Publication date: 6 February 2020

Introduction

1 In 2018-19 the Office of the Australian Information Commissioner (OAIC) assessed the information security practices of four major telecommunication service providers (service providers) in relation to their handling of personal information under the Telecommunications (Interception and Access) Act 2015 (Cth) (TIA Act).

2 Under Part 5-1A of the TIA Act, service providers are obliged to retain certain types of telecommunications data for a minimum of two years (retained data). Specified enforcement and national security agencies may access the retained data held by service providers in certain circumstances. The implementation of Part 5-1A of the TIA Act is generally known as the ‘Data Retention Scheme’ (DRS).

3 The OAIC regulates the personal information handling activities of entities covered by the Privacy Act 1988. Under the DRS, service providers are required to comply with the Privacy Act in relation to retained data. In practice, this means that service providers participating in the DRS generally have information security obligations to:

  • protect the confidentiality of their retained data through encryption, and from unauthorised interference and access, in accordance with the TIA Act
  • take such steps as are reasonable in the circumstances to protect retained data from misuse, interference and loss, as well as unauthorised access, modification or disclosure, in accordance with the Privacy Act’s Australian Privacy Principle 11 (APP 11).

Methodology

4 The OAIC assessed Telstra Corporation Ltd (Telstra), Vodafone Hutchison Australia Pty Ltd (Vodafone), Singtel Optus Pty Ltd (Optus), and TPG Telecom Limited (TPG).

5 These assessments considered the reasonable steps the four service providers were taking to secure their retained data under APP 11. The assessments were risk-based and focused on identifying privacy risks to the secure handling of personal information. They involved a review of documentation that set out relevant policies and practices of service providers, site visits, and interviews with key staff.

6 The OAIC makes recommendations to address ‘high’ and ‘medium’ privacy risks. For more information about these privacy risk ratings, refer to Chapter 7 of the OAIC’s Guide to Privacy Regulatory Action.

7 The scope of the assessments aligned with matters set out in the OAIC’s Guide to Securing Personal Information (the Guide). The Guide outlines the reasonable steps entities are required to take under the Privacy Act to protect the personal information they hold, such as by implementing appropriate governance arrangements, internal practices and procedures, physical and ICT security measures and access security controls. The OAIC obtained evidence from service providers’ documents and through interviews with key staff to ascertain the privacy risks in the way each service provider was implementing the requirements of the DRS.

8 The assessments did not consider the service providers’ compliance with the DRS as a whole, or involve testing of the service providers’ ICT systems.

Key findings

9 The assessors found that in general, with the exception of one service provider, the information security practices of service providers aligned with the obligations of APP 11. However, three of the four service providers had not created detailed rules for the destruction or de-identification of retained data after the mandatory two-year retention period (which had not yet passed at the time of the assessments). The creation of detailed policies and rules in this area will be increasingly important for all service providers with obligations under the DRS, as the volumes of retained data increase over time.

Telstra

10 Telstra has governance arrangements, internal practices and procedures, physical and ICT security measures and access security controls in place to protect retained data. The OAIC did not identify any medium or high-level privacy risks but made two suggestions to enhance the privacy protective measures that apply to Telstra’s handling of retained data.

Vodafone

11 Vodafone has governance arrangements, internal practices and procedures, physical and ICT security measures and access security controls in place to protect retained data. The OAIC did not identify any medium or high-level privacy risks but made one suggestion to enhance the privacy protective measures that apply to Vodafone’s handling of retained data.

Optus

12 Optus has governance arrangements, internal practices and procedures, physical and ICT security measures and access security controls in place to protect retained data. The OAIC did not identify any medium or high-level privacy risks but made two suggestions to further enhance the privacy protective measures that apply to Optus’s handling of retained data.

TPG

13 The OAIC identified some privacy risks in relation to TPG’s governance and controls for protecting retained data.

14 The OAIC made seven recommendations to improve TPG’s documentation of practices and procedures and strengthen certain security and access controls. The OAIC also made five suggestions to assist TPG to further enhance the privacy protective measures that it applies to retained data.

Responses

15 The OAIC provided each service provider with an individualised assessment report.

16 Telstra, Optus and Vodafone agreed to or noted the OAIC’s suggestions.

17 TPG accepted the recommendations. The OAIC will follow up with TPG on its implementation of the recommendations in the 2020/21 financial year.

Background — legislative obligations relating to the security of personal information

18 The TIA Act provides a legal framework for law enforcement and national security agencies to access retained data held by service providers. Section 187AA of the TIA Act outlines the retained data to be kept by service providers. This includes information about a communication, such as its source, destination, date, time, and duration.

19 Subsection 187LA(2) states that retained data is personal information for the purposes of the Privacy Act. Subsection 187LA(1) states that the Privacy Act applies to service providers, and therefore, service providers must comply with the requirements of the APPs. Section 187BA requires that service providers protect the confidentiality of information that they are required to keep by encrypting the information and protecting the information from unauthorised interference or unauthorised access.

20 Service providers were assessed against APP 11 in the Privacy Act. Schedule 1 of the Privacy Act prescribes the privacy obligations regarding the security of personal information under APP 11 as follows:

Australian Privacy Principle 11 — security of personal information

11.1 If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:

  1. from misuse, interference and loss; and
  2. from unauthorised access, modification or disclosure.

11.2 If:

  1. an APP entity holds personal information about an individual; and
  2. the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under this Schedule; and
  3. the information is not contained in a Commonwealth record; and
  4. the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information;

the entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.