the name of the person who disclosed the information
  • the date of disclosure
  • a statement of the grounds for the disclosure
  • if the disclosure was made under an authorisation allowed in the TIA Act (that is, ss 178, 179, 180(3) or 180A):
    • the name of the person who made the authorisation
    • the date of the making of the authorisation
  • if the disclosure was not made under an authorisation in the TIA Act but the disclosure was requested by another party:
    • the requesting party’s name
    • the date of the request
  • if the disclosure is about the content or substance of a communication via a carriage service (for example telephone, internet or Voice over Internet Protocol (VoIP) services), the particulars of the carriage service.

Section 306A of the Telecommunications Act provides that where a carrier or carriage service provider discloses information or a document under a prospective authorisation in force due to ss 180(2) or 180B(2) of the TIA Act, they must make a record of the disclosure within five days after the disclosure and retain that record for three years.

Further, s 306A(5) sets out that a record of disclosure must include:

  • the name of the person who disclosed the information
  • if only one disclosure is made because of the authorisation, the date of disclosure
  • if more than one disclosure is made because of the authorisation, the date of the first and last disclosure
  • a statement of the grounds for the disclosure or disclosures
  • the name of the person who made the authorisation
  • the date the authorisation was made.

Under s 309(2)(b) of the Telecommunications Act, the Commissioner’s function of monitoring carriers and carriage service providers’ compliance includes monitoring whether the grounds for a disclosure stated in the record is one of the exceptions referred to in ss 306 and 306A of the Telecommunications Act.
