Summary of OAIC’s inspection of telecommunications organisations’ records of disclosure under the Telecommunications Act

23 June 2022

Introduction

1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) inspection of whether selected telecommunication services providers maintained records of disclosure in accordance with their obligations under ss 306 and 306A of the Telecommunications Act 1997 (Cth) (Telecommunications Act).

1.2 This inspection was conducted under s 309 of the Telecommunications Act, which allows the OAIC to inspect whether an entity is complying with Division 5, Part 13 of the Telecommunications Act.

1.3 The OAIC inspected Telstra, Vodafone (now TPG Telecom)[1], TPG (now TPG Telecom) and Optus. The OAIC inspected samples of records of disclosures created in financial years 2018-19, 2019-20 and 2020-21 to date of inspections.

1.4 The OAIC engaged Axiom Associates (Aust) Pty Ltd under s 24 of the Australian Information Commissioner Act 2010 (Cth) to assist the OAIC to conduct inspections of the 4 telecommunication services providers to assess their compliance with record keeping requirements of the Telecommunications Act.

1.5 Fieldwork for this inspection was conducted in April and May 2021. The inspection was undertaken by Axiom Associates and OAIC staff at the telecommunication services providers’ premises. Each inspection was conducted over 2 business days, with the providers’ employees either providing printouts of records of disclosure or screen sharing to give the inspection team view access to records held on their systems.

1.6 In undertaking the inspections, the OAIC observed instances of partial compliance and non-compliance by the selected providers and made several recommendations. The telecommunication service providers accepted all of the OAIC’s recommendations.

Selection of targets and methodology

1.7 The OAIC inspected Telstra, Vodafone, TPG Telecom and Optus because they are 4 of the largest telecommunication services providers in Australia. The objective of this inspection was to assess the 4 telecommunication services providers’ compliance with their record keeping obligations under ss 306 and 306A of the Telecommunications Act.

1.8 The scope of this inspection was limited to records of disclosures by the telecommunication services providers under ss 306 and 306A of the Telecommunications Act for the financial years 2018–19, 2019–20 and 2020–21 (to date of inspections).

1.9 For Telstra, Vodafone and TPG, the samples selected were representative of the population breakdown of the legislative provisions which authorised the disclosure. A minimum of 2 records per legislative provision per year were selected. Due to the nature of Optus’ processes, a selective sample based on the legislative provision could not be drawn. For Optus, the sample selected was representative of the approximate population breakdown of the business processes adopted by Optus with a minimum of 2 records per business process per year selected.

1.10 The populations across the 4 telecommunication services providers varied in size from approximately 4,000 disclosures per year to over 260,000 disclosures per year. The OAIC selected a subset of 300 records per provider that were to be made available for the duration of the nominated inspection period. Of this subset, a minimum of 250 records were inspected.

1.11 The samples were randomly selected across different time periods and, where possible, were based on the purpose of disclosure. Due to the different way in which Optus maintains records, samples were randomly selected across the financial years broken down by business process. The samples were provided to the telecommunication service providers 3 business days before the inspections were scheduled to commence.

1.12 As part of this inspection, the OAIC considered its guidance resource on Keeping records of disclosures under the Telecommunications Act 1997 (Record Keeping Guidance), which provides an overview for telecommunication service providers of their obligations to maintain records of disclosures under ss 306 and 306A of the Telecommunications Act.

Key findings

Telstra

1.13 In the sample inspected, Telstra was complying with its record keeping obligations under ss 306 and 306A of the Telecommunications Act and the inspectors did not identify any compliance issues.

Vodafone

1.14 In the sample inspected, Vodafone was complying with its record keeping obligations under s 306A of the Telecommunications Act but was not fully complying with s 306. The OAIC made one recommendation to Vodafone related to the following issues.

  • First, the inspectors identified 4 records that were incomplete as they did not contain the date Vodafone disclosed the information as required under para 306(5)(b) of the Telecommunications Act.
  • Second, the inspectors identified 12 records that were incomplete as they had not set out a statement of the grounds for disclosure as required under para 306(5)(c) of the Telecommunications Act. Of these, 6 records were related to disclosures to the Telecommunications Industry Ombudsman and 6 records were related to disclosures authorised under a warrant (4 of which did not set out the date of disclosure as discussed above).

TPG

1.15 In the sample inspected, TPG was not fully complying with its record keeping obligations under ss 306 and 306A of the Telecommunications Act. The OAIC made 3 recommendations to TPG related to the following issues.

  • First, the inspectors identified 36 records that were incomplete as they had not set out a statement of the grounds for disclosure as required under para 306(5)(c) of the Telecommunications Act. All 36 records were related to disclosures to the Telecommunications Industry Ombudsman.
  • Second, the inspectors found that TPG only had access to the record of disclosure within an associate’s system and could not identify whether any copies had been made within TPG systems and retained for the required timeframe of 3 years as required under subss 306(4) and 306A(4) of the Telecommunications Act. This impacted 210 records inspected under s 306 and 1 record inspected under s 306A.

Optus

1.16 In the sample inspected, Optus was complying with its record keeping obligations under s 306A of the Telecommunications Act but was not fully complying with s 306. The OAIC made 2 recommendations to Optus related to the following issues.

  • First, Optus could not provide a record of disclosure for 3 records selected by the OAIC for sample testing. Therefore, Optus was unable to demonstrate that it had maintained records of disclosure for 3 years for those 3 records as required by para 306(2).
  • Second, the inspectors identified 18 records that were incomplete as they had not set out a statement of the grounds for disclosure as required under para 306(5)(c) of the Telecommunications Act. All 18 records were related to disclosures to the Telecommunications Industry Ombudsman.

Background

Legislative Record Keeping Requirements

1.17 Sections 306 and 306A of the Telecommunications Act require carriers and carriage service providers to make and retain records of disclosure where they disclose information or documents they hold in accordance with specific disclosure exceptions found in the Telecommunications Act or the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act).

1.18 Section 306 of the Telecommunications Act provides that where a carrier or carriage service provider discloses information or a document under a provision of Division 3 of Part 13 of the Telecommunications Act (other than ss 279, 285, 285A, 290, 291 or 291A) or under ss 177, 178, 179, 180(3) or 180A of the TIA Act, that entity must make a record of the disclosure within 5 days after the disclosure and retain that record for 3 years.

1.19 Further, subs 306(5) sets out that a record of disclosure must include:

  • the name of the person who disclosed the information
  • the date of disclosure
  • a statement of the grounds for the disclosure
  • if the disclosure was made under an authorisation allowed in the TIA Act (that is, ss 178, 179, 180(3) or 180A):
    • the name of the person who made the authorisation
    • the date of the making of the authorisation
  • if the disclosure was not made under an authorisation in the TIA Act but the disclosure was requested by another body or person:
    • the name of the body or person
    • the date of the request
  • if the information or document relates to the contents or substance of a communication that was carried by means of a carriage service—particulars of that carriage service.

1.20 Section 306A of the Telecommunications Act provides that where a carrier or carriage service provider discloses information or a document under a prospective authorisation in force due to subss 180(2) or 180B(2) of the TIA Act, they must make a record of the disclosure within 5 days after the disclosure and retain that record for 3 years.

1.21 Further, subs 306A(5) sets out that a record of disclosure must include:

  • the name of the person who disclosed the information
  • if only one disclosure is made because of the authorisation, the date of disclosure
  • if more than one disclosure is made because of the authorisation, the date of the first and last disclosure
  • a statement of the grounds for the disclosure or disclosures
  • the name of the person who made the authorisation and the date the authorisation was made.

Footnotes

[1] Vodafone and TPG Telecom underwent a merger and changed their names in mid-2020, within the scope of the inspection period. Both organisations continued to maintain separate processes for making records of the disclosures in the 2020–21 financial year; as such, they were assessed as two separate entities for the entire scope period of financial years 2018–19, 2019–20 and 2020–21.