Keeping records of disclosures under the Telecommunications Act 1997
1 February 2016
This resource provides an overview for telecommunication service providers of their obligations to maintain records of disclosures under ss 306 and 306A of the Telecommunications Act 1997. The resource includes a checklist at Appendix A to help providers ensure the relevant requirements are met when creating records of disclosures.
Overview
Generally, the Telecommunications Act 1997 (Telecommunications Act) prohibits the disclosure of information obtained during the supply of telecommunications services.[1] However, both the Telecommunications Act and the Telecommunications (Interception and Access) Act 1979 (TIA Act) contain exceptions to this general prohibition that enable telecommunication service providers to disclose information in limited circumstances.
If a telecommunication service provider discloses information under certain exceptions contained in the Telecommunications Act or the TIA Act, it must create and keep a record of the disclosure. These records must comply with specific requirements contained in ss 306 and 306A of the Telecommunications Act.
The Office of the Australian Information Commissioner (OAIC) is responsible for monitoring compliance with the record keeping requirements contained in Part 13, Division 5 of the Telecommunications Act.[2]
Who needs to comply with the record-keeping requirements?
Generally, the ss 306 and 306A record-keeping requirements in the Telecommunications Act apply to ‘eligible persons’.[3] An ‘eligible person’ includes a carrier, carriage service provider and their respective employees.[4] The record-keeping requirements also apply to ‘associates’, which includes a person who performs services for or on behalf of the carrier or carriage service provider.[5] These entities are collectively referred to as ‘telecommunication service providers’ in this resource.
More information about the terms ‘carrier’ and ‘carriage service provider’ can be found on the Australian Communications and Media Authority’s website at www.acma.gov.au.
When do the record-keeping requirements apply?
Under ss 306 and 306A, if a telecommunication service provider discloses information in accordance with certain exceptions, it must create a record of disclosure. The exceptions fall into two broad categories: s 306 applies to ‘general disclosure exceptions’ and s 306A applies to ‘prospective authorisation exceptions’.
The general disclosure exceptions enable telecommunication service providers to disclose information in certain circumstances, including to prevent or lessen a serious and imminent threat to the life or health of a person, or if summoned to give evidence or produce documents. The prospective authorisation provisions in the TIA Act generally enable criminal law-enforcement agencies to authorise telecommunication service providers to disclose information or documents that may come into existence during a particular future period of time.[6]
The exceptions that impose a record-keeping requirement are outlined at Appendix B.
When does the record need to be created?
For general disclosures, records must be created within five days of the date of disclosure.[7] For prospective authorisations, the record must be created within five days of the day on which the authorisation ceases to be in force.[8]
If an associate makes a disclosure, they must make a record within five days of the date of disclosure and give that record to the carrier or carriage service provider within five days of making the record.[9] For prospective authorisations, the associate must make a record within five days of the day on which the authorisation ceases to be in force and give a copy of that record to the carrier or provider within five days of making the record.[10]
What information needs to be included in the record?
Section 306 of the Telecommunications Act sets out the requirements for records of disclosures made on the grounds of a general disclosure exception (see Table 1 at Appendix B). Section 306A of the Telecommunications Act sets out the requirements for records of disclosures made on the grounds of a prospective authorisation exception (see Table 2 at Appendix B). These records may be made, given or retained in either written or electronic form.[11] The requirements of ss 306 and 306A are dealt with separately in the tables below.
Section 306: Records of disclosure — general
| Section | Information that must be included |
| --- | --- |
| s 306(5)(a) | The name of the person who disclosed the information or document concerned (see Key Concepts below) |
| s 306(5)(b) | The date of the disclosure |
| s 306(5)(c) | A statement of the grounds for the disclosure (see Key Concepts below) |
| s 306(5)(d) | If the disclosure is made on the grounds of an authorisation under the TIA Act (ss 178, 179, 180(3) or 180A): name of the person who made the authorisation; date of the making of the authorisation |
| s 306(5)(e) | If the disclosure was not made under an authorisation in the TIA Act, but the disclosure was requested by another body or person: the requesting party’s name; date of request |
| s 306(5)(f) | If the information or document relates to the contents or substance of a communication carried by a carriage service (for example telephone, internet or Voice over Internet Protocol (VoIP) services), the particulars of that carriage service |
Section 306A: Records of disclosure — prospective authorisations
| Section | Information that must be included |
| --- | --- |
| s 306A(5)(a) | The name of the person or persons who made the disclosure or disclosures (see Key Concepts below) |
| s 306A(5)(b) | The date of the disclosure: if only one disclosure is made because of the authorisation — the date of the disclosure, or if more than one disclosure is made because of the authorisation — the date of the first and date of the last disclosures (see Key Concepts below) |
| s 306A(5)(c) | A statement of the grounds for the disclosure (see Key Concepts below) |
| s 306A(5)(d) | The name of the person who made the authorisation and the date of the making of the authorisation (see Key Concepts below) |
Key concepts
Name of the person who disclosed the information
In most cases, the name of the ‘person’ who disclosed the information will be the name of the telecommunication service provider.[12] However, there may be some instances where a service provider will need to record the name of the individual who makes the disclosure. For example, s 281 of the Telecommunications Act authorises disclosure of information by a person summoned to give evidence. As only individuals may give evidence in court, in this instance the record of disclosure should identify the name of the individual who made the disclosure.
As a matter of best practice, the OAIC recommends that records of disclosure include both the name of the telecommunication service provider and the name (or other unique identifier) of the individual who made or actioned the disclosure/s. Telecommunication service providers should also be mindful of their obligations under Australian Privacy Principle (APP) 11, which requires APP entities to take reasonable steps to protect personal information they hold. A reasonable step that entities could take to protect the personal information they hold is to record the employee name (or other unique identifier) on records of disclosures to help identify instances of unauthorised access or disclosure.
A statement of the grounds for the disclosure
The record of disclosure should identify the relevant provision in either the Telecommunications Act or the TIA Act that authorised the disclosure.
Name of the person who made the authorisation
Under the authorisation provisions in the TIA Act (ss 178, 179, 180, 180A and 180B), only an ‘authorised officer’[13] from a requesting entity may authorise a telecommunication service provider to disclose information. Consequently, the ‘name of the person’ who made the authorisation should be the name or other identifier of the individual officer from the requesting entity that authorised the disclosure.
Prospective authorisations — Date of the first and last disclosure
As outlined above, the prospective authorisation provisions in the TIA Act generally enable law enforcement agencies to authorise telecommunication service providers to disclose information or documents that may come into existence during a particular future period of time. The OAIC considers that a disclosure occurs each time specified information or a document comes into existence during the authorisation period and is then released by the service provider to the relevant law enforcement agency.
The ‘date of the first disclosure’ means the date the first specified document or piece of information is disclosed to the relevant law enforcement agency. Similarly, the ‘date of the last disclosure’ refers to the date the last specified document or piece of information is disclosed to the relevant law enforcement agency. Consequently, the record should identify the dates of the first and last disclosure of information to the law enforcement agency. These dates may not necessarily correspond to the dates of the start and end of the authorisation period.
How long do providers need to keep records of disclosures?
All records of disclosure must be retained for three years from the date of creation. Copies of records of disclosures given to a carrier or carriage service provider by an associate must also be kept by the carrier or carriage service provider for three years.
What is the role of the Office of the Australian Information Commissioner?
Under s 309 of the Telecommunications Act, the Information Commissioner has the function of monitoring compliance with the record-keeping requirements of ss 306 and 306A of that Act. The OAIC may conduct inspections of telecommunication service providers’ records to ensure they comply with these requirements. There are offences and penalties under the Telecommunications Act for failing to comply with the record-keeping requirements.[14]
The OAIC has a range of privacy resources on its website to assist telecommunication service providers to comply with the Privacy Act.
Service providers should also consider subscribing to the OAIC’s newsletter, OAICnet, which provides news about the OAIC’s activities, publications and other information.
The information provided in this resource is of a general nature. It is not a substitute for legal advice.
Appendix A: Records of disclosure checklist
The purpose of this checklist is to assist telecommunication service providers to address the record-keeping requirements contained in ss 306 and 306A of the Telecommunications Act.
Question 1
Is the disclosure made on the grounds of a general disclosure exception?
The general disclosure exceptions are ss 280, 281, 284, 286, 287, 288, 289, 292 of the Telecommunications Act and ss 177, 178, 179, 180(3), 180A of the TIA Act.
See also Table 1 at Appendix B.
YES: Go to Question 3
NO: Go to Question 2
Question 2
Is the disclosure made on the grounds of a prospective authorisation exception?
The prospective authorisation exceptions are ss 180 and 180B of the TIA Act.
See also Table 2 at Appendix B.
YES: Go to Question 11
NO: A record of disclosure is not required under ss 306 or 306A of the Telecommunications Act
Question 3
Does the record include the name of the person who disclosed the information?
The OAIC recommends that records include both the name of the telecommunication service provider and the name or other identifier of the individual who made or actioned the disclosure/s.
YES: Go to Question 4
NO: Non-compliant. You must address this issue before continuing to Q4
Question 4
Does the record include the date of disclosure?
YES: Go to Question 5
NO: Non-compliant. You must address this issue before continuing to Q5
Question 5
Does the record include a statement of the grounds of disclosure?
The record must identify the relevant provision in either the Telecommunications Act or the TIA Act that authorised the disclosure.
YES: Go to Question 6
NO: Non-compliant. You must address this issue before continuing to Q6
Question 6
Was the disclosure made voluntarily by the telecommunication service provider to an enforcement agency under s 177 of the TIA Act?
YES: Go to Question 18
NO: Go to Question 7
Question 7
Was the disclosure made on the grounds of an authorisation under ss 178, 179, 180(3) or 180A of the TIA Act?
YES: Go to Question 8
NO: Go to Question 10
Question 8
Does the record include the name of the person who made the authorisation?
The record should include the name of the authorised officer that authorised the disclosure.
YES: Go to Question 9
NO: Non-compliant. You must address this issue before continuing to Q9
Question 9
Does the record include the date of the making of the authorisation?
YES: Go to Question 18
NO: Non-compliant. You must address this issue before continuing to Q18
Question 10
If the disclosure was requested by another body or person, does the record include the name of the body or person and the date of request?
YES: Go to Question 18
NO: Non-compliant. You must address this issue before continuing to Q18
Question 11
Does the record include the name of the person who disclosed the information or documents?
As stated above, the OAIC recommends that records include both the name of the telecommunication service provider and the name or other identifier of the individual who made or actioned the disclosure/s.
YES: Go to Question 12
NO: Non-compliant. You must address this issue before continuing to Q12
Question 12
Was more than one disclosure made under the prospective authorisation?
YES: Go to Question 14
NO: Go to Question 13
Question 13
Does the record include the date of the disclosure?
YES: Go to Question 15
NO: Non-compliant. You must address this issue before continuing to Q15
Question 14
Does the record include the date of the first and the date of the last disclosure?
The record must include the first and last dates that information was disclosed to the law enforcement agency during the authorisation period. The first and last dates of disclosure may not correspond with the first and last date of the authorisation period.
YES: Go to Question 15
NO: Non-compliant. You must address this issue before continuing to Q15
Question 15
Does the record include a statement of the grounds for the disclosure or disclosures?
The record must identify the relevant provision in the TIA Act that authorised the disclosure.
YES: Go to Question 16
NO: Non-compliant. You must address this issue before continuing to Q16
Question 16
Does the record include the name of the authorised officer of the criminal law enforcement agency who made the authorisation?
YES: Go to Question 17
NO: Non-compliant. You must address this issue before continuing to Q17
Question 17
Does the record include the date the authorisation was made?
YES: Go to Question 19
NO: Non-compliant. You must address this issue before continuing to Q19
Question 18
Was the record created within five days after the disclosure?
YES: Go to Question 20
NO: Non-compliant. You must address this issue before continuing to Q20
Question 19
Was the record created within five days after the day on which the authorisation ceased to be in force?
YES: Go to Question 20
NO: Non-compliant. You must address this issue before continuing to Q20
Question 20
Are you an associate of a carrier or carriage service provider?
Associates may include a person engaged to provide services on behalf of the carrier or carriage service provider (such as a contractor).
YES: Go to Question 21
NO: Go to Question 22
Question 21
Did you give a copy of the record of disclosure to the carrier or carriage service provider within five days of making the record?
YES: You are compliant (End of checklist)
NO: Non-compliant. You must address this issue before continuing to the end of the checklist
Question 22
Will the record of disclosure be kept for three years?
YES: You are compliant (End of checklist)
NO: Non-compliant. You must address this issue before continuing to the end of the checklist
Appendix B: Disclosure exceptions that impose a record-keeping requirement
Table 1 — General disclosure exceptions
| Legislation | Section | Description of exception |
| --- | --- | --- |
| Telecommunications Act | 280 | Where required or authorised by or under law including a disclosure that is required or authorised under a warrant in connection with an enforcement agency operation |
| Telecommunications Act | 281 | Because a person is summoned as a witness to give evidence or produce documents |
| Telecommunications Act | 284 | To entities including the Australian Communications and Media Authority, Australian Competition and Consumer Commission, Telecommunications Industry Ombudsman and eSafety Commissioner if the information may assist them to carry out their functions or powers |
| Telecommunications Act | 286 | For emergency services related call information to emergency service organisations (e.g. police force) and despatch services for the purpose of dealing with the matters raised by that call |
| Telecommunications Act | 287 | Where the discloser believes on reasonable grounds that the disclosure or use is reasonably necessary to prevent or lessen a serious and imminent threat to the life or health of a person |
| Telecommunications Act | 288 | For particular maritime purposes, such as disclosure or use relating to the preservation of life at sea or the location of a vessel at sea and made for maritime communication purposes |
| Telecommunications Act | 289 | Where a person consents or is reasonably likely to be aware or made aware that such disclosures usually occur |
| Telecommunications Act | 292 | Where prescribed by regulations (Telecommunications Regulations 2001) |
| TIA Act | 177 | Voluntary disclosure to an enforcement agency for enforcement of criminal law, a law imposing a pecuniary penalty or protection of the public revenue |
| TIA Act | 178 | Authorisations for access to existing information or documents — enforcement of the criminal law |
| TIA Act | 179 | Authorisations for access to existing information or documents — enforcement of a law imposing a pecuniary penalty or protection of the public revenue |
| TIA Act | 180(3) | Authorisations for access to existing information or documents |
| TIA Act | 180A | Authorisations for access to existing information or documents — enforcement of the criminal law of a foreign country |
Table 2 — Prospective authorisation exceptions
| Legislation | Section | Description of exception |
| --- | --- | --- |
| TIA Act | 180 | Authorisations by an authorised officer of a criminal law enforcement agency for access to prospective information or documents |
| TIA Act | 180B | Authorisations by an authorised officer of the Australian Federal Police for access to prospective information or documents — enforcement of the criminal law of a foreign country |
Footnotes
[1] Telecommunications Act 1997 (Cth) ss 276, 277 and 278.
[3] The ss 306 and 306A record-keeping requirements also apply to ‘eligible number-database persons’. Under the Telecommunications Act, the Minister may make a determination that an entity is a number-database person. However, there are currently no determinations in force. Consequently, ‘eligible number-database persons’ are not referred to in this resource.
[6] Under ss 180(3) and 180A(2) of the TIA Act, authorised officers may also authorise disclosure of specified information or documents that came into existence before the time the authorisation comes into force.
[7] Telecommunications Act 1997 (Cth) s 306(2)(a).
[8] Telecommunications Act 1997 (Cth) s 306A(2)(a).
[11] Telecommunications Act 1997 (Cth) ss 306(6) and 306A(6).
[12] Section 2C of the Acts Interpretation Act 1901 states that, in any Act, expressions used to denote ‘persons’ generally includes a body politic or corporate as well as an individual.
[13] Telecommunications (Interception and Access) Act 1979 s 5.
[14] Telecommunications Act 1997 ss 306(7) and 306A(7).