This resource provides an overview for telecommunication service providers of their obligations to maintain records of disclosures under ss 306 and 306A of the Telecommunications Act 1997. The resource includes a checklist at Appendix A to help providers ensure the relevant requirements are met when creating records of disclosures.
Overview
Generally, the Telecommunications Act 1997 (Telecommunications Act) prohibits the disclosure of information obtained during the supply of telecommunications services.[1] However, both the Telecommunications Act and the Telecommunications (Interception and Access) Act 1979 (TIA Act) contain exceptions to this general prohibition that enable telecommunication service providers to disclose information in limited circumstances.
If a telecommunication service provider discloses information under certain exceptions contained in the Telecommunications Act or the TIA Act, it must create and keep a record of the disclosure. These records must comply with specific requirements contained in ss 306 and 306A of the Telecommunications Act.
The Office of the Australian Information Commissioner (OAIC) is responsible for monitoring compliance with the record keeping requirements contained in Part 13, Division 5 of the Telecommunications Act.[2]
Who needs to comply with the record-keeping requirements?
Generally, the ss 306 and 306A record-keeping requirements in the Telecommunications Act apply to ‘eligible persons’.[3] An ‘eligible person’ includes a carrier, carriage service provider and their respective employees.[4] The record-keeping requirements also apply to ‘associates’, which includes a person who performs services for or on behalf of the carrier or carriage service provider.[5] These entities are collectively referred to as ‘telecommunication service providers’ in this resource.
More information about the terms ‘carrier’ and ‘carriage service provider’ can be found on the Australian Communications and Media Authority’s website at www.acma.gov.au.
When do the record-keeping requirements apply?
Under ss 306 and 306A, if a telecommunication service provider discloses information in accordance with certain exceptions, it must create a record of disclosure. The exceptions fall into two broad categories: s 306 applies to ‘general disclosure exceptions’ and s 306A applies to ‘prospective authorisation exceptions’.
The general disclosure exceptions enable telecommunication service providers to disclose information in certain circumstances, including to prevent or lessen a serious and imminent threat to the life or health of a person, or if summoned to give evidence or produce documents. The prospective authorisation provisions in the TIA Act generally enable criminal law-enforcement agencies to authorise telecommunication service providers to disclose information or documents that may come into existence during a particular future period of time.[6]
The exceptions that impose a record-keeping requirement are outlined at Appendix B.
When does the record need to be created?
For general disclosures, records must be created within five days of the date of disclosure.[7] For prospective authorisations, the record must be created within five days of the day on which the authorisation ceases to be in force.[8]
If an associate makes a disclosure, they must make a record within five days of the date of disclosure and give that record to the carrier or carriage service provider within five days of making the record.[9] For prospective authorisations, the associate must make a record within five days of the day on which the authorisation ceases to be in force and give a copy of that record to the carrier or provider within five days of making the record.[10]
What information needs to be included in the record?
Section 306 of the Telecommunications Act sets out the requirements for records of disclosures made on the grounds of a general disclosure exception (see Table 1 at Appendix B). Section 306A of the Telecommunications Act sets out the requirements for records of disclosures made on the grounds of a prospective authorisation exception (see Table 2 at Appendix B). These records may be made, given or retained in either written or electronic form.[11] The requirements of ss 306 and 306A are dealt with separately in the tables below.
Section | Information that must be included |
---|---|
s 306(5)(a) | The name of the person who disclosed the information or document concerned (see Key Concepts below) |
s 306(5)(b) | The date of the disclosure |
s 306(5)(c) | A statement of the grounds for the disclosure (see Key Concepts below) |
s 306(5)(d) | If the disclosure is made on the grounds of an authorisation under the TIA Act (ss 178, 179, 180(3) or 180A): |
s 306(5)(e) | If the disclosure was not made under an authorisation in the TIA Act, but the disclosure was requested by another body or person: |
s 306(5)(f) | If the information or document relates to the contents or substance of a communication carried by a carriage service (for example telephone, internet or Voice over Internet Protocol (VoIP) services), the particulars of that carriage service |
Section | Information that must be included |
---|---|
s 306A(5)(a) | The name of the person or persons who made the disclosure or disclosures (see Key Concepts below) |
s 306A(5)(b) | The date of the disclosure: |
s 306A(5)(c) | A statement of the grounds for the disclosure (see Key Concepts below) |
s 306A(5)(d) | The name of the person who made the authorisation and the date of the making of the authorisation (see Key Concepts below) |
Key concepts
Name of the person who disclosed the information
In most cases, the name of the ‘person’ who disclosed the information will be the name of the telecommunication service provider.[12] However, there may be some instances where a service provider will need to record the name of the individual who makes the disclosure. For example, s 281 of the Telecommunications Act authorises disclosure of information by a person summoned to give evidence. As only individuals may give evidence in court, in this instance the record of disclosure should identify the name of the individual who made the disclosure.
As a matter of best practice, the OAIC recommends that records of disclosure include both the name of the telecommunication service provider and the name (or other unique identifier) of the individual who made or actioned the disclosure/s. Telecommunication service providers should also be mindful of their obligations under Australian Privacy Principle (APP) 11, which requires APP entities to take reasonable steps to protect personal information they hold. A reasonable step that entities could take to protect the personal information they hold is to record the employee name (or other unique identifier) on records of disclosures to help identify instances of unauthorised access or disclosure.
A statement of the grounds for the disclosure
The record of disclosure should identify the relevant provision in either the Telecommunications Act or the TIA Act that authorised the disclosure.
Name of the person who made the authorisation
Under the authorisation provisions in the TIA Act (ss 178, 179, 180, 180A and 180B), only an ‘authorised officer’[13] from a requesting entity may authorise a telecommunication service provider to disclose information. Consequently, the ‘name of the person’ who made the authorisation should be the name or other identifier of the individual officer from the requesting entity that authorised the disclosure.
Prospective authorisations — Date of the first and last disclosure
As outlined above, the prospective authorisation provisions in the TIA Act generally enable law enforcement agencies to authorise telecommunication service providers to disclose information or documents that may come into existence during a particular future period of time. The OAIC considers that a disclosure occurs each time specified information or a document comes into existence during the authorisation period and is then released by the service provider to the relevant law enforcement agency.
The ‘date of the first disclosure’ means the date the first specified document or piece of information is disclosed to the relevant law enforcement agency. Similarly, the ‘date of the last disclosure’ refers to the date the last specified document or piece of information is disclosed to the relevant law enforcement agency. Consequently, the record should identify the dates of the first and last disclosure of information to the law enforcement agency. These dates may not necessarily correspond to the dates of the start and end of the authorisation period.
How long do providers need to keep records of disclosures?
All records of disclosure must be retained for three years from the date of creation. Copies of records of disclosures given to a carrier or carriage service provider by an associate must also be kept by the carrier or carriage service provider for three years.
What is the role of the Office of the Australian Information Commissioner?
Under s 309 of the Telecommunications Act, the Information Commissioner has the function of monitoring compliance with the record-keeping requirements of ss 306 and 306A of that Act. The OAIC may conduct inspections of telecommunication service providers’ records to ensure they comply with these requirements. There are offences and penalties under the Telecommunications Act for failing to comply with the record-keeping requirements.[14]
For more information about the OAIC’s activities in this area, see Summary of OAIC’s inspection of telecommunications organisations’ records of disclosure under the Telecommunications Act.
For further information
The OAIC has a range of privacy resources on its website to assist telecommunication service providers to comply with the Privacy Act.
Service providers should also consider subscribing to the OAIC’s newsletter, OAICnet, which provides news about the OAIC’s activities, publications and other information.
The information provided in this resource is of a general nature. It is not a substitute for legal advice.
Appendix A: Records of disclosure checklist
The purpose of this checklist is to assist telecommunication service providers to address the record-keeping requirements contained in ss 306 and 306A of the Telecommunications Act.
Question | Check | Next step |
---|---|---|
Question 1 | Is the disclosure made on the grounds of a general disclosure exception? The general disclosure exceptions are ss 280, 281, 284, 286, 287, 288, 289, 292 of the Telecommunications Act and ss 177, 178, 179, 180(3), 180A of the TIA Act. See also Table 1 at Appendix B. | Yes: Go to Question 3 No: Go to Question 2 |
Question 2 | Is the disclosure made on the grounds of a prospective authorisation exception? The prospective authorisation exceptions are ss 180 and 180B of the TIA Act. See also Table 2 at Appendix B. | Yes: Go to Question 11 No: A record of disclosure is not required under ss 306 or 306A of the Telecommunications Act |
Question 3 | Does the record include the name of the person who disclosed the information? The OAIC recommends that records include both the name of the telecommunication service provider and the name or other identifier of the individual who made or actioned the disclosure/s. | Yes: Go to Question 4 No: Non-compliant. You must address this issue before continuing to Q4 |
Question 4 | Does the record include the date of disclosure? | Yes: Go to Question 5 No: Non-compliant. You must address this issue before continuing to Q5 |
Question 5 | Does the record include a statement of the grounds of disclosure? The record must identify the relevant provision in either the Telecommunications Act or the TIA Act that authorised the disclosure. | Yes: Go to Question 6 No: Non-compliant. You must address this issue before continuing to Q6 |
Question 6 | Was the disclosure made voluntarily by the telecommunication service provider to an enforcement agency under s 177 of the TIA Act? | Yes: Go to Question 18 No: Go to Question 7 |
Question 7 | Was the disclosure made on the grounds of an authorisation under ss 178, 179, 180(3) or 180A of the TIA Act? | Yes: Go to Question 8 No: Go to Question 10 |
Question 8 | Does the record include the name of the person who made the authorisation? The record should include the name of the authorised officer that authorised the disclosure. | Yes: Go to Question 9 No: Non-compliant. You must address this issue before continuing to Q9 |
Question 9 | Does the record include the date of the making of the authorisation? | Yes: Go to Question 18 No: Non-compliant. You must address this issue before continuing to Q18 |
Question 10 | If the disclosure was requested by another body or person, does the record include the name of the body or person and the date of request? | Yes: Go to Question 18 No: Non-compliant. You must address this issue before continuing to Q18 |
Question 11 | Does the record include the name of the person who disclosed the information or documents? As stated above, the OAIC recommends that records include both the name of the telecommunication service provider and the name or other identifier of the individual who made or actioned the disclosure/s. | Yes: Go to Question 12 No: Non-compliant. You must address this issue before continuing to Q12 |
Question 12 | Was more than one disclosure made under the prospective authorisation? | Yes: Go to Question 14 No: Go to Question 13 |
Question 13 | Does the record include the date of the disclosure? | Yes: Go to Question 15 No: Non-compliant. You must address this issue before continuing to Q15 |
Question 14 | Does the record include the date of the first and the date of the last disclosure? The record must include the first and last dates that information was disclosed to the law enforcement agency during the authorisation period. The first and last dates of disclosure may not correspond with the first and last date of the authorisation period. | Yes: Go to Question 15 No: Non-compliant. You must address this issue before continuing to Q15 |
Question 15 | Does the record include a statement of the grounds for the disclosure or disclosures? The record must identify the relevant provision in the TIA Act that authorised the disclosure. | Yes: Go to Question 16 No: Non-compliant. You must address this issue before continuing to Q16 |
Question 16 | Does the record include the name of the authorised officer of the criminal law enforcement agency who made the authorisation? | Yes: Go to Question 17 No: Non-compliant. You must address this issue before continuing to Q17 |
Question 17 | Does the record include the date the authorisation was made? | Yes: Go to Question 19 No: Non-compliant. You must address this issue before continuing to Q19 |
Question 18 | Was the record created within five days after the disclosure? | Yes: Go to Question 20 No: Non-compliant. You must address this issue before continuing to Q20 |
Question 19 | Was the record created within five days after the day on which the authorisation ceased to be in force? | Yes: Go to Question 20 No: Non-compliant. You must address this issue before continuing to Q20 |
Question 20 | Are you an associate of a carrier or carriage service provider? Associates may include a person engaged to provide services on behalf of the carrier or carriage service provider (such as a contractor). | Yes: Go to Question 21 No: Go to Question 22 |
Question 21 | Did you give a copy of the record of disclosure to the carrier or carriage service provider within five days of making the record? | Yes: You are compliant (End of checklist) No: Non-compliant. You must address this issue before continuing to the end of the checklist |
Question 22 | Will the record of disclosure be kept for three years? | Yes: You are compliant (End of checklist) No: Non-compliant. You must address this issue before continuing to the end of the checklist |
Appendix B: Disclosure exceptions that impose a record-keeping requirement
Table 1: General disclosure exceptions
Legislation | Section | Description of exception |
---|---|---|
Telecommunications Act | 280 | Where required or authorised by or under law including a disclosure that is required or authorised under a warrant in connection with an enforcement agency operation |
Telecommunications Act | 281 | Because a person is summoned as a witness to give evidence or produce documents |
Telecommunications Act | 284 | To entities including the Australian Communications and Media Authority, Australian Competition and Consumer Commission, Telecommunications Industry Ombudsman and eSafety Commissioner if the information may assist them to carry out their functions or powers |
Telecommunications Act | 286 | For emergency services related call information to emergency service organisations (e.g. police force) and despatch services for the purpose of dealing with the matters raised by that call |
Telecommunications Act | 287 | Where the discloser believes on reasonable grounds that the disclosure or use is reasonably necessary to prevent or lessen a serious and imminent threat to the life or health of a person |
Telecommunications Act | 288 | For particular maritime purposes, such as disclosure or use relating to the preservation of life at sea or the location of a vessel at sea and made for maritime communication purposes |
Telecommunications Act | 289 | Where a person consents or is reasonably likely to be aware or made aware that such disclosures usually occur |
Telecommunications Act | 292 | Where prescribed by regulations (Telecommunications Regulations 2001) |
TIA Act | 177 | Voluntary disclosure to an enforcement agency for enforcement of criminal law, a law imposing a pecuniary penalty or protection of the public revenue |
TIA Act | 178 | Authorisations for access to existing information or documents — enforcement of the criminal law |
TIA Act | 179 | Authorisations for access to existing information or documents — enforcement of a law imposing a pecuniary penalty or protection of the public revenue |
TIA Act | 180(3) | Authorisations for access to existing information or documents |
TIA Act | 180A | Authorisations for access to existing information or documents — enforcement of the criminal law of a foreign country |
Table 2: Prospective authorisation exceptions
Legislation | Section | Description of exception |
---|---|---|
TIA Act | 180 | Authorisations by an authorised officer of a criminal law enforcement agency for access to prospective information or documents |
TIA Act | 180B | Authorisations by an authorised officer of the Australian Federal Police for access to prospective information or documents — enforcement of the criminal law of a foreign country |
Footnotes
[1] Telecommunications Act 1997 (Cth) ss 276, 277 and 278.
[2] Telecommunications Act 1997 (Cth) s 309.
[3] The ss 306 and 306A record-keeping requirements also apply to ‘eligible number-database persons’. Under the Telecommunications Act, the Minister may make a determination that an entity is a number-database person. However, there are currently no determinations in force. Consequently, ‘eligible number-database persons’ are not referred to in this resource.
[4] Telecommunications Act 1997 (Cth) s 271.
[5] Telecommunications Act 1997 (Cth) s 304.
[6] Under ss 180(3) and 180A(2) of the TIA Act, authorised officers may also authorise disclosure of specified information or documents that came into existence before the time the authorisation comes into force.
[7] Telecommunications Act 1997 (Cth) s 306(2)(a).
[8] Telecommunications Act 1997 (Cth) s 306A(2)(a).
[9] Telecommunications Act 1997 (Cth) s 306(3).
[10] Telecommunications Act 1997 (Cth) s 306A(3).
[11] Telecommunications Act 1997 (Cth) ss 306(6) and 306A(6).
[12] Section 2C of the Acts Interpretation Act 1901 states that, in any Act, expressions used to denote ‘persons’ generally include a body politic or corporate as well as an individual.
[13] Telecommunications (Interception and Access) Act 1979 (Cth) s 5.
[14] Telecommunications Act 1997 (Cth) ss 306(7) and 306A(7).