Publication date: 1 February 2016

This resource provides an overview for telecommunication service providers of their obligations to maintain records of disclosures under ss 306 and 306A of the Telecommunications Act 1997. The resource includes a checklist at Appendix A to help providers ensure the relevant requirements are met when creating records of disclosures.

Overview

Generally, the Telecommunications Act 1997 (Telecommunications Act) prohibits the disclosure of information obtained during the supply of telecommunications services.[1] However, both the Telecommunications Act and the Telecommunications (Interception and Access) Act 1979 (TIA Act) contain exceptions to this general prohibition that enables telecommunication service providers to disclose information in limited circumstances.

If a telecommunication service provider discloses information under certain exceptions contained in the Telecommunications Act or the TIA Act, it must create and keep a record of the disclosure. These records must comply with specific requirements contained in ss 306 and 306A of the Telecommunications Act.

The Office of the Australian Information Commissioner (OAIC) is responsible for monitoring compliance with the record keeping requirements contained in Part 13, Division 5 of the Telecommunications Act.[2]

Who needs to comply with the record-keeping requirements?

Generally, the ss 306 and 306A record-keeping requirements in the Telecommunications Act apply to ‘eligible persons’.[3] An ‘eligible person’ includes a carrier, carriage service provider and their respective employees.[4] The record-keeping requirements also apply to ‘associates’, which includes a person who performs services for or on behalf of the carrier or carriage service provider.[5] These entities are collectively referred to as ‘telecommunication service providers’ in this resource.

More information about the terms ‘carrier’ and ‘carriage service provider’ can be found on the Australia Communications and Media Authority’s website at www.acma.gov.au.

When do the record-keeping requirements apply?

Under ss 306 and 306A, if a telecommunication service provider discloses information in accordance with certain exceptions, it must create a record of disclosure. The exceptions fall into two broad categories: s 306 applies to ‘general disclosure exceptions’ and s 306A applies to ‘prospective authorisation exceptions’.

The general disclosure exceptions enable telecommunication service providers to disclose information in certain circumstances, including to prevent or lessen a serious and imminent threat to the life or health of a person, or if summoned to give evidence or produce documents. The prospective authorisation provisions in the TIA Act generally enable criminal law-enforcement agencies to authorise telecommunication service providers to disclose information or documents that may come into existence during a particular future period of time.[6]

The exceptions that impose a record-keeping requirement are outlined at Appendix B.

When does the record need to be created?

For general disclosures, records must be created within five days of the date of disclosure.[7] For prospective authorisations, the record must be created within five days of the day on which the authorisation ceases to be in force.[8]

If an associate makes a disclosure, they must make a record within five days of the date of disclosure and give that record to the carrier or carriage service provider within five days of making the record.[9] For prospective authorisations, the associate must make a record within five days of the day on which the authorisation ceases to be in force and give a copy of that record to the carrier or provider within five days of making the record.[10]

What information needs to be included in the record?

Section 306 of the Telecommunications Act sets out the requirements for records of disclosures made on the grounds of a general disclosure exception (see Table 1 at Appendix B). Section 306A of the Telecommunications Act sets out the requirements for records of disclosures made on the grounds of a prospective authorisation exception (see Table 2 at Appendix B). These records may be made, given or retained in either written or electronic form.[11] The requirements of ss 306 and 306A are dealt with separately in the tables below.

Section 306: Records of disclosure — general

Section

Information that must be included

s 306(5)(a)

The name of the person who disclosed the information or document concerned (see Key Concepts below)

s 306(5)(b)

The date of the disclosure

s 306(5)(c)

A statement of the grounds for the disclosure (see Key Concepts below)

s 306(5)(d)

If the disclosure is made on the grounds of an authorisation under the TIA Act (ss 178, 179, 180(3) or 180A):

  • name of the person who made the authorisation
  • date of the making of the authorisation

s 306(5)(e)

If the disclosure was Not made under an authorisation in the TIA Act, but the disclosure was requested by aNother body or person:

  • the requesting party’s name
  • date of request

s 306(5)(f)

If the information or document relates to the contents or substance of a communication carried by a carriage service (for example telephone, internet or Voice over Internet Protocol (VoIP) services), the particulars of that carriage service

Section 306A: Records of disclosure — prospective authorisations

Section

Information that must be included

s 306A(5)(a)

The name of the person or persons who made the disclosure or disclosures (see Key Concepts below)

s 306A(5)(b)

The date of the disclosure:

  • if only one disclosure is made because of the authorisation — the date of the disclosure, or
  • if more than one disclosure is made because of the authorisation — the date of the first and date of the last disclosures (see Key Concepts below)

s 306A(5)(c)

A statement of the grounds for the disclosure (see Key Concepts below)

s 306A(5)(d)

The name of the person who made the authorisation and the date of the making of the authorisation (see Key Concepts below)

Key concepts

Name of the person who disclosed the information

In most cases, the name of the ‘person’ who disclosed the information will be the name of the telecommunication service provider.[12] However, there may be some instances where a service provider will need to record the name of the individual who makes the disclosure. For example, s 281 of the Telecommunications Act authorises disclosure of information by a person summoned to give evidence. As only individuals may give evidence in court, in this instance the record of disclosure should identify the name of the individual who made the disclosure.

As a matter of best practice, the OAIC recommends that records of disclosure includes both the name of the telecommunication service provider and the name (or other unique identifier) of the individual who made or actioned the disclosure/s. Telecommunication service providers should also be mindful of their obligations under Australian Privacy Principle (APP) 11, which requires APP entities to take reasonable steps to protect personal information they hold. A reasonable step that entities could take to protect the personal information they hold is to record the employee name (or other unique identifier) on records of disclosures to help identify instances of unauthorised access or disclosure.

A statement of the grounds for the disclosure

The record of disclosure should identify the relevant provision in either the Telecommunications Act or the TIA Act that authorised the disclosure.

Name of the person who made the authorisation

Under the authorisation provisions in the TIA Act (ss 178, 179, 180, 180A and 180B), only an ‘authorised officer’[13] from a requesting entity may authorise a telecommunication service provider to disclose information. Consequently, the ‘name of the person’ who made the authorisation should be the name or other identifier of the individual officer from the requesting entity that authorised the disclosure.

Prospective authorisations — Date of the first and last disclosure

As outlined above, the prospective authorisation provisions in the TIA Act generally enable law enforcement agencies to authorise telecommunication service providers to disclose information or documents that may come into existence during a particular future period of time. The OAIC considers that a disclosure occurs each time specified information or a document comes into existence during the authorisation period and is then released by the service provider to the relevant law enforcement agency.

The ‘date of the first disclosure’ means the date the first specified document or piece of information is disclosed to the relevant law enforcement agency. Similarly, the ‘date of the last disclosure’ refers to the date the last specified document or piece of information is disclosed to the relevant law enforcement agency. Consequently, the record should identify the dates of the first and last disclosure of information to the law enforcement agency. These dates may Not necessarily correspond to the dates of the start and end of the authorisation period.

How long do providers need to keep records of disclosures?

All records of disclosure must be retained for three years from the date of creation. Copies of records of disclosures given to a carrier or carriage service provider by an associate must also be kept by the carrier or carriage service provider for three years.

What is the role of the Office of the Australian Information Commissioner?

Under s 309 of the Telecommunications Act, the Information Commissioner has the function of monitoring compliance with the record-keeping requirements of ss 306 and 306A of that Act. The OAIC may conduct inspections of telecommunication service providers’ records to ensure they comply with these requirements. There are offences and penalties under the Telecommunications Act for failing to comply with the record-keeping requirements.[14]

For more information about the OAIC’s activities in this area, see Summary of OAIC’s inspection of telecommunications organisations’ records of disclosure under the Telecommunications Act.

For further information

The OAIC has a range of privacy resources on its website to assist telecommunication service providers comply with the Privacy Act.

Service providers should also consider subscribing to the OAIC’s newsletter, OAICnet, which provides news about the OAIC’s activities, publications and other information.

The information provided in this resource is of a general nature. It is Not a substitute for legal advice.

Appendix A: Records of disclosure checklist

The purpose of this checklist is to assist telecommunication service providers’ address the record-keeping requirements contained in ss 306 and 306A of the Telecommunications Act.

Question 1

Is the disclosure made on the grounds of a general disclosure exception?

The general disclosure exceptions are ss 280, 281, 284, 286, 287, 288, 289, 292 of the Telecommunications Act and ss 177, 178, 179, 180(3), 180A of the TIA Act.

See also Table 1 at Appendix B.

Yes: Go to Question 3

No: Go to Question 2

Question 2

Is the disclosure made on the grounds of a prospective authorisation exception?

The prospective authorisation exceptions are ss 180 and 180B of the TIA Act.

See also Table 2 at Appendix B.

Yes: Go to Question 11

No: A record of disclosure is Not required under ss 306 or 306A of the Telecommunications Act

Question 3

Does the record include the name of the person who disclosed the information?

The OAIC recommends that records include both the name of the telecommunication service provider and the name or other identifier of the individual who made or actioned the disclosure/s.

Yes: Go to Question 4

No: Non-compliant. You must address this issue before continuing to Q4

Question 4

Does the record include the date of disclosure?

Yes: Go to Question 5

No: Non-compliant. You must address this issue before continuing to Q5

Question 5

Does the record include a statement of the grounds of disclosure?

The record must identify the relevant provision in either the Telecommunications Act or the TIA Act that authorised the disclosure.

Yes: Go to Question 6

No: Non-compliant. You must address this issue before continuing to Q6

Question 6

Was the disclosure made voluntarily by the telecommunication service provider to an enforcement agency under s 177 of the TIA Act?

Yes: Go to Question 18

No: Go to Question 7

Question 7

Was the disclosure made on the grounds of an authorisation under ss 178, 179, 180(3) or 180A of the TIA Act?

Yes: Go to Question 8

No: Go to Question 10

Question 8

Does the record include the name of the person who made the authorisation?

The record should include the name of the authorised officer that authorised the disclosure.

Yes: Go to Question 9

No: Non-compliant. You must address this issue before continuing to Q9

Question 9

Does the record include the date of the making of the authorisation?

Yes: Go to Question 18

No: Non-compliant. You must address this issue before continuing to Q18

Question 10

If the disclosure was requested by aNother body or person, does the record include: the name of the body or person and the date of request.

Yes: Go to Question 18

No: Non-compliant. You must address this issue before continuing to Q18

Question 11

Does the record include the name of the person who disclosed the information or documents?

As stated above, the OAIC recommends that records include both the name of the telecommunication service provider and the name or other identifier of the individual who made or actioned the disclosure/s.

Yes: Go to Question 12

No: Non-compliant. You must address this issue before continuing to Q12

Question 12

Was more than one disclosure made under the prospective authorisation?

Yes: Go to Question 14

No: Go to Question 13

Question 13

Does the record include the date of the disclosure?

Yes: Go to Question 15

No: Non-compliant. You must address this issue before continuing to Q15

Question 14

Does the record include the date of the first and the date of the last disclosure?

The record must include the first and last dates that information was disclosed to the law enforcement agency during the authorisation period. The first and last dates of disclosure may Not correspond with the first and last date of the authorisation period.

Yes: Go to Question 15

No: Non-compliant. You must address this issue before continuing to Q15

Question 15

Does the record include a statement of the grounds for the disclosure or disclosures?

The record must identify the relevant provision in the TIA Act that authorised the disclosure.

Yes: Go to Question 16

No: Non-compliant. You must address this issue before continuing to Q16

Question 16

Does the record include the name of the authorised officer of the criminal law enforcement agency who made the authorisation?

Yes: Go to Question 17

No: Non-compliant. You must address this issue before continuing to Q17

Question 17

Does the record include the date the authorisation was made?

Yes: Go to Question 19

No: Non-compliant. You must address this issue before continuing to Q19

Question 18

Was the record created within five days after the disclosure?

Yes: Go to Question 20

No: Non-compliant. You must address this issue before continuing to Q20

Question 19

Was the record created within five days after the day on which the authorisation ceased to be in force?

Yes: Go to Question 20

No: Non-compliant. You must address this issue before continuing to Q20

Question 20

Are you an associate of a carrier or carriage service provider?

Associates may include a person engaged to provide services on behalf of the carrier or carriage service provider (such as a contractor).

Yes: Go to Question 21

No: Go to Question 22

Question 21

Did you give a copy of the record of disclosure to the carrier or carriage service provider within five days of making the record?

Yes: You are compliant (End of checklist)

No: Non-compliant. You must address this issue before continuing to the end of the checklist

Question 22

Will the record of disclosure be kept for three years?

Yes: You are compliant (End of checklist)

No: Non-compliant. You must address this issue before continuing to the end of the checklist

Appendix B: Disclosure exceptions that impose a record-keeping requirement

Table 1 — General disclosure exceptions
LegislationSection Description of exception
Telecommunications Act

280

Where required or authorised by or under law including a disclosure that is required or authorised under a warrant in connection with an enforcement agency operation

281

Because a person is summoned as a witness to give evidence or produce documents

284

To entities including the Australian Communications and Media Authority, Australian Competition and Consumer Commission, Telecommunications Industry Ombudsman and eSafety Commissioner if the information may assist them to carry out their functions or powers

286

For emergency services related call information to emergency service organisations (e.g. police force) and despatch services for the purpose of dealing with the matters raised by that call

287

Where the discloser believes on reasonable grounds that the disclosure or use is reasonably necessary to prevent or lessen a serious and imminent threat to the life or health of a person

288

For particular maritime purposes, such as disclosure or use relating to the preservation of life at sea or the location of a vessel at sea and made for maritime communication purposes

289

Where a person consents or is reasonably likely to be aware or made aware that such disclosures usually occur

292

Where prescribed by regulations (Telecommunications Regulations 2001)

TIA Act

177

Voluntary disclosure to an enforcement agency for enforcement of criminal law, a law imposing a pecuniary penalty or protection of the public revenue

178

Authorisations for access to existing information or documents — enforcement of the criminal law

179

Authorisations for access to existing information or documents — enforcement of a law imposing a pecuniary penalty or protection of the public revenue

180(3)

Authorisations for access to existing information or documents

180A

Authorisations for access to existing information or documents — enforcement of the criminal law of a foreign country

Table 2 — Prospective authorisation exceptions
LegislationSection Description of exception
TIA Act

180

Authorisations by an authorised officer of a criminal law enforcement agency for access to prospective information or documents

180B

Authorisations by an authorised officer of the Australian Federal Police for access to prospective information or documents — enforcement of the criminal law of a foreign country

Footnotes

[1] Telecommunications Act 1997 (Cth) ss 276, 277 and 278.

[2] Telecommunications Act 1997 (Cth) s 309.

[3] The ss 306 and 306A record-keeping requirements also apply to ‘eligible number-database persons’. Under the Telecommunications Act, the Minister may make a determination that an entity is a number-database person. However, there are currently no determinations in force. Consequently, ‘eligible number-database persons’ are not referred to in this resource.

[4] Telecommunications Act 1997 (Cth) s 271.

[5] Telecommunications Act 1997 (Cth) s 304.

[6] Under ss 180(3) and 180A(2) of the TIA Act, authorised officers may also authorise disclosure of specified information or documents that came into existence before the time the authorisation comes into force.

[7] Telecommunications Act 1997 (Cth) s 306(2)(a).

[8] Telecommunications Act 1997 (Cth) s 306A(2)(a).

[9] Telecommunications Act 1997 (Cth) s 306(3).

[10] Telecommunications Act 1997 (Cth) s 306A(3).

[11] Telecommunications Act 1997 (Cth) ss 306(6) and 306A(6).

[12] Section 2C of the Acts Interpretation Act 1901 states that, in any Act, expressions used to denote ‘persons’ generally includes a body politic or corporate as well as an individual.

[13] Telecommunication (Interception and Access) Act 1979 s 5.

[14] Telecommunications Act 1997 ss 306(7) and 306A(7).